Beginner

ISE Guest login page problems

Hello all,

I am trying to set up 'guest' access for known people... I mean, the validation of the credentials is made against an LDAP server. User accounts are created there, inside a wfacces group.

My problem is that when I activate my authorization policy #3, the guest needs to enter his credentials many times...

Rule 1: if Network Access:UseCase EQUALS Guest Flow then Permitaccess

Rule 2: if (Wireless_MAB AND Radius:NAS-Identifier EQUALS Guest_corp) then Authprof_Guest_corp

Rule 3: if (Radius:NAS-Identifier EQUALS Guest_corp AND ldap_corp:ExternalGroups EQUALS cn=wfAcces,ou=ISE,ou=security,ou=groups,o=my.domain) then PermitAccess

In my Authprof_Guest_corp, I have my ACL, my redirect URL and the identity source sequence.

Removing my rule 3 fixes the issue, but I don't want ALL LDAP users to be able to access inet...

The Multiple Matched Rule Applies is selected.

Any idea what I am doing wrong? Or how I should do that?

1 ACCEPTED SOLUTION

Cisco Employee

Eric,

I tried something similar just yesterday with BYOD.

Does it really make sense to match multiple in your case?

By the looks of it linear processing should be OK.

Can you show us which policies you matched during authentication (Operation -> Authentications)?

M.

Beginner

There are several things which need to be checked in order to resolve this.

1.) Authentication Failure message indicates that the user’s credentials are invalid. Resolution: Check if the Active Directory user account and credentials that are used to connect to the Active Directory domain are correct.

2.) Test Bind to Server: Click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.

3.) Cisco ISE allows you to import MAC addresses and the associated profiles of endpoints securely from an LDAP server. You can use an LDAP server to import endpoints and the associated profiles, by using either the default port 389, or securely over SSL, by using the default port 636.


Thx, both of you.

My problem was with the Multi match... and the order of the auth policy.

Case closed

Thx