03-26-2013 11:56 PM - edited 03-10-2019 08:14 PM
Hello all,
I am trying to set up 'guest' access for known people... I mean, the validation of the credentials is made against an LDAP server. User accounts are created there, and inside a wfacces group.
My problem is when I activate my authorization policy #3, the guest needs to enter his credentials many times...
Rule 1: if Network Access:UseCase EQUALS Guest Flow then PermitAccess
Rule 2: if (Wireless_MAB AND Radius:NAS-Identifier EQUALS Guest_corp) then Authprof_Guest_corp
Rule 3: if (Radius:NAS-Identifier EQUALS Guest_corp AND ldap_corp:ExternalGroups EQUALS cn=wfAcces,ou=ISE,ou=security,ou=groups,o=my.domain) then PermitAccess
In my Authprof_Guest_corp, I have my ACL, my redirect URL and the identity source sequence.
Removing my rule 3 fixes the issue, but I don't want ALL LDAP users to be able to access the internet...
The "Multiple Matched Rule Applies" option is selected.
Any idea what I am doing wrong? Or how I should do that?
03-27-2013 01:31 AM
Eric,
I tried something similar just yesterday with BYOD.
Does it really make sense to match multiple in your case?
By the looks of it linear processing should be OK.
Can you show us which policies you matched during authentication (Operation -> Authentications)?
M.
04-10-2013 11:02 AM
There are several things which need to be checked in order to resolve this.
1.) Authentication Failure: this message indicates that the user's credentials are invalid. Resolution: check if the Active Directory user account and credentials that are used to connect to the Active Directory domain are correct.
2.) Test Bind to Server: click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.
3.) Cisco ISE allows you to import MAC addresses and the associated profiles of endpoints securely from an LDAP server. You can use an LDAP server to import endpoints and the associated profiles, by using either the default port 389, or securely over SSL, by using the default port 636.
04-10-2013 01:26 PM
Thanks, both of you.
My problem was with the Multi match... and the order of the auth policy.
Case closed.
Thanks
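To make the resolution concrete, here is an added toy model (not Cisco ISE code, and not posted by anyone in the thread) that evaluates the three rules from the original question under first-match ("linear") processing and under multiple-match processing. The rule engine, the session attribute dictionaries and the way `Wireless_MAB` is reduced to a boolean attribute are all simplifications constructed for illustration; real ISE combines matched authorization profiles in its own way, so the model only shows why a redirect profile and a permit profile can both be selected for the same guest session when multiple match is on and rule order is not used to stop evaluation.

```python
"""Simplified ISE-style authorization rule evaluation (constructed example).

Demonstrates the difference between first-match and multiple-match processing
for the three rules quoted in the thread. Everything here is a toy model.
"""
from dataclasses import dataclass

# The LDAP group DN from the original rule 3 (copied from the thread).
WFACCES_DN = "cn=wfAcces,ou=ISE,ou=security,ou=groups,o=my.domain"
DEFAULT_RESULT = "DenyAccess"  # assumed default rule when nothing matches


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple  # (attribute, expected) pairs; all must hold (AND)
    result: str        # authorization profile applied when the rule matches


def matches(rule: Rule, session: dict) -> bool:
    """True when every condition of the rule holds for the session.

    Multi-valued attributes (e.g. external group memberships) are sets, and
    an EQUALS test on them means 'contains'.
    """
    for attr, expected in rule.conditions:
        value = session.get(attr)
        if isinstance(value, (set, frozenset, list, tuple)):
            if expected not in value:
                return False
        elif value != expected:
            return False
    return True


def evaluate(rules: list, session: dict, multiple_match: bool = False) -> list:
    """Return the authorization profiles selected for a session.

    First-match: the first matching rule in order wins and evaluation stops.
    Multiple-match (toy version): every matching rule contributes its profile.
    """
    matched = [r.result for r in rules if matches(r, session)]
    if not matched:
        return [DEFAULT_RESULT]
    return matched if multiple_match else matched[:1]


# The three rules as posted, in the order the original poster listed them.
# Wireless_MAB is modelled as a plain boolean attribute (simplification).
RULES = [
    Rule("Rule 1", (("Network Access:UseCase", "Guest Flow"),), "PermitAccess"),
    Rule("Rule 2", (("Wireless_MAB", True),
                    ("Radius:NAS-Identifier", "Guest_corp")), "Authprof_Guest_corp"),
    Rule("Rule 3", (("Radius:NAS-Identifier", "Guest_corp"),
                    ("ldap_corp:ExternalGroups", WFACCES_DN)), "PermitAccess"),
]

# Constructed sessions (not real logs) covering the stages of a guest login.
SESSIONS = {
    # MAB request from the Guest_corp controller before the guest has logged in.
    "mab_before_login": {
        "Wireless_MAB": True,
        "Radius:NAS-Identifier": "Guest_corp",
    },
    # Same endpoint after portal login: UseCase is Guest Flow and the LDAP
    # lookup returned the wfAcces group, so rules 1, 2 and 3 all match.
    "guest_after_login": {
        "Network Access:UseCase": "Guest Flow",
        "Wireless_MAB": True,
        "Radius:NAS-Identifier": "Guest_corp",
        "ldap_corp:ExternalGroups": frozenset({WFACCES_DN}),
    },
    # An LDAP user from the same controller who is not in wfAcces and is not
    # in the guest flow: rule 3 is what keeps this user out.
    "ldap_user_not_in_group": {
        "Wireless_MAB": False,
        "Radius:NAS-Identifier": "Guest_corp",
        "ldap_corp:ExternalGroups": frozenset({"cn=staff,ou=groups,o=my.domain"}),
    },
}


if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(f"{name}:")
        print("  first-match     ->", evaluate(RULES, session))
        print("  multiple-match  ->", evaluate(RULES, session, multiple_match=True))
```

Under first-match, the logged-in guest gets only `PermitAccess` from rule 1, while under the toy multiple-match mode the redirect profile `Authprof_Guest_corp` from rule 2 is still selected alongside the permits, which is the kind of conflict that sends a guest back through the portal. The third session shows that rule 3, kept in place, still restricts plain LDAP users to the wfAcces group rather than opening access to every LDAP account.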