I do have a TAC case open about this, but after 3 days they have been unable to provide a solution. So looking here now too.
We have multiple Policy Sets for both wired and wireless using dot1x and MAB. All are working great. We also have a Guest + Employee Wireless.
When employees use this, they are instructed to sign in with only their username [IDENTITY]. If they try with @domain - [IDENTITY]@[DOMAIN], it doesn't work. It doesn't give any sort of reason why, there's no ISE logs for this attempt. But the captive portal just says "Error Loading Page". - And the next page that should appear is the AUP. Again, all this works fine when they only use their username and no @domain.
I tested user authentication with both formats (using the test user tool), and both test successfully. I can't seem to find a reason why one works, but the other doesn't. All our other policy sets using dot1x authenticate the user fine.
I understand it MIGHT be possible to use the rewrite tool, but 1) I'm afraid that might break something else that is working as it is now, and 2) still doesn't explain why it doesn't work as it is now.
Not sure what other info might be needed, or screenshots - but let me know and I'll see what I can share.
TY!