ISE Guest Portal Wrong authorization match for Linux OS endpoint

edwardonelife
Level 1

Scenario

We have Ubuntu Linux based guest users connecting to the wired network and authenticating using the guest portal.

In most cases the authorization matches the wrong authz policy as ISE doesn't seem to use the guest username and instead uses the endpoint mac address.

The Authorization policy condition is set to match the guest username to the correct user identity group.


What could be the root cause?

ISE v2.7p3


Successful authorization Log in ISE

11017 RADIUS created a new session - johndoe
24631 Looking up User in Internal Guests IDStore
24632 Found User in Internal Guests IDStore
24209 Looking up Endpoint in Internal Endpoints IDStore - johndoe
24211 Found Endpoint in Internal Endpoints IDStore

Unsuccessful authorization Log in ISE

11017 RADIUS created a new session - 00-16-45-00-00-00
24209 Looking up Endpoint in Internal Endpoints IDStore - johndoe
24211 Found Endpoint in Internal Endpoints IDStore
24209 Looking up Endpoint in Internal Endpoints IDStore - johndoe
24211 Found Endpoint in Internal Endpoints IDStore

3 Replies
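To find sessions showing the pattern in the two logs above (a session keyed by the endpoint MAC with no Internal Guests IDStore lookup), here is an added script that is not part of the original post and not Cisco's code; it parses step logs in the form quoted above, using the step codes quoted in the post (11017, 24631, 24632), and the sample log text is constructed here.

```python
import re

# Constructed sample logs in the step-code form quoted in the post (not real ISE exports).
GOOD_SESSION = """\
11017 RADIUS created a new session - johndoe
24631 Looking up User in Internal Guests IDStore
24632 Found User in Internal Guests IDStore
24209 Looking up Endpoint in Internal Endpoints IDStore - johndoe
24211 Found Endpoint in Internal Endpoints IDStore
"""
BAD_SESSION = """\
11017 RADIUS created a new session - 00-16-45-00-00-00
24209 Looking up Endpoint in Internal Endpoints IDStore - johndoe
24211 Found Endpoint in Internal Endpoints IDStore
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s*(.*?)\s*$")               # "24631 Looking up ..."
SESSION_RE = re.compile(r"created a new session\s*-\s*(\S+)")  # identity on step 11017
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")
GUEST_LOOKUP, GUEST_FOUND = "24631", "24632"  # Internal Guests IDStore steps from the post


def parse_steps(log_text):
    """Split ISE step-log text into (step_code, message) pairs, skipping blank lines."""
    steps = []
    for line in log_text.splitlines():
        m = STEP_RE.match(line)
        if m and m.group(2):
            steps.append((m.group(1), m.group(2)))
    return steps


def classify_session(log_text):
    """Flag a session keyed by MAC address that never consulted the Internal Guests store."""
    steps = parse_steps(log_text)
    codes = {code for code, _ in steps}
    identity = None
    for code, msg in steps:
        if code == "11017":
            m = SESSION_RE.search(msg)
            identity = m.group(1) if m else None
            break
    identity_is_mac = bool(identity and MAC_RE.match(identity))
    guest_user_found = GUEST_LOOKUP in codes and GUEST_FOUND in codes
    # Symptom from the post: identity is the MAC and no guest user lookup ran, so an
    # IdentityGroup:Name condition on the guest type has nothing to match against.
    return {
        "identity": identity,
        "identity_is_mac": identity_is_mac,
        "guest_user_found": guest_user_found,
        "suspect": identity_is_mac and not guest_user_found,
    }
```

Run it over the step details of each failed session exported from Live Logs to see which ones never touched the guest identity store before authorization.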

Greg Gibbs
Cisco Employee

I'm not sure what you mean by "Authorization policy condition is set to match the guest username to the correct user identity group."

I would suggest comparing your environment and policy configuration against the Guest Access Prescriptive Deployment Guide.

If you still need help, please provide more information and screenshots of your Authentication and Authorization Policies and other relevant configuration elements.

Hi Gibbs,

After logging in to the Guest portal, we are expecting the below condition to match so that the correct authZ profile is assigned to the guest.

IdentityGroup:Name EQUALS User Identity Groups:GuestType_Contractor_ABC

Basically we are checking if user johndoe is in GuestType_Contractor_ABC identity group. This condition is not being matched during the GuestFlow process from my analysis.


Successful Match - Queried PIP.Guest.UserName can be seen

[Screenshot: success.png]


Unsuccessful Match - Queried PIP.Guest.UserName is NOT seen

[Screenshot: unsuccess.png]


This is a production environment and has been working fine apart from Linux guest machines which are a hit-and-miss.

I have used the GuestType matching condition in multiple customer environments (with the Remember Me option) and I don't recall any issues with it.

Does this happen after a period of time (like after a periodic reauth) or can you consistently duplicate the issue?

What other matching conditions would make the guest endpoint hit an AuthZ Policy for a Contractor instead of hitting your default guest redirect policy?

If you delete the endpoint from ISE and reconnect, does the guest flow work again? If so, there could be some issue with the endpoint getting put into an Endpoint Identity Group automatically that's being matched on a diff AuthZ Policy.

There's still not enough info to provide any meaningful assistance. I would suggest opening a TAC case to investigate further.