ISE3.2- Self-registration users cannot be updated in GuestEndpoints

Magret
Level 1

Self-registration users cannot be updated in GuestEndpoints after users pass authentications. And CoA cannot be triggered.

I read this article: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216191-troubleshoot-common-cisco-ise-guest-acce.html

It seems that CoA will be triggered automatically after self-registration users pass authentication.

I did all the config according to this article: https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-ise-captive-portals-with-aruba-wireless/ta-p/4633904

Can anyone explain the logic behind this and find out why this issue happens?

Best Regards

Magret

7 Replies

Arne Bier
VIP

Your screenshots are not very helpful - without the details (i.e. we need more than seeing a red "failed" icon), it's impossible to tell what's gone wrong. Show us the details, and then also prove to us that the CoA was sent by ISE, and acknowledged by the Aruba AP. A tcpdump on ISE is a good place to start.

Magret
Level 1

Actually the current issue is that portal user cannot be put into GuestEndpoint, which then cannot trigger coa profile.

Magret_0-1742199378913.png

 

The problem description was clear from your first posting. But if you want assistance with finding the cause, then please supply us with some data to investigate. None of us here are clairvoyant.

  • Screenshots of your ISE Policy Set
    • Authentication ... (show the action for "If user not found" also)
    • Authorization 
  • Screenshots of your Guest Type
  • tcpdump of the RADIUS traffic before, during and after a user attempts to log into the portal (we want to see the Access-Request MAB to ISE, and the responses to the NAD (hopefully the URL redirect), and then any other RADIUS traffic thereafter)
  • Live logs details of the MAB session
  • Operations / Reports relating to Guest Portal - there are a few Reports to choose from - I can't remember which one 
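
The check requested in this reply (was a CoA-Request sent, and did the NAD acknowledge it) can be run over the RADIUS UDP payloads taken from a capture, in capture order. This is an added example, not part of the original thread and not Cisco or Aruba code; the function names are hypothetical and the sample packets are constructed.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
CALLING_STATION_ID, ERROR_CAUSE = 31, 101  # attribute types (RFC 2865 / RFC 5176)

def parse_radius(payload: bytes) -> dict:
    """Decode the RADIUS header and the attributes relevant to CoA checks."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("bad RADIUS length field")
    pkt = {"code": CODES.get(code, f"code-{code}"), "id": ident,
           "mac": None, "error_cause": None}
    pos = 20
    while pos + 2 <= length:  # walk the type/length/value attributes
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        value = payload[pos + 2:pos + a_len]
        if a_type == CALLING_STATION_ID:
            pkt["mac"] = value.decode("ascii", "replace")
        elif a_type == ERROR_CAUSE and len(value) == 4:
            pkt["error_cause"] = struct.unpack("!I", value)[0]
        pos += a_len
    return pkt

def coa_status(payloads: list) -> str:
    """Report whether a CoA-Request appears and how the NAD answered it."""
    pending, result = set(), "no CoA-Request in capture"
    for pkt in map(parse_radius, payloads):
        if pkt["code"] == "CoA-Request":
            pending.add(pkt["id"])
            result = "CoA-Request sent, no reply"
        elif pkt["id"] in pending and pkt["code"] == "CoA-ACK":
            result = "CoA acknowledged"
        elif pkt["id"] in pending and pkt["code"] == "CoA-NAK":
            result = f"CoA rejected, Error-Cause {pkt['error_cause']}"
    return result

def build(code, ident, attrs=()):  # constructed sample payload, zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

MAC = b"AA-BB-CC-DD-EE-FF"  # constructed endpoint MAC
NO_COA = [build(1, 7, [(31, MAC)]), build(2, 7)]  # MAB request and accept only
WITH_ACK = NO_COA + [build(43, 9, [(31, MAC)]), build(44, 9)]
WITH_NAK = NO_COA + [build(43, 9, [(31, MAC)]),
                     build(45, 9, [(101, struct.pack("!I", 503))])]
```

A result of "no CoA-Request in capture" points at the ISE side (the endpoint never triggered a CoA), while a CoA-NAK with an Error-Cause points at the NAD; 503 is "Session Context Not Found" in RFC 5176.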

 

 

Magret
Level 1

Thanks for the reminder.

  • The policy set details are as below:

Magret_4-1743478370387.png

 

  • Authentication:

Magret_5-1743478391274.png

 

  • Authorization Policy:

Magret_6-1743478413659.png

 

  • Guest Type:

Magret_7-1743478443722.png

  • Session log: I also attached detailed info as PDF
 

Magret_11-1743478688000.png

 

 

  • TCP dump: I started the tcpdump first and then connected to the SSID. After the device popped up the login page, I registered a new account and logged in, then I stopped the tcpdump. The strange thing is that I didn't see any RADIUS-related packets in the tcpdump. However, I can see the RADIUS request in the NAS (Aruba controller) packet capture.

Magret_8-1743478636453.png

Magret_9-1743478667219.png

 

I attached Guest report as CSV type.

 

 

 

 

In your ISE Guest Type definition, you show that you're using Identity Group 'GuestEndpoints' - which means that if a guest logs into the portal and provides the correct creds, then their MAC address gets added to GuestEndpoints. However, in the 'Session log - Guest auth.pdf' I see another Endpoint Identity Group mentioned - "GuestType_Guest-Daily" - since your Authorization Rule mentions 'GuestEndpoints' as the Group for which you want to grant access, you need to use this Group. Where does "GuestType_Guest-Daily" fit into the picture?

Guest Type_Guest-Daily as below:

Magret_0-1743989562639.png

 

Ok I see now - the confusion was because in the Live Logs details, a successful authentication shows the User Identity Group, which ISE creates for you internally - always has the prefix "GuestType_".  I thought I was looking at the Endpoint Identity Group.  Those are two different things. So your output looks ok.

I can't tell what the issue might be.