cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1528
Views
0
Helpful
7
Replies

Portal Cautivo and Sponsor Portal

nstr1
Level 1
Level 1

 

 

I have an ISE v 1.4, in which I have configured two captive portals and two portal sponsors. from the portal sponsor I am creating access users for the captive portal.

 

but at the moment I try to authenticate, it does not allow it and it shows me "authentication error" and the log says "5418 Guest Authentication Failed"

 

also check the time zone and it is without problem I add screens.

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee
Are you sure the accounts are active? Perhaps you have a time zone mismatch?

By default guests are created using San Jose time and unless you create more time zones

Example If my browser is in Boston and if I create an account it won’t work until 3 hrs later because the time doesn’t match

You can check this in the sponsor portal

Would also recommend moving to ISE 2.2 or waiting for 2.4 since ISE 1.4 is ending support

View solution in original post

7 Replies 7

Jason Kunst
Cisco Employee
Cisco Employee
Are you sure the accounts are active? Perhaps you have a time zone mismatch?

By default guests are created using San Jose time and unless you create more time zones

Example If my browser is in Boston and if I create an account it won’t work until 3 hrs later because the time doesn’t match

You can check this in the sponsor portal

Would also recommend moving to ISE 2.2 or waiting for 2.4 since ISE 1.4 is ending support

 

 

sure the account is active and also add a new time zone, I am doing the test from ISE locally. and if I'm in a different time zone. but they are also doing the test from the place where the ISE is located and it is the same place.

It doesn’t matter if same place

The default time zone chosen for a guest is PST. Unless you browser is in that time zone for account creation then it won’t work

If you created new location then make sure this is added to the sponsor group and that sponsor is in same group and choose your time zone of sponsor portal browser when creating account

Also to check you’re logging into a web portal with this account?

it already allows me to authenticate, but now the problem is that I have a new tab in the browser, and asks for the username and password again.

likely you have your authorization rules in the incorrect order.

 

 

for 1.4 there is a guide here : https://community.cisco.com/t5/security-documents/ise-wireless-guest-setup-guide-wizard/ta-p/3636078 don't use the wizard

 

if mab and guestflow then permit access

OR if mab and guestendpoint then permit access

if mab then redirect to guestportal

yes i have two portal sponsors use the same database. I have two portal sponsors one for parties and another for employees but I see, despite being two different portal sponsors, I see the accounts in the same

Correct the sponsor portal doesn’t determine what guests accounts can be seen

It’s up to what groups the sponsors are in. You can restrict what ad groups ldap attribute information allows access to the certain portals as well

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01111.html#concept_0C4E9B15B81B4FE0ACD61178815E4272