
Sponsor portal and internal users

tuva02100
Level 1

Hi

I have configured our ISE to use AD users as sponsors, and this works perfectly.

But I'm also trying to configure an internal user for the sponsor portal.

I have configured it almost the same way, so I don't understand why the ISE is reporting:
Sponsor authentication has failed : Sponsorgroup not found for user

My identity store is a sequence for AD and internal users, and I can see from the log that it looks in the right place:

Identity Store:

Internal Users

My condition is that the internal user should be a member of identity group: sponsorAllAccount

My identity group:

Identity Group:

SponsorAllAccount


and then get a created sponsor group. This sponsor group, which is allocated to the condition, works fine for the AD users.

Evaluating Identity Policy

5435 Sponsor authentication has failed

Any suggestions as to why? I'm now running the latest 1.1.1 version.

Br

Tuva


Tarik Admani
VIP Alumni

The username that you created in the internal database, is it the same username in AD? Therefore the username is present in AD but the password is different and therefore failing authentication?

Check the authentication report and see which user database that ISE checked before rejecting the user.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik

Thanks for the answer.

I'm certain that the user does not exist in the AD domain. Anyhow, then my log would tell me that the authentication failed because of wrong password!?

I can see from the log that the ISE is doing a lookup in the internal database.

This is output from the logging:

Identity Store:

Internal Users

I have made an identity store sequence with both AD and internal users.

Br

Tuva

Do you have the option "Treat as if the user was not found and proceed to the next store in the sequence" enabled?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi

I'm pretty sure (don't have the chance to confirm it 110% for sure), but on Monday I will be at the customer site again so I can check.

But I find it strange that the ISE does the lookup in the internal DB if this was not enabled.

The logging says that it is the sponsor group that the ISE can't find for the user.  

But the sponsorgroup is created and the user name has been "attached" to this sponsor group.

This sponsor group is also used by the AD users.

Thanks for your replies!

thanks,

It's much easier if you post screenshots of the authentication entry that fails.

Tarik Admani
*Please rate helpful posts*

Hi Tarik

Got the screenshots.

I added the file.

Br

Tuva

Tuva,

Attached are the default settings; move your condition from the right to the left and that should fix your issue.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik

Thanks for the reply.

I'm not sure if I understand you right.

From the right to the left? Is my condition wrong? : )

Br

Tuva

Yes,

For your internal groups use the preconfigured identity group condition on the left.

I don't know why this is an option on the left; it hasn't worked for me in authorization policies either.

Thanks

Sent from Cisco Technical Support iPad App

Hi Tarik

I would like to check if the guest user (not the sponsor user) is either in the local Identity Group OR the defined AD group. But the check on the left in the authorization rule is AND, or am I wrong?

If I checked it with two Authz single conditions (one for AD group OR one for Local group) then local users failed. Maybe I have to make two rules, like you can see here:

Thanks in advance and best regards

Dominic

Sent from Cisco Technical Support Android App

That is correct, this is the best way to configure this in my opinion and this is the method I use.

Tarik Admani
*Please rate helpful posts*

Hi Tarik

Thanks for your feedback.

Best regards

Dominic
