Unexpected Change of Identity group assignment

osama_masoud
Level 1

Dears,

We are facing an issue after assigning an endpoint to the wireless profiler policy group we created: it works for about 5 minutes or so, then it gets changed automatically to a different identity group called GuestEndpoints.

To give you an insight into what is implemented, we have a wireless profiler policy for users that need to connect using their smartphones. We add their MAC addresses as endpoints, then assign them to the wireless profiler we created; then they connect and enter the credentials given to them to access the internet.

The issue, as stated above: the statically assigned endpoint profiler policy gets changed, with no intervention, to a different identity group.

I have tried the below:

• Assigned both the endpoint policy and the identity group to the Wireless Profiler policy
• Added the customer SSID to the authorization condition (when the ID equals the SSID in the endpoint's calling request)
• Changed the order of authorization so the wireless rule is checked first, since the logs indicate that wireless endpoints are matching an authorization condition that precedes the wireless condition

I would highly appreciate any other ideas.

Thank you

Regards,


Joseph Johnson
Level 1

Are they entering their credentials into a guest portal? If so, that's why they are reassigned.

What do your authorization rules look like for the connections? Are you assigning a rule based on the MAB group to allow them access without having to go through a portal?

Yes, they enter their credentials in the portal to get access.

Authorization rules as below:

Wireless profiler policy where we assign the devices; Wireless-Guest refers to allowing wireless connections only, and Wireless_CWA is the portal that they get.

This is one example of an endpoint that used to be assigned to the wireless profiler and was changed to GuestEndpoints; it is now denied access:

RADIUS created a new session
Detected Host Lookup UseCase (Service-Type = Call Check (10))
Evaluating Policy Group
Evaluating Service Selection Policy
Queried PIP
Queried PIP
Matched rule
Evaluating Identity Policy
Matched Default Rule
Selected Identity Source - Internal Endpoints
Looking up Endpoint in Internal Endpoints IDStore - D8:BB:2C:4C:54:C1
Found Endpoint in Internal Endpoints IDStore
Authentication Passed
Evaluating Authorization Policy
Queried PIP
Looking up user in Active Directory - D8:BB:2C:4C:54:C1
Resolving identity
Search for matching accounts at join point
No matching account found in forest
Identity resolution detected no matching account
Identity resolution failed
User not found in Active Directory
Queried PIP
Queried PIP
Queried PIP
Queried PIP
Queried PIP
Queried PIP
Queried PIP
Queried PIP
Queried PIP
Queried PIP
Queried PIP
Queried PIP
Matched rule - Default
Selected Authorization Profile - DenyAccess
Rejected per authorization profile
Returned RADIUS Access-Reject
Endpoint conducted several failed authentications of the same scenario

Thank you,

Please let me know if further info is needed.

I'm willing to bet your guest portal is set to automatically register the guest devices and that's why they are being dropped into a different endpoint identity group once they login.

Try one of the following:

1. Remove the checkmark to automatically register guest devices in the portal settings.

2. Change the rule so that if the known device is in one of those endpoint groups the device is granted access to the guest network without having to access the portal.

3. Create a rule that allows guest access based on the login name. This would still limit access because you are only allowing certain devices access to the login page. You would also need a new rule for the guest endpoint devices group (grant access) as well so they can access the network when reauth is required.

The deny access result is expected if you have no rules granting access to devices in the guest endpoint devices group or the default rule doesn't redirect to the login portal for registration (or sponsored login).
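The mechanism Joseph describes (the portal moves the endpoint into another identity group, and on reauthentication the first-match authorization policy no longer has a rule for it, so it falls to Default/DenyAccess) can be modelled with a short simulation. This is an added example, not code from the thread or from Cisco ISE; the rule, group and profile names are constructed to mirror the thread, and the guest-type registration group is a parameter so both the original behaviour and the two fixes discussed can be compared.

```python
# Added model of ISE-style first-match authorization for the scenario in this
# thread. Names are constructed for illustration, not exported from a real ISE.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Endpoint:
    mac: str
    identity_group: str   # an endpoint belongs to exactly one endpoint identity group

@dataclass
class Rule:
    name: str
    identity_group: Optional[str]   # None marks the Default (catch-all) rule
    profile: str                    # authorization profile selected on match

def authorize(ep: Endpoint, policy: List[Rule]) -> Tuple[str, str]:
    """Walk the rules top to bottom; the first rule whose condition holds wins."""
    for rule in policy:
        if rule.identity_group is None or rule.identity_group == ep.identity_group:
            return rule.name, rule.profile
    raise ValueError("policy has no Default rule")

def portal_register(ep: Endpoint, guest_type_group: str) -> None:
    """'Automatically register guest devices': the portal moves the endpoint into
    the identity group set on the guest type, overwriting the static assignment."""
    ep.identity_group = guest_type_group

def guest_session(policy: List[Rule], guest_type_group: str = "GuestEndpoints"):
    """One connect with portal login, then the reauthentication a few minutes later."""
    ep = Endpoint("D8:BB:2C:4C:54:C1", "Wireless Profiler")   # MAC quoted in the thread
    first = authorize(ep, policy)
    if first[1] == "Wireless_CWA":        # CWA profile: user is sent to the portal
        portal_register(ep, guest_type_group)
    reauth = authorize(ep, policy)        # evaluated again with the (possibly new) group
    return first, reauth

# Policy as the OP described it: only the statically assigned group reaches the portal.
ORIGINAL = [
    Rule("Wireless_CWA", "Wireless Profiler", "Wireless_CWA"),
    Rule("Default", None, "DenyAccess"),
]
# Joseph's suggestion: registered guest devices are permitted without the portal.
WITH_GUEST_RULE = [Rule("Registered_Guest_Devices", "GuestEndpoints", "PermitAccess"), *ORIGINAL]

if __name__ == "__main__":
    print("original:", guest_session(ORIGINAL))                      # reauth -> DenyAccess
    print("guest-group rule:", guest_session(WITH_GUEST_RULE))       # reauth -> PermitAccess
    print("guest type keeps group:", guest_session(ORIGINAL, "Wireless Profiler"))  # CWA again
```

The third run shows what happens when the guest type is changed to keep endpoints in the Wireless Profiler group: access is no longer denied, but every reauthentication matches the CWA rule again and the user is sent back to the portal.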

Joseph, thank you for your suggestions. I solved it by changing the guest_type settings to store information in the endpoint group Wireless Profiler that was created automatically when creating the wireless profiler policy.

Now I really need to apply your suggestion, which is changing the rule so that if the user has already authenticated, even if the session has timed out, he will never face the portal login page again, since it is irritating all users: after almost 5 minutes, the portal login pops up.

Thanks again