Unusual BYOD/ Guest Use Case

Gordon McKay (Cisco Employee)

Apologies in advance for the length of post:-


I have a Partner running a PoC for ISE in an unusual customer environment. This is an issue they've run into, which I think probably falls into the category "working as expected", but if anyone has a better idea I'd like to hear it.


"

Guest/”BYOD”

  • They want employees to be able to login to guest portal with AD credentials and get access – this works fine (bog standard setup)
  • They are using an open SSID and CWA to do this
  • If disconnect and reconnect from the wireless there are no problems (as you’d expect – Employees get five days or something like that)
  • However, they also have a requirement that the same device may need to connect to the “BYOD” (not BYOD in terms of ISE workflow – just an EAP protected SSID basically) using PEAP – again, this works fine. The user enters credentials and all works ok
  • However, the problem comes when that same device then needs to flick back to the unencrypted guest SSID. Basically it seems like the dot1x auth session overrides the DB on ISE for that MAC to cause it to lose “guest” status (i.e. the rule with use case guest flow never gets hit). Which kind of makes sense – it isn’t a scenario you often come across
  • The only workaround I could come up with was to use the guest registration to add the MAC to a static identity group and then use membership of this MAB group in the guest Internet rule. This works fine, but the problem they have with it is you lose the identity then in the logs. i.e.
    • Connect first time to open SSID, register and use Internet – live logs show identity of firstname.surname
    • Connect to the EAP SSID – live logs show identity of firstname.surname
    • Connect back to the open SSID (and hit the rule which references the MAB group, NOT use case guest) – access works but the identity is just the MAC address


Appreciate it is a bit of a weird one, but that is the only workaround I could come up with (which they may find suitable as there is still a log somewhere of the username to MAC, you just have to search in reports). Just figured I’d reach out to you on the off chance you’ve seen similar or had any other ideas I hadn’t thought of (BYOD no go – don’t want NSP or certs etc. on the device from ISE)"


Thanks

Accepted Solution

Arne Bier (VIP)

Hi Gordon


It's not that strange of a scenario, and I fully get where you're coming from. As Jason was mentioning, the version of ISE is a bit crucial here because there have been some enhancements around the RememberMe feature. A returning Guest user whose WLC guest session has ended will indeed be presented as User-Name=MAC_ADDR, which is ugly and hopefully Cisco will fix this one day. The fix is trivial because ISE already has the mapping of that MAC_ADDR <-> User_Identity; the proof of that statement is that ISE will now report the true identity in the LiveLogs and RADIUS Reports. That means your ISE operations team will be happy and can see who that Guest user is.

However, the part that is still broken is the RADIUS protocol part for RememberMe in the case where there is no web redirection: ISE will always return the MAB auth request to the NAS with User-Name=MAC_ADDR, which means your WLC/NAS will display the MAC address and not the username. If only ISE would overwrite the User-Name with the guest identity then we could put that issue to bed. It has further implications for RADIUS Accounting because the User-Name in accounting also contains the MAC address (might break things if you rely on accounting).

The cosmetic "fix" is in ISE 2.4 and I can vouch for that. It's like putting lipstick on a bulldog :-)

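Both the original post (the MAB-group workaround leaves only the MAC in the live logs) and the accepted answer (RememberMe/MAB requests and their accounting carry User-Name=MAC_ADDR) come down to the same operational gap: someone has to map a MAC back to the guest who registered it. The script below is an added example, not code from the thread, from Cisco or from ISE; it rebuilds that mapping from the earlier guest-portal and PEAP authentications (where User-Name is the real identity and Calling-Station-ID is the MAC) and stamps it onto later entries whose User-Name is just a MAC. The record layout and field names (`timestamp`, `user_name`, `calling_station_id`, `access`) are a simplified assumption standing in for an ISE RADIUS report export, and the log entries are constructed to mirror the connect sequence in the original post.

```python
"""Added example (not part of the original thread): recover the guest identity behind
MAB/RememberMe log entries whose User-Name is only the device MAC address.

Field names and record layout are an assumption, not ISE's real export schema.
"""
from datetime import datetime, timedelta
import re

# The separator styles a WLC, a switch and ISE may each use for the same MAC.
_MAC_FORMS = re.compile(
    r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"     # 00:11:22:33:44:55 or 00-11-22-33-44-55
    r"|[0-9a-f]{12}"                         # 001122334455
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"      # 0011.2233.4455 (Cisco dotted form)
)


def normalize_mac(value):
    """Canonicalise a MAC to lowercase colon form; return None if value is not a MAC.

    User-Name and Calling-Station-ID do not always arrive with the same separators,
    so every comparison in this module goes through this function.
    """
    if not isinstance(value, str):
        return None
    cleaned = value.strip().lower()
    if not _MAC_FORMS.fullmatch(cleaned):
        return None
    digits = re.sub(r"[^0-9a-f]", "", cleaned)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def enrich(records, remember_days=5):
    """Attach the last identity seen for a MAC to later records whose User-Name is that MAC.

    records: dicts with 'timestamp' (ISO 8601), 'user_name', 'calling_station_id', 'access'.
    Returns a new, time-ordered list with 'resolved_identity' and 'resolution' added.
    remember_days mirrors the guest account's RememberMe lifetime: beyond it the old
    mapping is reported as stale rather than silently reused.
    """
    window = timedelta(days=remember_days)
    last_identity = {}   # canonical MAC -> (identity, datetime it was last seen)
    out = []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        when = datetime.fromisoformat(rec["timestamp"])
        mac = normalize_mac(rec["calling_station_id"])
        user = rec["user_name"]
        enriched = dict(rec)
        if normalize_mac(user) is None:
            # A real identity (guest portal or PEAP) authenticated from this MAC:
            # refresh the mapping. This trusts the MAC as a device identifier, which
            # a shared device or one with MAC randomisation will break.
            if mac is not None:
                last_identity[mac] = (user, when)
            enriched["resolved_identity"] = user
            enriched["resolution"] = "authenticated"
        else:
            # MAB / RememberMe entry: User-Name is just the MAC, look it up.
            known = last_identity.get(mac)
            if known is None:
                enriched["resolved_identity"] = None
                enriched["resolution"] = "unknown-mac"
            elif when - known[1] > window:
                enriched["resolved_identity"] = None
                enriched["resolution"] = "stale"
            else:
                enriched["resolved_identity"] = known[0]
                enriched["resolution"] = "resolved"
        out.append(enriched)
    return out


# Constructed records following the sequence in the original post: guest portal on the
# open SSID, PEAP on the EAP SSID, back to the open SSID via the MAB identity group.
SAMPLE_RECORDS = [
    {"timestamp": "2019-03-01T09:00:00", "user_name": "firstname.surname",
     "calling_station_id": "00:11:22:33:44:55", "access": "guest-portal-cwa"},
    {"timestamp": "2019-03-01T13:00:00", "user_name": "firstname.surname",
     "calling_station_id": "00-11-22-33-44-55", "access": "peap"},
    {"timestamp": "2019-03-02T08:30:00", "user_name": "00-11-22-33-44-55",
     "calling_station_id": "00-11-22-33-44-55", "access": "mab"},
    {"timestamp": "2019-03-02T08:45:00", "user_name": "aa-bb-cc-dd-ee-ff",
     "calling_station_id": "aa-bb-cc-dd-ee-ff", "access": "mab"},   # never registered
    {"timestamp": "2019-03-09T10:00:00", "user_name": "00-11-22-33-44-55",
     "calling_station_id": "00-11-22-33-44-55", "access": "mab"},   # past the 5-day window
]

if __name__ == "__main__":
    for r in enrich(SAMPLE_RECORDS):
        print(r["timestamp"], r["access"], r["user_name"], "->",
              r["resolved_identity"], f"({r['resolution']})")
```

The `unknown-mac` and `stale` outcomes are the cases worth alerting on rather than papering over: a MAC that is hitting the MAB-group rule without any registration on record, or one whose registration is older than the guest account lifetime, is exactly the situation where the workaround has granted access on the strength of a MAC alone.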

2 Replies

Jason Kunst (Cisco Employee)
