Using Guest Account for Device Policy Sets

Arie --
Level 1

Hello,

Has anyone ever tried the scenario below before?

I'm using Cisco ISE 2.3 for Device Administration (TACACS). One thing I want to try is using a Guest Account created from the Sponsor Portal in Device Policy Sets for Authentication and Authorization.

First, I created 2 Guest Types called: Monitor & Read Only

Second, I created an account from the Sponsor Portal and assigned it to the Read_Only Guest Type.

Third, I set up the Device Admin Policy Sets. Now, I focused on the Authorization Policy since the Authentication Policy works for me.

After I saved the policy above, I tried to test AAA on a Cisco Switch. Unfortunately, it fails on Authorization and gets the default Deny Shell Profile. Below is the result:

I still don't know why the Authorization policy rule doesn't work for IdentityGroup. Has anyone here ever tried this scenario before?

Thank you in advance

Arie

1 Accepted Solution

Arie --
Level 1

Hi,

I would like to report that there is a bug: CSCvh12508

It prevents the authorization rule from reading the guest database, and that's why my authorization rule doesn't work with the guest type identity group.

3 Replies

Hi

Please paste all details from your shell profile "ReadOnly_Profile_Cisco"

/
David

Hi,

This is the detail of "ReadOnly_Profile_Cisco"
