Solved: Using Guest Account for Device Policy Sets

Arie -- · ‎11-22-2017

Hello,

Does anyone ever try below scenario before?

I'm using Cisco ISE 2.3 for Device Administration (TACACS). One thing I want to try is using Guest Account created from Sponsor Portal to be using in Device Policy Sets for Authentication and Authorization.

First, I created 2 Guest Type called: Monitor & Read Only

Second, I created an account from Sponsor Portal and assigned in Read_Only Guest Type:

Third, I setup the Device Admin Policy Sets. Now, I focused on Authorization Policy since the Authentication Policy is work for me.

After I save the policy above, I tried to test AAA on a Cisco Switch. Unfortunately, it fails on Authorization and got default Deny Shell Profile. Below is the result:

I still don't know why the Authorization policy rule doesn't work for IdentityGroup. Does anyone here ever try this scenario before?

Thank you in advanced

Arie

Arie -- · ‎12-18-2017

Hi,

I would like to tell that there is a bug:

CSCvh12508

It makes authorization rule can't read the guest database and that's why my authorization rule doesn't work with guest type identity group.

View solution in original post

davidgranathkarlsson · ‎11-23-2017

Hi

Please paste all details from your shell profile "ReadOnly_Profile_Cisco"

/
David

Arie -- · ‎11-23-2017

Hi,

This is the detail of "ReadOnly_Profile_Cisco"

Arie -- · ‎12-18-2017

Hi,

I would like to tell that there is a bug:

CSCvh12508

It makes authorization rule can't read the guest database and that's why my authorization rule doesn't work with guest type identity group.

Using Guest Account for Device Policy Sets

CSCvh12508

CSCvh12508

Smart Licensing Using Policy の Online 方式でライセンスを適用する方法

Troubleshooting Guest Account Issues in Cisco ISE

Smart License using Policy (SLP)

Smart Licensing Using Policy の offline 方式でライセンス利用状況のレポーティングを行う方法

Doc - Smart Licensing using Policy en las plataformas Nexus