06-04-2012 03:01 AM - edited 03-10-2019 07:09 PM
I have a question concerning the guest store on the ISE.
I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
Has anyone already implemented a similar solution or any idea how to access the guest store?
Thanks
Thomas
Solved! Go to Solution.
06-05-2012 09:55 AM
The ActivatedGuest capability is available in the next release of ISE: - 1.1 MnR that should be FCS in next month
In the meantime, what is required to activate a guest is for them to login to the guest portal. Once this login is performed then the guest is Activated for RADIUS access. The "Not Used" option is used to determine whether the guest needs to accept the Acceptable Use Policy on login to the guets portal,
I think the URL for the guest portal is https://ISE:8443/guestportal/portal.jsp
.
06-04-2012 10:59 AM
The internal user store does include the guest store. I suggest to look at live authentications and see if guest logins are in fact making it to the box and if so see the failure reason when the guest logs in
06-04-2012 12:09 PM
The local identity store will not contain the guest users. Those are created within the sponsor portal (unless self registration). if you create a guest account in 1.1 (dont know if 1.0.4 vs 1.1 is different here) it will not appear under the local identity store.
06-04-2012 12:37 PM
I agree that if you create a guest account you can not see it qhen looking at the list of users in the internal users store. However, if you want to authenticate a guest you need to select "Internal Users" as result in authenticaiton policy
I confirmed this as follows:
- create a guest user
- select "Internal Users" as result in authentication policy
>>>> authentication succeeds
- select different indentity store as result in authentication policy and authentication fails
06-05-2012 01:36 AM
I just created a simple setup and tested the login.
It doesn't work with a user created as a guest account.
If I create the user in the normal internal identity store I works fine.
Might there be a difference between ISE Versions?
We are currently using Version 1.1.0.665 on a VM for testing purpose.
This is what the details show:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - tuser001
24206 User disabled
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - tuser001
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - Guest
11022 Added the dACL specified in the Authorization Profile
11002 Returned RADIUS Access-Accept
06-05-2012 07:28 AM
I am looking at a 1.1 system and running same test. when create a guest have the option to select the Group Role. If select the option of "Guest" you will see the behavior above and guest will be initially disabled and require activation.
However, if slect "ActivatedGuest" then the guest will created in an enabled state and will be able to login with this guest user name
06-05-2012 08:00 AM
The initial setup doesn't have a Group Role called "ActivatedGuest", there is only the "Guest" role.
I created another role but I can't see any difference between the two roles. They just match the guest user to a corresponding group in the internal identity store.
The created user is in state "Awaiting Initial Login". I can't find any hint for an enable or disable state or how to change this state in a different Group Role.
06-05-2012 08:22 AM
When the user is in the "Awaiting Initial Login" state they must first login through the Guest portal and ack the Acceptable Use Policy (AUP) to make the guest active
I am in fact looking on a later version than 1.1 (sorry for that) and see options under "Multi-Portal Configurations" to define whether guest users need to agree to an acceptable use policy. Do not know whether same option exists on 1.1 and will see how to avoid this state in 1.1
06-05-2012 08:35 AM
This option also exists in the version i'm using. I already set it to "Not Used" but the user stays in the
"Awaiting Initial Login" state.
06-05-2012 09:55 AM
The ActivatedGuest capability is available in the next release of ISE: - 1.1 MnR that should be FCS in next month
In the meantime, what is required to activate a guest is for them to login to the guest portal. Once this login is performed then the guest is Activated for RADIUS access. The "Not Used" option is used to determine whether the guest needs to accept the Acceptable Use Policy on login to the guets portal,
I think the URL for the guest portal is https://ISE:8443/guestportal/portal.jsp
.
06-06-2012 02:33 AM
Thanks a lot!
That should solve my problem.
12-10-2012 01:20 AM
This seems to be the same issue with ISE version 1.1.2.145
Any fix to this ?
Regards Rasmus
12-12-2012 07:51 AM
I don't have any problems with this issue. The new group "ActivatedGuest" which was implemented with version 1.1.1 is still working with 1.1.2.145.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide