
Using ISE guest store via RADIUS

ThoDoepke
Level 1

I have a question concerning the guest store on the ISE.

I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
Has anyone already implemented a similar solution or any idea how to access the guest store?

Thanks

Thomas


jrabinow
Level 7

The internal user store does include the guest store. I suggest looking at live authentications to see if guest logins are in fact making it to the box and, if so, the failure reason when the guest logs in.

The local identity store will not contain the guest users. Those are created within the sponsor portal (unless self registration). If you create a guest account in 1.1 (don't know if 1.0.4 vs 1.1 is different here) it will not appear under the local identity store.

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674

I agree that if you create a guest account you cannot see it when looking at the list of users in the internal users store. However, if you want to authenticate a guest you need to select "Internal Users" as result in the authentication policy.

I confirmed this as follows:

- create a guest user

- select "Internal Users" as result in authentication policy

>>>> authentication succeeds

- select a different identity store as result in authentication policy and authentication fails

I just created a simple setup and tested the login.

It doesn't work with a user created as a guest account.

If I create the user in the normal internal identity store it works fine.

Might there be a difference between ISE Versions?

We are currently using Version 1.1.0.665 on a VM for testing purposes.

This is what the details show:

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15048  Queried PIP

15048  Queried PIP

15004  Matched rule

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - Internal Users

24210  Looking up User in Internal Users IDStore - tuser001

24206  User disabled

22057  The advanced option that is configured for a failed authentication request is used

22061  The 'Reject' advanced option is configured in case of a failed authentication request

11003  Returned RADIUS Access-Reject

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15048  Queried PIP

15048  Queried PIP

15004  Matched rule

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - Internal Users

24210  Looking up User in Internal Users IDStore - tuser001

24212  Found User in Internal Users IDStore

22037  Authentication Passed

Evaluating Authorization Policy

15004  Matched rule

15016  Selected Authorization Profile - Guest

11022  Added the dACL specified in the Authorization Profile

11002  Returned RADIUS Access-Accept
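Added example, not part of the original post and not Cisco code: a short Python parser for step listings like the two above, which splits them into requests and reports the identity-store verdict that follows the 24210 lookup. The function names are hypothetical, and reading 24206 as "guest not yet activated" follows the replies in this thread.

```python
import re

# Subset of the steps in the two traces above, copied as posted.
TRACE = """\
11001  Received RADIUS Access-Request
15013  Selected Identity Store - Internal Users
24210  Looking up User in Internal Users IDStore - tuser001
24206  User disabled
11003  Returned RADIUS Access-Reject
11001  Received RADIUS Access-Request
15013  Selected Identity Store - Internal Users
24210  Looking up User in Internal Users IDStore - tuser001
24212  Found User in Internal Users IDStore
22037  Authentication Passed
11002  Returned RADIUS Access-Accept
"""

STEP = re.compile(r"^(\d{5})\s+(.+)$")

def split_sessions(text):
    """One list of (code, message) per request; step 11001 opens a new one."""
    sessions = []
    for line in text.splitlines():
        m = STEP.match(line.strip())
        if not m:
            continue  # headings such as "Evaluating Identity Policy"
        if m.group(1) == "11001" or not sessions:
            sessions.append([])
        sessions[-1].append((int(m.group(1)), m.group(2)))
    return sessions

def summarize(session):
    """User, identity store, RADIUS result and the step right after the lookup."""
    codes = [c for c, _ in session]
    steps = dict(session)
    i = codes.index(24210) if 24210 in codes else -1
    verdict = session[i + 1] if 0 <= i < len(session) - 1 else None
    result = "accept" if 11002 in steps else "reject" if 11003 in steps else "incomplete"
    return {
        "user": steps.get(24210, "").rpartition(" - ")[2] or None,
        "store": steps.get(15013, "").rpartition(" - ")[2] or None,
        "result": result,
        "verdict": verdict,
        # Thread context: a guest awaiting initial portal login shows as disabled.
        "guest_not_activated": bool(verdict and verdict[0] == 24206),
    }

if __name__ == "__main__":
    print([summarize(s) for s in split_sessions(TRACE)])
```
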

I am looking at a 1.1 system and running the same test. When creating a guest, you have the option to select the Group Role. If you select the option "Guest", you will see the behavior above and the guest will be initially disabled and require activation.

However, if you select "ActivatedGuest" then the guest will be created in an enabled state and will be able to log in with this guest user name.

The initial setup doesn't have a Group Role called "ActivatedGuest", there is only the "Guest" role.

I created another role but I can't see any difference between the two roles. They just match the guest user to a corresponding group in the internal identity store.

The created user is in state "Awaiting Initial Login". I can't find any hint for an enable or disable state or how to change this state in a different Group Role.

When the user is in the "Awaiting Initial Login" state they must first log in through the Guest portal and ack the Acceptable Use Policy (AUP) to make the guest active.

I am in fact looking at a later version than 1.1 (sorry for that) and see options under "Multi-Portal Configurations" to define whether guest users need to agree to an acceptable use policy. I do not know whether the same option exists on 1.1 and will see how to avoid this state in 1.1.

This option also exists in the version I'm using. I already set it to "Not Used" but the user stays in the "Awaiting Initial Login" state.

The ActivatedGuest capability is available in the next release of ISE: - 1.1 MnR that should be FCS in next month

In the meantime, what is required to activate a guest is for them to log in to the guest portal. Once this login is performed then the guest is Activated for RADIUS access. The "Not Used" option is used to determine whether the guest needs to accept the Acceptable Use Policy on login to the guest portal.

I think the URL for the guest portal is https://ISE:8443/guestportal/portal.jsp

Thanks a lot!

That should solve my problem.

This seems to be the same issue with ISE version 1.1.2.145

Any fix for this?

Regards Rasmus

I don't have any problems with this issue. The new group "ActivatedGuest" which was implemented with version 1.1.1 is still working with 1.1.2.145.
