Solved: Re: Using the guest CWA username as a radius attribute in authorization

jpujol · ‎02-07-2017

Hi team,

I got the request to return to the WLC the radius:username attribute in the authorization profile when doing CWA, because all subsequent connections currently end up with the MAC address instead of the guest username in the WLC session reports. MAC address formats aren't even compatible between WLC and ISE.

However, it's not possible to select this "radius:username" attribute.

Do you know any way to return it somehow ? any VendorSpecific attribute which may be usable with the WLCs ?

Thanks in advance,

jean-francois

Expected option :

Arne Bier · ‎11-28-2017

Hi Jean-Francois

In ISE 2.3 the situation has improved a little bit - but the bugs that Jason mentions are still outstanding (slated to be resolved in ISE 2.4).

In ISE 2.3 you can now see the username <-> MAC address correlation in the LiveLogs GUI. That is the only improvement that has been made. It does not address reporting or the radius return values (which is what you (and I, and possibly many others) are after).

I wrote a Document on this ISE 2.3 Remember Me guest using guest endpoint group logging display and Jason provided the bug ID's. Jason has been raising the visibility on these bugs and it looks as if they will be resolved in v2.4 - it's one of the first things I will be testing when the code goes GA.

View solution in original post

Jason Kunst · ‎02-07-2017

I don't know about this but maybe someone else has some ideas but I am wondering if you have the CWA username on each device login? Are you authorization off endpoint group with the registered device once the initial weblogin is done?

If so you will not have the CWA:Username any longer and may have to rely on the Portal User ID attached to the mac address which we don't correlate, see the following bugs.

CSCuh14138 - US12844	reporting issue - Guest user Identity is getting updated with Mac addr. instead identity
CSCux55288- US12844	reporting issue - Guest remember-me breaks ISE Guest Activity Logging

What version of ISE are you running?

Arne Bier · ‎11-28-2017

Hi Jean-Francois

In ISE 2.3 the situation has improved a little bit - but the bugs that Jason mentions are still outstanding (slated to be resolved in ISE 2.4).

In ISE 2.3 you can now see the username <-> MAC address correlation in the LiveLogs GUI. That is the only improvement that has been made. It does not address reporting or the radius return values (which is what you (and I, and possibly many others) are after).

I wrote a Document on this ISE 2.3 Remember Me guest using guest endpoint group logging display and Jason provided the bug ID's. Jason has been raising the visibility on these bugs and it looks as if they will be resolved in v2.4 - it's one of the first things I will be testing when the code goes GA.

Jason Kunst · ‎11-28-2017

Clarification, These haven’t been committed for 2.4 that I know of, I am asking development why they state 2.4 in some of them to make sure I understand what’s going on

Please if you have any customers being impacted please keep attaching to the defects

Please get business justification through sales team to our guest pm Ameet Kulkarni

Jason Kunst · ‎12-07-2017

Please see this link.

ISE 2.3 Remember Me guest using guest endpoint group logging display

I updated all associated defects, please have your customers and partners open cases and attach to all of these directly. 2.3 Patch 1 only fixes the issue with Radius live logs. It doesn't fix Radius account, guest reports or information sent to the WLC for its display of the guest users