
ISE 1.3 Sponsored Guest Portal Login Failure

Bilal Nawaz
VIP Alumni

Hello Team,

I've created a guest account in the sponsor portal for a test guest user; however, the account remains in the "created" state.

Now when the user tries to log on via the sponsored guest portal, the error returned is "invalid username or password".

In the ISE logs it says:

Overview

Event: 5418 Guest Authentication Failed
Username: bnawaz01
Endpoint Id:
Endpoint Profile:
Authorization Result:

Authentication Details

Source Timestamp: 2014-12-24 08:49:05.551
Received Timestamp: 2014-12-24 08:49:05.553
Policy Server: DC1-ISE-DMZ01
Event: 5418 Guest Authentication Failed
Failure Reason: Account is not yet active.
Resolution:
Root cause:
Username: bnawaz01
User Type: GuestUser
Endpoint Id:
Endpoint Profile:
IP Address:
Authentication Identity Store: Guest Users
Identity Group: GuestType_Contractor (default)
Audit Session Id:
Authentication Method: PAP_ASCII
Authentication Protocol: PAP_ASCII
Service Type:
Network Device:
Device Type:
Location:
NAS IP Address:
NAS Port Id:
NAS Port Type:
Authorization Profile:
Posture Status:
Security Group:
Response Time:

Any ideas why this might be, whether I'm doing something wrong, and how to fix it?

Thank you

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

mohanak
Cisco Employee

Conditions:
Guest uses a timeProfile fromFirstLogin and didn't log in before the timeProfile validity time.

Workaround:
Resetting the guest account validity from the Sponsor portal fixes the issue temporarily (the same situation will occur if the guest does not log in).

I have had the same issue. The fault is caused by the time zone in the sponsor groups being set by default to UTC, so if you are in London the accounts won't become available until UTC time. The best practice is to add a local time zone and remove UTC at initial configuration.

To resolve this, create a new local time zone in Guest Access > Settings > Guest Locations and SSIDs, then under Guest Access > Configure > Sponsor Groups amend the time zone properties in each sponsor group.

One other problem is that if you do not remove this at initial configuration, you don't seem to be able to get rid of UTC. It's not really an issue unless you forget when creating new sponsor groups.

I confirm, it's the solution.

Well done.


The issue is caused by an incorrect time zone. It all goes back to when ISE was first installed and you selected the wrong time zone there, e.g. if in the UK you select UTC instead of GB (best to select GB).

When you create your guest portal and use the UTC time zone as your local time, there is an hour's difference, so when you create the user account it sees it as not active yet. If you wait an hour you would then be able to log in. I usually use London and remove the default time zone from the portal.

Hello,

I am having the same problem but the difference is that I have ISE 2.0. I already did the recommendations and still get the same situation.

My ISE is using NTP as the time source and shows the correct timezone. I edited the Guest Locations and SSIDs parameters to match the correct timezone.

The guest tries to self-register, gets the username and password but when he tries to log in the authentication fails and I receive the log message saying that the account is not yet active.

I don't know what else to try.

Any ideas?

I was able to resolve my problem. I had to go to Guest Locations and SSIDs and leave the default setting for San Jose. Instead of using my local timezone I used UTC. Don't know why this solved the problem but it did.

Venkatesh Attuluri
Cisco Employee

Have you checked the identity source sequence?

Hello,

Have you found a solution to your issue?

Thanks,

Regards.
