Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
562
Views
0
Helpful
4
Replies

ISE Guest Wireless

campbech1
Level 1
Level 1

‎05-26-2016 08:02 AM - edited ‎03-10-2019 11:48 PM

I'm moving all of our guest wireless access over to ISE and having some issues. The portal page is redirecting as it should, the ACLs are in place and working well, but if the user presses declined on the AUP page and then opens a browser window, they are allowed to surf the Internet.

I used the ISE wireless guest setup wizard so I would have thought this would have been a pretty easy setup.

Labels:
0 Helpful
4 Replies 4

Francesco Molino
VIP Alumni
VIP Alumni

‎05-26-2016 10:27 AM

Hi

On your guest portal configuration, where are you registering MAC address devices for Guest? In Which group?

Could you check that the user mac address is visible on Guest Endpoints and/or Registered Devices?

Could you give an output of the success authentication log?

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

campbech1
Level 1
Level 1
In response to Francesco Molino

‎05-26-2016 11:29 AM

Hello,

Attached are the screenshots from the logs.

0 Helpful

Thomas Wall
Cisco Employee
Cisco Employee
In response to campbech1

‎05-26-2016 02:00 PM

Hello,

I can see in the outputs that the end user is getting the correct rule and matching the GuestPermit rule after the user successfully authenticates to the guest portal and a Change of Authorization (COA) is issued. Once the guest authenticates to the page, they are automatically added to the GuestEndpoints group by default (This can be changed under the Guest Types menu option). Depending on the portal settings, acceptance of the AUP may not be a requirement. As such, can you please share the AUP settings of the portal itself under Guest Access > Guest Portals > Select the portal in use.  From the portal settings, I would like to see the  AUP Page Settings and the Self Registration Success Page settings(can force aup acceptance here)? 

Lastly, can you please provide your version of ISE? Depending on your version of ISE, we could force the user to accept the AUP and then modify our authorization rules to look for guest who have accepted the aup within a given amount of time.

-Thomas

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to campbech1

‎05-26-2016 02:43 PM

Ok thanks. Maybe you are registering mac addresses and that's why he is authenticated.

On the rule, in order to check that'sbdue to mac registration, could you add a condition like:

wireless_mab AND network_access:usecase EQUALS Guest Flow

thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents