ISE 2.3 brings new functionality that is very useful for troubleshooting and monitoring the Guest flow around the Guest Remember Me feature. Basically, a guest endpoint is placed into an endpoint group and granted access for a set number of days until the endpoint is purged and the user has to go through the Credentialed portal again. We are working on these in ISE 2.3-2.5 and hope to backport them as far back as we can. If you need them in prior releases, raise it through the TAC so a patch can be evaluated where available.
Another option for remembering the guest is the sleeping client feature on the WLC. This pins up the wireless session so that a device keeps the same authorization for a set period of time. For example: I connect to the network, log in to the portal and get access. My device goes to sleep; when I unlock it and reconnect within the timeout, I am not redirected again. The drawback is that memory is consumed and pinned while these sessions are sleeping, so you don't want to use it with too many clients or for a long period of time. For more information, reach out to the wireless team.
Associated defect for licensing:
CSCvp16734 - Plus Licenses Consumed without Plus Features
In the case of Guest Access on wired or wireless, if the Network Access Device doesn't already have a session for that user's MAC address, the WLC sends the client's MAC address to ISE and two scenarios are possible:
Scenario 1: If ISE doesn't recognise this MAC address in a 'Guest' Identity Group, the user is redirected to the Guest Portal. If login is successful, the MAC address is added to the appropriate Guest Identity Group.
Scenario 2: If ISE recognises the MAC address in a 'Guest' Identity Group, authorization happens accordingly and no portal is presented. This is the so-called "Remember Me" feature.
The problem with scenario 2 is that ISE did not correlate the username used during portal login with the MAC address. This results in a few issues; please reach out to the ISE Product Managers at http://cs.co/ise-feedback or http://cs.co/ise-pm (for Cisco employees only) to request that these be addressed:
The identity in the RADIUS Access-Accept to the NAD is the MAC address. This makes life difficult for monitoring clients on the WLC: all you'll see is a MAC address with no relation to the user identity.
In ISE 2.3 the identity in the live logs is rewritten with the guest username. There is no way to revert to the prior behavior.
CSCvj29117 - ISE Guest Remember Me flow live logs should show guest username as identity
In ISE 2.4 the Live Sessions view is also rewritten: CSCvh05703 - remember me radius live sessions view does not show the guest username. This is the default behavior on a fresh install, but on upgrade you will need to enable it. The setting is under Work Centers > Guest Access > Settings > Logging.
Fixed in 2.4 and 2.6, which are the recommended releases (use the latest patch):
CSCvh93370 - ISE Guest: Incorrect accounting in syslog causes issues
CSCux55288 - Guest remember-me breaks ISE Guest Activity Logging
CSCvg19708 - Guest accounting report broken
RADIUS Accounting contains the MAC address, which makes reporting very difficult.
A setting in 2.4 reverts this behavior (not available in 2.3).
The screenshot from the WLC below shows the authenticated user (authenticated via Remember Me) as the MAC address of the guest endpoint. We would like it to show the actual guest user, as the live logs do. See CSCvh04231 listed above.
From ISE 2.3, the Identity column displays the username that was used during portal login for subsequent logins (previously it displayed the MAC address); in 2.4 the Live Sessions view also shows the guest rewrite.
Syslog Update for 2.4 patch 1
This adds a new variable, UserName, which keeps the same behavior as prior releases and also lets systems that track guests via syslog (an external vendor, perhaps) key off it. We hope to change this in the future.
When a new device is seen on the network it is redirected to the guest portal for credentialed login. After the user logs in, User-Name (the common variable sent to the NAD) will show the guest username. The UserName field should show the same.
After a device has been gone for a while and comes back, it will be in the Remember Me flow and authorized off the GuestEndpoint group with no portal login. Because of this, User-Name contains only the MAC address. The newly introduced UserName will still have the guest user (portal user) attached to it.
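As an added example (not from this page or from Cisco), the following Python correlates the two fields over syslog lines: it tells a credentialed portal login (User-Name is the guest account) apart from a Remember Me authorization (User-Name is the MAC, UserName still carries the guest) and flags pre-2.4p1-style records that have no UserName at all. The sample lines and their key=value layout are constructed for illustration and are not real ISE output.

```python
import re

# Matches a MAC in aa-bb-cc-dd-ee-ff, aa:bb:..., aabb.ccdd.eeff or plain hex form.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}$")

# Constructed sample records (not real ISE syslog); only the fields discussed
# on the page are used: RADIUS User-Name, the UserName field added in 2.4p1,
# and Calling-Station-ID for the endpoint MAC.
SAMPLE_SYSLOG = [
    # First visit: credentialed portal login, both fields carry the guest account.
    "Passed-Authentication: Authentication succeeded, User-Name=guest42, UserName=guest42, Calling-Station-ID=00-11-22-33-44-55",
    # Remember Me: endpoint matched in the guest group, no portal; User-Name is the MAC.
    "Passed-Authentication: Authentication succeeded, User-Name=00-11-22-33-44-55, UserName=guest42, Calling-Station-ID=00-11-22-33-44-55, IdentityGroup=GuestEndpoints",
    # Older-style record with no UserName: the guest cannot be recovered from syslog.
    "Passed-Authentication: Authentication succeeded, User-Name=66-77-88-99-AA-BB, Calling-Station-ID=66-77-88-99-AA-BB, IdentityGroup=GuestEndpoints",
]

def parse_record(line):
    """Split a 'key=value, key=value' line into a dict; parts without '=' are ignored."""
    fields = {}
    for part in line.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def classify(rec):
    """'portal-login' if User-Name is the guest account, 'remember-me' if User-Name
    is a MAC but UserName holds the guest, else 'uncorrelated' (MAC only)."""
    user_name = rec.get("User-Name", "")
    if not MAC_RE.match(user_name):
        return "portal-login"
    if rec.get("UserName") and not MAC_RE.match(rec["UserName"]):
        return "remember-me"
    return "uncorrelated"

def guest_for(rec):
    """Best available guest identity for a record, or None when only the MAC is known."""
    flow = classify(rec)
    if flow == "portal-login":
        return rec["User-Name"]
    if flow == "remember-me":
        return rec["UserName"]
    return None

def correlate(lines):
    """Map each endpoint MAC to the guest account it resolved to and the flows seen."""
    report = {}
    for line in lines:
        rec = parse_record(line)
        mac = rec.get("Calling-Station-ID", "").upper()
        entry = report.setdefault(mac, {"guest": None, "flows": []})
        entry["flows"].append(classify(rec))
        entry["guest"] = guest_for(rec) or entry["guest"]  # keep a known guest once seen
    return report
```

A guest account that happens to be twelve hex characters would be mistaken for a MAC by this heuristic, so on a real deployment key off the field the page names (UserName) rather than pattern-matching User-Name alone.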