ISE Authorization Policies

Unanswered Question
Nov 3rd, 2014

Hi All

Has anyone successfully used a Guest Role in an ISE authorization policy?

I'm using 2 different Guest Roles that get assigned by the Sponsor on the account creation page.

I want to differentiate between the 2 roles in my authorization policies to ensure separation between the 2 types of user.

I've had a suggestion to use an Option field on the sponsor's account creation page - this will work but it would be more secure if the Guest Role could be used.

ISE version is 1.2.198.0

Regards

Roger

nspasov Mon, 11/03/2014 - 13:53
User Badges: Cisco Employee, Cisco Designated VIP, 2017 AAA, Identity and NAC Security

Hi Roger-

Yes, I have done this before without any problems. What are the issues that you are having? If possible, please share some screenshots of your authorization policies.

What I have done in the past is:

- If guest account = Contractors then use "Guest_Contractors" Authorization Profile which had a WLC ACL "ISE-Guest-Contractors" attached to it

- If guest account = Regular_Guests then use "Regular_Guests" Authorization Profile which had a WLC ACL "ISE-Regular-Guests" attached to it

I hope this helps!


Thank you for rating helpful posts!

Roger Alderman Wed, 11/05/2014 - 03:20

Hi Neno

I have attached 2 screen shots.

The first is a standard authentication section for wireless MAB.

The condition for the policy set is using device location, device type, nas-port type and the WLAN Index.

The authorization policy is where I'm having issues.

I have created 2 groups called PublicGuest and ContractorGuest.

I have used these 2 groups as guest roles in the sponsor group. Basically, when the sponsor creates an account he will assign the user into 1 of the 2 groups.

In my authorization policy I want to check either that the user is in the PublicGuest Group and is using WLAN Index 3 or that the user is in the ContractorGuest Group and is using WLAN Index 4.

Regards

Roger

Roger Alderman Wed, 11/05/2014 - 03:31

Hi Neno

Further to my previous post. The attached capture shows what I'm trying to make work.

Regards

Roger

nspasov Wed, 11/05/2014 - 10:28
User Badges: Cisco Employee, Cisco Designated VIP, 2017 AAA, Identity and NAC Security

So from a high level your policies look correct. What is the issue(s) that you are having?

Roger Alderman Tue, 12/02/2014 - 08:16

Hi Neno

I have sponsored accounts which assign a guest role of 'member'.

I have a guest service which is self service and assigns a guest role of 'guest'.

I have identity groups called 'member' and 'guest'.

The problem I have is that if I create a sponsored account that user can login to the member SSID and also to the guest SSID. The policy authorization rules are using guest flow and the WLAN ID but it is not stopping the client from logging onto either SSID. If I add the identity group to the authorization rule I still get the same problem.

I cannot seem to separate the client types.

I'm obviously missing something but can't see what. When the accounts are created you can never see them in the identity groups.

Regards

Roger

nspasov Thu, 12/04/2014 - 08:43
User Badges: Cisco Employee, Cisco Designated VIP, 2017 AAA, Identity and NAC Security

Hmm, are you saying that a user that is member of the "PublicGuest" user group is able to login to the "member" SSID?

Roger Alderman Sun, 12/07/2014 - 03:33

Exactly.

If I create a sponsored account I can use the credentials to authenticate to either SSID.

Similarly if I create a self-registered account I can use the credentials to authenticate to either SSID.

The correct policy set is selected each time based on the SSID.

It seems to me as if the guest roles effectively do nothing and that all users get assigned to a single group. Of course, as an administrator you simply can't ever see the accounts and where the user has been assigned to. Any attempts to differentiate based on the group simply fail.

It looks like the assignment of a guest role for self-registration is actually a global setting that is applied to all portals and therefore overrides the guest role assigned within the sponsor group settings. See the attached image.
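To make the behaviour described in the last two posts concrete, here is a small model of first-match authorization rule evaluation. It is an added example, not Cisco ISE code or anything the posters shared; the rule names, the mapping of the member SSID to WLAN ID 3 and the guest SSID to WLAN ID 4, and the identity group names 'member' and 'guest' are assumptions chosen to mirror the thread. It shows that rules keyed only on guest flow plus WLAN ID admit any guest account on either SSID, that adding the identity group to each rule is what separates the two account types, and what happens in this model when every account ends up in the same group because the self-registration role setting overrides the sponsor group's role assignment.

```python
"""Toy model of ISE-style first-match authorization rule evaluation.

Added example for this thread; not Cisco ISE code. Rule names, WLAN IDs and
identity group names are assumptions based on the posts above.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    username: str
    identity_groups: FrozenSet[str]  # groups the account actually resolved to
    wlan_id: int                     # WLAN Index reported by the WLC
    guest_flow: bool                 # True after web-auth through a guest portal


@dataclass(frozen=True)
class Rule:
    name: str
    profile: str                       # authorization profile returned on match
    wlan_id: Optional[int] = None      # condition: WLAN Index must equal this
    require_group: Optional[str] = None  # condition: account must be in this group
    require_guest_flow: bool = False   # condition: session must be in guest flow

    def matches(self, s: Session) -> bool:
        """All configured conditions must hold (AND), as in one ISE rule line."""
        if self.wlan_id is not None and s.wlan_id != self.wlan_id:
            return False
        if self.require_guest_flow and not s.guest_flow:
            return False
        if self.require_group is not None and self.require_group not in s.identity_groups:
            return False
        return True


def authorize(rules: List[Rule], session: Session, default: str = "DenyAccess") -> str:
    """First matching rule wins; fall through to the default (deny)."""
    for rule in rules:
        if rule.matches(session):
            return rule.profile
    return default


# Assumed mapping: member SSID = WLAN 3 (sponsored accounts),
# guest SSID = WLAN 4 (self-registered accounts).
MEMBER_WLAN, GUEST_WLAN = 3, 4

# Rules as first described in the thread: guest flow plus WLAN ID only.
RULES_WLAN_ONLY = [
    Rule("MemberSSID", "Member_Access", wlan_id=MEMBER_WLAN, require_guest_flow=True),
    Rule("GuestSSID", "Guest_Access", wlan_id=GUEST_WLAN, require_guest_flow=True),
]

# The same rules with the identity group added to each condition.
RULES_WITH_GROUP = [
    Rule("MemberSSID", "Member_Access", wlan_id=MEMBER_WLAN,
         require_guest_flow=True, require_group="member"),
    Rule("GuestSSID", "Guest_Access", wlan_id=GUEST_WLAN,
         require_guest_flow=True, require_group="guest"),
]


def outcomes(rules: List[Rule], actual_groups: FrozenSet[str]) -> Tuple[str, str]:
    """Result for one sponsored account trying the member SSID, then the guest SSID.

    actual_groups is the identity group ISE really placed the account in,
    which may differ from the role the sponsor selected.
    """
    on_member_ssid = Session("sponsored1", actual_groups, MEMBER_WLAN, guest_flow=True)
    on_guest_ssid = Session("sponsored1", actual_groups, GUEST_WLAN, guest_flow=True)
    return authorize(rules, on_member_ssid), authorize(rules, on_guest_ssid)


if __name__ == "__main__":
    # Symptom from the thread: without a group condition, both SSIDs admit the account.
    print("WLAN-only rules, sponsored in 'member':", outcomes(RULES_WLAN_ONLY, frozenset({"member"})))
    # Intended separation once the group condition is present and the role is honoured.
    print("Group rules, sponsored in 'member':   ", outcomes(RULES_WITH_GROUP, frozenset({"member"})))
    # Diagnosis from the thread: the global self-registration role lands every
    # account in 'guest', so the sponsored user is treated as a plain guest.
    print("Group rules, sponsored in 'guest':    ", outcomes(RULES_WITH_GROUP, frozenset({"guest"})))
```

The useful check for a deployment is the third case: if an account the sponsor assigned to 'member' authorizes under the guest rule, the identity group condition is fine and it is the role assignment feeding that group that needs to be verified, which matches the conclusion reached in the post above.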

nspasov Mon, 12/08/2014 - 03:34
User Badges: Cisco Employee, Cisco Designated VIP, 2017 AAA, Identity and NAC Security

The information about the "self-registered" guests is news to me. Thank you for sharing that. Now I want to test this and see the behavior for myself, however, I am on vacation for the next two weeks so it will have to wait :) Now, with that being said, I still believe that you should be able to provide differential type of access for guests that fall in two different guest identity groups. I would suggest that you open a case with TAC and have them examine all of the rules/logs, etc.
