a Q regarding guest users and ISE

ciscoworlds
Level 4
Level 4

Hi;

I configured ISE to redirect guest users to the Guest portal and everything works fine, but at the end ISE adds the guest's MAC address to the local DB, and the second time the same person wants to access the network, its MAC address matches an authorization rule that I had created for known clients (not guest users).

How can I prevent ISE from adding the MAC addresses of guest users automatically to the internal MAB DB?

Accepted Solution

Peter Koltl
Level 7
Level 7

The Basic_Authenticated_Access authz rule should contain a specific (preferably static) endpoint identity group (e.g. CompanyLaptop). Why do you use a rule with such a broad condition that is matched even for new guest endpoints?


Gagandeep Singh
Cisco Employee
Cisco Employee

Hi,

Please check whether Guest Device Registration Settings is disabled or not in the Guest portal configuration.

Uncheck "Automatically register guest devices".

See if that works or not.

Regards

Gagan

Rate if it helps!

Hi;

Both the "Automatically Register Guest Devices" and "Allow Devices To Register Devices" check boxes in the created Sponsor Guest Portal are disabled. I tested it again, but ISE still adds the guest MAC addresses to the internal devices, marking them as "Not registered" and "Unknown". This process of automatically adding the guest MAC addresses to the internal DB is a very bad idea, because the second time the same guest wants to gain access to the network, its MAC address matches other rules that have been created for known MAB users, not guests. So how can I disable this feature?

Ideally, if the Register Device option is disabled, then the MAC address should go away after disconnecting from the SSID.

Also confirm whether profiling is enabled on the PSN.

Does the portal contain an AUP?

Hi;

As I said, "Register Guest Devices" is disabled. Also, profiling is enabled by default, if I remember correctly. But I think the portal does not contain an AUP (I need to check it). I disconnected the device from the network by shutting down the port, but after re-enabling the port, it matched another rule that was created for known users, not guests, just because ISE had added the MAC to the internal DB. This is a really ridiculous feature.

Are you talking about the "Internal Endpoints" Identity Source? ISE adds any MAC address it learns (guests and BYOD included) into that Identity Source. I do not believe that there is a way to turn this off. But this is usually just used for the Authentication Policy and not the Authorization Policy.

Can you provide the condition of the Authz rule that the Guest user is being matched on?

Hi;

First of all, I'm using ISE 2.0. In this version, by default, if the MAC of the client cannot be found in any DB (internal/external Identity source), the "continue" action is taken. In this situation, I used the last Authz rule and applied the CWA authz profile to it. It works as desired the first time the unknown client (first-time guest) connects to the network.

On the other side, I created a MAB authentication policy for known clients. For the authz part, I used the default "Basic_Authenticated_Access" for known clients. As a result, when a known client matches the MAB authentication rule, it then matches the "Basic_Authenticated_Access" authz rule and gains PermitAll permission.

The problem in this configuration is, as I described, that ISE automatically adds the MAC address of the guest to the internal DB (as displayed on the Administration > Identities > Endpoints page) as soon as the guest user connects to the network for the first time. On the second attempt of the guest user, this makes the guest match MAB and be categorized as "Authenticated user", so it uses the "Basic_Authenticated_Access" authz rule this time, the opposite of what I expected.

I hope that I managed to explain the situation. I really appreciate your time.

Makes perfect sense now. Unfortunately, I don't think there is a way to not add the Guest endpoint into the Internal Endpoints database. One workaround that I can think of is to use another condition in your "Basic_Authenticated_Access" Authz rule so that it does not match for Guest Flow. So in essence your condition should be:

Network Access:AuthenticationStatus EQUALS AuthenticationPassed

AND

Network Access:UseCase NOTEQUALS Guest Flow

So when a Guest user comes in, this condition is not matched and it should move on to your Guest Allow rule.

Ideally, "Basic_Authenticated_Access" is used below all your rules and not for MAB. MAB devices are matched using a combination of profiling groups or custom endpoint identity groups where the MAC addresses are added manually. You may face the same issue with BYOD or other flows, so it is best to control who can successfully connect using a combination of the above.

I don't think that works. The reason is that when the MAC address of the guest user is added automatically to ISE, in the authz part it will not be considered a "Guest User" anymore, and therefore it may not match an authz rule that contains "Network Access:UseCase NOTEQUALS Guest Flow" in its condition.

I think, if there is no way to disable this automatic addition, we can assign another attribute to the locally and manually added MAC addresses and use that attribute in the authz rule. I don't know if it works or if there should be another way, but I need to test it on Monday, so I will post the results here. Again, thanks for your time Rahul.


ciscoworlds
Level 4
Level 4

Hi;

You were right. I was using a very comprehensive rule that matched most of the conditions. I added a static Endpoint Group, placed my manually created known MAC addresses inside that group, and edited the condition of the "Basic_Authenticated_Access" authz rule to contain just that Endpoint Identity Group. This time, every time a guest user wants to access the network, he goes through the whole process as expected. Thanks for your small but important trick, Peter.
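An added illustration (not code from Cisco or from anyone in this thread) that models the ISE 2.0 MAB flow described above: the broad Basic_Authenticated_Access condition admits a guest on its second visit once ISE has learned the MAC, while the accepted fix, matching only the static CompanyLaptop endpoint identity group, sends the returning guest back to the portal. The rule and group names come from the thread; the MAC addresses and the Guest_Redirect rule name are constructed for the model.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

@dataclass
class Session:
    mac: str
    authc_status: str   # "AuthenticationPassed", or "Continue" (ISE 2.0 default if MAC unknown)
    groups: Set[str]    # endpoint identity groups statically assigned to the MAC

@dataclass
class AuthzRule:
    name: str
    condition: Callable[[Session], bool]
    profile: str

def mab_authenticate(mac: str, internal_endpoints: Dict[str, Set[str]]) -> Session:
    """MAB against Internal Endpoints: found -> passed, not found -> continue."""
    if mac in internal_endpoints:
        return Session(mac, "AuthenticationPassed", internal_endpoints[mac])
    return Session(mac, "Continue", set())

def authorize(session: Session, rules: List[AuthzRule]) -> str:
    """First-match, top-down evaluation, as in the ISE authorization policy."""
    for rule in rules:
        if rule.condition(session):
            return rule.profile
    return "DenyAccess"

# Last rule in the thread's policy: everything else is redirected to the guest portal (CWA).
CWA_RULE = AuthzRule("Guest_Redirect", lambda s: True, "CWA")   # constructed rule name

# Original, broad condition: any passed MAB authentication gets full access (PermitAll in the thread).
BROAD_RULES = [
    AuthzRule("Basic_Authenticated_Access",
              lambda s: s.authc_status == "AuthenticationPassed", "PermitAccess"),
    CWA_RULE,
]
# Accepted fix: match only the static endpoint identity group CompanyLaptop.
STATIC_GROUP_RULES = [
    AuthzRule("Basic_Authenticated_Access",
              lambda s: "CompanyLaptop" in s.groups, "PermitAccess"),
    CWA_RULE,
]

def guest_two_visits(rules: List[AuthzRule]):
    """Return the authz profile a new guest gets on its first and second visit."""
    guest_mac = "00:11:22:33:44:55"                      # constructed sample MAC
    db = {"aa:bb:cc:dd:ee:01": {"CompanyLaptop"}}        # manually added known client
    first = authorize(mab_authenticate(guest_mac, db), rules)
    db[guest_mac] = set()   # ISE learns the guest MAC after the first guest flow, with no static group
    second = authorize(mab_authenticate(guest_mac, db), rules)
    return first, second
```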
