Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ISE Authorization Policies

Hi All

Has anyone successfully used a Guest Role in an ISE authorization policy?

I'm using 2 different Guest Roles that get assigned by the Sponsor on the account creation page.

I want to differentiate between the 2 roles in my authorization policies to ensure separation between the 2 types of user.

I've had a suggestion to use an Option field on the sponsor's account creation page - this will work but it would be more secure if the Guest Role could be used.

ISE version is



Cisco Employee

Hi Roger-Yes, I have done

Hi Roger-

Yes, I have done this before without any problems. What are the issues that you are having? If possible please share some screenshots of your authorization policies. 

What I have done in the past is:

- If guest account = Contractors then use "Guest_Contractors" Authorization Profile which had an WLC ACL "ISE-Guest-Contractors" attached to it

- If guest account = Regular_Guests then use "Regular_Guests" Authorization Profile which had an WLC ACL "ISE-Regular-Guests" attached to it

I hope this helps!


Thank you for rating helpful posts!

Community Member

Hi NenoI have attached 2

Hi Neno

I have attached 2 screen shots.

The first is a standard authentication section for wireless MAB.

The condition for the policy set is using device location, device type, nas-port type and the WLAN Index.

The authorization policy is where I'm having issues.

I have created 2 groups called PublicGuest and ContractorGuest.

I have used these 2 groups as guest roles in the sponsor group. Basically, when the sponsor creates an account he will assign the user into 1 of the 2 groups.

In my authorization policy I want to check either that the user is in the PublicGuest Group and is using WLAN Index 3 or that the user is in the ContractorGuest Group and is using WLAN Index 4.



Community Member

Hi NenoFurther to my previous

Hi Neno

Further to my previous post. The attached capture shows what I'm trying to make work.




Cisco Employee

So from a high level your

So from a high level your policies look correct. What is the issue(s) that you are having? 

Community Member

Hi NenoI have sponsored

Hi Neno

I have sponsored accounts which assign a guest role of 'member'.

I have a guest service which is self service and assigns a guest role of 'guest'.

I have identity groups called 'member' and 'guest'.

The problem I have is that if I create a sponsored account that user can login to the member SSID and also to the guest SSID. The policy authorization rules are using guest flow and the WLAN ID but it is not stopping the client from logging onto to either SSID. If I add the identity group to the authorization rule I still get the same problem.

I cannot seem to separate the client types.

I'm obviously missing something but can't see what. When the accounts are created you can never see them in the identity groups.



Cisco Employee

Hmm, are you saying that a

Hmm, are you saying that a user that is member of the "PublicGuest" user group is able to login to the "member" SSID?

Community Member

Exactly.If I create a


If I create a sponsored account I can use the credentials to authenticate to either SSID.

Similarly if I create a self-registered account I can use the credentials to authenticate to either SSID.

The correct policy set is selected each time based on the SSID.

It seems to me as if the guest roles effectively do nothing and that all users get assigned to a single group. Of course, as an administrator you simply can't ever see the accounts and where the user has been assigned to. Any attempts to differentiate based on the group simply fail.

It looks like the assignment of a guest role for self-registration is actually a global setting that is applied to all portals and therefore over-rides the guest role assigned within the sponsor group settings. See the attached image.

Cisco Employee

The information about the

The information about the "self-registered" guests is news to me. Thank you for sharing that. Now I want to test this and see the behavior for myself, however, I am on vacation for the next two weeks so it will have to wait :) Now, with that being said, i still believe that you should be able to provide deferential type of access for guests that fall in two different guest identity groups. I would suggest that you open a case with TAC and have them examine all of the rules/logs, etc. 


CreatePlease to create content