ISE Authorization Policies

Roger Alderman
Level 3

Hi All

Has anyone successfully used a Guest Role in an ISE authorization policy?

I'm using 2 different Guest Roles that get assigned by the Sponsor on the account creation page.

I want to differentiate between the 2 roles in my authorization policies to ensure separation between the 2 types of user.

I've had a suggestion to use an Option field on the sponsor's account creation page - this will work but it would be more secure if the Guest Role could be used.

ISE version is 1.2.198.0

Regards

Roger

8 Replies

nspasov
Cisco Employee

Hi Roger-

Yes, I have done this before without any problems. What are the issues that you are having? If possible, please share some screenshots of your authorization policies.

What I have done in the past is:

- If guest account = Contractors then use "Guest_Contractors" Authorization Profile which had a WLC ACL "ISE-Guest-Contractors" attached to it

- If guest account = Regular_Guests then use "Regular_Guests" Authorization Profile which had a WLC ACL "ISE-Regular-Guests" attached to it

I hope this helps!

Thank you for rating helpful posts!

Hi Neno

I have attached 2 screenshots.

The first is a standard authentication section for wireless MAB.

The condition for the policy set is using device location, device type, nas-port type and the WLAN Index.

The authorization policy is where I'm having issues.

I have created 2 groups called PublicGuest and ContractorGuest.

I have used these 2 groups as guest roles in the sponsor group. Basically, when the sponsor creates an account he will assign the user into 1 of the 2 groups.

In my authorization policy I want to check either that the user is in the PublicGuest Group and is using WLAN Index 3 or that the user is in the ContractorGuest Group and is using WLAN Index 4.

Regards

Roger

Hi Neno

Further to my previous post. The attached capture shows what I'm trying to make work.

Regards

Roger

So from a high level your policies look correct. What issue(s) are you having?

Hi Neno

I have sponsored accounts which assign a guest role of 'member'.

I have a guest service which is self service and assigns a guest role of 'guest'.

I have identity groups called 'member' and 'guest'.

The problem I have is that if I create a sponsored account that user can login to the member SSID and also to the guest SSID. The policy authorization rules are using guest flow and the WLAN ID but it is not stopping the client from logging on to either SSID. If I add the identity group to the authorization rule I still get the same problem.

I cannot seem to separate the client types.

I'm obviously missing something but can't see what. When the accounts are created you can never see them in the identity groups.

Regards

Roger

Hmm, are you saying that a user that is member of the "PublicGuest" user group is able to login to the "member" SSID?

Exactly.

If I create a sponsored account I can use the credentials to authenticate to either SSID.

Similarly if I create a self-registered account I can use the credentials to authenticate to either SSID.

The correct policy set is selected each time based on the SSID.

It seems to me as if the guest roles effectively do nothing and that all users get assigned to a single group. Of course, as an administrator you simply can't ever see the accounts and where the user has been assigned to. Any attempts to differentiate based on the group simply fail.

It looks like the assignment of a guest role for self-registration is actually a global setting that is applied to all portals and therefore overrides the guest role assigned within the sponsor group settings. See the attached image.

The information about the "self-registered" guests is news to me. Thank you for sharing that. Now I want to test this and see the behavior for myself; however, I am on vacation for the next two weeks so it will have to wait :) Now, with that being said, I still believe that you should be able to provide differential types of access for guests that fall in two different guest identity groups. I would suggest that you open a case with TAC and have them examine all of the rules/logs, etc.
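The rule matching discussed in this thread, as an added example that is not Cisco ISE code and not Roger's or Neno's actual configuration: a small Python model of first-match guest authorization with the two rule sets described (guest flow + WLAN ID only, and identity group + WLAN ID), plus an `override` parameter, assumed here, that models the global self-registration role replacing the sponsor's group assignment. The group names PublicGuest/ContractorGuest, WLAN indexes 3 and 4 and the profile names follow the thread; `Session`, `Rule`, `evaluate`, `groups_in_use` and the two constructed accounts are this example's own.

```python
"""Toy model of ISE-style guest authorization rules (added example, not ISE code).

Group names, WLAN indexes and profile names follow the thread; the matching
engine, the constructed accounts and the 'override' knob are assumptions made
here to illustrate why a rule can only separate what the account store
actually distinguishes.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Attributes visible to the policy for one access request (constructed)."""
    username: str
    groups: FrozenSet[str]   # identity groups the guest account belongs to
    guest_flow: bool         # the 'Guest Flow' use-case condition
    wlan_id: int             # WLAN index reported by the WLC


@dataclass(frozen=True)
class Rule:
    name: str
    profile: str                 # authorization profile returned on match
    wlan_id: int                 # WLAN index the rule is bound to
    group: Optional[str] = None  # required identity group; None = no group condition

    def matches(self, s: Session) -> bool:
        if not s.guest_flow or s.wlan_id != self.wlan_id:
            return False
        return self.group is None or self.group in s.groups


DENY = "DenyAccess"

# First attempt described in the thread: guest flow + WLAN ID only.
WLAN_ONLY_RULES: List[Rule] = [
    Rule("Guest SSID", "Guest_Public", wlan_id=3),
    Rule("Contractor SSID", "Guest_Contractors", wlan_id=4),
]

# Intended rules: identity group AND WLAN ID.
GROUP_RULES: List[Rule] = [
    Rule("Public guests", "Guest_Public", wlan_id=3, group="PublicGuest"),
    Rule("Contractors", "Guest_Contractors", wlan_id=4, group="ContractorGuest"),
]

# Constructed guest accounts: the group the sponsor / self-service assigned.
ACCOUNTS: Dict[str, str] = {"alice": "PublicGuest", "bob": "ContractorGuest"}


def authorize(rules: List[Rule], s: Session) -> str:
    """First-match evaluation; anything unmatched falls to the default deny."""
    for r in rules:
        if r.matches(s):
            return r.profile
    return DENY


def effective_groups(assigned: str, override: Optional[str]) -> FrozenSet[str]:
    """Assumed behaviour: a global self-registration role, if set, replaces the sponsor's choice."""
    return frozenset({override or assigned})


def evaluate(rules: List[Rule], override: Optional[str] = None) -> Dict[Tuple[str, int], str]:
    """Profile each account receives on each SSID (WLAN 3 = guest, WLAN 4 = contractor)."""
    out: Dict[Tuple[str, int], str] = {}
    for user, assigned in ACCOUNTS.items():
        for wlan in (3, 4):
            s = Session(user, effective_groups(assigned, override), True, wlan)
            out[(user, wlan)] = authorize(rules, s)
    return out


def separation_holds(results: Dict[Tuple[str, int], str]) -> bool:
    """True only if each account is admitted on its own SSID and denied on the other."""
    return (results[("alice", 3)] != DENY and results[("alice", 4)] == DENY
            and results[("bob", 4)] != DENY and results[("bob", 3)] == DENY)


def groups_in_use(override: Optional[str] = None) -> FrozenSet[str]:
    """Audit helper: which identity groups the guest accounts actually end up in.
    A single group for every account means no rule can tell the account types apart."""
    return frozenset().union(*(effective_groups(g, override) for g in ACCOUNTS.values()))


if __name__ == "__main__":
    scenarios = [
        ("WLAN ID only", WLAN_ONLY_RULES, None),
        ("group + WLAN ID, distinct groups", GROUP_RULES, None),
        ("group + WLAN ID, global role overrides sponsor", GROUP_RULES, "guest"),
    ]
    for label, rules, override in scenarios:
        res = evaluate(rules, override)
        print(f"{label}: separation={separation_holds(res)} "
              f"groups={sorted(groups_in_use(override))}")
        for key, profile in sorted(res.items()):
            print("   ", key, "->", profile)
```

Run as a script, the first scenario reproduces the symptom in the thread (either account is admitted on either SSID when the rules key only on guest flow and WLAN ID), the second shows the group condition doing its job, and the third shows that once every account collapses into one group the group condition cannot separate them, which `groups_in_use` reports directly even though, as Roger notes, the ISE admin UI does not show guest accounts inside the identity groups.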