I have sponsored accounts which assign a guest role of 'member'.
I have a guest service which is self service and assigns a guest role of 'guest'.
I have identity groups called 'member' and 'guest'.
The problem I have is that if I create a sponsored account, that user can log in to the member SSID and also to the guest SSID. The authorization policy rules are using guest flow and the WLAN ID, but that is not stopping the client from logging on to either SSID. If I add the identity group to the authorization rule I still get the same problem.
I cannot seem to separate the client types.
I'm obviously missing something but can't see what. When the accounts are created you can never see them in the identity groups.
If I create a sponsored account I can use the credentials to authenticate to either SSID.
Similarly if I create a self-registered account I can use the credentials to authenticate to either SSID.
The correct policy set is selected each time based on the SSID.
It seems to me as if the guest roles effectively do nothing and that all users get assigned to a single group. Of course, as an administrator you simply can't ever see the accounts and where the user has been assigned to. Any attempts to differentiate based on the group simply fail.
It looks like the assignment of a guest role for self-registration is actually a global setting that is applied to all portals and therefore overrides the guest role assigned within the sponsor group settings. See the attached image.
The information about the "self-registered" guests is news to me. Thank you for sharing that. Now I want to test this and see the behavior for myself; however, I am on vacation for the next two weeks so it will have to wait :) Now, with that being said, I still believe that you should be able to provide differential access for guests that fall into two different guest identity groups. I would suggest that you open a case with TAC and have them examine all of the rules/logs, etc.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...