Re: ISE Guest User problem

phatrachit · ‎02-28-2012

Hi Guys,

I got a problem about Guest user after create guest account from ISE sponsor. When i try to login with guest user on Web authen (WLC) it show login error and the message on ISE is Authentication failed : 24206 User disabled

Failure Reason > Authentication Failure Code Lookup

Failure Reason :

24206 User disabled

Description
User marked disabled in Internal database.

Resolution Steps
Check whether the user account in Internal database is enabled

I would like to know, how to enable the guest account? What i missed configuration?

DENNIS BAAS · ‎02-28-2012

In your sponsorportal: on the left, select menu item View guest Accounts to view your account(s).

Select the affected account and click Reinstate.

It is possible, that your sponsor account does not have the permission to Reinstate/Suspend accounts. Check/change this in your ISE admin page:

- Go to Administration > Guest Management > Sponsor Groups.

- Click the Sponsor Group your sponsor account is a member of to edit.

- Select tab Authorization Levels: view/modify the permission listed for the option Suspend/reinstate Accounts.

phatrachit · ‎02-28-2012

Hi DENNIS

Thank you for reply

I found the solution for solve my problem. I have to configure External Web Authentication on WLC as ISE.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml

Dave Anthony David · ‎03-14-2012

We have the same problem, creation of guest account using sponsor seems not working.

I reinstate the guest users as what Dennis have said but still guest is disabled.

Pre-auth ACL is already in placed.

Note that when using the guest users created via ISE > Administration > Identity Management > Identities > Users it is working. Here's the snapshot

phatrachit · ‎03-14-2012

Hi dsdavid,

Do you use ISE with WLC? If yes, you need to configure ISE as External Web Auth at WLC?

WLC

Security > Access Control List

Allow traffic from Client to ISE

* If you have firewall or ACL on Core switch between WLC and ISE, you have to allow traffic Client to ISE too.

Security > Web Auth > External Web Auth

Web Authentication Type : External

Redirect URL after login : Up to you

External Webauth URL : https://:8443/guestportal/Login.action

WLAN > Security > Layer 3

- Check Web Policy > Authentication

- Pre-Auth ACL > Choose ACL which you pre-define at Security > Access Control List

WLAN > AAA Servers

- Choose Authentication Server as ISE

WLAN > Advance

- Check Allow AAA override

Dave Anthony David · ‎03-14-2012

Hi Phatrachit,

Thanks for replying. Yes WLC is integrated to ISE. I've recheck all you have said and all of that are properly configured. The only difference is that my External Web Auth is configured under WLAN > Security > Layer 3 (override value) instead of Security > Web Auth > External Web Auth.

By the way, have you noticed when creating guest user using sponsor account, does it appear on Administration > Identity Management > Identities > Users ??

phatrachit · ‎03-14-2012

Hi dsdavid,

- For External Web auth, WLC will check Global configuration (Security > Web Auth) first then check in individual SSID thus try to configure External Web authn at the Security menu. If you have the SSID that need to use internal web auth, you can use override value at WLAN menu.

- Guest user that create on ISE Guest sponsor will not appear on Identities > Users. Those guest user can managed on ISE Guest sponsor only.

BR,

Bhatarajit.P

Dave Anthony David · ‎03-14-2012

Hi Phatrachit,

I have managed to make it work. After all the problem is actually right here (see attached picture).

It was set to Central Web Auth which I forgot to set back to Guest.

Thank you for your time.

Regards,

Dave