Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ISE web agent not working for guest users

 

Hi All,

I'm trying to configure client provisioning, and posture assessment for guest user (Computers not joined to domain).

when I try to connect the guest to the network, I found that the guest computer matches with the MAB authentication policy, and then doesn't match with the guest created authorization policy, but matches with the default policy.

no certificates installed on the guest computer.

my configuration is attached.

 

any solution please?

Regards,

Maher

 

 

5 REPLIES
New Member

Could you try endpoint

Could you try endpoint debugging, a new feature in ISE 1.3, and see if that gives a better DEBUG log(s)? You may access it at ISE live log by right-clicking on the endpoint’s MAC address or go to Operations > Troubleshoot > Diagnostic Tools > General Tools > EndPoint Debug.

Hi Maher,Did you solve it?

Hi Maher,

Did you solve it? How?

New Member

Hi andre,

Hi andre,

i tried a work around, and it's working now using the guest flow.

I created 3 authz policies for the guest (Compliant, non-compliant, and unknow).

the difference between the policies is in the conditions.

for compliant:

Conditions
Session:PostureStatus EQUALS Compliant OR
Network Access:UseCase EQUALS Guest Flow OR
AD01:ExternalGroups EQUALS centamin.local/Builtin/Guests

for non-compliant:

Conditions
Session:PostureStatus EQUALS NonCompliant OR
Network Access:UseCase EQUALS Guest Flow OR
Network Access:WasMachineAuthenticated EQUALS False OR
AD01:ExternalGroups EQUALS centamin.local/Builtin/Guests

for the unknown:

Conditions
Session:PostureStatus EQUALS Unknown AND
Network Access:UseCase EQUALS Guest Flow AND
Network Access:WasMachineAuthenticated EQUALS False AND
AD01:ExternalGroups EQUALS centamin.local/Builtin/Guests

notice that I configured the guest to include also the domain users whos their computers aren't authenticated previously..

Thanks,

New Member

did you get this working? i'd

did you get this working? i'd like to run something similar.

My config is working now ben

My config is working now ben.posner.
The problem is that in the newest versions we shouldn't use "guestflow" to identify authenticated guest user.
How did you configure it?
You might try to use the Guest User Group.

My Guest Authorization rules are attached.

 

248
Views
0
Helpful
5
Replies
CreatePlease to create content