
Registration Portal Loop in ISE

ahurtadove
Level 1

After the user logs into the portal and registers its device, I can't seem to find a way for an auth policy to capture the data and permit the device into the network. So the flow would be MAB->CWA->Permit access if users are in identity group name "X". Here is my auth policy that doesn't work:

 

 


nspasov
Cisco Employee

I see that your authorization policy calls for a check if the device was registered. A device becomes registered either by using DRW (Device Registration Web Auth) or via the BYOD provisioning flow. Looking at your example I don't think you are using either one of those. I am guessing that if you remove that check in your condition then your authentications would be successful. 

Hope this helps!

 

Thank you for rating helpful posts! 

Thank you Neno,

 

I changed the policy to registered devices and wireless MAB and it worked, but it seems too general and not that useful security-wise. It actually did what I was looking for in the registration flow: MAB, then redirected to the guest portal, and then allowed the client to register its device; then it granted access to a VLAN with more privileges.

 

I want to take out the self registration portal for guest users (or in this case corporate) and I did but then it goes back to the registration loop. It seems that I have not been able to catch the correct variables for the second authorization for this flow.

I agree that it would be nice to be able to do device registration and guest logins but that is just not there yet. I have suggested to Cisco so we can only hope that the feature makes it to ISE :)

If you are still having issues you should make the rules as simple as possible then test. If behavior is as expected then add more conditions. If you are still unable to figure it out post some screen shots from the Live Authentications window and then some screenshots from the detailed screen. Also, make sure that you don't have the "Enable Self-Provisioning Flow" enabled under the Operations tab in your HTML portal. 

 
