New Member

Using ISE guest store via RADIUS

I have a question concerning the guest store on the ISE.

I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
Has anyone already implemented a similar solution or any idea how to access the guest store?

Thanks

Thomas

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Using ISE guest store via RADIUS

The ActivatedGuest capability is available in the next release of ISE: - 1.1 MnR that should be FCS in next month

In the meantime, what is required to activate a guest is for them to log in to the guest portal. Once this login is performed, the guest is Activated for RADIUS access. The "Not Used" option is used to determine whether the guest needs to accept the Acceptable Use Policy on login to the guest portal.

I think the URL for the guest portal is https://ISE:8443/guestportal/portal.jsp


12 REPLIES
Gold

Using ISE guest store via RADIUS

The internal user store does include the guest store. I suggest looking at live authentications to see whether guest logins are in fact making it to the box and, if so, the failure reason when the guest logs in.

New Member

Using ISE guest store via RADIUS

The local identity store will not contain the guest users. Those are created within the sponsor portal (unless self-registration is used). If you create a guest account in 1.1 (I don't know if 1.0.4 vs 1.1 is different here), it will not appear under the local identity store.

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674
Gold

Using ISE guest store via RADIUS

I agree that if you create a guest account you cannot see it when looking at the list of users in the internal users store. However, if you want to authenticate a guest you need to select "Internal Users" as the result in the authentication policy.

I confirmed this as follows:

- create a guest user

- select "Internal Users" as result in authentication policy

>>>> authentication succeeds

- select a different identity store as result in authentication policy and authentication fails

New Member

Using ISE guest store via RADIUS

I just created a simple setup and tested the login.

It doesn't work with a user created as a guest account.

If I create the user in the normal internal identity store it works fine.

Might there be a difference between ISE versions?

We are currently using version 1.1.0.665 on a VM for testing purposes.

This is what the details show:

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15048  Queried PIP

15048  Queried PIP

15004  Matched rule

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - Internal Users

24210  Looking up User in Internal Users IDStore - tuser001

24206  User disabled

22057  The advanced option that is configured for a failed authentication request is used

22061  The 'Reject' advanced option is configured in case of a failed authentication request

11003  Returned RADIUS Access-Reject

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15048  Queried PIP

15048  Queried PIP

15004  Matched rule

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - Internal Users

24210  Looking up User in Internal Users IDStore - tuser001

24212  Found User in Internal Users IDStore

22037  Authentication Passed

Evaluating Authorization Policy

15004  Matched rule

15016  Selected Authorization Profile - Guest

11022  Added the dACL specified in the Authorization Profile

11002  Returned RADIUS Access-Accept
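A small triage script for step lists like the two pasted above, added here as an example (not part of the original post and not Cisco tooling): it splits the pasted steps into one session per Access-Request and reports the identity store, user, result and, for a reject, the step that followed the user lookup. Treating the step after 24210 as the cause is an assumption drawn from this trace, and the function names are hypothetical.

```python
import re

# Excerpt of the step lists posted above (codes and text as posted, trimmed).
TRACE = """\
11001  Received RADIUS Access-Request
15013  Selected Identity Store - Internal Users
24210  Looking up User in Internal Users IDStore - tuser001
24206  User disabled
11003  Returned RADIUS Access-Reject
11001  Received RADIUS Access-Request
Evaluating Identity Policy
15013  Selected Identity Store - Internal Users
24210  Looking up User in Internal Users IDStore - tuser001
24212  Found User in Internal Users IDStore
22037  Authentication Passed
15016  Selected Authorization Profile - Guest
11002  Returned RADIUS Access-Accept
"""

STEP = re.compile(r"^(\d{5})\s+(.+)$")
OUTCOME = {"11002": "accept", "11003": "reject"}

def split_sessions(text):
    """Group (code, message) steps into one list per Access-Request (11001)."""
    sessions = []
    for line in text.splitlines():
        m = STEP.match(line.strip())
        if not m:
            continue  # phase headings such as "Evaluating Identity Policy"
        if m.group(1) == "11001" or not sessions:
            sessions.append([])
        sessions[-1].append(m.groups())
    return sessions

def summarize(steps):
    """Return store, user, outcome and, for a reject, the step after the lookup."""
    out = {"store": None, "user": None, "outcome": "incomplete", "cause": None}
    after_lookup = None
    for i, (code, msg) in enumerate(steps):
        if code == "15013":
            out["store"] = msg.split(" - ", 1)[-1]
        elif code == "24210":
            out["user"] = msg.rsplit(" - ", 1)[-1]
            after_lookup = steps[i + 1] if i + 1 < len(steps) else None
        elif code in OUTCOME:
            out["outcome"] = OUTCOME[code]
    if out["outcome"] == "reject" and after_lookup:  # heuristic, see lead-in
        out["cause"] = "%s %s" % after_lookup
    return out
```

Run `summarize()` over each list returned by `split_sessions()`; for the first trace it reports the reject with cause `24206 User disabled`, which is the line to look for when a guest account has not yet been activated.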

Gold

Using ISE guest store via RADIUS

I am looking at a 1.1 system and running the same test. When you create a guest, you have the option to select the Group Role. If you select the option of "Guest", you will see the behavior above, and the guest will be initially disabled and require activation.

However, if you select "ActivatedGuest", then the guest will be created in an enabled state and will be able to log in with this guest user name.

New Member

Using ISE guest store via RADIUS

The initial setup doesn't have a Group Role called "ActivatedGuest", there is only the "Guest" role.

I created another role but I can't see any difference between the two roles. They just match the guest user to a corresponding group in the internal identity store.

The created user is in state "Awaiting Initial Login". I can't find any hint for an enable or disable state or how to change this state in a different Group Role.

Gold

Using ISE guest store via RADIUS

When the user is in the "Awaiting Initial Login" state they must first log in through the Guest portal and ack the Acceptable Use Policy (AUP) to make the guest active.

I am in fact looking at a later version than 1.1 (sorry for that) and see options under "Multi-Portal Configurations" to define whether guest users need to agree to an acceptable use policy. I do not know whether the same option exists on 1.1 and will see how to avoid this state in 1.1.

New Member

Using ISE guest store via RADIUS

This option also exists in the version I'm using. I already set it to "Not Used" but the user stays in the "Awaiting Initial Login" state.

Gold

Using ISE guest store via RADIUS

The ActivatedGuest capability is available in the next release of ISE: - 1.1 MnR that should be FCS in next month

In the meantime, what is required to activate a guest is for them to log in to the guest portal. Once this login is performed, the guest is Activated for RADIUS access. The "Not Used" option is used to determine whether the guest needs to accept the Acceptable Use Policy on login to the guest portal.

I think the URL for the guest portal is https://ISE:8443/guestportal/portal.jsp


New Member

Using ISE guest store via RADIUS

Thanks a lot!

That should solve my problem.

sin
New Member

Using ISE guest store via RADIUS

This seems to be the same issue with ISE version 1.1.2.145.

Any fix to this?

Regards Rasmus

New Member

Using ISE guest store via RADIUS

I don't have any problems with this issue. The new group "ActivatedGuest" which was implemented with version 1.1.1 is still working with 1.1.2.145.
