Guest authentication

Similar Messages

• Cisco ISE Guest Authentication Failed : 86020: Unknown exception

  Hi,
  I would like to check what may be causing the error message 86020:unknown exception for ise when guest user authenticates via wireless using CWA? I have also attached a screen capture of the error and after the authenitcation logs change to autheorization only succeed after a repeated trying. Based on user feedback for failed login, When guest user gets conected to wirless and login in to guest  portal with credential after putting credential  then its again redirect  to same login page wihout successful login prompt; not too sure if there may be any settings that may be looked into and the reason for the unknown exception error?
  Any suggestion/recommendation is appreciated.

  Hi Tarik,
  Not too sure if i understand on the static hostname for redirection; there are 2 PSNs for the deployment however they are acting as active/secondary for the wireless (This is done from the wlan on the wlc to set the primary/secondary radius server). From the guest redirection; it is always hitting the primary radius server defined on the wlan/wlc. The ise is running version 1.1.4 with patch 8 applied.
  Not  too sure if there may be any settings that may be looked into for the guest authentication/redirection and the reason for the unknown exception error?
  Thanks.

• Guest Authentication With Accountability! -HELP CMX vs ISE?

  HI, 
  We currently are in the procurement stage of an upgrade to our wireless solution but are facing a  business requirements that hopefully you guys will be able to help with:-
  Guest authentication with some way of checking the guests are who they say they are (this is for accountability purposes)
  for example we would like something such as a guest logon portal with multiple ways to logon that provides us a credible source of identification for the guests (social media logons, email generated passwords to a valid email account, SMS generated passwords to a valid mobile phone number)
  The above would be much more favorable than the standard web portal / lobby admin access where people could give a bogus name to the lobby admin over the phone.
  We have been recommended cisco's CMX, this seems good on the face of it as it is able to integrate with a few social media platforms but can we set the ability to generate emails and SMS messages with this?
  ISE is also another platform we are trying to be sold but I dont think this really addresses the above business requirement.
  Can anyone offer any advise? 
  Thanks 

  Neither.  Look at PurpleWiFi or Nomadix.

• Best way for wireless guest authentication

  Hi
  Can anyone tell me what a good way to authenticate guest wireless in my workplace, we currently use mac auth and usernames in the controller, which is not Cisco.
  What solutions are out there for this, ie something separate to the controller like a radius or authentication server, we may want the guests to register themselves by providing there mobile number etc
  Any ideas?

  When you want to provide guest authentication and then you want certain fields for the user to enter, guest access is best when there is a portal page. When you want guest to enter information like cell number etc, then you either need to find a 3rd party captive portal software, or external webauth server or if you have Cisco wlc, you use ISE.
  Your final requirements will determine what solution can or can't work.
  Sent from Cisco Technical Support iPhone App

• Web guest authentication on ISE 1.1.1

  Can somebody help me about activation of web authentication on only one location (for exemple one catalyst) concerning a vlan guest wifi and wired
  Thanks

  I think you are talking about LWA  .Following link may help you.
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml

• ISE Guest Authentication only with email address

  Hi,
  I want to know is there an option to use ONLY the email address as an authentication credential for Guest user authentication using Guest Protal and this should be done only with Self Registration not with Sponsored accounts.
  Appreciate if someone has done this and advise us how to achieve this.?
  thanks

  The exact scenario explained above is unachievable , however a little different from that can be achieved , see below
  New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2
  Support for Guest Self-Registration Based on Email Domain Whitelist
  You can allow guests to create their own accounts by enabling the self-service feature by choosing: Administration  > Web Portal Management > Settings > Guest > Multi-Portal  Configurations > Operations > Guest users should be allowed to do  self service. When you enable this feature, the account credentials  display on the screen, and they are also emailed to the email address  used to create the account.
  You can restrict this feature by limiting guests' ability to create  their own accounts based on their email domain. By creating an email  domain whitelist, you can ensure that only guest users with email  accounts on those domains can create guest accounts.
  To prevent the account credentials from displaying on the screen, you  must create a custom portal when using an email domain whitelist. These  steps provide an overview:
  1. Create a custom portal, following these guidelines:
  –Add  a required email field and an acceptable use policy (AUP) page to the  Self-Registration html file. See the "Sample Code for Sponsor and Guest  Portal Customizations" appendix in the Cisco Identity Services Engine User Guide, Release 1.2 for a sample file.
  –Add  text to refer users to their email for their login credentials on the  Self-Registration Results html file. See the "Sample Code for Sponsor  and Guest Portal Customizations" appendix in the Cisco Identity Services Engine User Guide, Release 1.2 for a sample file.
  –Map the Login file to the Self-Registration page. See the "Mapping HTML Files to Guest Portal Pages" section in the Cisco Identity Services Engine User Guide, Release 1.2 for detailed instructions.
  2. Configure the SMTP server to support notifications (Administration > System > Settings > SMTP Server).
  3. Specify  the default e-mail address from which to send all guest notifications.  (Administration > System > Settings > SMTP Server and choose Use Default email address).
  4. Create the email domain whitelist. See the "Restricting Self-Registration Based on Email Domain" section.
  5. Customize the self-registration credentials email message. See the "Customizing the Self-Registration Credentials Email" section.
  6. Customize the self-registration failure message. See the "Customizing the Self-Registration Failure Message" section

• HTML Source for Web Page Guest Authentication

  Where is the html source located in the WLC for Guest web authentication page.                  

  If you have 5508 WLC you can download it from here:
  http://www.cisco.com/cisco/software/release.html?mdfid=282600534&release=1.0.2&softwareid=282791507
  If other model, go to cisco download and choose the product to download the software for and from softwares to download for that product choose: Wireless Lan Controller Web Authentication Bundle
  (It is same bundle under all WLCs but you may or may not have permission to download the software depending on what WLC model is listed in your contract).
  HTH
  Amjad
  You want to say "Thank you"? Don't. Just rate the useful answers, that is more useful than "Thank you".

• Guest authentication in ISE

  Hi All,
  We are having two SSID in WLC. We are planning that both SSID users has to get authenticate through ISE by Web auth .
  One SSID users will get authenticate via guest accounts created by sponsor. Another SSID need to get authenticate by AD user group.
  So , in ISE if it is possible to ceate two seperate rules for the SSID's?
  Thanks!
  TS.

  Hi Vijay,
  I am not an ISE guy, but from my understanding to the concept of the policy model on which the ISE is based I can say "yes. It is possible".
  You need to create two different identity sources based on which SSID the user is connecting.
  If a user is connecting to SSID1 then check credentials locally.
  If a user is connecting to SSID2 then check credentials on AD.
  HTH
  Amjad
  p.s: the term "identity source" is from Cisco ACS 5.x. in ISE you may have same or different name but with same concept.
  Rating useful replies is more useful than saying "Thank you"

• ISE Guest Authentication

  We are using ISE 1.2. We have a requirement that the Guest when trying to access the Internet he is redirected to the Self Registration Page. Once he fills in the requisite details the request should go to any Approving Authority . Once he/she approves the request only then the Username and Password should be sent to the end user via Email or SMS.
  Can anyone guide on how this can be accomplished.                

  Currently this feature is not supported on the current 1.2 version, also I have a discussion about that with one of Cisco engineers and he told that this (somehow) maybe implemented on 1.3 version.
  I think that the best approach is to check with your Cisco SE for the feature lists in 1.3.
  Sent from Cisco Technical Support iPad App

• Using 3rd party WEB redirect for Guest authentication

  I'm currently using (Internal) WEBAuth on the WLC for my guest WLAN but my management would like a simlper method.  Some external WEB page that the guest user can fill out a form and enter some information such as name, location and email address and they would get a cookie or something that would provide then guest access for some period of time.  Does anyone know of such a product?
  Thanks,
  Gary

  I don't see  how that is different from web passthrough on the WLC where the user has to type his information but doesn't need a password ...
  Have you looked at the Nac Guest Server ? It's an appliance especially made for that purpose.
  The upcoming ISE has also some cool unified guest features.

• Using external radius with ise for guest authentication

  Hi Everyone,
  I am trying to migrate from NAC Guest Server to Cisco ISE Guest CWA on wireless, and can't figure out whether what i am trying is just unsupported or i just can't find out how to do this ?
  I am attempting to authenticate my existing guest users, using a radius lookup towards my existing NAC Guest server, which has many hundred guest users with long account duration, which i really don't want to recreate on ISE, and send new passwords to all those users. Problem is i can't export the user list from NAC guest server with the password intact, and ISE can't import guest users with a set password.
  Any ideas ?

  Setting up ISE as radius  proxy server will work because NAC guest user does not support exporting user information with passwords
  Step 1 Choose Administration > Network Resources > External RADIUS Servers.
  The External RADIUS Servers page appears.
  Step 2 Click Filter > Advanced Filter to perform your search. The Filter page appears.
  Step 3 You must define whether the search should match any or all of the rules that you define on this page.
  Step 4 Enter your search criteria based on the name or description of the RADIUS server, choose an operator, and enter the value.
  Step 5 You can do the following:
  •To add a filter condition, click the plus sign (+).
  •To remove a filter condition, click the minus sign (-).
  •To clear all filter conditions, click Clear Filter.
  Step 6 Click Go to perform your search.
  You can also save the filter criteria so that it can be used again. Click the Save icon to save the filter condition.

• WIRELESS IOS AUTONOMOUS + Guest to internet + authenticated via a web page.

  Hi to all,
  need to configure with:
  - AUTONOMOUS IOS AP (NOT use a wireless controller)
  - CISCO IOS router 2811
  a guest wireless network that only has access to the internet through a vlan WITH HTTP/S GUEST AUTHENTICATION WEB PAGE ?
  I know:
  "web authorization isn't native to the access point. It is a web authorization portal that is on the WLC."
  "Cisco IT example: At present we use GRE tunnels for guest traffic which was a part of legacy guest networking solution we had at Cisco for several years. GRE tunnels get terminated at one the DMZ routers. Each request for a guest connection to the Internet gets authenticated over https by either a Cisco Building BroadBand Services Manager (BBSM) or a Cisco NAC Appliance. Guests get provided with an access code in advance as we use a web based portal/application to produce those. Also we support guest connections for both wireless and wired clients from some switch ports. "
  I am looking for any suggestions (are there any feature on CISCO IOS ROUTER for "HTTP/S GUEST AUTHENTICATION WEB PAGE").
  Thanks.
  Roberto Taccon

  If the router with auth proxy is the one providing the ip address on the client connecting to the autonomous AP, it may be an option.
  Local AAA will not work with auth proxy as then there you are no longer in a scenario where the router is proxy.
  You could get a WLC526 (small controller) to get the web auth, or a free radius server (many out there) that will run on a linux server and then use the http proxy feature.
  I personally recommend you to get a WLC, in the long run you will benefit of many more features and you will be able to very easily add other access points.
  The WLC526 is the smaller one:
  http://www.cisco.com/en/US/docs/wireless/controller/526/1.5/configuration/guide/2_add_contr.html

• WLC to ISE authentication for Guest

  Hi Experts,
  Hope if you could guide me with our setup for Guest users. Below is what we are doing
  a)     Guest connects to SSID
  b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
  c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
  The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
  'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
  Appreciate your help

  The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
  Please follow below guide for step by step configuration:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• ISE Wired guest portal redirect even after authentication

  Hi
  I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
  I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
  Here is what I see on the interface
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  a0b3.ccca.2ab1
             IP Address:  10.1.3.16
              User-Name:  A0-B3-CC-CA-2A-B1
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F000001571E52779F
        Acct Session ID:  0x00000309
                 Handle:  0xE6000158
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  Here is the ACL
  Extended IP access list ACL-WEBAUTH-REDIRECT
      10 deny udp any any eq domain (1344 matches)
      20 deny ip any host 172.20.5.12 (8122 matches)
      30 deny ip any host 172.20.5.14
      40 permit tcp any any eq www (3124 matches)
      50 permit tcp any any eq 443 (202927 matches)
      60 permit tcp any any eq 8080 (114 matches)
      70 permit ip any any (8056 matches)

  Hi Mohannad,
  Thanks for your response.
  Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
  We need to find out why the next Auth policy is not hitting once user is authenticated.
  Here is the port configuration and the authen status of the port.
  ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
  Building configuration...
  Current configuration : 427 bytes
  interface GigabitEthernet4/0/19
  switchport access vlan 103
  switchport mode access
  switchport voice vlan 135
  authentication event fail action next-method
  authentication host-mode multi-auth
  authentication order dot1x mab
  authentication priority dot1x mab webauth
  authentication port-control auto
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end
  ABQT-3FLR-ACC-01#
  Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
  ABQT-3FLR-ACC-01#
  ABQT-3FLR-ACC-01#sh atuh
  ABQT-3FLR-ACC-01#sh atu
  ABQT-3FLR-ACC-01#sh authe
  ABQT-3FLR-ACC-01#sh authentication se
  ABQT-3FLR-ACC-01#sh authentication sessions in
  ABQT-3FLR-ACC-01#sh authentication sessions interface gi
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  0015.c5b4.fd4a
             IP Address:  10.1.3.23
              User-Name:  00-15-C5-B4-FD-4A
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F0000018A32B4D906
        Acct Session ID:  0x00000394
                 Handle:  0x3E00018B
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success

• ISE Authentication cache in CWA for Guest

  Ciao,
  do you known how I can cache a guest authentication ? 
  For example a Guest connect to guest SSID (open); authenticate using CWA (ISE and WLC). After that every time the guest logoff and login,  no authentication is required during the same days.
  Thanks

  You can find "Automatically register guest devices /Allow guests to register devices"  option here -> Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Registration Settings.
  using this option -Automatically create an endpoint for the device from which the guest is accessing this portal. The endpoint will be added to the endpoint identity group specified for this portal and is subject to the identity group's purge policy.
  An authorization rule can now be created to allow access to endpoints in that identity group, so that web authentication is no longer required.
  And you have "ActivatedGuest" option in 1.2