Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
769
Views
0
Helpful
6
Replies

Guest Endpoint not switching Identity Group Assignment

Go to solution
umahar
Cisco Employee
Cisco Employee

‎01-22-2018 01:29 PM

We are running ISE 2.1 patch 5. After guest clicks on Accept we still get the redirection URL and we found that the Identity Group Assignment is never switched to GuestEndpointGroups.

Does this look like a bug ? There is nothing wrong with the configuration.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to umahar

‎01-22-2018 01:47 PM

By default (unless something was changed in profiler, etc) it wouldn’t be in an endpoint group until you went through the guest flow.

Is this a fresh install? Why aren’t you on patch 6?

Your policy should be

If wireless_mab and guestendpoint then permit access

If wireless_mab then redirect

Otherwise please open a tac case

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎01-22-2018 01:33 PM

I have a concern with the switching identity group part

Are you saying that its in one identity group in the beginning and then you want to switch?

Guest is mean to take unknown fresh endpoint and move it into the guestendpointgroup.

I don’t believe we support switching identity group through the portal after its already in another group

0 Helpful

Go to solution
umahar
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎01-22-2018 01:39 PM

Initially it is profiled as Workstation and is placed into Workstation meanwhile the endpoint gets a web redirection.

Then after the guest registers shouldn't it get placed into GuestEndpoints Identity Group ?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to umahar

‎01-22-2018 01:47 PM

By default (unless something was changed in profiler, etc) it wouldn’t be in an endpoint group until you went through the guest flow.

Is this a fresh install? Why aren’t you on patch 6?

Your policy should be

If wireless_mab and guestendpoint then permit access

If wireless_mab then redirect

Otherwise please open a tac case

0 Helpful

Go to solution
umahar
Cisco Employee
Cisco Employee

‎01-22-2018 02:01 PM

It's not a fresh install (even though we might plan a patch upgrade) and we have the same authorization policies like you mentioned.

If wireless_mab and guestendpoint then permit access

If wireless_mab then redirect

The endpoint connects and gets profiled as Windows7-Workstation while it gets the URL redirection but remains there even after the guest registers and accepts and hence hits the default rule again.

We have referred the guestendpoint group correctly in the guest portal.

errorpages.png

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to umahar

‎01-22-2018 02:10 PM

is the guest portal set to register the endpoint? guest device registration settings for the portal?

Were any of the profiler setting changed? for workstation?

Do you have a fresh setup to compare it to?

I would suggest a tac case

0 Helpful

Go to solution
umahar
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎01-25-2018 10:34 AM

My bad. We were missing Registration

0 Helpful
Customers Also Viewed These Support Documents