
Document ID: 115802
Updated: Jan 15, 2013
Contributed by Vivek Santuka and Beau Wallace, Cisco TAC Engineers.
Introduction
This document describes how to configure guest accounts for any RADIUS-based authentication, as well as portal-based authentication, on Cisco Identity Services Engine (ISE).
Prerequisites
Requirements
The procedures in this document require basic knowledge of Cisco Identity Services Engine (ISE) and IEEE 802.1x.
Components Used
The information in this document is based on the Cisco Identity Services Engine (ISE).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for information on document conventions.
Background Information
The feature described in this document works differently depending on the ISE version:
- Before ISE 1.1.1: All guest accounts stay in an inactive state when they are created, and they are not activated until the first log in through the guest portal. While in the inactive state, they cannot log in using RADIUS.
- ISE 1.1.1 and later: Guest accounts created in the default group (ActivatedGuest) are active immediately after they are created. Cisco Bug ID CSCuc76477 (registered customers only) applies to these versions. Due to this issue, accounts are not created with an active status if the DefaultFirstLogin time profile is used. In order to resolve this issue, use a different default or custom time profile.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Configuration Considerations for All Versions
These considerations apply to all versions:
- Any authentication rule that uses the guest accounts should have Internal Users as the source.
- Any authorization rule for such a sequence should match on Guest (before ISE 1.1.1) or ActivatedGuest (ISE 1.1.1 and later).
- Sponsor portal and self registration configuration should place the guest account in the correct group. For ISE 1.1.1, the correct group must be ActivatedGuest in order to avoid the requirement for the first log in through the guest portal.
Configuration for ISE 1.1.1 and Later
Complete these steps in order to configure ISE 1.1.1 and later:
- Configure the Sponsor Group in order to assign the ActivatedGuest role.
- Configure an authorization policy in order to allow ActivatedGuest group access.
Sponsor users should now be able to create guests with the ActivatedGuest role. Users created here should be able to log in through 802.1x or any other authentication method that supports the internal identity store. In the live authentication logs, you should see the text shown in this image:
Note: The Identity Group is correct, and the identity store is "Internal Users."
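The version behavior in Background Information and the considerations under Configure can be checked together before guests are handed out. The script below is an added example, not Cisco code: the dictionary layout, its field names, and the sample values are assumptions constructed for illustration and do not correspond to an ISE export format.

```python
# Added example. Field names and sample values are constructed, not an ISE export format.

def version_tuple(version):
    """Turn '1.1.1' into (1, 1, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def audit_guest_radius(cfg):
    """Return findings that would stop a new guest from logging in directly over RADIUS."""
    findings = []
    activated = version_tuple(cfg["ise_version"]) >= (1, 1, 1)
    expected_group = "ActivatedGuest" if activated else "Guest"

    # Applies to all versions: guest accounts live in the internal identity store.
    if cfg["authn_identity_source"] != "Internal Users":
        findings.append("authentication rule must use Internal Users as the source")
    if expected_group not in cfg["authz_identity_groups"]:
        findings.append(f"authorization rule must match on {expected_group}")

    if not activated:
        # Before 1.1.1 every account is inactive until the first guest portal login.
        findings.append("account stays inactive until first guest portal login")
        return findings

    if cfg["sponsor_guest_role"] != "ActivatedGuest":
        findings.append("sponsor group must assign the ActivatedGuest role")
    if cfg["time_profile"] == "DefaultFirstLogin":
        findings.append("CSCuc76477: DefaultFirstLogin leaves the account inactive")
    return findings

# Constructed sample configurations.
SAMPLE_OK = {
    "ise_version": "1.1.1",
    "authn_identity_source": "Internal Users",
    "authz_identity_groups": ["ActivatedGuest"],
    "sponsor_guest_role": "ActivatedGuest",
    "time_profile": "LabCustomProfile",  # hypothetical custom time profile
}
SAMPLE_MISCONFIGURED = dict(
    SAMPLE_OK,
    authn_identity_source="Active Directory",
    authz_identity_groups=["Guest"],
    sponsor_guest_role="Guest",
    time_profile="DefaultFirstLogin",
)
SAMPLE_LEGACY = dict(SAMPLE_OK, ise_version="1.1", authz_identity_groups=["Guest"])

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_MISCONFIGURED", "SAMPLE_LEGACY"):
        print(name, audit_guest_radius(globals()[name]))
```

An empty list means a newly created guest should be able to authenticate over 802.1x without first visiting the guest portal.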