Preview Tool

Cisco Bug: CSCun35563 - Two "UseCase" Attributes for Guest Access ISE flow

Last Modified

Feb 27, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases


Description (partial)

When configuring ISE for guest access. and if we are using dot1x instead of MAB.we are tryiing the following set up 

1. When guest device is connected on the switch, guest will login with guest user account with PEAP(MSCHAPv2). ISE runs as a RADIUS proxy to forward the authentication to the external RADIUS Servers.
2. If external RADIUS servers returns a pass result, ISE responses with a url-redirect to point the user to the ISE Guest portal. 
3. Guest login on the portal again with the same user account. ISE checks with the same external RADIUS servers again.
4. After COA, guest devices suppose to get full access by matching the attribute "UseCase" to "Guest Flow" in the authorization policy.

However we found it failed to match in step 4. What we found is that there are 2 UseCase attributes in the log - one is "Proxy" and one is "Guest Flow". It seems like the authorization policy always match the first UseCase attirbuite, but not the 2nd one. As a result, it always return the url-rediret profile again. 

we need a way to match the second use case and not the first one

Proxy radius with Guest Flow
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.