Cisco Identity Services Engine

ISE Guest Accounts for RADIUS/802.1x Authentication Configuration Example

Document ID: 115802

Updated: Jan 15, 2013

Contributed by Vivek Santuka and Beau Wallace, Cisco TAC Engineers.



This document describes how to configure guest accounts for any RADIUS-based authentication, as well as portal-based authentication, on Cisco Identity Services Engine (ISE).



The procedures in this document require basic knowledge of Cisco Identity Services Engine (ISE) and IEEE 802.1x.

Components Used

The information in this document is based on the Cisco Identity Services Engine (ISE).

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to the Cisco Technical Tips Conventions for information on document conventions.

Background Information

This feature described in this document works differently between ISE versions.

  • Before ISE 1.1.1: All guest accounts stay in an inactive state when they are created, and they are not activated until the first log in through the guest portal. While in the inactive state, they cannot log in using RADIUS.

  • ISE 1.1.1 and later: Guest accounts created in the default group (ActivatedGuest) are active immediately after they are created. Cisco Bug ID CSCuc76477 (registered customers only) applies to these version. Due to this issue, accounts are not created with an active status if the DefaultFirstLogin time profile is used. In order to resolve this issue, use a different default or custom time profile.


In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Configuration Considerations for All Versions

These considerations apply to all version:

  • Any authentication rule that uses the guest accounts should have Internal Users as the source.

  • Any authorization rule for such a sequence should match on Guest (before ISE1.1.1) or Activated Guest (ISE 1.1.1 and later).

  • Sponsor portal and self registration configuration should place the guest account in the correct group. For ISE 1.1.1, the correct group must be ActivatedGuest in order to avoid the requirement for the first log in through the guest portal.

Configuration for ISE 1.1.1 and Later

Complete these steps in order to configure ISE 1.1.1 and later:

  1. Configure the Sponsor Group in order to assign the ActivatedGuest role.


  2. Configure an authorization policy in order to allow ActivatedGuest group access.


Sponsor users should now be able to create guests with the ActivatedGuest role. Users created here should be able to log in through 802.1x or any other authentication method that supports the internal identity store. In the live authentication logs, you should see the text shown in this image:


Note:  The Identity Group is correct, and the identity store is "Internal Users."

Related Information

Updated: Jan 15, 2013
Document ID: 115802