I started getting random complaints from users stating that authorized guests were unable to login to Guest Portal and were getting “Authentication failed” messages. What was interesting it was happening for users created in advance with start times the day before. Checking online I came across this bug CSCux20531 but it did not apply. Guest locations and time-zones were in order. To avoid confusions with time-zones I removed all but one – EST. That way no matter if you are East or West – guest account will be enabled from time-zone perspective.
Next, I checked Policy Service Nodes (PSN) since that is where authentication is taking place. Make sure time matches with Policy Administration Node using CLI command “show clock“. In my case, all times were in sync.
And last but not least check for access restrictions under Guest Access > Configure > Guest Types. There are several default types configured and one of them is Vendor. Check settings to find out restrictions are set to allow access from 9:00 AM to 5:00 PM only. Removing restriction fixed the issue.
It would be nice for ISE log message to be more descriptive instead of just Authentication failed. Hopefully, Cisco is working on it and in upcoming releases, it will be easier to troubleshoot guest login failures.