topic ISE Hotspot portal only allow certain devices in Network Access Control

ISE Hotspot portal only allow certain devices

deyster94 — Fri, 26 Jan 2018 22:21:23 GMT

I am working on configuring ISE for my client's guest wireless. They only want to allow certain devices (i.e. laptops, tablets, phones) and not streaming/gaming devices. With that being the case, I have profiling running to detect what type of devices is connecting to their wireless network. However, I am running into an issue with the devices that are allowed getting constantly redirected. What I have for my authorization policies are as follows:

Rule 1: if you are part of the GuestEndpoints identity group and this allowed profiled group, you are allowed on

Rule 2: WebAuth redirect

Rule: deny access

From what I can tell, a device cannot be part of two identity groups. Since that is the case, I need suggestions on how to get this to work. If i remove the condition from Rule 1 of having to be part of the GuestEndpoints Identity group, devices that are already profile (usually Windows devices) are allowed on without going to the splash page and get internet access. We cannot use any portal that requires credentials being enter as this is for a retirement community, hence the Hotspot portal.

ISE is version 2.3, patch 2

Two ISE VM's running in HA mode

Let me know if you need any other information.

TIA,

Dan

Re: ISE Hotspot portal only allow certain devices

paul — Fri, 26 Jan 2018 22:35:26 GMT

A MAC address can belong to a endpoint profile group and an endpoint identity group. The hotspot process maps the MAC address to an endpoint identity group and doesn't touch the endpoint profile group. So your rule should be able to work with an endpoint profile group and endpoint identity group specified.

I would personally do the profile check at the redirect rule. Why even bring unwanted users to the portal. Keep it easier by using a logical profile of the profiles you want to allow.

If GuestEndpoints then Internet Access

If Allowed_Guest_Logical_Profile then redirect

else Deny Access

The only reason to bring everyone into the portal is if you are relying on the collection of the HTTP header information to help with profiling things correctly then it would be:

If GuestEndpoints and Allowed_Guest_Logical_Profile then Internet Access

else Redirect

Re: ISE Hotspot portal only allow certain devices

Jason Kunst — Fri, 26 Jan 2018 22:41:28 GMT

What about using the lastaupacceptance value

If profiled and lastaupacceptance is greater than x hours the permit

If profiled and lastaupacceptance is less than x hours then redirect to portal

If wireless mab then redirect to portal

If not allowed then redirect to bad page

Re: ISE Hotspot portal only allow certain devices

paul — Fri, 26 Jan 2018 22:48:04 GMT

That works as well, but no reason the endpoint identity group and the endpoint profile group/logical profile can’t be used in the same rule.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: ISE Hotspot portal only allow certain devices

deyster94 — Sat, 27 Jan 2018 04:21:20 GMT

Paul,

I tried do what you suggested. However, some devices, like Android and IOS have to be able to reach the WebAuth page to be profiled correctly. Android and IOS use the HTTP probe to be profiled with ISE.

-Dan

Re: ISE Hotspot portal only allow certain devices

deyster94 — Sat, 27 Jan 2018 04:22:17 GMT

Jason,

Thanks for the suggestion. I will give it try Monday and report back.

Dan

Re: ISE Hotspot portal only allow certain devices

paul — Sat, 27 Jan 2018 04:23:44 GMT

That is fine then just do the first flow I mentioned. Use a logical profile + guest endpoints.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250