topic ISE Hotspot deny page in Network Access Control

ISE Hotspot deny page

deyster94 — Mon, 08 Jan 2018 16:27:19 GMT

I have setup a hotspot page for my client in ISE. They are using this for their guest wireless, but it is locked down to only allow certain types of devices on it (i.e. PC's, tablets, etc....not streaming devices like Roku's). At any rate, they asked if there is a way to have a deny page come when someone tries to connect with a device like a Roku. They feel that they will get a lot of phone calls without a deny page. Not sure if this can be done or not.

TIA,

Dan

Re: ISE Hotspot deny page

ldanny — Mon, 08 Jan 2018 17:04:28 GMT

You could redirect them to a custom portal like Blacklist Portal

Heres a thread on the topic

Blacklist for Registered Corporate MAC's on Guest??

How To Whitelist or Blacklist an Endpoint by Endpoint Profile

How To Whitelist or Blacklist an Endpoint by MAC Address

Thanks,

Danny

Re: ISE Hotspot deny page

Jason Kunst — Mon, 08 Jan 2018 18:08:07 GMT

You said its locked down to certain devices? How are they doing that? Or is this just a policy that they don’t want to allow it but they aren’t actually restricting it now because they don’t know how?

For this to work you would need to identify the groups of devices that are allowed and then using Plus licensing and profiling setup policies

The problem I see however is that when you first come in you will be redirected to the hotspot portal and only then recognized by the browser user agent string on the roku. Then you will have to do a Change of authorization with the profile change to get the new authz policy

Does the roku even have a web browser where they could see this message?

Here is how it may work but you would have to lab it up. It might prove problematic.

If wireless mab and guestendpoints and notallowed then redirect to message portal

If wireless_mab and guestendpoints and alloweddevices then permit access

If wireless_mab then redirect to hotspot portal

If you can get this to work then here is a way to make a message portal.

https://communities.cisco.com/docs/DOC-64018

Look for hotspot as a message portal

For ISE 2.2 and higher you can use the Custom portal files to host an HTML file to redirect to

See powerpoint at this top of that page what’s new in ISE 2.2, look at slide 15

https://communities.cisco.com/docs/DOC-64018#jive_content_id_ISE_22

Re: ISE Hotspot deny page

deyster94 — Mon, 08 Jan 2018 18:37:53 GMT

Jason,

Thanks for the response.

The solution was sold as follows. When a device connects, ISE will profile the device and if it it matches an allowed profile, it can access the guest wireless, otherwise they are blocked. This wireless is for guests and residents (this is a retirement community).

Honestly, I think it would be easier to send a letter out to the residents to let them know what only certain devices can connect, or vice versa. You do bring up a good point of some devices won't be able to display a deny access page.

Dan

Re: ISE Hotspot deny page

Jason Kunst — Mon, 08 Jan 2018 18:42:55 GMT

OK well like I said it might be problematic on what you expect to work. With profile changes and COAs and correctly identifying allowed devices vs not allowed devices.

I suggest that its validated and tested in a lab to see if it can work per expectations.

Re: ISE Hotspot deny page

deyster94 — Mon, 08 Jan 2018 18:58:24 GMT

I talked to them more about this that most, if not all, the devices that will be blocked won't have the ability to display a deny page. Once they thought about it, they agreed to leave it be for now.

Thanks again.

Re: ISE Hotspot deny page

Jason Kunst — Mon, 08 Jan 2018 19:05:07 GMT

Great! Makes sense