topic Re: ISE Guest Flow with Multiple Endpoint Identities in Network Access Control

ISE Guest Flow with Multiple Endpoint Identities

scamarda — Mon, 11 Apr 2016 17:19:52 GMT

Customer has guest wireless controlled via ISE. Employees are allowed to use the guest wireless with their personal devices when they log in through active directory. Once the employee logs in via the portal page, they are registering the device so the system does a MAB on the second and subsequent logins for that device. What they are asking is to be able put certain users in separate identity groups. This is to be able to purge the registered devices at specific intervals. For example, Executives would log in one time and not have to enter credentials again for 365 days (after the device is purged). Employees would log in from the guest portal and their device would be purged out after 30 days. In the guest portal and byod portals it only shows 1 identity group to assign the user. Can I assign more then one identity group in a guest flow? I think what I am looking for is DRW with multiple identity groups.

Is there another way to be able to assign guest users to different policies and then purge them at a specific interval?

Re: ISE Guest Flow with Multiple Endpoint Identities

Jason Kunst — Mon, 11 Apr 2016 17:26:06 GMT

Since both of these type of users are in the same Identity store and considered employees to the guest portal thank I think you could do it the following way.

This would assume you have an AD group for execs vs employees or perhaps LDAP attribute?

Create endpoint groups for employees and another for execs. Purging policy as needed.
Create a hotspot portal for employee devices and another for executives and choose the corresponding endpoint groups.
Setup authorization rule above the standard redirect rule to say if guest flow and employees then redirect to employee hotspot portal. Make another rule above that for Executives group.

Re: ISE Guest Flow with Multiple Endpoint Identities

scamarda — Tue, 12 Apr 2016 17:07:22 GMT

Followed your instructions below. I have three rules plus the CWA. Hotspot 1, Hotspot 2 and a Guest Access depending on the Hotspot assigned identity.

I've enabled the policy - user hits CWA then is redirected to appropriate Hotspot portal. The hotspot portal is set up to put the endpoint in a specific endpoint identity. Flow goes through hotspot but the endpoint assignment does not happen. The endpoint identity stays as Unknown and I loop back to CWA.

What am I missing ?

Re: ISE Guest Flow with Multiple Endpoint Identities

Jason Kunst — Tue, 12 Apr 2016 17:27:46 GMT

What version of ise ?

I have heard something similar where endpoint is not being registered into group

Is regular hotspot working?

Re: ISE Guest Flow with Multiple Endpoint Identities

scamarda — Tue, 12 Apr 2016 17:36:10 GMT

ISE 2.0 no patch. Will have to test regular hotspot functionality.

Re: ISE Guest Flow with Multiple Endpoint Identities

Jason Kunst — Tue, 12 Apr 2016 17:42:19 GMT

I know there was a problem with ISE 2.0 with no patch not registering correctly

Can you apply latest patch and then make sure you are sending to an AUP page where they have to hit accept?

Re: ISE Guest Flow with Multiple Endpoint Identities

scamarda — Wed, 13 Apr 2016 11:15:25 GMT

Upgrading to 2.0.1.130 seems to have fixed the issue.

Thanks.

Sam

Re: ISE Guest Flow with Multiple Endpoint Identities

ajamerica — Tue, 28 Jun 2016 20:41:49 GMT

This is a very interesting setup. Could you share a quick screen capture of your Auth policies? I am looking at applying the same method.

Re: ISE Guest Flow with Multiple Endpoint Identities

Jason Kunst — Wed, 06 Jul 2016 19:03:24 GMT

scamarda can you share

Re: ISE Guest Flow with Multiple Endpoint Identities

scamarda — Thu, 07 Jul 2016 21:16:29 GMT

Usernames are loaded in AD. Originally the use CWA. The different AD user types are directed to their respective hotspot portal. Once they hit the portal there are assigned a unique identity. There is an AUP in between CWA and the Hotspot. Other than that, not interaction. The identities are defined with different purge times.

Re: ISE Guest Flow with Multiple Endpoint Identities

Jason Kunst — Thu, 07 Jul 2016 21:23:25 GMT

ok assuming you have authz rules above that with the different endpoint groups

if executiveEndpoint then permitExecutive permissions

if UserEndpoint then permitUser permissions

Re: ISE Guest Flow with Multiple Endpoint Identities

scamarda — Thu, 07 Jul 2016 21:29:24 GMT

This was on the guest network so no permission differences. Customer wanted to have execs renew AUP every 365 days and Employees using the Guest Wifi every 8 days. Needed a way to purge devices that were using the Guest WiFi. Once purged, AUP was redisplayed. Also a way to clean up the DB clutter.

Re: ISE Guest Flow with Multiple Endpoint Identities

ajamerica — Mon, 11 Jul 2016 19:42:18 GMT

Thanks for sharing! I am working on setting up the same scenario for a customer as well. We are now trying to configure identity mapping to identify the users on these open connections.