topic Restrict GuestType to specific portal/SSID in Network Access Control

Restrict GuestType to specific portal/SSID

KevinMuller — Mon, 18 Aug 2025 14:46:30 GMT

Hello!
For a customer, i'd like to configure two captive portals respectively tied to two SSID (different usage).

However, i'd like Guest Type to be tied to one of the captive portal/SSID, basically :
- GuestType "A" can only authenticate to GuestPortal/SSID "A"
- GuestType "B" can only authenticate to Guest Portal/SSID "B"
- GuesType "B" cannot login to Guest Portal/SSID "A" and vice-versa

I there a way to perform this with ISE in 3.3 ?
Thanks a lot!

Re: Restrict GuestType to specific portal/SSID

ahollifield — Mon, 18 Aug 2025 14:48:15 GMT

If I understand correctly, just assign different Endpoint ID Groups to each portal. In authz policies map those EIDs to SSIDs.

Re: Restrict GuestType to specific portal/SSID

KevinMuller — Mon, 18 Aug 2025 14:50:11 GMT

Yes, this is something that^I've done already but it does not prevent you to have GuestType "A" authenticating on Guest Portal "B", and if the users does so, its MAC will be added to the Endpoint ID Group mapped to GuestType "A",

Re: Restrict GuestType to specific portal/SSID

MHM Cisco World — Mon, 18 Aug 2025 14:51:41 GMT

In wlc make sure you set calling ID to inlcude SSID

Then match SSID in authz

MHM

Re: Restrict GuestType to specific portal/SSID

KevinMuller — Mon, 18 Aug 2025 14:56:01 GMT

Yes, that's already what I do for "classic" CWA, but in the Identity Source Sequence mapped to the Guest Portal, there is no way to set a specific "user groups", you can only define identity store.

Re: Restrict GuestType to specific portal/SSID

MHM Cisco World — Mon, 18 Aug 2025 15:00:32 GMT

I think you can do two policy (not two authz policy) and match SSID in policy.

So each policy have it authz policy abd it portal

MHM

Re: Restrict GuestType to specific portal/SSID

ahollifield — Mon, 18 Aug 2025 15:01:27 GMT

Just curious but why treat these two guest differently in the first place?

Re: Restrict GuestType to specific portal/SSID

Arne Bier — Mon, 18 Aug 2025 20:58:25 GMT

@KevinMuller what is Type A/B exactly, and how would ISE discern (in a RADIUS Access-Request) which is which? You can't rely on MAC addresses - so there is no unique client identifier that I know of, at the pre-auth stage (i.e. the stage where you want this MAC address to be steered to a particular Guest Portal).

Re: Restrict GuestType to specific portal/SSID

KevinMuller — Tue, 19 Aug 2025 08:58:37 GMT

Type A/B are GuestType (so basically the User ID Group to which Guest account belong).
Indeed, there is no actual way of filtering on the pre-auth as ISE only get the client's MAC, but I was thinking of restricting access to "A" portal to only guest that below to User ID Group mapped with GuestType "A" during the portal authentication. Hope it makes it clearer 🙂

Re: Restrict GuestType to specific portal/SSID

MHM Cisco World — Tue, 19 Aug 2025 09:11:25 GMT

Re: Restrict GuestType to specific portal/SSID

MHM Cisco World — Tue, 19 Aug 2025 09:36:47 GMT

You have One SSID or two ?

If you have two use one for each policy.

MHM

Re: Restrict GuestType to specific portal/SSID

Arne Bier — Tue, 19 Aug 2025 10:18:32 GMT

I don’t understand why you’d want to do that. Notwithstanding the fact that it’s possible to direct a client to a specific portal based on MAC address identity - unless you had some bizarre 6th sense to know which MAC address needs which portal. The screenshot that MHM posted doesn’t solve the issue either. The portal selection can be done on ISE hostname, but that means the WLC is now the one with the 6th sense to know which PSN to target. What exact problem are you looking to solve? Is it that you want the self registering user to end up in a specific group, rather than the default (and one and only) Group for self registering guest flow?

Re: Restrict GuestType to specific portal/SSID

KevinMuller — Tue, 19 Aug 2025 11:45:01 GMT

Challenge is quite simple : Sponsor can create account for group "A" or group "B". Depending on the SSID you are connected to, and the associated portal (Portal are different between SSID "A" and "B"), you only allow guest account from group "A" or group "B".
Let's say you have a Guest/Visitor SSID with its associated portal where Guest account are created and associated to User ID Group "Guest". We don't want them to use their account to associated to another CWA SSID named "Contractor" which is also authenticated via ISE. Even if the Guest Portal is different the Identity Store remains the same (Guest Users) and there is no way natively to limit to specific User ID Groups (Guest Type)

Re: Restrict GuestType to specific portal/SSID

Arne Bier — Tue, 19 Aug 2025 22:40:35 GMT

You should create two Guest Types - Contractor and GuestOnly - each Guest Type has its own Endpoint Identity Group and rules etc. The question you're asking is how to ensure that Contractor can't authenticated on 'GuestOnly' Portal and vice-versa.

I think that would be possible in an Authorization Policy (each Guest Type that you create, also creates an internal user Identity Group that can be leveraged here)

The Rules shown above do not include handling HA (multiple PSN's) - you should add the ISE hostname check to redirect to your secondary PSN (if you have one) - that just doubles the rules to 4 in total.

The Rules that come after the redirection part will then simply check the Endpoint Identity Group and then return the Authorization Policies accordingly (Access-Accept with Session-Timeout etc.)

Re: Restrict GuestType to specific portal/SSID

MHM Cisco World — Tue, 19 Aug 2025 23:10:01 GMT

So what difference between my suggestion and your?

Really don't get.

MHM

Re: Restrict GuestType to specific portal/SSID

Arne Bier — Tue, 19 Aug 2025 23:56:11 GMT

@MHM Cisco World - your screenshot shows the proven solution for doing ISE Portal HA, by checking which PSN is processing the request (hostname check) and then returning the appropriate URL to the endpoint. Noticed that the SSID is the same in both rules.

What @KevinMuller was asking for was to prevent Guests and Contractors from using the wrong portal - and that enforcement requires validation of the SSID AND the Internal User Group of the authenticating user.

My comment at the end of my last post mentioned the HA aspect - which your slide covered. So it's a merging of both of our suggestions.

Re: Restrict GuestType to specific portal/SSID

MHM Cisco World — Wed, 20 Aug 2025 00:01:11 GMT

@Arne Bier

Please check my all comments' I already mentioned many times he need two ssid.

MHM

Re: Restrict GuestType to specific portal/SSID

Arne Bier — Wed, 20 Aug 2025 00:05:58 GMT

You're right about suggesting two SSID's - it was when @KevinMuller explained his intention of restricting each guest type to a particular portal, that I added the AND rule logic to enforce that.

Something worth trying and testing.

Re: Restrict GuestType to specific portal/SSID

KevinMuller — Wed, 20 Aug 2025 08:03:14 GMT

You cannot checks on these conditions are for CWA you perform Host Lookup type of authentication. ISE performs the authentication process on the guest portal "internally", it doesn't go through the RADIUS Policy Sets for this. Only Endpoint ID Groups are correct conditions in the AuthZ Rules (unfortunatly ...).
I'll try enable external authentication in the ISS pointing to RADIUS Token Identity Store where the RADIUS Server is actually the same ISE to "loopback" the authentication.I've never tested that before. Anyhow, even if it works, I can only restrict one Portal not both.

Re: Restrict GuestType to specific portal/SSID

MHM Cisco World — Wed, 20 Aug 2025 08:21:42 GMT

You cannot checks on these conditions are for CWA you perform Host Lookup type of authentication. <<- I dont get what you meaning here

But

Guest when it authc in ISE it CWA

MHM