
Customizing ISE Guest Portal to allow both direct Internet access and VIP login

Nate Zhang
Cisco Employee

We are trying to find a solution for the below, which is pretty much seen in the hotel industry.

There are 2 parts on the portal.

1. (Upper half) A button for guest login. Guests who click the button will get internet access immediately and 5m bandwidth will be assigned.

2. (Bottom half) Username/Password input field to allow VIP users to log in with their credentials accordingly. Upon login, VIP users will have Xmb bandwidth.


If this is doable, are we able to assign authorization based on different level/type of VIP users?

These users are managed in the customer CRM system (ODBC) and there are 3 levels of VIP users.

Depending on the level, we would like to authorize bandwidth using 'Aire-xxx-xxx' to the WLC.

level1 -10m
level2 -20m
level3 -50m

Accepted Solutions

Arne Bier
VIP

Hello

I have developed something along these lines by creating an all-in-one portal - see below:

https://community.cisco.com/t5/security-documents/combining-sponsored-guest-portal-and-hotspot-portal-into-one/ta-p/3875968

The Authorization Policies would send back the RADIUS attributes to set the per-user rate limits to the WLC as required.

Each VIP type would be a separate GUEST TYPE. And you can check/test for that during authorization and then send the appropriate RADIUS attribute to the WLC.

If you're doing Remember-Me, then you can also check which Endpoint Identity Group the MAC address was found in, and return the same bandwidth attributes.

BTW I don't know how to get the portal screen to look exactly as you require - in my case I (ab)used the Self-Registration link of the Sponsored Portal to link to a "Hotspot" page with AUP. I think it might be possible to change the portal layout, but in my experience I don't like to involve jQuery because it can end up breaking the Apple CNA (Captive Network Assistant). Maybe there is another way.

Thank you Arne. This is very much something I'm looking for to start with. I have gone through your post, and a quick question: is it possible to assign different authorization when the user is from 'Get Instant Internet Access' vs. from 'Sign on'?

To my understanding, they are of different 'type' and will have different 'expired date' in the backend system.
What we want to do is assign different bandwidth to those users, so I'm thinking of finding a way to create authorization rules like below:

If from 'Get Instant Internet Access', then give 5m bw + internet only
If from 'Sign on' and VIP type 1, then give 10m bw + internet only
If from 'Sign on' and VIP type 2, then give 20m bw + internet only

I will go ahead with testing based on your post and see if this is possible. Once it is achieved, I will check whether it is possible where those VIP users are from ODBC.