cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

173
Views
0
Helpful
2
Replies
Cisco Employee

Customizing ISE Guest Portal to allow both direct Internet access and VIP login

We are trying to find a solution for below which is pretty much seen in Hotel Industry.

 

There are 2 parts on the portal.

1. (Upper half) A button for guest login. Guests who click the button will get internet access immediately and 5m bandwidth will be assigned.

2. (Bottom half) Username/Password input field to allow VIP users to login with their credentials accordingly. Upon login, VIP users will have Xmb bandwidth.


If this is doable, are we able to assign authorization based on different level/type of VIP users?

These users are managed in the customer CRM system (ODBC) and there are 3 levels of VIP users.

Upon a different level, we would like to authorize bandwidth using 'Aire-xxx-xxx' to WLC.

level1 -10m
level2 -20m
level3 -50m

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

Re: Customizing ISE Guest Portal to allow both direct Internet access and VIP login

Hello

 

I have developed something along these lines by creating an all-in-one portal - see below:

 

https://community.cisco.com/t5/security-documents/combining-sponsored-guest-portal-and-hotspot-portal-into-one/ta-p/3875968

 

The Authorization Policies would send back the RADIUS attributes to set the per-user rate limits to the WLC as required.

Each VIP type would be a separate GUEST TYPE. And you can check/test for that during authorization and then send the appropriate RADIUS attribute to the WLC.

If you're doing Remember-Me, then you can also check which Endpoint Identity Group the MAC address was found in, and return the same bandwidth attributes.

 

BTW I don't know how to get the portal screen to look exactly as you require - in my case I (ab)used the Self-Registration link of the Sponsored Portal to link to a "Hotspot" page with AUP.  I think it might be possible to change the portal layout, but in my experience I don't like to involve JQuery because it can end up breaking the Apple CNA (Captive Network Assistant).  Maybe there is another way.

 

2 REPLIES 2
VIP Advocate

Re: Customizing ISE Guest Portal to allow both direct Internet access and VIP login

Hello

 

I have developed something along these lines by creating an all-in-one portal - see below:

 

https://community.cisco.com/t5/security-documents/combining-sponsored-guest-portal-and-hotspot-portal-into-one/ta-p/3875968

 

The Authorization Policies would send back the RADIUS attributes to set the per-user rate limits to the WLC as required.

Each VIP type would be a separate GUEST TYPE. And you can check/test for that during authorization and then send the appropriate RADIUS attribute to the WLC.

If you're doing Remember-Me, then you can also check which Endpoint Identity Group the MAC address was found in, and return the same bandwidth attributes.

 

BTW I don't know how to get the portal screen to look exactly as you require - in my case I (ab)used the Self-Registration link of the Sponsored Portal to link to a "Hotspot" page with AUP.  I think it might be possible to change the portal layout, but in my experience I don't like to involve JQuery because it can end up breaking the Apple CNA (Captive Network Assistant).  Maybe there is another way.

 

Highlighted
Cisco Employee

Re: Customizing ISE Guest Portal to allow both direct Internet access and VIP login

Thank you Arne. This is very much something I'm looking for to start with. I had gone through your post and a quick question is, is it possible to assign different authorization when the user is from 'Get Instant Internet Access' VS from 'Sign on'?

As of my understanding, they are from different 'type' and will have different 'expired date' in the backend system.
What we want to do is assign different bandwidth to those users and so I'm thinking of find a way to create authorization rule like below:

If from 'Get Instant Internet Access' , then give 5m bw + internet only
If from 'Sign on' and VIP type1, then give 10m bw + internet only
If from 'Sign on' and VIP type 2, then give 20m bw + internet only

I will go ahead testing base on your post and see if this is possible. Once it is achieved, I will have a check if it is possible where those VIP users are from ODBC.