Solved: Endpoint Identity with EPS Quarantine Device and Hotspot Redirect

scamarda · ‎09-06-2016

ISE 2.1. WLC 7.6. Wireless CWA Guest flow. I am setting up a hotspot redirect page to a device that has been quarantined via pxGrid. That works correctly. The issue I have is once the user hits the Hotspot portal, the endpoint gets put into an Endpoint Identity group of the Hotspot portal. The classification does not allow me to hit any other policy rule except for the UnQuarantine Exception rule. This does not not allow me to have the endpoint hit the CWA rule again to allow the Guest to login. What am I missing

Is it possible to change the Endpoint classification via policy or is that something needs to be done manually by the administrator? Also, the documentation also states after UnQuarantine, the device gets FULL access to the network on its original VLAN. Does that imply that after an UnQuaratine event that it is not possible to add the user's original AuthZ policy?

Thanks.

Sam

Jason Kunst · ‎09-07-2016

Sam do you have the AUP option to show on page enabled? And the script to hide it that I provided? If the user is not accepting the AUP their endpoint group shouldn't change right?

jeppich can comment on the EPS perhaps.

View solution in original post

Jason Kunst · ‎09-07-2016

Sam do you have the AUP option to show on page enabled? And the script to hide it that I provided? If the user is not accepting the AUP their endpoint group shouldn't change right?

jeppich can comment on the EPS perhaps.

scamarda · ‎09-07-2016

No I did not have the AUP option enabled. I have enabled it now. I looked for the script on the community but did not find it.

Jason Kunst · ‎09-07-2016

Please check out the article, Hotspot as a message portal on the following page. If AUP is enabled and not clicked (or hidden in the case of the the script provide) it shouldn't move into another endpoint group, this is what you want right?

ISE Guest & Web Authentication

scamarda · ‎09-07-2016

Problem solved. Thanks Jason.