ISE Multiple Guest Portals - Users

gugonza2
Cisco Employee

Hi Team,

 

Please help. I'm configuring ISE for WiFi Guest Access, and I created 2 Guest Portals: Guest and Providers.

The idea is to give different access depending on the type of user. The problem is that when a user tries one portal and creates a temporary user for access, this user can get access in both portals.

How can I separate the access for Guest users?

If a user gets the temporary account using the Guest portal, is it possible to restrict the access to the Provider portal and vice versa?

How can I separate the access depending on the portal used to create the account?

 

Thank you very much in advance.

3 Replies

bern81
Level 1

Hi,

 

Create 2 CWA-PHASE1 authorization policies and in each one redirect to the specified portal.

 

OK, I understand that we can create the redirect in authorization profiles to select the portal, but when the user gets the temporary account, how may I control the access to specific portals? I mean, if a user gets the account in the Guest portal, is it possible to restrict the access to the Provider portal and vice versa?

paul
Level 10

Are these on two different SSIDs? If so, then you don't have to allow access to the guest types on one SSID to access the other SSID. They may be able to sign into each other's portal, but they won't get on the Internet. Each guest type has its own identity group and each SSID should have its own policy set.

 

Also you could block the guest identity group from each other's SSID from connecting to the other. So let's say you have two guest types:

 

Regular_Guests maps to Regular_Guests endpoint identity group

Provider_Guests maps to Provider_Guests endpoint identity group

 

SSID Regular_Guest would have its own policy set:

  1. If MAC in Regular_Guests endpoint identity group give Internet access.
  2. If MAC in Provider_Guests endpoint identity group deny access
  3. Redirect everything else to Regular Guest portal

SSID Provider_Guest would have its own policy set:

  1. If MAC in Provider_Guests endpoint identity group give Internet access.
  2. If MAC in Regular_Guests endpoint identity group deny access
  3. Redirect everything else to Regular Guest portal
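
The two policy sets described in the reply above, modelled as ordered first-match rules. This is an added example, not part of the thread and not ISE configuration or an ISE API; the MAC addresses are constructed, the function names are hypothetical, and the result labels `PERMIT`, `DENY` and `REDIRECT` stand in for the authorization profiles.

```python
# Model of the two policy sets from the post; not ISE configuration or an ISE API.
# Assumption: rules in a policy set are evaluated top-down and the first match wins.

# Constructed sample data: endpoint MAC -> endpoint identity group.
ENDPOINT_GROUPS = {
    "AA:AA:AA:00:00:01": "Regular_Guests",
    "BB:BB:BB:00:00:02": "Provider_Guests",
}
UNKNOWN_MAC = "CC:CC:CC:00:00:03"  # constructed; not yet registered via any portal

def make_policy_set(own_group, other_group, with_deny=True):
    """Ordered rules for one SSID as (identity group or None for catch-all, result)."""
    rules = [(own_group, "PERMIT")]            # rule 1: own guest type gets Internet
    if with_deny:
        rules.append((other_group, "DENY"))    # rule 2: other guest type is blocked
    rules.append((None, "REDIRECT"))           # rule 3: everyone else sees the portal
    return rules

def authorize(rules, mac):
    """Return the result of the first rule whose condition matches the endpoint."""
    group = ENDPOINT_GROUPS.get(mac.upper())
    for condition, result in rules:
        if condition is None or condition == group:
            return result
    return "DENY"  # no catch-all present: fail closed

def access_matrix(with_deny=True):
    """Evaluate every sample endpoint against both SSID policy sets."""
    policy_sets = {
        "Regular_Guest": make_policy_set("Regular_Guests", "Provider_Guests", with_deny),
        "Provider_Guest": make_policy_set("Provider_Guests", "Regular_Guests", with_deny),
    }
    macs = list(ENDPOINT_GROUPS) + [UNKNOWN_MAC]
    return {(ssid, mac): authorize(rules, mac)
            for ssid, rules in policy_sets.items() for mac in macs}

if __name__ == "__main__":
    for label, flag in (("with deny rule", True), ("without deny rule", False)):
        print(label)
        for (ssid, mac), result in sorted(access_matrix(flag).items()):
            print(f"  {ssid:15} {mac}  {result}")
```

With rule 2 removed (`with_deny=False`), the other guest type's endpoint falls through to the catch-all and is redirected to that SSID's portal instead of being denied.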
