02-07-2019 04:19 PM
Hello,
We are using ISE 2.4 (patch 5) for guest portal setup. We have set up a self-registered Guest_portal with an alternate Employee_login_portal using SAML login credentials. We have enabled client provisioning for Employee_login_portal by using the Cisco Temporal agent. For Windows and Macs, we are able to posture check using the temporal agent, except for mini/pseudo browsers (which fail the posture check). For phones, the device security check fails and we aren't able to figure out a way to bypass the client provisioning page. We want the users to see the same landing page they see when they log in via laptop, which enables them to enter their credentials.
I have tried the following:
Cisco support advised us to create duplicate portals for mobile devices without client provisioning, enable the feed profiler, enable profiling on the WLAN on the Cisco WLC, create a Mobile Devices logical profile with apple-device and android added, and map an authorization profile for mobile devices to get to mobile_device_portal.
Problem: Initially, be it a MacBook, iPhone or iPad, ISE profiles it as apple-device and all devices go to the mobile devices portal rather than the guest_portal. Same issue with Android: it gets detected as linux-workstation. Eventually, after logging in or creating credentials, ISE is able to determine it's OSX_workstation or Apple_iPhone. But it's too late: the authorization profile doesn't change, nor does the mini-browser on the mobile device refresh to reflect the change.
Any help is much appreciated.
02-13-2019 11:24 AM
A possible reason the endpoints are not being identified is that the posture update hasn't been done. I suggest making sure the posture update has been done recently so ISE identifies the endpoints properly.
02-08-2019 12:13 PM
You should only be sending iPads, iPhones, etc. to the mobile portal, not Apple-Devices, but you have two problems
So even if you got #1 working right, your solution may not work because of #2. I have done a similar trick in the past when CoA on reprofile worked.
02-13-2019 10:46 AM
02-08-2019 12:15 PM
Have you considered using the option below to exempt unsupported devices? You need to set it to Compliant:
02-13-2019 10:48 AM