08-30-2016 08:06 AM - edited 03-11-2019 12:02 AM
Hello,
Here is the scenario that we are attempting to accomplish. We currently have a Guest Portal set up for AD authentication that stores a user's MAC address in an Endpoint Group that stores it for 365 days. The policies will allow anyone onto the network whose machine is in that group after authenticating, so that they don't see a login page every day, just once a year.
The issue is that we have dynamically created Public Access accounts used for WiFi and Machine logins that we sign out for outside users. These accounts are added to a group that is used in AD for various permissions. Is it possible to dynamically adjust any machine these users register to move from the default Endpoint Group to another? We want these machines to only be stored for 7 days and then wiped (Forced to log in again after 7 days and if they never come back to campus their machines aren't stored for 365 days for instant access) but can't do that with a single portal as only one guest type is assigned by that portal. Can we dynamically assign guest type based on AD group? Is there even a way to catch the AD Group in the policies and send to a different portal?
Is there a different method to do this than what we are trying?
08-30-2016 07:34 PM
Not sure that is possible due to the AD accounts being treated as employees. You would need a separate portal for outside users versus employee users.
Edit: Scratch that. You can do it, but it is a two-step process. You would have to create a login portal (which you already have) and then a hotspot portal (one for each AD type). The guest flow would take the login and redirect them, based on AD group assignment, to a hotspot portal. The hotspot portal will then assign the machine to a group. You can configure the hotspot to not require an AUP page so they basically jump straight to the success page.
The problem with this approach is that you lose the portal user information. Once it jumps from the login portal to the hotspot portal and authenticates, the portal user is now the MAC address of the machine.
More info in this thread: ISE Guest Flow with Multiple Endpoint Identities
08-31-2016 07:22 AM
I'll look more into this again. We attempted the Hotspot solution as you mentioned, but the Originating URL, Success Page, or a custom URL (our company's website) all caused a weird delay in getting a CoA to work, as the iPad we tested would just get stuck on the portal page with it waiting. We had to hit cancel, then the hotspot appeared. If I can tweak it to be seamless, then that will be something we will end up doing.
Thanks!
08-31-2016 07:40 AM
Yes, I've seen that as well in a test I ran a few months ago. I forgot about that scenario but remembered and found the emails with my client. Even after disabling the initial hotspot AUP page (no acceptance required, AUP already accepted from login portal) and jumping straight to the success page, there was a long delay between login success > hotspot success > URL redirect after success. Not sure how to get around it but would like to hear if you are able to do so.