Cisco ISE Guest Portal Customization Ask
09-17-2018 08:35 PM
Experts,
I have a unique ask for Guest Portal Customization.
Use Case:
Two Types of Guest Users
1) Traditional Guest - Click Through AUP Guest Flow - Guest Access Lifetime Expires in 4 hrs
2) Employee Guest Access - Username and Password Guest Flow with AD as the Identity Source - No Guest lifetime Expiry
Ask:
Customer wants to combine both use cases using one SSID. Is this possible with scripting?
Guest Flow would look like the following:
1) Traditional Guest
Endpoint Connects to Guest SSID -> Click Through AUP Page -> Accepts AUP -> Internet Access
2) Employee Guest Access
Endpoint Connects to Guest SSID -> Employee clicks on button from the Click Through AUP Page that takes them to the Guest Login Portal Page -> Employee enters AD Credentials -> Internet Access
Labels: Identity Services Engine (ISE)
09-18-2018 06:14 AM
Yes, this is easy to do as shown here:

09-18-2018 06:39 AM
As I have said on other posts, how are you going to enforce the 4 hour time limit? Are you going to set the session timeout on the guest SSID to 4 hours? The only way to force the 4 hour limit is to make sure the device is reauthenticated in that time frame.
I always push back on this with customers and say they are making things way too complicated for guest access. Simply map your guests into an endpoint identity group that is purged every night. So once a day the guests have to see the AUP.

09-18-2018 07:25 AM
You can combine with what Charlie said and use this as well:
https://community.cisco.com/t5/identity-services-engine-ise/how-to-limit-guest-access-to-1-hour-within-a-24-hour-period/td-p/3567858
Please be aware the Apple Captive Network Assistant (mini browser) may not play nice with JavaScript and multiple redirects. You may need to enable captive portal bypass on the WLC to make sure it suppresses the mini browser so full browsers are required to be used.
