Cisco ISE visitor/employee portal

daan.celie
Level 1

Hello community

We're about to fully redesign our guest portal. Currently we have 2 SSIDs, one is for visitors which redirects them to a sponsor-based registration portal. A second SSID is for employees to "register" their BYOD devices and uses very simple MAB. Helpdesk currently manually adds the MAC addresses in ACS, after which the employee can log in on the Wi-Fi with their personal phone. As most employees are not technically savvy, it's often a hurdle to obtain the MAC address of their device.

The idea for the new setup is to combine these 2 SSIDs into one. When a visitor/employee connects to this SSID they first receive a web page on which they must choose between Employee or Visitor. Depending on what they click, they need to receive the correct registration form. For employees a registration form that asks them for their name and company ID, for visitors just a classic registration form (name, company, host, duration of stay, etc.).

I've seen this kind of setup with ISE in another company, but am clueless how it was set up. Maybe they used a simple web server for providing the first page. I'm not sure whether this functionality is integrated in ISE. How do I proceed with this?

Thank you

1 Accepted Solution

Hi,

You can do the following:

1. Single SSID for both visitors and employees.
2. When they connect to the SSID, they will get redirected to the guest portal.
3. It will ask them to log in or create an account if they don't have one.
4. Visitors should log in with their x-days account if they have already created one, or create a new account.
5. Employees can log in using their AD accounts (you can enable this option in the Guest Portal configuration by allowing BYOD in the guest portal and assigning an endpoint group).
6. Employees will complete the enrollment steps by entering the Name/Description and finish the process.
7. Once the process is completed, the MAC address should already be assigned to the endpoint group listed in step 5. This is done automatically.
8. You should have an authorization rule above your guest portal rule which should match the endpoint group in step 5 and allow access (whatever DACL you assign).


***** please remember to rate useful posts
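
The rule ordering from steps 7 and 8, as an added example that is not part of the original reply and is not Cisco's own code: a small Python model of first-match authorization showing why the endpoint-group rule must sit above the portal redirect rule. All names (`Employee-BYOD`, rule names, results) are hypothetical, and the redirect rule is assumed to be a catch-all.

```python
import re

BYOD_GROUP = "Employee-BYOD"  # hypothetical endpoint identity group (step 5)

def normalize_mac(mac):
    """Canonicalize a MAC so aa-bb-.., AABB.CCDD.EEFF and aa:bb:.. compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

class EndpointStore:
    """Minimal stand-in for the endpoint database: MAC -> identity group."""
    def __init__(self):
        self._groups = {}

    def register(self, mac, group):
        self._groups[normalize_mac(mac)] = group

    def group_of(self, mac):
        return self._groups.get(normalize_mac(mac), "Unknown")

# Each rule is (name, condition on endpoint group, result).
PERMIT_BYOD = ("BYOD-Registered", lambda g: g == BYOD_GROUP, "PermitAccess+DACL")
REDIRECT = ("Guest-Portal-Redirect", lambda g: True, "RedirectToPortal")

CORRECT_ORDER = [PERMIT_BYOD, REDIRECT]  # step 8: group rule above the portal rule
WRONG_ORDER = [REDIRECT, PERMIT_BYOD]    # catch-all redirect shadows the permit

def authorize(policy, store, mac):
    """First matching rule wins, as in a top-down authorization policy."""
    group = store.group_of(mac)
    for name, condition, result in policy:
        if condition(group):
            return name, result
    return "Default", "DenyAccess"

def portal_byod_enrollment(store, mac):
    """Stands in for steps 5-7: after enrollment the MAC lands in the group."""
    store.register(mac, BYOD_GROUP)

if __name__ == "__main__":
    store = EndpointStore()
    mac = "aa-bb-cc-dd-ee-ff"  # constructed sample MAC
    print("before enrollment:", authorize(CORRECT_ORDER, store, mac))
    portal_byod_enrollment(store, mac)
    print("after, correct order:", authorize(CORRECT_ORDER, store, mac))
    print("after, wrong order:", authorize(WRONG_ORDER, store, mac))
```

With the rules in the wrong order, an enrolled device keeps landing on the portal, which is the symptom to look for when step 8 is misconfigured.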
