cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

641
Views
0
Helpful
4
Replies
Highlighted
Cisco Employee

Endpoint Identity with EPS Quarantine Device and Hotspot Redirect

ISE 2.1.  WLC 7.6. Wireless CWA Guest flow.  I am setting up a hotspot redirect page to a device that has been quarantined via pxGrid.  That works correctly.  The issue I have is once the user hits the Hotspot portal, the endpoint gets put into an Endpoint Identity group of the Hotspot portal. The classification does not allow me to hit any other policy rule except for the UnQuarantine Exception rule.  This does not not allow me to have the endpoint hit the CWA rule again to allow the Guest to login. What am I missing

Is it possible to change the Endpoint classification via policy or is that something needs to be done manually by the administrator?  Also, the documentation also states after UnQuarantine, the device gets FULL access to the network on its original VLAN.  Does that imply that after an UnQuaratine event that it is not possible to add the user's original AuthZ policy?

Thanks.

Sam

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Re: Endpoint Identity with EPS Quarantine Device and Hotspot Redirect

Sam do you have the AUP option to show on page enabled? And the script to hide it that I provided? If the user is not accepting the AUP their endpoint group shouldn't change right?

jeppich can comment on the EPS perhaps.

View solution in original post

4 REPLIES 4
Highlighted
Cisco Employee

Re: Endpoint Identity with EPS Quarantine Device and Hotspot Redirect

Sam do you have the AUP option to show on page enabled? And the script to hide it that I provided? If the user is not accepting the AUP their endpoint group shouldn't change right?

jeppich can comment on the EPS perhaps.

View solution in original post

Highlighted
Cisco Employee

Re: Endpoint Identity with EPS Quarantine Device and Hotspot Redirect

No I did not have the AUP option enabled.  I have enabled it now.  I looked for the script on the community but did not find it.

Highlighted
Cisco Employee

Re: Endpoint Identity with EPS Quarantine Device and Hotspot Redirect

Please check out the article, Hotspot as a message portal on the following page. If AUP is enabled and not clicked (or hidden in the case of the the script provide) it shouldn't move into another endpoint group, this is what you want right?

ISE Guest & Web Authentication

Highlighted
Cisco Employee

Re: Endpoint Identity with EPS Quarantine Device and Hotspot Redirect

Problem solved.  Thanks Jason.