05-22-2025 11:41 PM
Hello team,
I have set up a Sponsored Guest Portal with ISE and WLC9800.
Everything works as intended but I have an issue that I don't know if it's solvable.
When a guest submits a request for credentials to the sponsor, their device is effectively connected to the Guest SSID but not yet Authenticated. To become Authenticated they need to receive an email with the guest credentials and input them in the sign-in portal. So far it works as intended.
However my issue is this: if a guest tries to connect not their laptop, but their mobile device to the SSID, they expect to receive the email on said mobile device (using LTE 4G/5G connectivity). However as the device understands that it is connected to the Guest WiFi, it turns off 4G.
So they stay in this "limbo" where they have no LTE connectivity to receive the email, but are not yet authenticated on the Wifi.
I feel like there should be a way to avoid disconnecting and re-connecting to the Guest SSID just to receive the email with the credentials. I would like to avoid "grace periods" of unauthenticated access as the approval from the sponsor is not always immediate.
Can somebody please explain to me if there's a way around this issue?
thanks a lot
Fabio
05-29-2025 03:48 PM
I suppose that is a valid dilemma, since the mobile device's OS has an IP address on its Wi-Fi interface, but also an additional default gateway - and I would assume that the interface weighting is higher on wifi than on mobile interfaces, so the default gateway of the wifi adapter wins - but you can't yet route to the internet - stuck in the mud. Changing that behaviour would require more nerd knobs that I think the manufacturers would never add - for good reason.
ISE might have a solution for you - it's called "Grace Access" since ISE 2.7 - have you seen this discussion? I have not used it myself, but it might be a solution.
05-29-2025 04:41 PM
Hi Fabioairoldi,
You’ve raised a valid concern regarding the authentication flow for guests using different devices. It’s indeed tricky when the mobile device prioritizes the Wi-Fi connection, which can lead to that "limbo" state.
As Arne mentioned, one potential solution to explore is Grace Access in ISE 2.7. This feature allows unauthenticated users limited access to the internet, which could help guests receive their credential emails without needing to disconnect. While I haven’t implemented it personally, it might be worth looking into how it can be configured in your setup.
Additionally, you might want to check if any settings on the WLC can help manage the routing behavior for connected but unauthenticated devices. Sometimes, tweaking those settings can provide a more seamless experience.
06-10-2025 07:52 AM
I wished to avoid Grace Access Periods.
However this setting allows Guests to stay in the login page and go further beofre receiving credentials, which I guess is just as good.
thanks for the replies
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide