Guest portal Redirection not getting the right endpoint group

dvul
Level 1

Hi all, 

I have created a hotspot portal with two buttons, one for each type of guest I have, using redirection to self-registering portals with different sponsors and guest types by clicking on the button.

The redirection is working fine.

On the hotspot portal, the endpoint identity group is 'GuestEndPointToLogg'.

On the self-registering portals, I have another endpoint identity group, the default 'GuestEndPoints'.

My authorization rules and results are:

 

1. Access for guest if (GuestFlow, and Endpoint Id Group = GuestEndPoints)

2. CWA for web redirection to the hotspot portal

The problem is that I always fall into the redirection rule, never the access rule, because the endpoints are in 'GuestEndPointToLogg', not 'GuestEndPoints'.

I used different endpoint groups to allow access only if the guest has successfully logged on.

 

Thank you in advance for your help!

 

Deborah

 

2 Accepted Solutions


thomas
Cisco Employee

You have now shown your actual authorization rules which ultimately determine whether or not users are redirected.

ISE has default authorization policies defined (but disabled) that show you how you can do guest access.

You may duplicate these within your default policy or replicate them in your other policy sets if necessary.

Make sure they are enabled and that they match the correct endpoint groups.

If something is failing with ISE Authorization Rules, you need to look at the ISE Live Logs and understand WHY it is choosing the authorization rule or a different one.

Please see How to Ask The Community for Help for including the necessary policy and log details for us to understand the EXACT error or mismatch in policy from what you expect. We have no idea what else you have for your policy causing you problems.

dvul
Level 1

Hi all, 

Thank you for all your answers. My problem was actually that the sessionId attribute was not correctly passed to the next portal, so the endpoint couldn't relate to the right endpoint group.

 

Deborah

3 Replies

Arne Bier
VIP

Hi @dvul 

 

I am not quite sure I understand the complexity of your use-case. In regular deployments the guest user is in one of two 'states':

  1. Unauthenticated: This means ISE has redirected the user to the Guest Portal and also applied an ACL on the Switch or WLC that restricts the user to DNS and ISE Portal Only. The ACLs are the key to making this happen
  2. Authenticated: This means the user has logged into the portal successfully (or accepted the AUP in the Hotspot portal) and the CoA was sent to the WLC/Switch. When the next guest packet arrives at the switch/WLC then ISE will process that MAB request and determine that the user is authenticated by either:
    1. GuestFlow = True (i.e. RADIUS Accounting Start was sent) - guest is allowed as long as this flag is true. Apply a different ACL that allows DNS, ISE Portals, blocks RFC1918 and then finally, permit all
    2. RememberMe feature: The guest's endpoint (MAC address) was found in the correct Endpoint Identity Group. Apply a different ACL that allows DNS, ISE Portals, blocks RFC1918 and then finally, permit all

That's the standard way that the guest internet access is 'controlled'. 
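To make the two states above concrete, here is an added example (not from this thread or from Cisco) that models ISE's top-down, first-match authorization in Python and runs the poster's GuestFlow-AND-GuestEndPoints rule beside the GuestFlow-OR-RememberMe pattern described here. Rule names, ACL names, MAC addresses and session attributes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable
# Constructed model of ISE-style first-match authorization. Rule names, ACL names,
# MAC addresses and session attributes are illustrative, not from a real ISE policy set.

@dataclass
class Session:
    mac: str
    guest_flow: bool      # GuestFlow: true once RADIUS Accounting Start has been seen for the guest login
    endpoint_group: str   # Endpoint Identity Group the MAC currently sits in
    mab: bool = True      # request arrived as a MAB authentication

@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str

def authorize(rules, session):
    """Return (rule name, result) of the first rule whose condition matches, top to bottom."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.result
    return "Default", "DenyAccess"

# The poster's policy: access needs GuestFlow AND membership of GuestEndPoints.
POSTER_RULES = [
    Rule("Guest_Access", lambda s: s.guest_flow and s.endpoint_group == "GuestEndPoints",
         "PermitAccess:GUEST_ACL"),
    Rule("Guest_Redirect", lambda s: s.mab, "CWA:Hotspot_Portal:REDIRECT_ACL"),
]

# The two-state pattern from the reply above: GuestFlow OR the RememberMe group is enough.
STANDARD_RULES = [
    Rule("Guest_Access", lambda s: s.guest_flow or s.endpoint_group == "GuestEndPoints",
         "PermitAccess:GUEST_ACL"),
    Rule("Guest_Redirect", lambda s: s.mab, "CWA:Hotspot_Portal:REDIRECT_ACL"),
]
# Constructed sessions covering the states discussed in the thread.
SESSIONS = {
    "unauthenticated": Session("00:11:22:33:44:55", False, "Unknown"),
    "hotspot_only":    Session("00:11:22:33:44:56", True, "GuestEndPointToLogg"),  # poster's stuck case
    "registered":      Session("00:11:22:33:44:57", True, "GuestEndPoints"),
    "remember_me":     Session("00:11:22:33:44:58", False, "GuestEndPoints"),      # returning device
}

def evaluate_all(rules):
    """Map each sample session to the name of the rule that fires under the given policy."""
    return {name: authorize(rules, s)[0] for name, s in SESSIONS.items()}
```

Under the poster's rules the endpoint parked in GuestEndPointToLogg keeps hitting Guest_Redirect even with GuestFlow set, which is exactly the symptom reported above; the Live Logs show which rule fired and why.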
