Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1009
Views
5
Helpful
6
Replies

Guest Portal Scenarios

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-25-2019 09:43 AM

I would like to figure out if either of these scenarios are configurable using the ISE Guest Portal:

 

Scenario1: Have users that fail dot1x fallback to mab, get redirected to a guest portal that is basically a splash screen that tells the user to contact the help desk if they require network access.  Is there a way to call this error string in a condition in ISE:

ui_portal_disabled_error?  For example, I know I can call network access:SessionLimitExceeded EQUALS True which if matched would throw the session exceeded error to the guest.

 

Scenario2: Is there a way to strip the guest portal of all fields and buttons, and only display an AUP and text field stating to contact the help desk?

 

My ideal use case would be this:

 

Have a default mab policy that redirects user to either scenario above.  Configure another portal that will allow users to authenticate using an account created from the sponsor portal that would then dump the user in the requested VN from a ticket they submitted.  Then separate the use cases via different authz conditions/profiles.

 

Any help/thoughts are appreciated!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎02-25-2019 09:52 AM

Scenario1: Have users that fail dot1x fallback to mab, get redirected to a guest portal that is basically a splash screen that tells the user to contact the help desk if they require network access.  Is there a way to call this error string in a condition in ISE:

ui_portal_disabled_error?  For example, I know I can call network access:SessionLimitExceeded EQUALS True which if matched would throw the session exceeded error to the guest.

 

JAK> you can make a custom portal file in ISE 2.2 and higher

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010000.html#id_34829

or

Hotspot as a message portal on the follow page

http://cs.co/ise-guest

 

Suggest if still questions open a separate thread for each

 

Scenario2: Is there a way to strip the guest portal of all fields and buttons, and only display an AUP and text field stating to contact the help desk? see above

 

My ideal use case would be this:

 

Have a default mab policy that redirects user to either scenario above.  Configure another portal that will allow users to authenticate using an account created from the sponsor portal that would then dump the user in the requested VN from a ticket they submitted.  Then separate the use cases via different authz conditions/profiles.

 

JAK how are you going to separate them in authorization? are you going to have a separate SSID? Or register their MAC address and redirect after that?

 

 

 

View solution in original post

6 Replies 6

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎02-25-2019 09:52 AM

Scenario1: Have users that fail dot1x fallback to mab, get redirected to a guest portal that is basically a splash screen that tells the user to contact the help desk if they require network access.  Is there a way to call this error string in a condition in ISE:

ui_portal_disabled_error?  For example, I know I can call network access:SessionLimitExceeded EQUALS True which if matched would throw the session exceeded error to the guest.

 

JAK> you can make a custom portal file in ISE 2.2 and higher

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010000.html#id_34829

or

Hotspot as a message portal on the follow page

http://cs.co/ise-guest

 

Suggest if still questions open a separate thread for each

 

Scenario2: Is there a way to strip the guest portal of all fields and buttons, and only display an AUP and text field stating to contact the help desk? see above

 

My ideal use case would be this:

 

Have a default mab policy that redirects user to either scenario above.  Configure another portal that will allow users to authenticate using an account created from the sponsor portal that would then dump the user in the requested VN from a ticket they submitted.  Then separate the use cases via different authz conditions/profiles.

 

JAK how are you going to separate them in authorization? are you going to have a separate SSID? Or register their MAC address and redirect after that?

 

 

 

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to Jason Kunst

‎02-25-2019 11:04 AM

Thank you for the helpful response! I am thinking in order to keep them separate register their MACs and then redirect. I need to handle the default splash page first and then get there. The Cisco ISE Portal Builder is something I was unaware of too so that is helpful. However, I still dont see a way to remove buttons. Thoughts?

The way I see it is I need to either do the default splash page & allow guest access only by submitting tickets, and creating accounts via sponsor portal that dumps user in the respective VN based on types. Or, figure out how to configure a drop down on the self-register portal that will let users select what SDA VN they should be a part of, require approval, then register the endpoint address based on VN selection. Thoughts on this?
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎02-25-2019 11:11 AM

ISE portal builder I don’t recommend as you need a simple page.

What are wrong with the options I gave you?
0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to Jason Kunst

‎02-25-2019 11:21 AM

Sorry for confusion I just realized I can use the hotspot portal and Disable the AUP page. Then I can just tweak the text that simply says to contact help desk etc. etc. That definitely works for the default splash page so thank you! Now I just need to figure out the ticket process with sponsored account creation to dump separate users into their respective SDA VN with SGT etc. Thanks again!

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎02-25-2019 11:25 AM - edited ‎02-25-2019 12:09 PM

If you have the MAC address then you can say if guest endpoint group then redirect to the guest portal

You can look at http://cs.co/ise-guest prescriptive guest guide for example ruleset

 

You can say if guest flow and guest type then give a specific VN

 

Per that guest guide however you shouldn’t be doing VLAN changes with guest. After they login you might have to disconnect them and reconnect again.

Or put specific macs into special endpoint groups and forced them into special authz rules.

 

We might need a call to go over this. Please email me direct jakunst@cisco.com

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to Jason Kunst

‎03-10-2019 09:07 AM

@JasonKunst

I ended up introducing user PACs into the NAM environment to alleviate the headache of attempting to keep 8021x process failures for no user cert present from defaulting to mab. Now the default mab policy is redirect to the guest portal. On the portal I have username/password logon with some additional text stating to call the help desk, etc. if you require network access. I could not figure out a condition to keep the two mab scenarios separate so I found that this was the best way. I appreciate your help!
0 Helpful
Top