02-25-2019 09:43 AM
I would like to figure out if either of these scenarios is configurable using the ISE Guest Portal:
Scenario 1: Have users that fail dot1x fall back to MAB and get redirected to a guest portal that is basically a splash screen telling the user to contact the help desk if they require network access. Is there a way to call this error string in a condition in ISE:
ui_portal_disabled_error? For example, I know I can call Network Access:SessionLimitExceeded EQUALS True, which if matched would throw the session-exceeded error to the guest.
Scenario 2: Is there a way to strip the guest portal of all fields and buttons, and only display an AUP and a text field stating to contact the help desk?
My ideal use case would be this:
Have a default mab policy that redirects user to either scenario above. Configure another portal that will allow users to authenticate using an account created from the sponsor portal that would then dump the user in the requested VN from a ticket they submitted. Then separate the use cases via different authz conditions/profiles.
Any help/thoughts are appreciated!
Labels: Identity Services Engine (ISE)
Accepted Solutions
02-25-2019 09:52 AM
Scenario 1: Have users that fail dot1x fall back to MAB and get redirected to a guest portal that is basically a splash screen telling the user to contact the help desk if they require network access. Is there a way to call this error string in a condition in ISE:
ui_portal_disabled_error? For example, I know I can call Network Access:SessionLimitExceeded EQUALS True, which if matched would throw the session-exceeded error to the guest.
JAK> You can make a custom portal file in ISE 2.2 and higher,
or
use Hotspot as a message portal on the following page.
If you still have questions, I suggest opening a separate thread for each.
Scenario 2: Is there a way to strip the guest portal of all fields and buttons, and only display an AUP and a text field stating to contact the help desk? See above.
My ideal use case would be this:
Have a default MAB policy that redirects the user to either scenario above. Configure another portal that will allow users to authenticate using an account created from the sponsor portal, which would then place the user in the requested VN from a ticket they submitted. Then separate the use cases via different authz conditions/profiles.
JAK> How are you going to separate them in authorization? Are you going to have a separate SSID, or register their MAC address and redirect after that?
02-25-2019 11:04 AM
The way I see it is I need to either do the default splash page & allow guest access only by submitting tickets, and creating accounts via sponsor portal that dumps user in the respective VN based on types. Or, figure out how to configure a drop down on the self-register portal that will let users select what SDA VN they should be a part of, require approval, then register the endpoint address based on VN selection. Thoughts on this?
02-25-2019 11:11 AM
What is wrong with the options I gave you?
02-25-2019 11:25 AM - edited 02-25-2019 12:09 PM
If you have the MAC address, then you can say: if guest endpoint group, then redirect to the guest portal.
You can look at http://cs.co/ise-guest (the prescriptive guest guide) for an example ruleset.
You can say: if guest flow and guest type, then give a specific VN.
Per that guest guide, however, you shouldn't be doing VLAN changes with guest. After they log in you might have to disconnect them and reconnect again.
Or put specific MACs into special endpoint groups and force them into special authz rules.
We might need a call to go over this. Please email me directly: jakunst@cisco.com
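An added illustration (not Cisco or ISE code, and not from this thread) of the first-match rule ordering the reply above describes: a known guest endpoint group is redirected to the guest portal, a completed guest flow with a guest type is mapped to a VN, and everything else on MAB falls through to the help-desk message portal. Rule, profile, group and guest-type names are assumptions, as are the sample sessions.

```python
"""Model of an ordered ISE authorization rule set (added example, not ISE's own logic)."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Session:
    # Session attributes as an authz rule would see them (constructed sample values).
    auth_method: str           # "dot1x" or "mab"
    endpoint_group: str        # endpoint identity group, e.g. "GuestEndpoints" (assumed name)
    guest_flow: bool = False   # True once the user has logged in through a guest portal
    guest_type: str = ""       # e.g. "Contractor" (assumed guest type name)


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str               # authorization profile returned on match (assumed names)


# ISE evaluates rules top-down and stops at the first match, so the specific
# guest rules must sit above the catch-all MAB redirect or they never fire.
RULES: List[Rule] = [
    Rule("Guest_Contractor_VN",
         lambda s: s.guest_flow and s.guest_type == "Contractor",
         "PERMIT_VN_CONTRACTORS"),
    Rule("Guest_Visitor_VN",
         lambda s: s.guest_flow and s.guest_type == "Visitor",
         "PERMIT_VN_VISITORS"),
    Rule("Registered_Guest_Redirect",
         lambda s: s.auth_method == "mab" and s.endpoint_group == "GuestEndpoints",
         "REDIRECT_SPONSORED_GUEST_PORTAL"),
    Rule("Default_MAB_Message",
         lambda s: s.auth_method == "mab",
         "REDIRECT_HELPDESK_MESSAGE_PORTAL"),
]


def authorize(session: Session, rules: List[Rule] = RULES) -> str:
    """Return the profile of the first matching rule, or DENY_ACCESS if none match."""
    for rule in rules:
        if rule.condition(session):
            return rule.profile
    return "DENY_ACCESS"


def evaluate_samples() -> dict:
    """Run constructed sessions through the rule set; keys describe each case."""
    return {
        "unknown_mac_on_mab": authorize(Session("mab", "Unknown")),
        "registered_guest_mac": authorize(Session("mab", "GuestEndpoints")),
        "contractor_after_login": authorize(
            Session("mab", "GuestEndpoints", guest_flow=True, guest_type="Contractor")),
        # Reversed order shows the pitfall: the catch-all swallows the guest endpoint.
        "misordered_guest_mac": authorize(Session("mab", "GuestEndpoints"), RULES[::-1]),
    }
```

The `misordered_guest_mac` case is the failure mode to check for when the two MAB scenarios share one policy set: with the default MAB rule on top, a registered guest MAC never reaches the sponsored-guest portal.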
03-10-2019 09:07 AM
I ended up introducing user PACs into the NAM environment to alleviate the headache of trying to keep 802.1X process failures (no user cert present) from defaulting to MAB. Now the default MAB policy is to redirect to the guest portal. On the portal I have a username/password logon with some additional text stating to call the help desk, etc., if you require network access. I could not figure out a condition to keep the two MAB scenarios separate, so I found that this was the best way. I appreciate your help!
