04-11-2018 01:23 PM - edited 02-21-2020 10:53 AM
ISE 2.2 Patch 6
I just noticed I had over 20,000 endpoints that had not been purged by my GuestEndpoint purge rule. Further investigation shows that the guests hitting the portal were not getting added to the GuestEndpoints identity group as instructed in the hotspot portal configuration.
I have 3 authorization rules for this process.
1) If GuestEndpoints then allow ("Remember Me")
2) If from guest SSID and using Guest Flow then allow
3) If call check and from guest SSID then redirect to hotspot (only using AUP)
deny
Looking back at this, I honestly don't remember why I put that second rule. A couple of years ago, I was using a CWA with un/pw before switching to a hotspot. I'm thinking that is old configuration that I don't need. Regardless, I don't think that's the reason that users are hitting the hotspot rule but not getting put in the GuestEndpoints group. Could they be hitting the AUP and not accepting, and therefore are stuck in limbo? That's the only thing I can think of.
04-12-2018 06:04 AM
After some testing today, I believe the issue is that clients are making it to the hotspot portal, but not accepting the AUP. Therefore, they never make the transition to GuestEndpoints and get redirected to the 'remember me' rule. Can anyone think of a way for me to purge these clients daily? If I could figure out how to get them in an endpoint identity group, I could purge that group but I'm currently not sure how to force them into a group.
04-16-2018 11:15 AM
Hi Josh,
I have an answer for you BUT the purge process on ISE sometimes does not work as expected, so you need to give that part a try. I am NOT using CWA for Guest access and I am forcing them to accept the AUP page with the decline button provided by the customized portal. In addition to that, using the GUEST TYPE/Sponsor Group you can assign a specific Guest Account to an Endpoint Group once the guest is authenticated. See the following screenshot sequence.
1. The AD Sponsor Group should create a guest type account which would point to a specific Endpoint Group. That means you probably need multiple types of guest accounts for different administrators (AD Groups).
2. You need to enable automatic Endpoint Group registration for the Guest Portal.
3. Once the Guest user is authenticated (I AM NOT USING CWA), the MAC is added to the expected Endpoint Group.
4. For the purge process, try something like the following BUT I have seen issues with that on ISE.
5. I am using the DECLINE button in the AUP page so all the guests are required to accept that page. It does not affect the Endpoint Group registration for the Guest device.
04-16-2018 11:46 AM
Abraham,
Thank you for the detailed response. I see how this method would work with a CWA, but I am trying to do the same with the Hotspot portal instead, so there doesn't have to be any user interaction besides accepting the AUP. I will think about switching to CWA though, since it clearly allows for more endpoint control.
04-19-2018 06:40 AM
I have a couple other ideas that I'm having issues conceptualizing...
1) Is it possible to assign a custom attribute with an authorization policy? If so, I can assign a custom attribute to the portal rule, so every host that hits it, regardless of whether they accept, would be assigned that attribute. Then, I feel like I can find a way to get any host with that attribute purged regularly.
2) In a similar fashion, what about assigning all hosts that hit that rule an SGT? I know you can do that as a result in the authZ rule. I feel like once I get a solid classification method, I can find a way to get them purged.
04-30-2018 07:55 AM
My current thought process is that I will change my Called Station ID type from System MAC address to AP MAC Address:SSID. Then I will create a profiling policy in ISE to look for the Called Station ID and profile them to a group. I will then purge this group every night. When a client accepts the AUP, they get put into GuestEndpoints. But if they don't accept, they will get purged based on this new setup.
I would prefer to use the SSID NAS-ID field instead, but I can't seem to get that attribute to persist all the way to ISE.
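An added example (not code from this thread or from ISE) that models the purge logic described in the last post: endpoints seen on the guest SSID, identified from a Called-Station-Id in "AP MAC Address:SSID" form, that never landed in GuestEndpoints are selected for a nightly purge. The SSID name "Guest", the 24-hour grace period and the endpoint records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

GUEST_SSID = "Guest"         # assumed guest SSID name
GRACE = timedelta(hours=24)  # assumed: purge anything idle longer than a day

# Called-Station-Id as sent when the WLC is set to "AP MAC Address:SSID"
CSID_RE = re.compile(r"^([0-9a-f]{2}(?:-[0-9a-f]{2}){5}):(.+)$", re.IGNORECASE)

def ssid_from_called_station_id(csid):
    """Return the SSID part of an AP-MAC:SSID Called-Station-Id, else None
    (the 'System MAC address' form carries no SSID and yields None)."""
    m = CSID_RE.match(csid.strip())
    return m.group(2) if m else None

@dataclass
class Endpoint:
    mac: str
    called_station_id: str
    groups: tuple        # endpoint identity groups ISE has placed it in
    last_seen: datetime

def classify(ep):
    """Mimic the profiling policy: endpoints that accepted the AUP are in
    GuestEndpoints; guest-SSID endpoints that never did get a purge tag."""
    if "GuestEndpoints" in ep.groups:
        return "GuestEndpoints"
    if ssid_from_called_station_id(ep.called_station_id) == GUEST_SSID:
        return "GuestSSID-NoAUP"
    return "Other"

def purge_candidates(endpoints, now):
    """MACs the nightly job should purge: tagged and idle longer than GRACE."""
    return sorted(ep.mac for ep in endpoints
                  if classify(ep) == "GuestSSID-NoAUP"
                  and now - ep.last_seen > GRACE)

# Constructed sample records (not real endpoints)
NOW = datetime(2018, 4, 30, 8, 0)
SAMPLE = [
    Endpoint("00:11:22:33:44:01", "a4-18-75-00-00-01:Guest", ("GuestEndpoints",), NOW - timedelta(days=3)),
    Endpoint("00:11:22:33:44:02", "a4-18-75-00-00-01:Guest", (), NOW - timedelta(days=2)),
    Endpoint("00:11:22:33:44:03", "a4-18-75-00-00-02:Corp", (), NOW - timedelta(days=9)),
    Endpoint("00:11:22:33:44:04", "a4-18-75-00-00-01:Guest", (), NOW - timedelta(hours=2)),
    Endpoint("00:11:22:33:44:05", "00-11-22-33-44-55", (), NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    print(purge_candidates(SAMPLE, NOW))  # -> ['00:11:22:33:44:02']
```

Only the guest-SSID endpoint that is outside GuestEndpoints and older than the grace period is selected; the fresh one is left alone so a guest still deciding on the AUP is not purged mid-session.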