Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE 2.3 - Can a client be in multiple identity groups

Is it possible to for an endpoint to be in multiple identity groups.  Here is the reason I ask:


My client only wants to allow certain types of devices to connect to their guest wireless.  However, they don't want to have users enter any sort of creds (this is a retirement facility).  So, I figured the best portal in ISE would be the hotspot which is configured to put users in the GuestEndpoints ID group.  The way ISE is configured now, the endpoints are stuck in a redirect loop.  I have attached the authZ policy that is causing the problem.  If I remove the GuestEndpoints ID group from the first rule, then devices like Windows 10 get internet access without being redirected first since they profile differently than an Android/IOS device that uses the HTTP probe.  


If that isn't possible, is it possible for a Logical Endpoint Identity group to be part of the Endpoint Identity Groups (i.e. Profiled, Blacklist, etc).  Then I could add that to the hotspot portal.


Let me know if you need further information.





Octavian Szolga



I think you figured out the answer yourself.

You're in a loop just because the condition above the hotspot rule is not matching.

It's not clear from the description you've provided why it's wrong to simply allow anyone to use the hotspot functionality in order to gain internet access. Do you want it only for Android and Apple IOS?




Thanks for the reply. 


The goal is to only allow certain devices like laptops, tablets, phone, etc, but no streaming/gaming/printer devices.  The way the authz policy is configured, is that all devices can connect to the hotspot splash page.  However, after they click accept and go back through the authz policy, they only want the allowed devices to be able to connect.  Maybe this is easier with a blacklist?  I don't know....I've never setup a guest wireless network with these restrictions.  

Content for Community-Ad