Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1231
Views
0
Helpful
2
Replies

ISE 2.3 - Can a client be in multiple identity groups

deyster94
Level 5
Level 5

‎01-26-2018 09:36 AM - last edited on ‎02-21-2020 11:41 PM by Community Manager

Is it possible to for an endpoint to be in multiple identity groups.  Here is the reason I ask:

 

My client only wants to allow certain types of devices to connect to their guest wireless.  However, they don't want to have users enter any sort of creds (this is a retirement facility).  So, I figured the best portal in ISE would be the hotspot which is configured to put users in the GuestEndpoints ID group.  The way ISE is configured now, the endpoints are stuck in a redirect loop.  I have attached the authZ policy that is causing the problem.  If I remove the GuestEndpoints ID group from the first rule, then devices like Windows 10 get internet access without being redirected first since they profile differently than an Android/IOS device that uses the HTTP probe.  

 

If that isn't possible, is it possible for a Logical Endpoint Identity group to be part of the Endpoint Identity Groups (i.e. Profiled, Blacklist, etc).  Then I could add that to the hotspot portal.

 

Let me know if you need further information.

 

TIA,

 

Dan

Labels:
Preview file
165 KB
0 Helpful
2 Replies 2

Octavian Szolga
Level 4
Level 4

‎01-26-2018 12:54 PM

Hi,

 

I think you figured out the answer yourself.

You're in a loop just because the condition above the hotspot rule is not matching.

It's not clear from the description you've provided why it's wrong to simply allow anyone to use the hotspot functionality in order to gain internet access. Do you want it only for Android and Apple IOS?

 

Thanks,

Octavian

0 Helpful

deyster94
Level 5
Level 5
In response to Octavian Szolga

‎01-26-2018 12:58 PM

Thanks for the reply. 

 

The goal is to only allow certain devices like laptops, tablets, phone, etc, but no streaming/gaming/printer devices.  The way the authz policy is configured, is that all devices can connect to the hotspot splash page.  However, after they click accept and go back through the authz policy, they only want the allowed devices to be able to connect.  Maybe this is easier with a blacklist?  I don't know....I've never setup a guest wireless network with these restrictions.  

0 Helpful
Customers Also Viewed These Support Documents