cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1739
Views
4
Helpful
10
Replies

ISE and Web portal daisy chaining

Mats Nilson
Level 1
Level 1

Hello

I have been trying in vain to combine two authentication portals, Hotspot/AUP and Sponsored Guest portal.

The issue is that redirection to another portal is no problem, but the session ID seems impossible to maintain to the next portal.

Has anyone succeded in using two webauth methods on the same SSID?

Below is how the initial hotspot portal is configured with the link to Sponsored user portal in the Optional Content field.

SLL-Guest Portal AUP w link_2.png

Rules for Guest Authorization. Both results(WLC_CWA and Cisco_Webauth) in the same rule doesnt work.

(WLC_CWA maps to the Hotspot portal and Cisco_Webauth maps to the Sponsored Guest portal)

Regler SLL.PNG

The customer wants to have both a "Free WiFi Hotspot" service with limited bandwidth AND Registered(Sponsored) Guest service with unlimited bandwidth.

Anyone has solved this or is this not possibble?

Sincere Regards

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

Did you see 2nd option here?

https://communities.cisco.com/docs/DOC-64018?mobileredirect=true#jive_content_id_Special_Flows

View solution in original post

10 Replies 10

Jason Kunst
Cisco Employee
Cisco Employee

Did you see 2nd option here?

https://communities.cisco.com/docs/DOC-64018?mobileredirect=true#jive_content_id_Special_Flows

Hi Jason.

Great, I will start to test this and evaluate.

Maybe not the look I want, but it could work...

The concept is to show the daisy chaining

There are other examples on the page linking one portal to another

Hi Jason.

I misunderstood you and found the entry under Special Flows

- ISE Guest Web Auth Portal with Get Quick Access (Hotspot) button

I assume you were refering to this link:

Linking one guest portal to another guest portal

This is exactly what I need. I will test in my lab before doing it at the customer.

Many thanks. I will post my progress asap

#2 Success!

Thanks Jason, and authors of this guide (Gunnar Thermaenius, Charles Moreton)

It worked like a dream, and I can think of many of my collegues that will benefit from this script.

It is worth mentioning that it is important to put your own portal url within the correct limits in the script.

jQuery('.cisco-ise-body').append(' <center><a href="https://'+hostname+':8443/portal/PortalSetup.action?portal=3c379d60-fceb-11e5-b628-005056a49fb9&sessionId='+WebSessionId+'&action=cwa"

Otherwise it will fail.

Well Jason.

Next time you're in Sweden I will buy you a beer or two...

Cheers!

Hi Jason.

My cheerfulness was perhaps a bit premature.

When I add this script into the pre-production envirnonment, the second option url won't make a hit on the desired page.

I have used the preview URL from the Sponsored User Portal. (https://xxx.xxx.xxx.xxx:8843/portal/PortalSetup.action?portal=e80798a0-51e6-11e8-a645-4a6b9a119985) in the script below:

*******************************************

<script>

    jQuery(window).ready(function() {

    var hostname = window.location.hostname;

    var WebSessionId = window.location.href.substr(window.location.href.search("\\?")).split("=")[2];

    jQuery('.cisco-ise-body').append(' <center><a href="xxx.xxx.xxx.xxx:8843/portal/PortalSetup.action?portal=e80798a0-51e6-11e8-a645-4a6b9a119985&sessionId='+WebSessionId+'&action=cwa" style="color: rgb(0,255,0)"><font color="212121"><button type="submit">Gå till långtidsinloggning</button></font></a></center>');

    });

    </script><br _moz_editor_bogus_node="TRUE" />

*******************************************

The ISE has added the above string after the scrip ending.

I really don't understand what I am doing wrong since I have used exactly the same method (not URL).

Both ISE are version 2.4.0.357 and the only difference are the portals.


/Regards

I suggest you debug with tac maybe why one might be working and not the other. If they can’t figure it out we can perhaps have debugging call

Hi Jason.

Forgot to report back of the solution.

- The root cause was the web portal that I had copied from the default Sponsored Guest Portals was indeed broken.

Creating a new from scratch solved the issue and the redirect worked like a charm.

I have one more issue with giving rate limiting to guest users depending on type of user (day, week, contractor)

While the are in state webauth-rqd they have a rate limit applie, but after thay are in state RUN there is no limit at all.

Any ideas on why?

Please ask different requests on new thread

However this looks to be totally a wireless issue ? Please ask wireless team

Hi Jason.

No it's not a wireless issue.

I can't get the authorisation rules apply to the different guest types - daily/weekly/contractor.

I have opened a new thread - How can I authorize guest clients bandwidth restrictions based on guest type in ISE 2.4?

Please check it out - I followed "ISE_Guest_Deployment_Guide_Mar2018.pdf"

Is it ISE 2.4 that isn't working properly?

Looking forward to your response...