ISE: differentiate Guest's accesses depending on the device

gabrieleferrari
Level 1

Hi All,

I'm running an ISE 1.1.1 and I need to authenticate guest users.

The goal is to apply a different Authorization profile to the same guest user based on the device he uses to connect to the guest WLAN.

I.E.:

if guest user "user1" connects to the guest WLAN using a Windows laptop, then apply the "Guest" authorization profile

if guest user "user1" connects to the guest WLAN using an Apple iPad, then apply the "Mobile" authorization profile

I've tried to deploy the following 2 authorization policies:

1) if "Apple-Device" and "IdentityGroup:Name EQUALS Guest" then "Mobile"

2) if "Guest" then "Guest"


but the first rule never matches, and even if I use an iPad to access the guest network the "Guest" authorization profile is matched.

I've verified that the iPad is correctly recognized as an Apple-Device by changing, for test purposes, the rule table to

1) if "Apple-Device" then "Mobile"

2) if "Guest" then "Guest"


and the "Mobile" profile is correctly applied.

Any suggestions on how to define a condition to match a Device and an Identity Group?

Thank You

Regards

Gabriele


Tarik Admani
VIP Alumni

Hi,

Can you take a look at the endpoint entry in ISE for the device you are connecting with? See if it matches the apple-ipad policy; that could be your reason. As a workaround, please disable the apple-ipad profiling policy so it sticks in the apple-device group. Delete the endpoint and try your test again.

Also, if you can post a screenshot of the authentications page, I would like to see the entry when the guest authenticates.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

Thank you for the answer.

Checking the Endpoint Identity, I can confirm that it is correctly profiled.

I've disabled the "apple device" condition in the authorization policy but the rule still doesn't match.

Rule

Authorization result

Authorization result detail

I've deleted the device from the profiled endpoints and I've repeated the test, but the result is the same.

Do you have any other suggestions?

Thanks for your help

Regards

Gabriele

Very similar problem here... did you manage to solve it?

This looks like a bug... critical...

If you want to match an internal user group under other conditions, use InternalUser:IdentityGroup instead.

For example,

InternalUser:IdentityGroup EQUALS User Identity Groups:Guest

Regards

Gabriele

I did it by matching the word "Guest", without success.

I'll try as you recommended.

Thanks a lot

G

Edit:

This way works.

Thank you!!