scamarda
Cisco Employee

ISE Guest Flow with Multiple Endpoint Identities

Customer has guest wireless controlled via ISE. Employees are allowed to use the guest wireless with their personal devices when they log in through Active Directory. Once the employee logs in via the portal page, they are registering the device, so the system does a MAB on the second and subsequent logins for that device. What they are asking is to be able to put certain users in separate identity groups. This is to be able to purge the registered devices at specific intervals. For example, Executives would log in one time and not have to enter credentials again for 365 days (after the device is purged). Employees would log in from the guest portal and their device would be purged out after 30 days. In the guest portal and BYOD portals it only shows one identity group to assign the user. Can I assign more than one identity group in a guest flow? I think what I am looking for is DRW with multiple identity groups.

Is there another way to be able to assign guest users to different policies and then purge them at a specific interval?

Accepted Solution
Jason Kunst
Cisco Employee

Since both of these types of users are in the same identity store and are considered employees to the guest portal, I think you could do it the following way.

This would assume you have an AD group for execs vs. employees, or perhaps an LDAP attribute?

  1. Create an endpoint group for employees and another for execs, with purging policies as needed.
  2. Create a hotspot portal for employee devices and another for executives, and choose the corresponding endpoint groups.
  3. Set up an authorization rule above the standard redirect rule saying: if guest flow and employees, then redirect to the employee hotspot portal. Make another rule above that for the Executives group.

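As an added illustration of the scheme above (not ISE code and not from the thread), a small first-match model of the authorization ordering, the hotspot portal's endpoint-group assignment, and per-group purging; the MAC addresses, group names, portal names and the 30/365-day intervals are constructed from the question.

```python
from datetime import datetime, timedelta

# Constructed model, not ISE: endpoint identity groups and their purge intervals.
PURGE_DAYS = {"ExecDevices": 365, "EmployeeDevices": 30}
PORTAL_GROUP = {"Hotspot-Exec": "ExecDevices", "Hotspot-Employee": "EmployeeDevices"}

class Endpoint:
    def __init__(self, mac):
        self.mac, self.group, self.registered = mac, "Unknown", None

def authorize(ep, guest_flow=False, ad_groups=()):
    """Authorization rules, top to bottom; the first match wins."""
    # Already-registered devices come in via MAB and match on endpoint group.
    if ep.group == "ExecDevices":
        return "PermitExecutive"
    if ep.group == "EmployeeDevices":
        return "PermitUser"
    # Per-group hotspot redirects sit ABOVE the standard redirect, else CWA wins.
    if guest_flow and "Execs" in ad_groups:
        return "Redirect:Hotspot-Exec"
    if guest_flow and "Employees" in ad_groups:
        return "Redirect:Hotspot-Employee"
    return "Redirect:CWA"

def hotspot_register(ep, portal, now):
    # What the hotspot portal does once the AUP is accepted.
    ep.group, ep.registered = PORTAL_GROUP[portal], now

def purge(endpoints, now):
    """Return endpoints to Unknown once their group's interval has elapsed."""
    purged = []
    for ep in endpoints:
        days = PURGE_DAYS.get(ep.group)
        if days and now - ep.registered > timedelta(days=days):
            ep.group, ep.registered = "Unknown", None
            purged.append(ep.mac)
    return purged

def demo():
    """One exec and one employee device through the flow (constructed MACs)."""
    t0 = datetime(2016, 1, 1)
    ex, em = Endpoint("00:11:22:33:44:01"), Endpoint("00:11:22:33:44:02")
    out = {"exec_first": authorize(ex, True, ("Execs",)),
           "emp_first": authorize(em, True, ("Employees",))}
    hotspot_register(ex, "Hotspot-Exec", t0)
    hotspot_register(em, "Hotspot-Employee", t0)
    out["exec_mab"], out["emp_mab"] = authorize(ex), authorize(em)  # MAB, no portal
    out["purged_day31"] = purge([ex, em], t0 + timedelta(days=31))  # employee only
    out["emp_after_purge"] = authorize(em, True, ("Employees",))    # AUP shown again
    out["exec_day366"] = purge([ex, em], t0 + timedelta(days=366))
    return out
```

An endpoint whose portal step never writes the group (the symptom reported later in the thread) stays Unknown and keeps matching a redirect rule.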

Followed your instructions below. I have three rules plus the CWA: Hotspot 1, Hotspot 2 and a Guest Access rule, depending on the hotspot-assigned identity.

I've enabled the policy: the user hits CWA and is then redirected to the appropriate Hotspot portal. The hotspot portal is set up to put the endpoint in a specific endpoint identity. The flow goes through the hotspot, but the endpoint assignment does not happen. The endpoint identity stays as Unknown and I loop back to CWA.

What am I missing?

What version of ISE?

I have heard something similar where the endpoint is not being registered into the group.

Is regular hotspot working?

ISE 2.0 no patch. Will have to test regular hotspot functionality.

I know there was a problem with ISE 2.0 with no patch not registering correctly.

Can you apply the latest patch and then make sure you are sending them to an AUP page where they have to hit accept?

Upgrading to 2.0.1.130 seems to have fixed the issue.

Thanks.

Sam

ajamerica
Beginner

This is a very interesting setup.  Could you share a quick screen capture of your Auth policies?  I am looking at applying the same method.

scamarda, can you share?

scamarda
Cisco Employee

Usernames are loaded in AD. Originally they use CWA. The different AD user types are directed to their respective hotspot portal. Once they hit the portal they are assigned a unique identity. There is an AUP in between CWA and the Hotspot. Other than that, no interaction. The identities are defined with different purge times.

Hotspot Category.png

OK, assuming you have authz rules above that with the different endpoint groups:

if executiveEndpoint then permitExecutive permissions

if UserEndpoint then permitUser permissions

scamarda
Cisco Employee

This was on the guest network so no permission differences. Customer wanted to have execs renew AUP every 365 days and Employees using the Guest Wifi every 8 days.  Needed a way to purge devices that were using the Guest WiFi.  Once purged, AUP was redisplayed.  Also a way to clean up the DB clutter.

ajamerica
Beginner

Thanks for sharing!  I am working on setting up the same scenario for a customer as well.  We are now trying to configure identity mapping to identify the users on these open connections.
