ISE Guest portal Self registration no redirect

jtimmer1
Level 1

Hello All,

I've a question about the redirecting on the Guest-Selfservice portal.

We can go to the guest portal, after we fill in the Username and password, we need to redirect to the normal network with a CoA.

This doesn't work. When I do an ipconfig /release /renew on my workstation, I get the other IP and everything works fine.

For the redirect Guest we use another VLAN than for the access-guest.

I've followed this link: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

But that doesn't help me with the automatic redirecting.

I've also changed the CoA on Administration --> Settings --> Profiling.

That doesn't work as well.

Could you please help me?

Port config:

switchport mode access
switchport voice vlan 319
ip access-group permitany in
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge

1 Accepted Solution


As paul stated, a VLAN change is not a good practice. As you can see, the endpoint has no idea of the change.

Would recommend at least ISE 2.2

Another option, if absolutely necessary to have wired MAB with CWA, is to put different types of endpoints into different groups

Set up hotspot portals with different endpoint groups and CoA disconnect

Set up authorization profiles with different VLANs to match

For example:

If mab and endpointgroupY then permitVLANY
If mab and endpointgroupX then permitVLANX
If mab and guesttype is guest1day then redirect to hotspot for 1day endpoint registration
If mab and guesttype is contractor then redirect to hotspot for contractor endpoint registration
If mab then redirect to web auth

Here is a wired smart port example


https://community.cisco.com/t5/identity-services-engine-ise/solution-for-change-of-vlan-for-wired-guests-using-smart-port/td-p/3432614
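
The ordered rule list in the answer above, modelled in Python as an added example (not from the original post or from Cisco). It assumes first-match evaluation; the rule names, attribute keys and result strings are hypothetical. It shows that the catch-all web-auth rule has to stay last, and that the VLAN is assigned on the fresh MAB session after the CoA disconnect rather than changed under a running session.

```python
# Added illustration: first-match model of the MAB rule list from the answer.
# Rule names, attribute keys and result strings are hypothetical, not ISE objects.

RULES = [  # (name, required attributes, result), in the order given in the answer
    ("groupY", {"endpoint_group": "endpointgroupY"}, "permitVLANY"),
    ("groupX", {"endpoint_group": "endpointgroupX"}, "permitVLANX"),
    ("guest1day", {"guest_type": "guest1day"}, "redirect:hotspot-1day"),
    ("contractor", {"guest_type": "contractor"}, "redirect:hotspot-contractor"),
    ("catch-all", {}, "redirect:web-auth"),
]


def authorize(session, rules=RULES):
    """Return (rule name, result) of the first rule whose conditions all match."""
    if session.get("method") != "mab":
        return None  # the list only covers MAB sessions
    for name, conds, result in rules:
        if all(session.get(k) == v for k, v in conds.items()):
            return name, result
    return None


def shadowed(rules=RULES):
    """Names of rules that can never fire because an earlier rule is at least as general."""
    dead = []
    for i, (name, conds, _) in enumerate(rules):
        # An earlier rule whose conditions are a subset of this one always wins first.
        if any(earlier.items() <= conds.items() for _, earlier, _ in rules[:i]):
            dead.append(name)
    return dead


def register_and_reauth(session, group):
    """Hotspot registration puts the MAC into an endpoint group; the CoA disconnect
    then forces a new MAB session, which is evaluated against that group."""
    fresh = {"method": "mab", "mac": session["mac"], "endpoint_group": group}
    return authorize(fresh)


if __name__ == "__main__":
    unknown = {"method": "mab", "mac": "00:00:5e:00:53:01"}  # constructed sample MAC
    print(authorize(unknown))                              # first contact
    print(register_and_reauth(unknown, "endpointgroupX"))  # after registration
    print(shadowed([RULES[-1]] + RULES[:-1]))              # catch-all moved to the top
```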


2 Replies

paul
Level 10

VLAN moves when doing wired guest are always tricky and honestly not worth attempting in my opinion. I usually have most of my customers ditch the notion of wired guest altogether, as what is the real use case since you have wireless guest.

You can check out some autosmart port examples of doing VLAN moves with a port bounce, but I have had so-so luck using it.
