ISE Hotspot deny page

deyster94
Level 5

I have set up a hotspot page for my client in ISE. They are using this for their guest wireless, but it is locked down to only allow certain types of devices on it (i.e. PCs, tablets, etc., not streaming devices like Rokus). At any rate, they asked if there is a way to have a deny page come up when someone tries to connect with a device like a Roku. They feel that they will get a lot of phone calls without a deny page. Not sure if this can be done or not.

TIA,

Dan

Accepted Solutions

Jason Kunst
Cisco Employee

You said it's locked down to certain devices? How are they doing that? Or is this just a policy that they don’t want to allow it, but they aren’t actually restricting it now because they don’t know how?

For this to work you would need to identify the groups of devices that are allowed and then, using Plus licensing and profiling, set up policies.

The problem I see, however, is that when you first come in you will be redirected to the hotspot portal and only then recognized by the browser user agent string on the Roku. Then you will have to do a Change of Authorization with the profile change to get the new authz policy.

Does the Roku even have a web browser where they could see this message?

Here is how it may work but you would have to lab it up. It might prove problematic.

If wireless_mab and guestendpoints and notallowed then redirect to message portal

If wireless_mab and guestendpoints and alloweddevices then permit access

If wireless_mab then redirect to hotspot portal

If you can get this to work then here is a way to make a message portal.

https://communities.cisco.com/docs/DOC-64018

Look for hotspot as a message portal

For ISE 2.2 and higher you can use the Custom portal files to host an HTML file to redirect to

See the PowerPoint at the top of that page, What’s New in ISE 2.2; look at slide 15

https://communities.cisco.com/docs/DOC-64018#jive_content_id_ISE_22
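
The rule order sketched in the answer above, as an added example that is not part of the original post and is not ISE configuration: a first-match model in Python showing which result an endpoint gets at first connect and again after the Change of Authorization. The profile names, result strings, default result and the `has_browser` flag are assumptions made for the illustration.

```python
# Added illustration only: models the three rules from the post as a
# first-match policy. Not ISE configuration and not an ISE API.
from dataclasses import dataclass

ALLOWED = {"Workstation", "Tablet"}     # assumed "alloweddevices" profiles
NOT_ALLOWED = {"Streaming-Device"}      # assumed "notallowed" profiles

@dataclass
class Endpoint:
    wireless_mab: bool = True
    guest_endpoints: bool = False       # registered by the hotspot portal
    profile: str = "Unknown"            # filled in once profiling succeeds

# Same order as the post; the first rule whose condition holds wins.
RULES = [
    (lambda e: e.wireless_mab and e.guest_endpoints and e.profile in NOT_ALLOWED,
     "redirect: message portal"),
    (lambda e: e.wireless_mab and e.guest_endpoints and e.profile in ALLOWED,
     "permit access"),
    (lambda e: e.wireless_mab,
     "redirect: hotspot portal"),
]

def authorize(ep: Endpoint) -> str:
    for condition, result in RULES:
        if condition(ep):
            return result
    return "deny access"                # assumed default when nothing matches

def session_trace(profile: str, has_browser: bool = True) -> list:
    """Authorization results at first connect and after the CoA."""
    ep = Endpoint()
    trace = [authorize(ep)]             # unprofiled: always the hotspot rule
    if has_browser:                     # assumption: user agent seen at portal
        ep.guest_endpoints = True
        ep.profile = profile
        trace.append(authorize(ep))     # CoA re-evaluates with the new profile
    return trace

if __name__ == "__main__":
    for label, args in [("tablet", ("Tablet",)),
                        ("streaming box with browser", ("Streaming-Device",)),
                        ("streaming box, no browser", ("Streaming-Device", False))]:
        print(f"{label:28} {' -> '.join(session_trace(*args))}")
```

The last case is the one raised in the thread: an endpoint that never loads the portal in a browser stays on the hotspot redirect and never reaches the message portal.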


6 Replies


Jason,

Thanks for the response. 

The solution was sold as follows. When a device connects, ISE will profile the device and if it matches an allowed profile, it can access the guest wireless, otherwise they are blocked. This wireless is for guests and residents (this is a retirement community).

Honestly, I think it would be easier to send a letter out to the residents to let them know that only certain devices can connect, or vice versa. You do bring up a good point that some devices won't be able to display a deny access page.

Dan

OK, well, like I said, it might be problematic on what you expect to work. With profile changes and CoAs and correctly identifying allowed devices vs not allowed devices.

I suggest that it's validated and tested in a lab to see if it can work per expectations.

I talked to them more about this: that most, if not all, of the devices that will be blocked won't have the ability to display a deny page. Once they thought about it, they agreed to leave it be for now.

Thanks again.

Great! Makes sense
