01-08-2018 08:27 AM
I have set up a hotspot page for my client in ISE. They are using this for their guest wireless, but it is locked down to only allow certain types of devices on it (i.e. PCs, tablets, etc., not streaming devices like Rokus). At any rate, they asked if there is a way to have a deny page come up when someone tries to connect with a device like a Roku. They feel that they will get a lot of phone calls without a deny page. Not sure if this can be done or not.
TIA,
Dan
01-08-2018 10:08 AM
You said it’s locked down to certain devices? How are they doing that? Or is this just a policy that they don’t want to allow it, but they aren’t actually restricting it now because they don’t know how?
For this to work you would need to identify the groups of devices that are allowed and then, using Plus licensing and profiling, set up policies.
The problem I see, however, is that when you first come in you will be redirected to the hotspot portal and only then recognized by the browser user agent string on the Roku. Then you will have to do a Change of Authorization with the profile change to get the new authz policy.
Does the Roku even have a web browser where they could see this message?
Here is how it may work but you would have to lab it up. It might prove problematic.
If wireless_mab and guestendpoints and notallowed then redirect to message portal
If wireless_mab and guestendpoints and alloweddevices then permit access
If wireless_mab then redirect to hotspot portal
If you can get this to work then here is a way to make a message portal.
https://communities.cisco.com/docs/DOC-64018
Look for hotspot as a message portal
For ISE 2.2 and higher you can use the Custom portal files to host an HTML file to redirect to
See the PowerPoint at the top of that page, What’s New in ISE 2.2, slide 15.
https://communities.cisco.com/docs/DOC-64018#jive_content_id_ISE_22
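To make the first-match rule order and the CoA step concrete, here is an added simulation of the three proposed rules (my example, not part of the thread or any ISE configuration); the profile names, rule names and result strings are assumptions, and it also shows what happens if the catch-all hotspot rule is placed first.

```python
"""Simulate ISE-style top-down, first-match authorization for the three proposed rules."""
from dataclasses import dataclass

ALLOWED_PROFILES = {"Windows-Workstation", "Apple-iPad", "Android"}  # assumed 'alloweddevices' set
NOT_ALLOWED_PROFILES = {"Roku"}                                        # assumed 'notallowed' set


@dataclass
class Endpoint:
    mac: str                           # constructed sample MACs only
    wireless_mab: bool = True          # session matched the Wireless_MAB condition
    guest_endpoints: bool = False      # member of the GuestEndpoints identity group
    profile: str = "Unknown"           # current profiler classification


# Ordered rule table mirroring the proposed policy; evaluated top-down, first match wins.
PROPOSED_RULES = [
    ("NotAllowed-Redirect",
     lambda e: e.wireless_mab and e.guest_endpoints and e.profile in NOT_ALLOWED_PROFILES,
     "Redirect:MessagePortal"),
    ("Allowed-Permit",
     lambda e: e.wireless_mab and e.guest_endpoints and e.profile in ALLOWED_PROFILES,
     "PermitAccess"),
    ("Hotspot-Redirect",
     lambda e: e.wireless_mab,
     "Redirect:HotspotPortal"),
]

# If the catch-all hotspot rule were placed first it would shadow the other two.
MISORDERED_RULES = [PROPOSED_RULES[2], PROPOSED_RULES[0], PROPOSED_RULES[1]]


def authorize(ep, rules=PROPOSED_RULES):
    """Return (rule name, result) of the first matching rule; default rule is assumed DenyAccess."""
    for name, condition, result in rules:
        if condition(ep):
            return name, result
    return "Default", "DenyAccess"


def session_flow(ep, learned_profile):
    """Trace one session: initial MAB, hotspot redirect, profile learned from the
    browser user agent seen at the portal, then CoA re-authorization."""
    trace = [authorize(ep)[1]]         # first pass: profile still Unknown -> hotspot portal
    ep.profile = learned_profile       # profiler reclassifies from the portal's user agent
    ep.guest_endpoints = True          # assumed: endpoint now in GuestEndpoints
    trace.append(authorize(ep)[1])     # CoA forces re-evaluation against the same rule order
    return trace
```

A device that never reaches the portal (no browser) never gets its profile updated here, so it keeps landing on the hotspot redirect, which is the limitation raised above.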
01-08-2018 09:04 AM
You could redirect them to a custom portal like Blacklist Portal
Here's a thread on the topic:
Blacklist for Registered Corporate MAC's on Guest??
How To Whitelist or Blacklist an Endpoint by Endpoint Profile
How To Whitelist or Blacklist an Endpoint by MAC Address
Thanks,
Danny
01-08-2018 10:37 AM
Jason,
Thanks for the response.
The solution was sold as follows. When a device connects, ISE will profile the device and if it matches an allowed profile, it can access the guest wireless; otherwise they are blocked. This wireless is for guests and residents (this is a retirement community).
Honestly, I think it would be easier to send a letter out to the residents to let them know that only certain devices can connect, or vice versa. You do bring up a good point that some devices won't be able to display a deny access page.
Dan
01-08-2018 10:42 AM
OK, well, like I said, it might be problematic with what you expect to work, with profile changes and CoAs and correctly identifying allowed devices vs. not allowed devices.
I suggest that it's validated and tested in a lab to see if it can work per expectations.
01-08-2018 10:58 AM
I talked to them more about this, and most, if not all, of the devices that will be blocked won't have the ability to display a deny page. Once they thought about it, they agreed to leave it be for now.
Thanks again.
01-08-2018 11:05 AM
Great! Makes sense.