Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1068
Views
1
Helpful
6
Replies

ISE Hotspot portal only allow certain devices

Go to solution
deyster94
Level 5
Level 5

‎01-26-2018 02:21 PM

I am working on configuring ISE for my client's guest wireless.  They only want to allow certain devices (i.e. laptops, tablets, phones) and not streaming/gaming devices.  With that being the case, I have profiling running to detect what type of devices is connecting to their wireless network.  However, I am running into an issue with the devices that are allowed getting constantly redirected.  What I have for my authorization policies are as follows:

Rule 1: if you are part of the GuestEndpoints identity group and this allowed profiled group, you are allowed on

Rule 2: WebAuth redirect

Rule: deny access

From what I can tell, a device cannot be part of two identity groups.  Since that is the case, I need suggestions on how to get this to work.  If i remove the condition from Rule 1 of having to be part of the GuestEndpoints Identity group, devices that are already profile (usually Windows devices) are allowed on without going to the splash page and get internet access.  We cannot use any portal that requires credentials being enter as this is for a retirement community, hence the Hotspot portal.

ISE is version 2.3, patch 2

Two ISE VM's running in HA mode

Let me know if you need any other information.

TIA,

Dan

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎01-26-2018 02:41 PM

What about using the lastaupacceptance value

If profiled and lastaupacceptance is greater than x hours the permit

If profiled and lastaupacceptance is less than x hours then redirect to portal

If wireless mab then redirect to portal

If not allowed then redirect to bad page

View solution in original post

0 Helpful
6 Replies 6

Go to solution
paul
Level 10
Level 10

‎01-26-2018 02:35 PM

A MAC address can belong to a endpoint profile group and an endpoint identity group.  The hotspot process maps the MAC address to an endpoint identity group and doesn't touch the endpoint profile group.  So your rule should be able to work with an endpoint profile group and endpoint identity group specified.

I would personally do the profile check at the redirect rule.  Why even bring unwanted users to the portal.  Keep it easier by using a logical profile of the profiles you want to allow.

If GuestEndpoints then Internet Access

If Allowed_Guest_Logical_Profile then redirect

else Deny Access

The only reason to bring everyone into the portal is if you are relying on the collection of the HTTP header information to help with profiling things correctly then it would be:

If GuestEndpoints and Allowed_Guest_Logical_Profile then Internet Access

else Redirect

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎01-26-2018 02:41 PM

What about using the lastaupacceptance value

If profiled and lastaupacceptance is greater than x hours the permit

If profiled and lastaupacceptance is less than x hours then redirect to portal

If wireless mab then redirect to portal

If not allowed then redirect to bad page

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Jason Kunst

‎01-26-2018 02:48 PM

That works as well, but no reason the endpoint identity group and the endpoint profile group/logical profile can’t be used in the same rule.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

Go to solution
deyster94
Level 5
Level 5
In response to paul

‎01-26-2018 08:21 PM

Paul,

I tried do what you suggested.  However, some devices, like Android and IOS have to be able to reach the WebAuth page to be profiled correctly.  Android and IOS use the HTTP probe to be profiled with ISE. 

-Dan

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to deyster94

‎01-26-2018 08:23 PM

That is fine then just do the first flow I mentioned. Use a logical profile + guest endpoints.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

Go to solution
deyster94
Level 5
Level 5
In response to Jason Kunst

‎01-26-2018 08:22 PM

Jason,

Thanks for the suggestion.  I will give it try Monday and report back.

Dan

0 Helpful
Customers Also Viewed These Support Documents