Contributor

ISE Hotspot portal only allow certain devices

I am working on configuring ISE for my client's guest wireless.  They only want to allow certain devices (i.e. laptops, tablets, phones) and not streaming/gaming devices.  With that being the case, I have profiling running to detect what type of device is connecting to their wireless network.  However, I am running into an issue with the devices that are allowed getting constantly redirected.  What I have for my authorization policies are as follows:

Rule 1: if you are part of the GuestEndpoints identity group and this allowed profiled group, you are allowed on

Rule 2: WebAuth redirect

Rule: deny access

From what I can tell, a device cannot be part of two identity groups.  Since that is the case, I need suggestions on how to get this to work.  If I remove the condition from Rule 1 of having to be part of the GuestEndpoints identity group, devices that are already profiled (usually Windows devices) are allowed on without going to the splash page and get internet access.  We cannot use any portal that requires credentials being entered as this is for a retirement community, hence the Hotspot portal.

ISE is version 2.3, patch 2

Two ISE VMs running in HA mode

Let me know if you need any other information.

TIA,

Dan


Advocate

A MAC address can belong to an endpoint profile group and an endpoint identity group.  The hotspot process maps the MAC address to an endpoint identity group and doesn't touch the endpoint profile group.  So your rule should be able to work with an endpoint profile group and endpoint identity group specified.

I would personally do the profile check at the redirect rule.  Why even bring unwanted users to the portal?  Keep it easier by using a logical profile of the profiles you want to allow.

If GuestEndpoints then Internet Access

If Allowed_Guest_Logical_Profile then redirect

else Deny Access

The only reason to bring everyone into the portal is if you are relying on the collection of the HTTP header information to help with profiling things correctly then it would be:

If GuestEndpoints and Allowed_Guest_Logical_Profile then Internet Access

else Redirect

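The three rule layouts discussed so far (Dan's attempt in the question with the identity-group condition dropped from Rule 1, and the two orderings Paul proposes above), replayed as a first-match policy evaluation so the effect of each ordering on an unprofiled iPhone, a laptop already profiled from DHCP, and a streaming box can be checked offline. This is an added example, not ISE's own policy engine and not code from any poster; the attribute names, profile names, MAC addresses, the `Allowed_Guest_Logical_Profile` membership and the model of what a portal visit does to the endpoint are all assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the Allowed_Guest_Logical_Profile logical profile:
# the endpoint profiles the client wants on guest Wi-Fi (names are hypothetical).
ALLOWED_GUEST_LOGICAL_PROFILE = {
    "Apple-iPhone", "Apple-iPad", "Android", "Windows10-Workstation",
}


@dataclass
class Endpoint:
    """The two endpoint attributes the thread distinguishes, plus test-bench fields."""
    mac: str
    profile: str = "Unknown"                   # endpoint profile group, written by the profiler
    identity_group: str = "Unknown"            # endpoint identity group, written by the hotspot flow
    profile_after_http_probe: str = "Unknown"  # what the HTTP probe learns at the portal (constructed)
    wireless_mab: bool = True                  # session matches the Wireless_MAB condition
    user_accepts_aup: bool = True              # someone can click through the AUP on this device


def allowed_profile(ep: Endpoint) -> bool:
    return ep.profile in ALLOWED_GUEST_LOGICAL_PROFILE


def policy_profile_at_redirect(ep: Endpoint) -> str:
    """Paul's first layout: identity group permits, logical profile gates the redirect."""
    if ep.identity_group == "GuestEndpoints":
        return "PermitAccess"
    if ep.wireless_mab and allowed_profile(ep):
        return "HotspotRedirect"
    return "DenyAccess"


def policy_everyone_to_portal(ep: Endpoint) -> str:
    """Paul's second layout: every MAB session reaches the portal so the HTTP probe can profile it."""
    if ep.identity_group == "GuestEndpoints" and allowed_profile(ep):
        return "PermitAccess"
    if ep.wireless_mab:
        return "HotspotRedirect"
    return "DenyAccess"


def policy_without_identity_group(ep: Endpoint) -> str:
    """Dan's workaround from the question: identity-group condition dropped from rule 1."""
    if allowed_profile(ep):
        return "PermitAccess"
    if ep.wireless_mab:
        return "HotspotRedirect"
    return "DenyAccess"


def hotspot_portal_visit(ep: Endpoint) -> None:
    """Model of one trip through the hotspot portal (assumption): the HTTP probe may
    refine the profile group, and AUP acceptance maps the MAC into the endpoint
    identity group without touching the profile group."""
    if ep.profile_after_http_probe != "Unknown":
        ep.profile = ep.profile_after_http_probe
    if ep.user_accepts_aup:
        ep.identity_group = "GuestEndpoints"


def walk(policy, ep: Endpoint, max_rounds: int = 3) -> list:
    """Replay one device through a first-match policy until it stops being redirected."""
    decisions = []
    for _ in range(max_rounds):
        decision = policy(ep)
        decisions.append(decision)
        if decision != "HotspotRedirect":
            break
        hotspot_portal_visit(ep)
    return decisions


POLICIES = (policy_profile_at_redirect, policy_everyone_to_portal, policy_without_identity_group)


def device_fixtures() -> dict:
    """Constructed devices: an iPhone the profiler only recognises after the HTTP probe,
    a laptop already profiled from DHCP, and a streaming box with no browser."""
    return {
        "iphone": Endpoint("aa:bb:cc:00:00:01", profile_after_http_probe="Apple-iPhone"),
        "laptop": Endpoint("aa:bb:cc:00:00:02", profile="Windows10-Workstation"),
        "roku": Endpoint("aa:bb:cc:00:00:03", profile_after_http_probe="Roku-Device",
                         user_accepts_aup=False),
    }


def demo() -> dict:
    """Decision trace for every (device, policy) pair, each run on a fresh endpoint."""
    return {
        (name, policy.__name__): walk(policy, device_fixtures()[name])
        for name in device_fixtures()
        for policy in POLICIES
    }


if __name__ == "__main__":
    for (name, policy_name), trace in demo().items():
        print(f"{name:7s} {policy_name:32s} {' -> '.join(trace)}")
```

Run it as a script to print one trace per device and layout. The iPhone row under `policy_profile_at_redirect` ends in `DenyAccess` before the portal is ever reached, because a device still profiled as Unknown never matches the logical profile on the redirect rule; the laptop row under `policy_without_identity_group` is a single `PermitAccess`, the portal bypass described in the question; the streaming box under `policy_everyone_to_portal` loops on `HotspotRedirect` because it can never satisfy the logical-profile condition on rule 1.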
Cisco Employee (accepted solution)

What about using the lastaupacceptance value

If profiled and lastaupacceptance is greater than x hours then permit

If profiled and lastaupacceptance is less than x hours then redirect to portal

If wireless mab then redirect to portal

If not allowed then redirect to bad page


That works as well, but no reason the endpoint identity group and the endpoint profile group/logical profile can’t be used in the same rule.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250


Paul,

I tried to do what you suggested.  However, some devices, like Android and iOS, have to be able to reach the WebAuth page to be profiled correctly.  Android and iOS use the HTTP probe to be profiled with ISE.

-Dan


That is fine, then just do the first flow I mentioned. Use a logical profile + guest endpoints.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250


Jason,

Thanks for the suggestion.  I will give it a try Monday and report back.

Dan
