01-26-2018 02:21 PM
I am working on configuring ISE for my client's guest wireless. They only want to allow certain devices (i.e. laptops, tablets, phones) and not streaming/gaming devices. With that being the case, I have profiling running to detect what type of device is connecting to their wireless network. However, I am running into an issue with the devices that are allowed getting constantly redirected. What I have for my authorization policies is as follows:
Rule 1: if you are part of the GuestEndpoints identity group and this allowed profiled group, you are allowed on
Rule 2: WebAuth redirect
Rule 3: deny access
From what I can tell, a device cannot be part of two identity groups. Since that is the case, I need suggestions on how to get this to work. If I remove the condition from Rule 1 of having to be part of the GuestEndpoints identity group, devices that are already profiled (usually Windows devices) are allowed on without going to the splash page and get internet access. We cannot use any portal that requires credentials being entered as this is for a retirement community, hence the Hotspot portal.
ISE is version 2.3, patch 2
Two ISE VMs running in HA mode
Let me know if you need any other information.
TIA,
Dan
01-26-2018 02:35 PM
A MAC address can belong to an endpoint profile group and an endpoint identity group. The hotspot process maps the MAC address to an endpoint identity group and doesn't touch the endpoint profile group. So your rule should be able to work with an endpoint profile group and endpoint identity group specified.
I would personally do the profile check at the redirect rule. Why even bring unwanted users to the portal? Keep it easier by using a logical profile of the profiles you want to allow.
If GuestEndpoints then Internet Access
If Allowed_Guest_Logical_Profile then redirect
else Deny Access
The only reason to bring everyone into the portal is if you are relying on the collection of the HTTP header information to help with profiling things correctly then it would be:
If GuestEndpoints and Allowed_Guest_Logical_Profile then Internet Access
else Redirect
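To make the difference between the two flows above concrete, here is an added model of first-match authorization policy evaluation (written for this thread; it is not ISE code or an ISE API). It assumes a constructed logical profile named Allowed_Guest_Logical_Profile containing a few illustrative profile names, models hotspot AUP acceptance as "add the MAC to GuestEndpoints, leave the profile alone", and models the portal visit as the point where the HTTP probe can classify a still-Unknown endpoint. It also includes the original poster's workaround of dropping the GuestEndpoints condition, to show why that lets already-profiled devices skip the AUP.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Sequence, Tuple

# Constructed stand-in for the logical profile of device types the site wants
# to admit. The names are illustrative, not the site's real ISE profiles.
ALLOWED_GUEST_LOGICAL_PROFILE = {
    "Windows-Workstation", "Apple-iPad", "Apple-iPhone", "Android",
}

@dataclass(frozen=True)
class Endpoint:
    mac: str
    profile: str                   # profiler's current classification ("Unknown" until probed)
    identity_group: Optional[str]  # "GuestEndpoints" once the hotspot flow registers the MAC

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Endpoint], bool]
    result: str                    # authorization result handed back to the WLC

def evaluate(policy: Sequence[Rule], ep: Endpoint) -> Tuple[str, str]:
    """First-match evaluation, top to bottom, like an ISE authorization policy."""
    for rule in policy:
        if rule.condition(ep):
            return rule.name, rule.result
    return "Default", "DenyAccess"

def in_guest_endpoints(ep: Endpoint) -> bool:
    return ep.identity_group == "GuestEndpoints"

def in_allowed_profile(ep: Endpoint) -> bool:
    return ep.profile in ALLOWED_GUEST_LOGICAL_PROFILE

def always(ep: Endpoint) -> bool:
    return True

# Flow A: profile check on the redirect rule; unwanted devices never reach the portal.
FLOW_A = [
    Rule("Guest_Internet", in_guest_endpoints, "PermitInternet"),
    Rule("Guest_Redirect", in_allowed_profile, "WebAuthRedirect"),
    Rule("Default",        always,             "DenyAccess"),
]

# Flow B: everyone is redirected so the HTTP probe can profile them; only
# registered endpoints with an allowed profile get internet access.
FLOW_B = [
    Rule("Guest_Internet", lambda ep: in_guest_endpoints(ep) and in_allowed_profile(ep),
         "PermitInternet"),
    Rule("Redirect",       always, "WebAuthRedirect"),
]

# The poster's workaround: identity-group condition removed from Rule 1.
FLOW_NO_IDGROUP = [
    Rule("Guest_Internet", in_allowed_profile, "PermitInternet"),
    Rule("Redirect",       always,             "WebAuthRedirect"),
]

def hotspot_register(ep: Endpoint) -> Endpoint:
    """AUP acceptance puts the MAC in GuestEndpoints; the profile is untouched."""
    return replace(ep, identity_group="GuestEndpoints")

def http_probe(ep: Endpoint, classified_as: str) -> Endpoint:
    """A portal visit lets the HTTP probe classify a previously Unknown endpoint."""
    return replace(ep, profile=classified_as)

def walk(policy: Sequence[Rule], ep: Endpoint, probed_as: Optional[str] = None) -> List[str]:
    """Results an endpoint sees: on first association, then after the portal visit
    (HTTP probe, if applicable) and hotspot registration trigger re-authorization."""
    results = [evaluate(policy, ep)[1]]
    if results[-1] == "WebAuthRedirect":
        if probed_as is not None:
            ep = http_probe(ep, probed_as)
        ep = hotspot_register(ep)
        results.append(evaluate(policy, ep)[1])
    return results

def scenarios() -> dict:
    """Constructed endpoints: a laptop already profiled from DHCP/RADIUS data, a fresh
    Android that stays Unknown until it hits the portal, and a streaming device."""
    laptop  = Endpoint("00:11:22:aa:bb:01", "Windows-Workstation", None)
    android = Endpoint("00:11:22:aa:bb:02", "Unknown", None)
    roku    = Endpoint("00:11:22:aa:bb:03", "Roku-Device", None)  # constructed profile name
    return {
        "laptop/A":   walk(FLOW_A, laptop),
        "laptop/B":   walk(FLOW_B, laptop),
        "laptop/noIG": walk(FLOW_NO_IDGROUP, laptop),
        "android/A":  walk(FLOW_A, android, probed_as="Android"),
        "android/B":  walk(FLOW_B, android, probed_as="Android"),
        "roku/A":     walk(FLOW_A, roku),
        "roku/B":     walk(FLOW_B, roku),
    }

if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name:12s} {' -> '.join(path)}")
```

Running it shows the trade-off the thread is circling: flow A denies a never-profiled Android outright, so it never reaches the portal and never gets an HTTP probe, while flow B redirects it, profiles it, and then permits it once the MAC is in GuestEndpoints. The no-identity-group variant permits the already-profiled laptop on first association, which is exactly the AUP bypass the original post describes.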
01-26-2018 02:41 PM
What about using the lastaupacceptance value
If profiled and lastaupacceptance is greater than x hours then permit
If profiled and lastaupacceptance is less than x hours then redirect to portal
If wireless mab then redirect to portal
If not allowed then redirect to bad page
01-26-2018 02:48 PM
That works as well, but no reason the endpoint identity group and the endpoint profile group/logical profile can’t be used in the same rule.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
01-26-2018 08:21 PM
Paul,
I tried to do what you suggested. However, some devices, like Android and iOS, have to be able to reach the WebAuth page to be profiled correctly. Android and iOS use the HTTP probe to be profiled with ISE.
-Dan
01-26-2018 08:23 PM
That is fine then just do the first flow I mentioned. Use a logical profile + guest endpoints.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
01-26-2018 08:22 PM
Jason,
Thanks for the suggestion. I will give it a try Monday and report back.
Dan