ISE hotspot portal

donnie
Level 1

Hi all,

I have set up a captive portal using ISE v2.4. I created 2 authorization policies in my policy set, as below.

1) The 1st authorization policy has the following conditions and, once matched, will bounce the user to the VLAN that has internet access:

a) network access: usecase equals host lookup

b) radius called-station-ID matches .*(:Guesthotspot)$

c) identitygroup:name equals endpoint identity groups:Guestendpoints

2) The 2nd authorization policy has the following conditions and, once matched, will redirect the user to my hotspot portal configured in ISE:

a) normalised radius radiusflowtype equals wirelessmab

b) radius.called-station-id matches .*(:Guesthotspot)$

In ISE, under the default hotspot portal, I have selected GuestEndpoints as the identity group so that once the user clicks accept on the AUP page, the client machine's MAC address would be added to GuestEndpoints.

During my test using a PC, I noticed that after the user clicks accept on the AUP page, I can get the connection successful page but would be redirected to the AUP page again. From the ISE logs I noticed my attempts kept bypassing my 1st authorization policy and kept hitting the 2nd authorization policy, which was configured to redirect the user machine to the hotspot portal. I noticed my machine's MAC address is not added to GuestEndpoints, which should not be the case since I selected GuestEndpoints in the ISE hotspot portal. If I use a phone to connect to the hotspot portal, the MAC address of my phone would be registered to the GuestEndpoints identity group. Why is this so?

1 Accepted Solution

jj27
Spotlight

You can remove (a) from your first authorization policy as it is not needed. Matching the SSID name by called-station ID (b), as you're doing, as well as the endpoint MAC being in GuestEndpoints (c), would accomplish what you need.

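A simplified model of the two authorization rules discussed in this thread, added here as an example and not taken from the posts or from ISE itself. It assumes first-match rule evaluation and a Called-Station-ID of the form `<AP MAC>:<SSID>`; the rule names, the sample addresses and the `trace_session` helper are hypothetical. It shows that the redirect loop described in the question is exactly what the rule order produces when the MAC never lands in GuestEndpoints.

```python
import re

# SSID condition quoted in the post: Called-Station-ID MATCHES .*(:Guesthotspot)$
SSID_RE = re.compile(r".*(:Guesthotspot)$")

def norm_mac(mac):
    """Canonical MAC (12 upper-case hex digits) so group lookups ignore separators."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()

def on_guest_ssid(req):
    return SSID_RE.fullmatch(req["called_station_id"]) is not None

# Rules in the post's order. Rule 1 omits condition (a), as the accepted answer suggests.
RULES = [
    ("permit_internet_vlan",
     lambda req, groups: on_guest_ssid(req)
     and norm_mac(req["calling_station_id"]) in groups["GuestEndpoints"]),
    ("redirect_to_hotspot",
     lambda req, groups: req["flow_type"] == "WirelessMAB" and on_guest_ssid(req)),
]

def authorize(req, groups):
    """Return the name of the first rule whose conditions all hold (assumed first-match)."""
    for name, cond in RULES:
        if cond(req, groups):
            return name
    return "default"

def trace_session(req, groups, registration_succeeds):
    """Authorize, accept the AUP, re-authorize; return both results."""
    before = authorize(req, groups)
    if registration_succeeds:  # portal adds the MAC to its configured endpoint group
        groups["GuestEndpoints"].add(norm_mac(req["calling_station_id"]))
    return before, authorize(req, groups)

# Constructed sample request; Called-Station-ID is assumed to be "<AP MAC>:<SSID>".
SAMPLE = {
    "calling_station_id": "aa-bb-cc-dd-ee-01",
    "called_station_id": "00-11-22-33-44-55:Guesthotspot",
    "flow_type": "WirelessMAB",
}

if __name__ == "__main__":
    print(trace_session(SAMPLE, {"GuestEndpoints": set()}, True))
    print(trace_session(SAMPLE, {"GuestEndpoints": set()}, False))
```

When a client keeps landing on the redirect rule, the second trace points the investigation at the endpoint group membership rather than at the rule conditions.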