ise portal help needed

muhsi_2015
Level 1


Hi,

I have the following scenarios; how can I achieve this in ISE?

1)

The user associates to the TEST1 (SSID), which is in fact open + MAC filtering with no Layer 3 security.
The user opens the browser.
The WLC redirects to the guest portal.

Users: internal users

2)

The user associates to the TEST2 (SSID), which is in fact open + MAC filtering with no Layer 3 security.
The user opens the browser.
The WLC redirects to the custom portal.

Users: domain users
Security group: domain.local/employees

Option 3: how can I integrate options 1 and 2?

For example, use a single portal for both SSIDs and different VLANs.


Please help

2 Replies

nspasov
Cisco Employee

Hi there, you can definitely do that. You will need to:

1. Create an Identity Store Sequence (Administration > Identity Management > Identity Source Sequences)

2. Include both "Internal Users" and "AD" in the sequence

3. Make sure you select the option "Treat as if the user was not found and proceed to the next store in the sequence"

4. Then assign that Identity Store Sequence to your Guest Portal (Located under the "Portal Settings > Authentication Method")

5. Create Authorization Rule for internal users

6. Create Authorization Rule for AD users

I hope this helps!

Thank you for rating helpful posts!

Joseph Johnson
Level 1

The authentication rules would have to allow access to internal users and the AD group in the identity sequence.

You would use the Radius:Called-Station-ID attribute in the authorization rule. If it contains TEST1, the policy result sends to portal 1. If it contains TEST2, the policy result sends to portal 2.

As for the authenticated access, you will tie the Radius:Called-Station-ID contains TEST1 and Internal users to allow access through portal 1 for authenticated access. You will tie Radius:Called-Station-ID contains TEST2 and External Groups contains domain.local/employees (or whatever domain group) to allow access through portal 2 for authenticated access.

If you want to use a single SSID (e.g. TEST3), you would have to either do ACL assignment to differentiate allowed access based on the login used or VLAN assignment based on the login.
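As an added example (not ISE's own code or anything from the posts above), here is a small Python model of the two-SSID authorization policy Joseph describes, assuming the WLC sends Radius:Called-Station-ID as "AP-MAC:SSID" (the WLC default) and using made-up rule names, VLAN numbers and portal names. It also shows why matching on the SSID portion is tighter than a plain "contains" check.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Request:
    """Constructed RADIUS request as ISE would see it from the WLC."""
    called_station_id: str                 # e.g. "aa-bb-cc-dd-ee-ff:TEST1"
    identity_store: Optional[str] = None   # "Internal Users" or "AD" once authenticated via the portal
    ad_groups: List[str] = field(default_factory=list)  # AD External Groups for the session


def ssid_of(called_station_id: str) -> str:
    """Strip the AP MAC prefix (assumed "MAC:SSID" format) and return only the SSID."""
    return called_station_id.split(":", 1)[1] if ":" in called_station_id else called_station_id


def contains_match(called_station_id: str, ssid: str) -> bool:
    """The loose 'Called-Station-ID contains <ssid>' condition as written in the thread."""
    return ssid in called_station_id


# Evaluated top-down, first match wins, like an ISE authorization policy.
# Authenticated rules sit above the redirect rules so a logged-in user is no longer redirected.
RULES = [
    ("Internal-TEST1",
     lambda r: ssid_of(r.called_station_id) == "TEST1" and r.identity_store == "Internal Users",
     "PermitAccess VLAN 10"),                     # hypothetical VLAN
    ("AD-TEST2",
     lambda r: ssid_of(r.called_station_id) == "TEST2" and "domain.local/employees" in r.ad_groups,
     "PermitAccess VLAN 20"),                     # hypothetical VLAN
    ("Redirect-TEST1", lambda r: ssid_of(r.called_station_id) == "TEST1", "Redirect Portal1"),
    ("Redirect-TEST2", lambda r: ssid_of(r.called_station_id) == "TEST2", "Redirect Portal2"),
]


def authorize(req: Request) -> Tuple[str, str]:
    """Return (rule name, result) for the first matching rule, or the default deny."""
    for name, condition, result in RULES:
        if condition(req):
            return name, result
    return "Default", "DenyAccess"


if __name__ == "__main__":
    print(authorize(Request("aa-bb-cc-dd-ee-ff:TEST1")))
    print(authorize(Request("aa-bb-cc-dd-ee-ff:TEST2", "AD", ["domain.local/employees"])))
    # A neighbouring SSID such as TEST10 would satisfy "contains TEST1" but not the exact match:
    print(contains_match("aa-bb-cc-dd-ee-ff:TEST10", "TEST1"), authorize(Request("aa-bb-cc-dd-ee-ff:TEST10")))
```

An internal user who authenticates on TEST2 matches no permit rule and simply lands back on the TEST2 redirect, which is the behaviour the separate per-SSID rules above produce.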