09-10-2018 01:28 AM
Hi Guys,
I have a portal configured for internet access that requires the users to log in using AD credentials. Recently I got a requirement to create local users on ISE, and those local users should be able to log in to the same portal I mentioned before. Below are my conditions:
1. I created the local users on ISE using the InternalUser category.
2. I already set the portal to seek AD and then InternalUser in the authentication list.
3. I set the "Employees using this portal as guests inherit login options from" setting to InternalUser.
Using the settings above, the local users are able to log in to the portal. But here is the thing: I want to treat those users differently. Let's say the users that log in using AD credentials can have up to 10 devices registered and 10 concurrent logins. On the other hand, I want the local users to have only up to 5 devices registered and 5 concurrent logins.
With my settings above, if I change the internal user settings, the AD accounts are also affected. Is there any way to treat the sources differently?
Thank you.
09-10-2018 05:34 AM
09-10-2018 04:35 AM
You need to change the setting in your 3rd point to something different than internal users; I always use Employee.
Then under guest type you can change the Employee settings, and it will affect them differently than the guest setting.
09-10-2018 05:34 AM
09-12-2018 08:10 PM
Hi Jason,
Where should I put the script? Is it in the optional content portal page customizations, or somewhere else?
FYI, most of the mobile devices at my company are unfortunately Apple devices. Is there any workaround other than this, since you put an earlier notification regarding the Apple captive assistant?
Thanks.
09-12-2018 08:36 PM
09-10-2018 05:44 AM
Hi Cory,
I just changed the account type to guest and contractor type. I am able to connect using the different account type but am somehow unable to connect to the internet. And after a few minutes the system keeps asking me to log in again. But when I log in using the usual account type, it works normally.
Any idea why? Thank you.
09-10-2018 05:47 AM
09-12-2018 08:02 PM
Hi Jason,
Sorry for the late reply. I was on something else lately.
Here are my current rules:
- When the device is connected to the SSID, ISE will check whether the MAC address is already registered. If so, the device will continue to internet access. We already set the period of time a device stays listed as a registered device. If the device is not registered yet, a captive portal will appear.
- The portal itself has the authentication method of Guest_Portal_Sequence. I don't know whether this one is a default rule or not, but the login checking sequence is like this: AD, Internal User, Guest Users.
- For the guest inherit option, I picked InternalUser. I suppose it is not the default. The guest user types I will be using on the portal will be InternalUser and Guest (from my understanding, these two are in the Internal User sequence). The only differences are the period of account validity and the number of devices allowed to be registered.
Thanks.
09-10-2018 06:39 AM
Each Guest Type should map to its own unique Endpoint Identity Group. My typical portal setup looks something like this:
Then the authorization rules simply state:
09-10-2018 06:49 AM
09-10-2018 06:56 AM