02-21-2023 06:55 AM
Hello,
Is there a way to redirect an end device/user to a different SSID from the one they originally attempted to connect to?
So a user connects to SSID-A --> the end device meets a condition that results in a redirect to SSID-B.
Is this possible?
02-21-2023 07:56 AM
Please take a look at this link:
Cisco ISE BYOD Prescriptive Deployment Guide - Cisco Community
02-21-2023 08:38 AM
Thanks Aref!
It seems it can be done with NSP only.
Thanks again
07-26-2023 08:38 AM
Can I ask why you are trying to do this? Why not just migrate users to the new SSID? You can redirect to a splash page with instructions that you're moving to a new SSID for any users who could read the instructions. It wouldn't help devices understand they need to move, but could direct users to use the new SSID. The best for mobile devices is a 3rd party MDM which can push changes to your mobile devices for you such as Intune, AirWatch, Jamf, and many others. That way you're not locked down to any one method; as long as they are managed with MDM you can change network settings from anywhere, at any time. Additionally this is the ONLY way to lock down your supplicants from a security perspective in bulk for non-Windows devices. Almost every enterprise has too many SSIDs for what they really need, and it's a PITA to decommission once they are built. My advice is to take a "You get 3 SSIDs, SELL me on a reason you need more" stance, and let ISE handle the policy, and you're golden, with an uncluttered RF environment.
07-26-2023 09:13 AM
Hello RockstarWiFi,
For the 2 occasions where this was attempted the reasons were:
Scenario 1-
--- 2 SSIDs: CorpSSID and BYODSSID. CorpSSID required AD user creds and an MDM-registered iPhone. BYODSSID only required AD creds.
--- If someone intentionally attempted to log onto CorpSSID with the AD user account but a personal iPhone, they would get redirected to BYODSSID.
Note: It was a few years ago but I do remember successfully configuring this.
Scenario 2-
--- Client with a very large user base planned to decommission an old SSID. They wanted a way to redirect the users who were still on the old SSID to the new one. Yes, I know, there is a list of better ways to handle this. And yes, from that list, this is not the best option. I was just exploring all the options. In this scenario, we did not use ISE as an option.
Hope this answered your question.
Thanks
07-26-2023 10:39 AM
Cool, Scenario 1 - you can do just by setting up ISE to block device types for a specific SSID, when the device fails to auth if it knows the other SSID, it should try to join the other SSID. Most wireless clients/supplicants like to be connected/authenticated and if not will keep trying profiles until they get internet. Essentially you're forcing the client to an SSID they can actually authenticate successfully with.
Scenario 2 - This greatly depends on the types of devices/endpoints. As you already mentioned an MDM, it's easy enough to use the MDM to push a new profile to the device and remove the old profile. That's the way I would recommend doing this. Decommissioning SSIDs is a painful process, which is why I always tell clients you get 3 SSIDs, you have to SELL ME on a reason to get any others, and there are VALID reasons, like WPA3 6E, but you should never just have service sets to differentiate network access, policy, and even QoS levels, as we can handle all of this today with dynamic policies. Hope it helps.