ISE with two CWA portals | Restrict guest users from accessing the contractor portal
04-23-2018 02:30 AM - edited 02-21-2020 10:54 AM
Hi All,
I have a customer who has one SSID for guest access and another SSID for contractor access. He needs self-registration for guest users and sponsored access for contractors. I implemented two portals for him, one for guests and one for contractors. The setup works fine, but recently we noticed that when a guest user puts his credentials in the contractor portal he is able to get an authentication success page. But when he tries to browse he is again redirected to the contractor portal. Is there any way that we can get an authentication failed page from the contractor portal when a guest user enters his credentials?
Labels: Other NAC

04-23-2018 04:49 AM
Hi,
A guest would get back to the authentication page because it's in a loop.
I guess your solution would be to add a rule between Contractor_SSID_Redirect and Contractor_SSID_Access that would say something like:
If Contractor_SSID and GuestFlow and Guest_User => Blacklist/BlackholePortal or whatever portal ISE has for Denied Access.
Your contractors would not hit this rule because they don't belong to a guest user identity group.
This way your guest users logging in using the contractor portal won't get looped anymore.
Thanks,
Octavian
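
The rule ordering suggested in the reply above, as a small first-match model. This is an added example, not part of the original thread and not ISE configuration. Assumptions: the Access rule sits above the Redirect rule, the rule name `Contractor_SSID_Guest_Deny` and the identity group `Contractor` are hypothetical, and the result strings are stand-ins for ISE authorization profiles.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Session:
    ssid: str
    guest_flow: bool               # True after a successful portal login
    identity_group: Optional[str]  # unknown until the user logs in

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Session], bool]
    result: str

def on_contractor(s: Session) -> bool:
    return s.ssid == "Contractor_SSID"

# Existing rule: only contractor accounts that completed the portal flow get access.
ACCESS = Rule("Contractor_SSID_Access",
              lambda s: on_contractor(s) and s.guest_flow and s.identity_group == "Contractor",
              "PermitAccess")
# Added rule (hypothetical name): guest accounts that logged in on the contractor SSID.
GUEST_DENY = Rule("Contractor_SSID_Guest_Deny",
                  lambda s: on_contractor(s) and s.guest_flow and s.identity_group == "Guest_User",
                  "Blackhole portal")
# Existing catch-all: anything else on the contractor SSID is sent to the portal.
REDIRECT = Rule("Contractor_SSID_Redirect", on_contractor, "Redirect to contractor portal")

ORIGINAL: List[Rule] = [ACCESS, REDIRECT]
FIXED: List[Rule] = [ACCESS, GUEST_DENY, REDIRECT]

def authorize(rules: List[Rule], session: Session) -> Tuple[str, str]:
    """First matching rule wins, top to bottom."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.result
    return "Default", "DenyAccess"

def after_portal_login(rules: List[Rule], identity_group: str) -> Tuple[str, str]:
    """Outcome of the re-authorization that follows a successful portal login."""
    return authorize(rules, Session("Contractor_SSID", True, identity_group))

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for group in ("Contractor", "Guest_User"):
            print(label, group, after_portal_login(rules, group))
```

With the original list, a guest account falls through to the redirect rule after logging in, which is the loop reported in the question; with the extra rule it gets a terminal result instead, and contractor accounts are unaffected.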
