Limit Individual Sponsor Access to Attribute Resources

scamarda
Cisco Employee

ISE 2.0 customer has a condo complex where each owner has their own wireless set up. Owners use the ISE sponsor portal to provision guest access. Each owner has their own account on the sponsor portal. Customer wants to have access differentiated via VLAN. Customer is looking for a way to configure a portal field to capture the required VLAN setting and then send it in the authorization policy to the NAD. Need to know how I can send the VLAN attribute to a NAD in a guest flow.

Additionally, the customer wants to limit sponsors from seeing or using each other's VLAN selection information on the portal page. He has tried several iterations, but they all seem to offer all the configuration attributes to all sponsors. This leads to some sponsors using the VLAN configuration of their neighbors instead of their own. How can I isolate the attributes between sponsors?

Have had a TAC case on this previously.

Accepted Solution

Jason Kunst
Cisco Employee

Sounds like you want the sponsor to use a custom attribute to assign to a guest and use this attribute in the authorization flow?

You want to set authz profile VLAN group AVP equal to guest type?

Why not restrict access based off guest type instead?

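The accepted answer's suggestion is to key the VLAN off the guest type rather than off a value the sponsor types into a portal field. The following is an added example, not code from the thread or from Cisco ISE: it models that decision server-side (a sponsor group may only create its own guest type, and each guest type maps to one VLAN), then encodes the three RADIUS tunnel attributes a NAD such as a WLC expects for VLAN assignment (RFC 2868: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=VLAN id) and decodes them back the way a NAD would. The sponsor-group and guest-type names, the VLAN numbers and the mapping between them are constructed for illustration; the attribute numbers and values are the RFC's.

```python
import struct

# RADIUS tunnel attributes and values from RFC 2868
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy data (assumed names, not from the thread): which guest type
# each sponsor group may create, and which VLAN each guest type lands in. Both
# tables live on the server, so a sponsor never picks a VLAN on the portal.
SPONSOR_GROUP_GUEST_TYPES = {
    "Condo-101": {"Guest-Condo-101"},
    "Condo-102": {"Guest-Condo-102"},
}
GUEST_TYPE_VLAN = {
    "Guest-Condo-101": 101,
    "Guest-Condo-102": 102,
}


def authorize_guest_creation(sponsor_group, requested_guest_type):
    """True only if this sponsor group is allowed to create this guest type."""
    return requested_guest_type in SPONSOR_GROUP_GUEST_TYPES.get(sponsor_group, set())


def vlan_for_guest_type(guest_type):
    return GUEST_TYPE_VLAN.get(guest_type)


def _avp(attr_type, value):
    """Type | Length | Value, Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag, number):
    """Tagged integer: one tag byte followed by the low three bytes of the value."""
    return bytes([tag]) + struct.pack("!I", number)[1:]


def encode_vlan_avps(vlan_id, tag=1):
    """The three AVPs an Access-Accept carries to assign a VLAN (same tag on all)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return (
        _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_avps(data):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return avps


def decode_vlan(data):
    """VLAN id a NAD would apply, or None when the trio is missing or inconsistent."""
    found = {}
    for attr_type, value in parse_avps(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if len(value) < 2:
            return None
        tag, body = value[0], value[1:]
        if tag > 0x1F:
            if attr_type != TUNNEL_PRIVATE_GROUP_ID:
                continue  # integer attributes must carry a valid tag
            tag, body = 0, value  # RFC 2868: byte is part of the string, no tag
        found.setdefault(attr_type, {})[tag] = body
    for tag, ttype in found.get(TUNNEL_TYPE, {}).items():
        medium = found.get(TUNNEL_MEDIUM_TYPE, {}).get(tag)
        group = found.get(TUNNEL_PRIVATE_GROUP_ID, {}).get(tag)
        if medium is None or group is None:
            continue
        if int.from_bytes(ttype, "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(medium, "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        try:
            vlan = int(group.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue
        if 1 <= vlan <= 4094:
            return vlan
    return None


def access_accept_vlan_avps(sponsor_group, guest_type):
    """Refuse a sponsor creating a neighbour's guest type; otherwise build the VLAN AVPs."""
    if not authorize_guest_creation(sponsor_group, guest_type):
        return None
    return encode_vlan_avps(vlan_for_guest_type(guest_type))
```

The point of the round trip is that the VLAN in the Access-Accept is a function of the guest type the server already knows, so there is no per-sponsor attribute on the portal to leak or misuse; a sponsor who tries to create a guest of another owner's guest type is refused before any AVPs are built.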

3 Replies


That can work, but the customer is looking to assign a specific VLAN to each condo owner. Thinking about it now, I can assign a VLAN, but the client will need to do a Release/Renew, and I believe this is only supported on Windows clients in a guest flow. The users will have devices of all types. So I don't think I can use a guest flow, because an L3 address is assigned to the client.

We originally tried to do this by creating internal endpoints and using MAB. But we are not able to pass a VLAN attribute to the WLC. The customer was trying to use the description. See CSCvb21076. I am testing assigning static Identity Groups now.

What I need is the DRW flow, but without having it tied to the Hotspot portal. This way I can do MAB after the first connection and not have to worry about renewing the L3 address assigned to the client.

By default, DRW and Hotspot will send CoA Session Terminate so client should always get new IP address.