09-20-2016 10:57 AM
ISE 2.0 customer has a condo complex where each owner has their own wireless set up. Owners use the ISE sponsor portal to provision guest access. Each owner has their own account on the sponsor portal. The customer wants to have access differentiated via VLAN. The customer is looking for a way to configure a portal field to capture the required VLAN setting and then send it in the authorization policy to the NAD. I need to know how I can send the VLAN attribute to a NAD in a guest flow.
Additionally, the customer wants to limit sponsors from seeing or using each other's VLAN selection information on the portal page. He has tried several iterations, but they all seem to offer all the configuration attributes to all sponsors. This leads to some sponsors using the VLAN configuration of their neighbors instead of their own. How can I isolate the attributes between sponsors?
I have had a TAC case on this previously.
09-20-2016 11:08 AM
Sounds like you want the sponsor to use a custom attribute to assign to a guest and use this attribute in the authorization flow?
You want to set authz profile VLAN group AVP equal to guest type?
Why not restrict access based off guest type instead?
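As an added illustration of what "VLAN group AVP" in the authorization profile actually puts on the wire (this is example code, not part of the original post or any Cisco tooling): dynamic VLAN assignment over RADIUS is the RFC 2868 triple Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6) and Tunnel-Private-Group-ID=<VLAN>, which the NAD reads from the Access-Accept. The encoder below builds that triple and the decoder applies the checks a NAD would, including the tag-byte rule and the requirement that all three tags agree. Assumptions: the VLAN is sent as a numeric ID (a NAD may also accept a VLAN name), the tag value defaults to 1, and the sample inputs are constructed here.

```python
import struct

# RADIUS attribute numbers and enumerations from RFC 2868.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value meaning "IEEE-802"


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type/Length/Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_avps(vlan_id, tag=1):
    """Return the three attributes an authorization profile emits for a dynamic VLAN (tag=1 assumed)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"invalid VLAN id {vlan_id}")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0..31")
    return (
        avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
        + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_avps(data):
    """Split a run of attributes into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def extract_vlan(data):
    """Return the VLAN id a NAD would apply, or None if the triple is missing or inconsistent.

    Tunnel-Private-Group-ID carries a tag byte only when its first byte is <= 0x1F;
    a larger first byte is the first character of the string (RFC 2868 section 3.6).
    """
    ttype = tmed = tgid = None
    for attr_type, value in parse_avps(data):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            ttype = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            tmed = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            tgid = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
    if not (ttype and tmed and tgid):
        return None                      # incomplete triple: NAD leaves the client on the default VLAN
    if ttype[1] != TUNNEL_TYPE_VLAN or tmed[1] != TUNNEL_MEDIUM_IEEE_802:
        return None                      # not a VLAN assignment
    if not (ttype[0] == tmed[0] == tgid[0]):
        return None                      # tags disagree, so the attributes describe different tunnels
    try:
        vid = int(tgid[1].decode("ascii"))
    except ValueError:
        return None                      # a VLAN name rather than a numeric id (not handled here)
    return vid if 1 <= vid <= 4094 else None


if __name__ == "__main__":
    accept = vlan_avps(120)              # constructed sample: owner assigned VLAN 120
    print(accept.hex())
    print("NAD applies VLAN", extract_vlan(accept))
```

The consistency check matters in practice: a NAD that receives Tunnel-Type and Tunnel-Medium-Type with one tag and Tunnel-Private-Group-ID with another will ignore the assignment, and the client quietly lands on the interface's default VLAN.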
09-20-2016 08:51 PM
That can work, but the customer is looking to assign a specific VLAN to each condo owner. Thinking about it now, I can assign a VLAN, but the client will need to do a release/renew, and I believe this is only supported on Windows clients in a guest flow. The users will have devices of all types. So I don't think I can use a guest flow, because an L3 address is assigned to the client.
We originally tried to do this by creating internal endpoints and using MAB. But we are not able to pass a VLAN attribute to the WLC. The customer was trying to use the description. See CSCvb21076. I am testing assigning static identity groups now.
What I need is the DRW flow but not have it tied to the Hotspot Portal. This way I can do MAB after the first connection and not have to worry about renewing the L3 address assigned to the client.
09-21-2016 03:05 AM
By default, DRW and Hotspot will send a CoA Session Terminate, so the client should always get a new IP address.