Question about migrating to version 1.4

ajc
Level 7

We need to use the NEW AUP feature that comes with ISE version 1.4 for our upcoming 802.1X implementation, so I would like to get feedback about that version because it is a relatively new release. We are currently running 1.2.1.198.

thanks

AC

6 Replies

Marvin Rhoads
Hall of Fame

I hit a bug just this week with ISE 1.4 using Hotspot with an AUP. The symptom was the AUP acceptance was not registered and thus the endpoint was never put in the desired device group to allow CoA to work properly and so they loop back to the AUP over and over.

I thought I was missing something stupid and wrestled with it for over an hour before I called the TAC.

Here's a link to the BugID CSCuu22410

The workaround is to disable the AUP page. :(

Thanks a lot, Marvin, for your note. In fact, the AUP page is the main reason why we would upgrade from 1.2.1 to 1.4. So based on your note, I am proceeding to talk to Cisco about this.

I will keep this post active because I would like to get more information about this version. It looks like it is not only what you mentioned.

regards

AC

You're welcome.

For what it's worth, AUP appears to work OK for the BYOD portal and Device Registration. It's only when using it with Hotspot portal that the issue manifested.

Is it periodic AUP re-acceptance by guests that you need? I think that's the only AUP-related enhancement in 1.4 that's not already in 1.3.

Hi Marvin,

Thanks for your note.

We currently have 4 SSIDs for student, staff, guest and WLAN (certificate based). The first 3 use web-authentication so the AUP is presented and those clients have to accept it. Like you said, this is a periodic AUP reacceptance (user has to reauthenticate if the session timeout is surpassed).

Now we are moving those 3 SSIDs to 802.1X, so the user would authenticate using the login page built into their own device, but the AUP must be presented. This feature is only present in version 1.4.

So it looks like we should not have any issue, because our scenario is different from the one you mentioned at the beginning of this post.

Any other comment from you is appreciated.

regards

Hi Marvin,

I just installed 1.4 patch 3 and started doing my tests. It looks like I hit another bug which is pretty similar to the one you found. The situation is the following, and I am now working with the TAC. Based on a requirement for the wireless network, I need all the BYOD clients not using EAP-TLS to accept the AUP page before getting access to the internet, and I am using PEAP.

PEAP works in a straightforward way on the AUTHC part, so my AUTHZ policy detects those PEAP connections and redirects to the ISE DefaultHotSpot Portal, which provides the AUP option we need, and once you accept it, it sends you to the success page.

When I checked the HotSpot Portal it says "GUEST FLOW PAGE", but it looks like it does not work, because when I get the success page and I try to open another browser window, or type the URL I want to go to in the success page, it stays in a loop sending me back to the success page. However, the iPad is registered in the Guest ISE Endpoint group automatically, as expected. I think this is pretty much like DRW.

Knowing that this AUTHZ redirect to the HotSpot Portal works in a similar way to CWA, I added the corresponding AUTHZ policy to avoid the loop. I mean I added an AUTHZ policy that says IF GUESTFLOW then Permit Access (internet access right away), but it looks like ISE does not recognize the flow coming from the HotSpot Portal AUP acceptance/Success Page as GUEST FLOW, even though it is indicated in the workflow diagram on the right side of the ISE page for that HotSpot Portal.

I tried using the default ISE guest portal option that includes the AUP acceptance and duration on that AUP register, and it works, but we do not want double authentication, taking into account that we are using PEAP for AUTHC.

If you have more recent information, please let me know. I will be posting the final results on this case here.

regards

BTW, the answer to your question is yes. I need re-acceptance periodically.