10-03-2018 01:36 PM
I currently have a hotspot portal for guests with an AUP. I am considering getting rid of the AUP. I still want guest endpoints to be registered to the GuestEndpoints group, however, so I can purge them daily. How can I get guest endpoints to get registered to the group without providing a portal? I have tried using a hotspot portal without the AUP page, but you still get a 'Success' page, which would break devices that don't have the ability to access the portal page.
10-03-2018 01:52 PM
10-03-2018 01:55 PM
Because I want to keep the guest devices purged every day. As far as I know, the only way to purge guest devices is to have them hit a portal, where they will be automatically registered to the GuestEndpoints group. Then I can set a purge rule against that group to remove them every day. It's all in an effort to keep Guest usability high while keeping the number of registered endpoints low.
10-03-2018 02:35 PM
10-04-2018 05:10 AM
So I had an issue where my endpoint database had exceeded 70,000 endpoints when realistically, I had closer to 30,000. What I found was happening was that there were many guest endpoints hitting the guest portal, but not accepting or declining the EULA. So that endpoint never actually made it into the GuestEndpoints group. They just sat there and weren't being purged by my GuestEndpoints purge rule or any other purge rules. So the endpoint count kept growing. I have fixed this issue by writing a custom script that eliminates those endpoints stuck in limbo.
As a hospital that prioritizes the guest experience, I want to meet the following goals with my guest network.
Regarding what you said about the employee database, that is something I'm not familiar with. I thought the endpoint database was the one stop for endpoint retention. If there is another database for endpoints, then I would like to find a way to see it.
Thanks for these questions.
10-04-2018 06:05 AM
04-09-2025 08:28 PM - edited 04-09-2025 08:52 PM
I faced the same challenges within ISE. Within your WLC, you can simply use a WLAN with MAC filtering and AAA Override both disabled. This presents a residual wireless option.
If you want to control this through ISE, I set up the following for testing:
- Your WLC WLAN needs MAC filtering and AAA Override enabled
Within ISE,
- Create an endpoint profile policy named after the SSID
- Set a condition for the RADIUS Called-Station-Id ENDS WITH <SSID>
- Set the certainty to 100, or any number up to 65535 if the devices aren't hitting it
Save
Within AuthZ Profiles,
- Add new AuthZ profile named as your SSID
- Access-Accept is defaulted
Scroll down to the Advanced Attribute Settings
- Set the Cisco-av-pair with psk-mode=ascii and Cisco-av-pair with psk=GUEST-dev!
In the Common Tasks
- Set the Reauthentication to 28800
- You can also assign a VLAN, if you want
- You should also assign a DACL to restrict guest devices from internal resources
Example Internet only DACL:
- - permit udp any any eq 67 68
- - permit udp any host DNS-IP eq 53
- - permit udp any host NTP-IP eq 123
- - deny ip any 10.0.0.0 0.255.255.255
- - permit ip any any
Save
Within the Policy Sets,
- Set the initial policy set condition with the RADIUS Called-Station-Id attribute ENDS WITH <SSID>
- Set the AuthC policy's "If User not found" option to CONTINUE
- Set the AuthZ policy condition with the endpoint policy attribute, selecting the endpoint profile policy you created previously
- Assign the AuthZ Profile
Save
Random MAC is enabled by default per SSID
Connect and enjoy
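Added example (mine, not from the reply above or from Cisco): a small first-match evaluator for the Internet-only DACL in that reply, so you can check what a guest is actually allowed to reach before pushing the DACL to ISE. It uses Cisco wildcard-mask semantics (a 1 bit in the mask means "don't care"), and it compares the 10/8 line written with the wildcard 0.255.255.255 against the same line written with the subnet mask 255.0.0.0, a common DACL mistake that silently fails to block 10.0.0.0/8. The DNS-IP and NTP-IP placeholders are replaced with constructed addresses (10.10.0.53 and 10.10.0.123), the guest source 172.30.5.20 and the probe hosts are constructed too, and the function names are my own.

```python
"""First-match evaluator for Cisco-style downloadable ACLs (DACLs).

Added example, not from the original post. Placeholder addresses for
DNS-IP / NTP-IP, the guest source and the probe hosts are constructed.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AddrMatch:
    base: int       # network address as a 32-bit int
    wildcard: int   # Cisco wildcard mask: 1 bits are "don't care"

    def matches(self, addr: str) -> bool:
        care = (~self.wildcard) & ALL_ONES
        return (int(ipaddress.IPv4Address(addr)) & care) == (self.base & care)


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip", "udp" or "tcp"
    src: AddrMatch
    sports: frozenset   # empty means any source port
    dst: AddrMatch
    dports: frozenset   # empty means any destination port


def _parse_addr(tokens, pos):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[pos]."""
    tok = tokens[pos]
    if tok == "any":
        return AddrMatch(0, ALL_ONES), pos + 1
    if tok == "host":
        return AddrMatch(int(ipaddress.IPv4Address(tokens[pos + 1])), 0), pos + 2
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[pos + 1]))
    return AddrMatch(base, wildcard), pos + 2


def _parse_ports(tokens, pos):
    """Parse an optional 'eq P [P ...]' clause; IOS accepts several ports after eq."""
    ports = set()
    if pos < len(tokens) and tokens[pos] == "eq":
        pos += 1
        while pos < len(tokens) and tokens[pos].isdigit():
            ports.add(int(tokens[pos]))
            pos += 1
        if not ports:
            raise ValueError("'eq' must be followed by at least one port")
    return frozenset(ports), pos


def parse_dacl(text: str) -> list:
    """Parse one ACE per line into Ace objects; comments and remarks are skipped."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "remark")):
            continue
        t = line.split()
        if t[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        src, pos = _parse_addr(t, 2)
        sports, pos = _parse_ports(t, pos)
        dst, pos = _parse_addr(t, pos)
        dports, pos = _parse_ports(t, pos)
        if pos != len(t):
            raise ValueError(f"trailing tokens in ACE: {line}")
        aces.append(Ace(t[0], t[1], src, sports, dst, dports))
    return aces


def evaluate(aces, proto, src, dst, sport=None, dport=None) -> str:
    """First matching ACE wins; every Cisco ACL ends with an implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (ace.src.matches(src) and ace.dst.matches(dst)):
            continue
        if ace.sports and sport not in ace.sports:
            continue
        if ace.dports and dport not in ace.dports:
            continue
        return ace.action
    return "deny"


# The reply's DACL with constructed addresses in place of DNS-IP / NTP-IP and
# the 10/8 entry written with the wildcard mask Cisco ACLs expect.
INTERNET_ONLY_DACL = """
permit udp any any eq 67 68
permit udp any host 10.10.0.53 eq 53
permit udp any host 10.10.0.123 eq 123
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
"""

# Same DACL with a subnet mask where a wildcard belongs: a common mistake.
LEAKY_DACL = INTERNET_ONLY_DACL.replace("0.255.255.255", "255.0.0.0")

# Constructed probes: one host in each RFC 1918 block plus a public address.
PROBES = ("10.1.2.3", "172.16.4.5", "192.168.1.1", "93.184.216.34")


def probe_dacl(text: str, guest_src: str = "172.30.5.20") -> dict:
    """Verdict for an HTTPS connection from a guest to each probe destination."""
    aces = parse_dacl(text)
    return {ip: evaluate(aces, "tcp", guest_src, ip, dport=443) for ip in PROBES}


if __name__ == "__main__":
    for name, text in (("corrected", INTERNET_ONLY_DACL), ("leaky", LEAKY_DACL)):
        print(name, probe_dacl(text))
```

With the wildcard form, 10.1.2.3 is denied; with 255.0.0.0 the deny line only matches hosts whose last three octets are zero, so 10.1.2.3 falls through to permit ip any any. The probes also show that this DACL, as written, still permits 172.16.0.0/12 and 192.168.0.0/16, so add deny lines for those if anything internal lives there, and note that with the DNS server inside 10/8 only UDP/53 is allowed to it, which matters for clients that retry over TCP.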