Sponsor Guest Portal

Elli97
Level 1

Hey guys,

 

Currently I am trying to configure a Sponsor guest portal. But unfortunately I can not get it to work.

 

First I create a Guest Portal called "Test-ISE".

 

GuestPortal.PNG

For the guest type I chose the default Contractor.

 

In the next step, I configured the DACL to have access only to the ISE

 

DACL.PNG

 

Here is my configuration for the Authorization Profile

profile.PNG

For the guest portal I created a Policy called WLAN GAST. 

WLANGast.PNG

 

I use MAB for authentication and check the SSID when authorizing

authorization.PNG

If successful, reference is made to the CAW profile.

 

However, if I want to log in to the SSID test ISE, the authentication fails due to the following sentence:

"Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results."

 

But I don't wanna use the matching authorization.

 

So what do I have to do to be able to open the portal for authentication when logging in to the SSID "Test ISE"?

 

Thank you for your help

 

Elli

1 Accepted Solution

Accepted Solutions

Please start over and use the guide I provided. You made changes to the authentication policy that aren’t needed for basic configuration. Reset what you’re doing and look through the validated flows in the guide.

If you still have problems I would recommend a TAC case in real time.


Jason Kunst
Cisco Employee
Did you look at the prescriptive guest guide under http://cs.co/ise-guest to start?

This is a step by step guide

Otherwise, did you check why you’re hitting the bottom default policy and why it’s not matching to redirect? Perhaps share your policy set authorization rules?

Hi Jason,

 

Thank you for your answer. Unfortunately the guide could not help me.

 

Here is my policy set for the guest Portal:

Policy set.PNG

 

and the report, why it's not matching to redirect.

report.PNG

 

 

Have you confirmed that your DACL works? Have you tried creating an endpoint group that registers your guest's MAC to the group and using that as an authz condition? As an FYSA, your redirect ACL should look something like this:

Extended IP access list ACL_WEBAUTH_REDIRECT
deny ip any host ISE
deny ip any host ISE
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny udp any any eq domain
deny udp any eq bootpc any eq bootps
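
An added example, not part of any poster's reply and not Cisco code: a first-match walk through the redirect ACL quoted above, showing which client flows would be sent to the portal. It assumes the IOS convention for redirect ACLs (permit marks traffic for redirection, deny lets it pass unredirected); the address 192.0.2.10 standing in for the "ISE" host entry is a constructed placeholder.

```python
# Added example: first-match evaluation of the redirect ACL quoted above.
# Assumption: permit = redirect to the portal, deny = pass without redirect.
PORTS = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}
ISE_ADDR = "192.0.2.10"  # constructed placeholder for the "ISE" host entry

ACL = """\
deny ip any host ISE
deny ip any host ISE
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny udp any any eq domain
deny udp any eq bootpc any eq bootps
"""

def _endpoint(tok):
    """Consume 'any' or 'host X', then an optional 'eq PORT', from tok."""
    addr = None if tok.pop(0) == "any" else tok.pop(0)
    port = None
    if tok and tok[0] == "eq":
        name = tok[1]
        del tok[:2]
        port = PORTS[name] if name in PORTS else int(name)
    return addr, port

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok:
            action, proto = tok.pop(0), tok.pop(0)
            src = _endpoint(tok)
            dst = _endpoint(tok)
            rules.append((action, proto, src, dst))
    return rules

def decide(rules, proto, dst, dport, sport=None):
    # Every source in this ACL is "any", so source addresses are not compared.
    for action, r_proto, (_, s_port), (d_addr, d_port) in rules:
        if r_proto not in ("ip", proto):
            continue
        if d_addr is not None and (ISE_ADDR if d_addr == "ISE" else d_addr) != dst:
            continue
        if s_port is not None and s_port != sport:
            continue
        if d_port is not None and d_port != dport:
            continue
        return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of the list

RULES = parse(ACL)
```

With this list, a guest's HTTP or HTTPS request to any host other than ISE is redirected, while DNS, DHCP and anything addressed to ISE itself pass untouched.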

Hi Jason,

 

I can not handle the guide. Where can I find a valid flow for the SponsorPortal, where, for example, the rules are explained?

It's really hard for me to get started, as I've never worked in this field before.

So I don't know which authentication policy is not needed. And I don't know which parts of this guide are relevant to me.

 

Sorry for my inexperience.

Hi Mike,

 

Thank you for your answer.

 

I have created the group and configured the ACL in the same way. Unfortunately, I do not know what to do because I generally have little experience in this field.

The guide is step by step with your flow. I would suggest reaching out to TAC or a Cisco partner if you need more handholding.