Re: Sponsored Guest Portal Profiled Devices

doodles 6970 · ‎09-24-2018

Hello,

Hoping someone might be able to help me.

I have a situation with a sponsored guest portal. It appears that some guests are not required sponsored guest portal, guests, portal to sign up. Instead they are authenticated to the network bypassing CWA.

It appears to me that this is because their devices have been profiled and entered into the profiled identity group. As a result, these devices are bypassing CWA. I have checked the Profiled identity group and I see the device MAC address there but I cannot delete it.

Thanks,

Ryan

paul · ‎09-24-2018

It sounds like you don't have your rules ordered correctly or more really you aren't utilizing policy sets to break your ISE rules into use cases. You should have a policy set dedicated to just your guest SSID. You guest policy set wouldn't have any rules for profiled devices and you would have no chance of this issue happening. You can use the RADIUS called station ID or normalized SSID attribute in ISE to create the policy set:

Policy set admission= RADIUS called station ID contains <guest SSID name>

Authentication- Internal Endpoints with user not found set to continue

Authorization:

If MAC in guest endpoint identity group then give Internet access.
Send to guest portal

doodles 6970 · ‎09-24-2018

Hi Paul,

@paul wrote:

It sounds like you don't have your rules ordered correctly or more really you aren't utilizing policy sets to break your ISE rules into use cases. You should have a policy set dedicated to just your guest SSID. You guest policy set wouldn't have any rules for profiled devices and you would have no chance of this issue happening. You can use the RADIUS called station ID or normalized SSID attribute in ISE to create the policy set:

Policy set admission= RADIUS called station ID contains <guest SSID name>

Authentication- Internal Endpoints with user not found set to continue

Authorization:

If MAC in guest endpoint identity group then give Internet access.

Send to guest portal

I have just checked and that's exactly what I have.

DEVICE:Device Type = Cisco WLC

RADIUS:Called-Station-ID = SSID

Auth

Allow Protocols : Default Network Access Internal Endpoints

Authz

if GuestEndpoints and Wireless_MAB then Permit Access

if Wireless_MAB then Guest_WebAuth

paul · ‎09-24-2018

Then the profiling group shouldn't matter at all. The devices will get profiled, but they have no bearing on your rules. Are you purging your GuestEndpoints correctly?

doodles 6970 · ‎09-24-2018

The funny thing is these devices have never actually been presented with a web auth page.

They connect and then they are on the network.

I have attached a screenshot to this reply.

paul · ‎09-24-2018

I would look at the WLC side to see what is happening. Assuming your redirect rule is written right the screen shot you are showing in ISE looks correct. The WLC side should show it in the WebAuth Required state.

doodles 6970 · ‎09-24-2018

@paul wrote:

I would look at the WLC side to see what is happening. Assuming your redirect rule is written right the screen shot you are showing in ISE looks correct. The WLC side should show it in the WebAuth Required state.

I have already checked that. I have the client on the controller and the NAC State is ACCESS. This is what led me to believe it was ISE that was passing this which it is.

Security Policy Completed
Policy Type
Auth Key Mgmt
Encryption Cipher
EAP Type
SNMP NAC State
Radius NAC State
CTS Security Group Tag
AAA Override ACL Name
AAA Override ACL Applied Status
AAA Override Flex ACL