
VLAN change based on guest user type

Hi,

I'm new in ISE, doing some test and PoC's right now and I have a question - is it possible to move a guest user (authenticated on a webauth page) to a specific VLAN based on the guest type?

 

My idea is to create different guest types with different "network access levels" - for example "new guests" are moved to a "limited access" VLAN, but "known guests" are put into a "full access" one.

 

Is it doable in ISE 2.7, or is the only option to use different SSIDs?

 

Regards,

Piotr


6 Replies
Cisco Employee

Re: VLAN change based on guest user type

Dynamic VLAN assignment is possible on a Cisco WLC. See this TechNote for an example.

The difficulty with your scenario is answering questions like:

  1. What constitutes a 'new guest' vs. a 'known guest'?
  2. When does a 'new' become a 'known' and what attribute can ISE use to differentiate between them?

There are various examples of Guest configuration and scenarios at cs.co/ise-guest that might give you some ideas.


Re: VLAN change based on guest user type

Let me explain the baseline - one of our clients has a network (wireless VLAN) with a lot of restrictions regarding applications (e.g. YouTube is completely blocked). When any of the employees wants to use YouTube, they have to ask for it, and a different SSID (different VLAN) with full Internet access is temporarily enabled.

 

My idea was to create (manually) a guest user for anyone who wants to use YouTube and put this user into a "YouTube" user group. After webauth, such a user is switched to a full access VLAN (based on the group). Is it a good idea?

 

I know that there are a lot of features that help to control users, but in this case the network admin wants to have manual control over full Internet access. I'm just trying to find the best solution, having a C9800 as a controller, 3 FlexConnect locations, AD and ISE 2.7.

Collaborator

Re: VLAN change based on guest user type

Hi,

 

As long as the required policies are already in place (I mean which resources the Wi-Fi user gets access to), and ISE just needs to put the user in the proper VLAN, this is a simple task. You'll have two different groups of users, and based on the group membership, ISE assigns a different VLAN.

 

Regards,

Cristian Matei.


Re: VLAN change based on guest user type

Yes, but is it possible regarding guest users that are not in the AD?

Accepted Solution
Cisco Employee

Re: VLAN change based on guest user type

There are two typical associations related to Guest services... Guest Type and Endpoint Identity Group.

The Guest Type is assigned by the Sponsor at the time of the Guest account creation. A Sponsor with the right permissions (e.g. Sponsor All with 'can create accounts' with the relevant Guest Types) can also change the Guest Type after the initial account creation. ISE automatically creates a User Identity Group for each Guest Type.

The endpoint MAC Address is associated with the Endpoint Identity Group as part of the Guest Registration flow (default is GuestEndpoints). The common documented Guest flows use this EIG association to allow registered endpoints to connect without the Guest user having to constantly login to the Guest Portal.

 

You could use either (or both) of these attributes in your AuthZ Policy to provide differentiated access between your 'limited' and 'full' access guests/endpoints.

Example:

[Screenshot: example AuthZ policy rules]
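The accepted answer describes the two hooks ISE gives you (the User Identity Group created per Guest Type, and the Endpoint Identity Group the registration flow puts the MAC into) and says either can drive the AuthZ rule that returns the VLAN. The following is an added illustration, not code from the thread or from ISE: a small Python model of such a first-match AuthZ policy, returning the RADIUS tunnel attributes (RFC 2868 / RFC 3580) a WLC or switch needs for dynamic VLAN assignment. Two practitioner points are built in. First, all three tunnel attributes have to be present in the Access-Accept; a profile carrying only Tunnel-Private-Group-ID is ignored by the NAD. Second, the MAB re-authentication of a registered MAC proves only a MAC address, which is trivially spoofed, so the full-access VLAN is keyed to the Guest Type (which requires a portal login) and never to the endpoint group alone. The VLAN IDs 20 and 30, the guest type names "Daily" and "Contractor", the usernames, the MACs and the redirect ACL name are all assumed for the example.

```python
"""Toy model of an ISE-style first-match authorization policy for the two
guest flows in the thread: portal (CWA) login keyed on Guest Type, and MAB
re-authentication keyed on the registered-endpoint group. Added example;
VLAN IDs, guest type names, usernames, MACs and ACL name are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# RFC 2868 tunnel attributes a WLC/switch reads for dynamic VLAN assignment
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"


def vlan_attributes(vlan_id: int) -> dict:
    """All three AVPs must be in the Access-Accept for the NAD to move the
    session; a profile with only Tunnel-Private-Group-ID is silently ignored."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def has_complete_vlan_assignment(attrs: dict) -> bool:
    """Sanity check for an authorization profile: would a NAD honour it?"""
    needed = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
    return (all(k in attrs for k in needed)
            and attrs["Tunnel-Type"] == TUNNEL_TYPE_VLAN
            and attrs["Tunnel-Medium-Type"] == TUNNEL_MEDIUM_IEEE_802)


# Constructed identity data standing in for ISE's guest and endpoint stores.
GUEST_ACCOUNTS = {             # username -> Guest Type set by the sponsor
    "piotr.k": "Contractor",   # "known" guest, full access
    "visitor42": "Daily",      # "new" guest, limited access
}
GUEST_ENDPOINTS = {"00:11:22:33:44:55"}   # MACs registered via the portal flow


@dataclass
class Request:
    """The subset of a RADIUS request the policy conditions look at."""
    mac: str
    service: str                    # "MAB" (MAC auth bypass) or "CWA" (portal login)
    username: Optional[str] = None  # present only after a successful portal login


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    attributes: dict = field(default_factory=dict)


def guest_type_is(wanted: str) -> Callable[[Request], bool]:
    """Equivalent of matching the per-Guest-Type User Identity Group."""
    return lambda r: r.service == "CWA" and GUEST_ACCOUNTS.get(r.username) == wanted


AUTHZ_POLICY = [
    # Portal-authenticated guests: differentiate on the Guest Type.
    Rule("Guest_Full_Access", guest_type_is("Contractor"), vlan_attributes(30)),
    Rule("Guest_Limited_Access", guest_type_is("Daily"), vlan_attributes(20)),
    # Re-connect of an already registered MAC. MAB proves only the MAC,
    # which is easy to spoof, so this rule never returns the full VLAN.
    Rule("Registered_Guest_Endpoint",
         lambda r: r.service == "MAB" and r.mac.lower() in GUEST_ENDPOINTS,
         vlan_attributes(20)),
    # Unknown MAC: accept into the pre-auth state and redirect to the portal
    # (assumed ACL name REDIRECT; no VLAN attributes at this stage).
    Rule("Wifi_Redirect_To_Guest_Portal",
         lambda r: r.service == "MAB",
         {"cisco-av-pair": "url-redirect-acl=REDIRECT"}),
]


def authorize(req: Request) -> tuple:
    """First-match evaluation like the ISE AuthZ policy; no match is a reject."""
    for rule in AUTHZ_POLICY:
        if rule.condition(req):
            return rule.name, rule.attributes
    return "Default_Deny", {}


if __name__ == "__main__":
    for r in (Request("aa:bb:cc:dd:ee:ff", "CWA", "piotr.k"),
              Request("aa:bb:cc:dd:ee:ff", "CWA", "visitor42"),
              Request("00:11:22:33:44:55", "MAB"),
              Request("00:11:22:33:44:56", "MAB")):
        print(r.service, r.username or r.mac, "->", authorize(r))
```

Mapping this back to ISE: each Rule is one AuthZ rule, the condition on the guest type corresponds to a condition on the User Identity Group ISE creates for that Guest Type (or on the Endpoint Identity Group for the MAB rule), and each attributes dict is an Authorization Profile with the VLAN set. Verify the result on the controller side by checking the client's assigned VLAN after the portal login rather than trusting the ISE Live Log alone; if the session stays in the pre-auth VLAN, the usual cause is a profile missing one of the three tunnel attributes.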


Re: VLAN change based on guest user type

Thank you Greg, that is what I was looking for :)

I will try to test it now and check the result.