WiFi Guest access redirect to login portal after WiFi reconnect issue

Hello,

I want to allow AD users to connect to the WiFi network after logging into the Guest Portal.

How can I force ISE to remember users and not ask for credentials after each reconnection?

For AD auth I made an LDAP Identity Source.

Comparing the 2 sessions (Guest portal auth and after reconnect), the root cause of this issue looks like it is in the Radius.User-Name attribute. In the first case it contains the user name; in the second case, the MAC address of the device.

During connection the RADIUS log contains the step: Found Endpoint in Internal Endpoints IDStore

Each Endpoint contains a GuestUserName attribute with the correct user name (not the MAC).

I made an authorization policy containing an AD group check: "WiFi_Guest_Users·ExternalGroups" EQUALS "CN=WiFi_Group,DC=domain,DC=com" to check user permissions in case the user is removed from the group; it looks like Authorization fails at this step.

Tracing the connection, I substituted the user-name MAC with the real user name, and the Permit policy works fine, so it looks like I have to sync user attributes somehow and force the use of GuestUserName after reconnect.

How can I use the Endpoint user details when reconnecting to WiFi to avoid the Guest Portal redirect?


Accepted Solution

Surendra (Cisco Employee)

You can use the GuestEndpoints identity group in the authorization policies instead of the AD group. Using the endpoint identity group is the most common way to do this. Then, based on the Guest type, the endpoint is removed from the guest endpoint group after a certain duration (a day, 30 days, 90 days, etc.).


5 Replies

Thanks for your reply.

As I understand it, using GuestEndpoints means that the user will not be prompted for credentials until the endpoint purge.

For example, if I purge once a day, users will be redirected to the Guest portal also once a day. AD groups are checked only during Guest portal login.

But in my case I want to make a configuration where users will be prompted for credentials only once, during the initial WiFi connection, just to bind the device to the user; when the user is removed from the AD group, redirect to the Guest portal. The AD group should be checked each time the device connects.

Is it possible to implement such a configuration?

I am pretty sure you cannot do straight MAB and match that to AD user information. You would need to clear your endpoints daily, or register for a long time and run a script to clear them out if you're concerned with that.

That is not possible at the moment. ISE can only check the groups if the users provide credentials. If they don't, ISE doesn't, as we do not cache any credentials as such, mapped to endpoints or in any other way.

Jason Kunst (Cisco Employee)

I would recommend you look at the guest guide and the remember-me information in the prescriptive guide at http://cs.co/ise-guest
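The periodic clean-up script suggested above, as an added example that is not from this thread or from Cisco: it decides which GuestEndpoints entries to drop using the two checks the thread discusses (the guest type's retention window and current AD group membership) and also classifies a RADIUS User-Name as MAB versus portal login, the root-cause observation in the question. The guest-type windows, the endpoint field names and the sample data are assumptions; feeding in the real endpoint list and group membership (for example via the ISE ERS API and an LDAP query) is left to the deployment.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical retention window per guest type, modelled on the "a day / 30 days / 90 days"
# durations in the accepted answer; real values come from the ISE guest type settings.
MAX_AGE = {
    "Daily": timedelta(days=1),
    "Weekly": timedelta(days=30),
    "Contractor": timedelta(days=90),
}
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.IGNORECASE)

def is_mab_identity(user_name):
    """True when RADIUS User-Name is a MAC address, i.e. the session is a MAB reconnect
    rather than a portal login carrying the real user name."""
    return MAC_RE.match(user_name) is not None

def endpoints_to_purge(endpoints, ad_group_members, now):
    """Return MACs that should leave GuestEndpoints: the GuestUserName is no longer in the
    AD group, or the registration is older than its guest type allows. An unknown guest
    type falls back to the shortest window so nothing lingers by accident."""
    members = {m.lower() for m in ad_group_members}
    purge = []
    for ep in endpoints:
        too_old = now - ep["registered"] > MAX_AGE.get(ep["GuestType"], timedelta(days=1))
        if ep["GuestUserName"].lower() not in members or too_old:
            purge.append(ep["mac"].lower())
    return purge

# Constructed sample data (not taken from any real ISE deployment).
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = [
    {"mac": "AA:BB:CC:00:00:01", "GuestUserName": "alice", "GuestType": "Weekly",
     "registered": NOW - timedelta(days=3)},   # member, within window -> keep
    {"mac": "AA:BB:CC:00:00:02", "GuestUserName": "bob", "GuestType": "Weekly",
     "registered": NOW - timedelta(days=3)},   # removed from the AD group -> purge
    {"mac": "AA:BB:CC:00:00:03", "GuestUserName": "carol", "GuestType": "Daily",
     "registered": NOW - timedelta(days=2)},   # member, but older than 1 day -> purge
]
AD_GROUP_MEMBERS = {"alice", "carol"}  # current members of CN=WiFi_Group,DC=domain,DC=com

def run_example():
    return endpoints_to_purge(SAMPLE_ENDPOINTS, AD_GROUP_MEMBERS, NOW)

if __name__ == "__main__":
    print(run_example())  # ['aa:bb:cc:00:00:02', 'aa:bb:cc:00:00:03']
```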