Solved: Re: ISE Guest Redirection Everytime

NETAD · ‎05-06-2019

Hello, I'm currently redirecting the guest users to a hotspot portal and that's working just fine. Once they disconnect and attempt to re-connect they're not being redirected to the portal anymore. How can I configure ISE to redirect the guest users everytime they connect to the guest wireless. I guess what I'm asking is if there's a way to purge the guest account automatically everytime they disconnect from the wireless.

NETAD · ‎05-14-2019

I ended up creating a purging policy that purges endpoints every 8 hours which is the minimum. This is working fine. Thanks for all your inputs.

View solution in original post

howon · ‎05-06-2019

Closest option is to use 'Endpoints: LastAUPAcceptanceHourse' condition to force them to accept AUP at set interval.

NETAD · ‎05-06-2019

Thanks Howon, what's the minimum that can be set. We're on 2.4 latest patch. Also do I have have to synch that timeout with the session timeout on the WLC?

Aravind Ravichandran · ‎05-07-2019

Is it possible to share the policy screenshot?

-Aravind

NETAD · ‎05-07-2019

Here it is. I just not sure what value I should be configuring to redirect the wireless user to the portal everytime they connect to the wireless even if they connect back to back.

Aravind Ravichandran · ‎05-07-2019

1. Redirection policy with conditions as wireless mab & SSID name -> redirects to the guest portal.

2. Guest access policy with the condition as Network access: UseCase equals to Guest Flow -> Guest Access

Similar to this one.Guest policy-redirects at every reconnection

-Aravind

Jason Kunst · ‎05-07-2019

See this section of the guide
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01111.html#task_B11E9389EBF24FFF98ED40C1501F6E8B

NETAD · ‎05-07-2019

Thanks Jason, so the period can't be less than 24 hours? I went through this doc and it says I can set the minimum to be 1 hour.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/TECSEC-3672.pdf

Will my authz policy work the way it's created to prompt the guest for the AUP if they haven't accepted it in the last hour?

Jason Kunst · ‎05-07-2019

@NETAD wrote:

Thanks Jason, so the period can't be less than 24 hours? I went through this doc and it says I can set the minimum to be 1 hour.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/TECSEC-3672.pdf

Will my authz policy work the way it's created to prompt the guest for the AUP if they haven't accepted it in the last hour?

Its showcasing a time range, saying < 24 hrs then dont prompt. The minimum time is 1 hour. The admin guide needs to be fixed. Why are you wanting to accept every time, this is going to be awful for user everytime they sleep their mobile device..

hslai · ‎05-11-2019

Another way might be to use the regular guest portal with username and password, rather than hotspot. I believe there a way to pre-filll the credentials, if needed.

Also, if CoA Reauthenticate selected as the CoA type in a hotspot portal, we might be able to use some attributes, such as GuestFlow as proposed by Aravind Ravichandran, to authorize the endpoints with proper access.

NETAD · ‎05-14-2019

I ended up creating a purging policy that purges endpoints every 8 hours which is the minimum. This is working fine. Thanks for all your inputs.