ISE Guest Web Auth Portal with Get Quick Access (Hotspot) button
SEE ATTACHED PDF FOR MORE DETAILS
The option listed here is to have a Hotspot button embedded on a credentialed portal. This gives the administrator the ability to configure a single portal that allows different types of users to access the network. These different types of users can go through different flows and be given differentiated levels of access.
This should work with ISE 1.3+ and was validated on 1.4. Please keep in mind that support for these is best effort with no guarantees, as they are not built-in flows.
If you're going to base authorization on an endpoint group by registering the endpoint to the guest account, note that a guest type is only allowed to register up to 999 endpoints. If you have more than 999 endpoints using the portal and you're basing access on the endpoint group, you will hit that limit, because devices are purged at minimum after 24 hours; this also depends on your purging time. If the endpoint comes in at 8am and your purging happens at 3am, the device won't be purged until 3am on the 2nd day.
If you would like more than that amount then you can use the 2nd script that shows 3 embedded accounts.
Otherwise you can uncheck the box in the guest type and base your policy off the user idle timeout value on the WLC. This will remember the session for a while so every time the device sleeps they don't have to come back and hit the portal page.
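To check whether a deployment would reach the 999-endpoint limit given the purge timing described above, the following added example (not part of the original document or of ISE) models the purge as a single daily run that removes endpoints at least 24 hours old. The function names, the purge model and the sample arrival pattern are assumptions made for illustration.

```python
from datetime import datetime, timedelta, time

MAX_ENDPOINTS = 999               # per-guest registration limit stated on this page
MIN_AGE = timedelta(hours=24)     # minimum age before purge, per this page

def purge_time(registered: datetime, purge_at: time) -> datetime:
    """First daily purge run at which the endpoint is at least MIN_AGE old (assumed model)."""
    earliest = registered + MIN_AGE
    run = datetime.combine(earliest.date(), purge_at)
    if run < earliest:
        run += timedelta(days=1)  # today's run was too early; wait for tomorrow's
    return run

def peak_registered(registrations, purge_at: time) -> int:
    """Peak number of endpoints registered to the account at the same time."""
    events = []
    for reg in registrations:
        events.append((reg, 1))
        events.append((purge_time(reg, purge_at), -1))
    # At equal timestamps, process purges (-1) before new registrations (+1).
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak

def sample_registrations(days: int, per_day: int):
    """Constructed sample: per_day new devices spread evenly from 08:00 to 18:00."""
    start = datetime(2024, 1, 1, 8, 0)
    step = timedelta(hours=10) / per_day
    return [start + timedelta(days=d) + i * step
            for d in range(days) for i in range(per_day)]

if __name__ == "__main__":
    nightly = time(3, 0)
    print("8am arrival purged at:", purge_time(datetime(2024, 1, 1, 8, 0), nightly))
    for per_day in (400, 600):
        peak = peak_registered(sample_registrations(5, per_day), nightly)
        status = "exceeds" if peak > MAX_ENDPOINTS else "within"
        print(f"{per_day} new devices/day -> peak {peak} ({status} limit)")
```

Under this model a device can stay registered for almost two days, so the limit is reached at roughly 500 new devices per day rather than 999.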
Examples on usage
Device redirected to SponsoredGuestPortal
User clicks hotspot to auto-login with embedded creds
Can also login with a different type of account (sponsored)
Device is registered and COA reauth authorizes by endpoint group
Device gets access for 24hrs (configured under guest type for X days) before purged
- Alternate flow can be used to differentiate access using no device reg
Create a special endpoint group (unique group)
Create Guest Type for HotSpotCreds
Create a static internal account using HotSpotCreds group
Note: if you have the same portal set up for the BYOD flow for your employees, then when they click this button they will be forced through this flow. If you need this option on the same portal, you will need to remove that option in your portal and split out your authorization rule to redirect your employee group to the NSP portal directly.
Create new SponsoredGuest portal (if needed)
Create Authz profiles and rules
Paste the following script into the Optional Content 2 on the login page