ISE Guest Web Auth Portal with Get Quick Access (Hotspot) button
SEE ATTACHED PDF FOR MORE DETAILS
The option described here is a Hotspot button embedded on a credentialed portal. This gives the administrator the ability to configure a single portal that allows different types of users to access the network. These different types of users can go through different flows and be given differentiated levels of access.
This should work with ISE 1.3+ and was validated on 1.4. Please keep in mind that support for these is best effort with no guarantees, as they are not built-in flows.
If you're going to base authorization on an endpoint group by registering the endpoint to the guest account, note that a guest type is only allowed to register up to 999 endpoints. If you have more than 999 endpoints using the portal and you're basing access on the endpoint group, you will hit that limit, because devices are purged at minimum after 24 hours; the exact time also depends on your purging time. If the endpoint comes in at 8am and your purging happens at 3am, the device won't be purged until 3am on the 2nd day.
If you would like more than that amount then you can use the 2nd script that shows 3 embedded accounts.
Otherwise you can uncheck the box in the guest type and base your policy off the user idle timeout value on the WLC. This will remember the session for a while so every time the device sleeps they don't have to come back and hit the portal page.
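To check whether a deployment will hit the 999-endpoint limit described above, the purge timing can be modelled. This is an added example, not part of the original post or of ISE; it assumes one purge run per day at a fixed time, the 24-hour minimum age stated above, and that every registration is a distinct device. The function names and the sample arrival pattern are constructed for illustration.

```python
from datetime import datetime, time, timedelta

GUEST_ENDPOINT_LIMIT = 999      # limit stated on this page
MIN_AGE = timedelta(hours=24)   # minimum age before purge, per this page


def purge_time(registered, purge_at, min_age=MIN_AGE):
    """First daily purge run at which the endpoint is at least min_age old."""
    run = datetime.combine(registered.date(), purge_at)
    while run - registered < min_age:
        run += timedelta(days=1)
    return run


def peak_registered(registrations, purge_at, min_age=MIN_AGE):
    """Peak number of endpoints registered to the account at the same time."""
    events = []
    for reg in registrations:
        events.append((reg, 1))                                   # registered
        events.append((purge_time(reg, purge_at, min_age), -1))   # purged
    # At the same instant, process purges (-1) before registrations (+1).
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def constructed_day(day, count):
    """Constructed sample: `count` devices arriving evenly from 08:00 to 18:00."""
    start = day.replace(hour=8, minute=0, second=0, microsecond=0)
    step = timedelta(hours=10) / count
    return [start + i * step for i in range(count)]


if __name__ == "__main__":
    purge_at = time(3, 0)  # daily purge at 3am, as in the example above
    first = datetime(2024, 1, 1)
    for per_day in (400, 600):
        regs = []
        for d in range(5):
            regs += constructed_day(first + timedelta(days=d), per_day)
        peak = peak_registered(regs, purge_at)
        status = "OK" if peak <= GUEST_ENDPOINT_LIMIT else "exceeds limit"
        print(f"{per_day} devices/day -> peak {peak} registered ({status})")
```

With a 3am purge and daytime arrivals, two days of devices are registered at once, so under this model the limit is reached at roughly 500 new devices per day rather than 999.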
Examples on usage
Device redirected to Sponsored Guest Portal
User clicks hotspot to auto-login with embedded creds
Can also login with a different type of account (sponsored)
Device is registered and COA reauth authorizes by endpoint group
Device gets access for 24hrs (configured under guest type for X days) before purged
- Alternate flow can be used to differentiate access using no device reg
Create a special endpoint group (unique group)
Create Guest Type for HotSpotCreds
Create a static internal account using HotSpotCreds group
Note: if you have the same portal set up for the BYOD flow for your employees, then when they click this button they will be forced through this flow. If you need this option on the same portal, you will need to remove that option in your portal and split out your authorization rule to redirect your employee group to the NSP portal directly.
Create new Sponsored Guest portal (if needed)
Create Authz profiles and rules
Paste the following script into the Optional Content 2 on the login page