Different guest portal based on Device type?

ggriesse@cisco.com
Cisco Employee

GUEST - Can we redirect based on device type "profile" to a different portal?


For example, a LAPTOP user will get redirected to a Sponsor approval guest portal, but a MOBILE user gets redirected to a Self reg / hotspot portal?


Thx

Greg

Accepted Solutions

Jason Kunst
Cisco Employee

I don’t see this as a viable option.

You would need to know what the device is before you hit the portal, and there really isn’t enough data until it hits the portal to get the user agent string from the browser.

Then how would you be redirected to another portal after your profile has changed?

You could try setting CoA terminate by bouncing the session, but this would result in user confusion.

Not a supported or recommended solution.

There would have to be an enhancement to change the requirements on same portal but not something likely to provide as it would be a really new request that I have never heard before.

I don’t understand the differentiation requirement either.

3 Replies

paul
Level 10

Actually this could work and would only affect the user the first time they are ever seen by ISE. You can use the CoA reauth action in your Mobile Device vs. Laptop profiles in ISE to make this work. You can set up 3 redirect rules in your policy set:

If profiled as mobile device, send to hotspot/self-reg portal.

If profiled as laptop, send to sponsor only portal.

Else send to Figure Out Device Type Portal.

The Figure Out Device Type Portal is simply a hotspot portal with no AUP so all you would normally see is the success message. Instead of the success message you say something like "Please wait while we identify your device type in order to send you to the correct guest portal. Click here to continue."

The word "here" would be a hyperlink to any web site. It doesn't matter which one. As soon as they hit the portal, ISE will gather the User Agent and reprofile them to your laptop vs. mobile profiles and the CoA reauth will be sent. By the time the user reads the text and clicks "here" they will already be sitting at the correct redirect on the WLC. The click "here" will result in them getting redirected to the correct portal.

This is all theory, but the tools are all there in ISE to do it. Not saying I would do this or how this will all look in the pseudo browsers on the mobile devices but it should work. Again this would only happen the first time the ISE sees the MAC address. Every time they connect after that they are profiled correctly and hit the correct portal.

Good point Paul! Keep in mind that this would require the plus license as well.
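
The three-rule flow paul describes, modelled as a small Python simulation. This is an added example, not part of any post in the thread and not ISE code or configuration; the portal names, the profile labels, the User-Agent hints and the sample User-Agent strings are constructed assumptions, and real ISE profiling uses more attributes than this sketch does.

```python
from dataclasses import dataclass, field

# Hypothetical portal names standing in for the three redirect targets.
HOTSPOT, SPONSOR, INTERSTITIAL = "self-reg/hotspot", "sponsor-only", "figure-out-device-type"
MOBILE_HINTS = ("iphone", "android", "mobile")  # constructed User-Agent hints

# Constructed sample User-Agent strings.
PHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
LAPTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

@dataclass
class PolicyServer:
    profiles: dict = field(default_factory=dict)   # MAC -> stored endpoint profile
    coa_log: list = field(default_factory=list)    # (MAC, action) for each CoA sent

    def authorize(self, mac):
        """First-match redirect rules keyed on the stored endpoint profile."""
        profile = self.profiles.setdefault(mac, "unknown")
        if profile == "mobile":
            return HOTSPOT
        if profile == "laptop":
            return SPONSOR
        return INTERSTITIAL  # the 'else' rule: device type not known yet

    def portal_hit(self, mac, user_agent):
        """The interstitial portal sees the browser's User-Agent, the endpoint
        is reprofiled, and a CoA reauth is queued if the profile changed."""
        ua = user_agent.lower()
        new = "mobile" if any(hint in ua for hint in MOBILE_HINTS) else "laptop"
        if new != self.profiles.get(mac):
            self.profiles[mac] = new
            self.coa_log.append((mac, "reauth"))

def first_and_later_visits(server, mac, user_agent):
    """Return the portal chosen on first auth, after the CoA reauth,
    and on a later connection from the same MAC."""
    first = server.authorize(mac)
    if first == INTERSTITIAL:
        server.portal_hit(mac, user_agent)
    after_coa = server.authorize(mac)   # re-evaluation triggered by the CoA
    later = server.authorize(mac)       # next connection, profile already stored
    return first, after_coa, later

if __name__ == "__main__":
    srv = PolicyServer()
    print(first_and_later_visits(srv, "aa:bb:cc:00:00:01", PHONE_UA))
    print(first_and_later_visits(srv, "aa:bb:cc:00:00:02", LAPTOP_UA))
    print(srv.coa_log)
```

The split rests on the User-Agent the client itself sends, so it steers the guest experience rather than acting as an access control between the two portals.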