Solved: ISE Guest Access atdifferent locations

tim.heidemann · ‎04-19-2018

Hello folks,

my customer want to provide guest access at different locations. Each location should have one username/password for all guest at this location and this username/password should not work at another location. Guest have to access guest net by Web Page.

I could not find a solution how to solve this with the ISE.

Can you help out ?

Regards Tim

Jason Kunst · ‎04-19-2018

Try this out, how many locations are you talking about?

you can create a guest type for each location. Have a sponsor portal created guest account for each location under each respective guest type.

Then create authorization rules

if network access device location X and guest type X then permit access

Do same for scenario Y

To catch those that don’t comply

If mab and guest flow then redirect to html page (need 2.2 or higher) that says you don’t have access because of tour policy

If mab redirect to guest portal

View solution in original post

Jason Kunst · ‎04-19-2018

Try this out, how many locations are you talking about?

you can create a guest type for each location. Have a sponsor portal created guest account for each location under each respective guest type.

Then create authorization rules

if network access device location X and guest type X then permit access

Do same for scenario Y

To catch those that don’t comply

If mab and guest flow then redirect to html page (need 2.2 or higher) that says you don’t have access because of tour policy

If mab redirect to guest portal

tim.heidemann · ‎04-19-2018

Hello Jason,

we just tried it out and it works. Thank you.

One additional question : What happens when the device of the user lose the WiFi connection ? Do he have to login again ? When do the "user" purge out ?

Regards Tim

Jason Kunst · ‎04-19-2018

If you don’t want them to login again then you will need to base access off endpoint group

Setup endpoint groups for each location

Under Each guest type correspond to a specific endpoint group

In the authorization rule you can use the following additional rules at the top (please place accordingly in order)

If locationX and guestendpointX then permit access

Because of this you can remove the if guesttype rules as they replace those

The devices will last however long you setup the endpoint purge policies depending on endpoint group

The guest accounts will last (since they are shared) for as long as you set them up for

tim.heidemann · ‎04-23-2018

Hey Jason,

thank you very much for your quick answer. You showed me the right way....

Do you know how many guest types the ISE support ?

Jason Kunst · ‎04-23-2018

we don’t have those numbers, how many are you talking about? Likely 100 or so should be fine. It might be better to try and think if there is a way to do this dynamically as well. For example instead of 1 guest authz rule per guest type a way to match the guesttype to a location, this maybe more difficult however as you would need to name the guest type as the same as the location. Let me know if you would like to pursue

tim.heidemann · ‎04-23-2018

customer is thinking about more then 200 Location. So I would really appreciate if you could describe the dynamic solution to me...

Jason Kunst · ‎04-23-2018

I am evaluating this but in training this week. berbee or arne.bier might have some ideas as well already baked