ISE Guest SSID need only web auth & Mobile device need mac address auth

kamlenegi
Level 1

Hi All,

Can someone help me in segregating two SSID authentications? i) The guest SSID uses web authentication (guest sponsor portal), which is working fine.

ii) The mobile phone SSID uses MAC address authentication, which is partially working. I have done some configuration in ISE and enabled MAC filtering in the WLC.

  • Rule Name - VIP Wireless
  • Conditions - VIP and Radius:Called-Station-ID CONTAINS VIP-SSID
  • Permissions - PermitAccess

I am able to connect to VIP-SSID if my phone's MAC is in ISE, but if the MAC address is not in ISE then it uses the guest web redirection policy and gets authenticated using guest credentials.

How can we stop this, so that guest web redirection is used only for the guest SSID and not for mobile?

Thanks

Kamlesh

13 Replies

jan.nielsen
Level 7

You need to make your CWA redirect rules more specific, like your mobile phone SSID rule, so add Called-Station-ID CONTAINS "Guest-SSID" to your redirect rule.

Hi Nielsen,

I tried that as follows:

rule name: guest-wireless

condition: wireless_mab & Called-Station-ID CONTAINS or END-WITH Guest-SSID

result: centralized web auth ... redirect ACL ... sponsor guest portal.

Then I was able to connect to the guest SSID, but without web redirection, and I was not able to connect to the mobile SSID; it was showing "connecting..."

Is there anything I am missing?

Thanks

Kamlesh

Try not using two conditions for your Called-Station-ID, just use CONTAINS.

Hi Nielsen,

I tried both conditions in the guest rule, one condition at a time.

Whenever I configure the above condition, the mobile phone also gets rejected and the guest portal does not get web redirection.

What should the policy sequence be? I put the mobile policies first, then guest CWA.

Thanks

Kamlesh

That's odd; the order of the rules should not matter when the conditions are specific to an SSID, because only the correct rule will match.

You should try enabling the guest CWA rule with just Called-Station-ID CONTAINS "Guest-SSID", and then take a screenshot of the detail log for the MAB requests where you say the mobile gets rejected and guests don't get redirected.

Hi Nielsen,

Attached is a screenshot of the policy & live logs.

When I change the condition from Wireless_MAB to CONTAINS GUEST-SSID, no wireless SSID connects at all and they match the default deny rule.

Thanks

Kamlesh

We need the whole page of the detail log, not just the top of it. If you can't capture that, then you should look for the Called-Station-Id attribute in the detail log of a denied request; it sounds like your WLC is not sending the SSID name in that AV pair, which is configurable in the WLC. That would explain why it's not matching your auth rule conditions.

Hi Nielsen,

I think I am done; I changed CONTAINS to END-WITH Guest-SSID, and now I am able to achieve the requirement. Let me do some more testing, and I will update you.

What would be the WLC configuration for the AV pair?

Thanks for your support.

Kamlesh

Hi Nielsen,

We have tested 10-15 mobile phones and now it is working as required. I think this was not working with "Contains" because all 4 SSIDs start with the same name.

I have configured all the SSID policies as follows:

  • Rule Name - VIP Wireless
  • Conditions - VIP and Radius:Called-Station-ID END-WITH VIP-SSID
  • Permissions - PermitAccess

For guest, web redirection is needed.

Now everything is working, thanks for your support Nielsen.

Thanks

Kamlesh
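The thread's explanation of why CONTAINS misbehaved when SSID names overlap, and why an unknown MAC on the mobile SSID fell into the guest CWA rule, can be made concrete with a small rule-matching model. This is an added example, not the poster's configuration or ISE code; the SSID names, AP MAC and rule results below are constructed so that the guest SSID name is a substring of the mobile SSID name, and the "AP-MAC:SSID" Called-Station-ID format is assumed to be what the WLC sends.

```python
# Added example: first-match evaluation of ISE-style authorization rules on the
# RADIUS Called-Station-ID attribute. Shows CONTAINS vs ENDS_WITH on overlapping
# SSID names, and what happens when the WLC omits the SSID from the attribute.
# All SSID names, MACs and result strings are constructed for illustration.
import re

# Assumed WLC format: "<AP-MAC>:<SSID>" (only when the WLC is set to include the SSID).
CSID_RE = re.compile(r"^(?P<ap_mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2}):(?P<ssid>.+)$", re.I)

# Constructed SSID names: the guest name is a substring of the mobile/VIP name,
# which is the situation where a CONTAINS condition over-matches.
GUEST_SSID = "ACME-Guest-SSID"
VIP_SSID = "ACME-Guest-SSID-VIP"


def parse_called_station_id(value):
    """Return (ap_mac, ssid) or None when no SSID is present in the attribute."""
    m = CSID_RE.match(value)
    if m is None:
        return None
    return m.group("ap_mac").lower(), m.group("ssid")


def condition_holds(op, needle, ssid):
    """Evaluate one Called-Station-ID condition (model of the ISE operators)."""
    if op == "CONTAINS":
        return needle in ssid
    if op == "ENDS_WITH":
        return ssid.endswith(needle)
    raise ValueError(f"unknown operator {op}")


def policy(op):
    """Two rules as in the thread: mobile/VIP (needs known MAC) first, then guest CWA."""
    return [
        {"name": "VIP Wireless", "op": op, "needle": "VIP", "known_mac": True, "result": "PermitAccess"},
        {"name": "guest-wireless", "op": op, "needle": "Guest-SSID", "known_mac": False, "result": "CWA-Redirect"},
    ]


def evaluate(rules, called_station_id, mac_known):
    """First matching rule wins; nothing matching falls to the default deny rule."""
    parsed = parse_called_station_id(called_station_id)
    if parsed is None:
        return "DenyAccess"  # WLC sent no SSID: no SSID-specific rule can match
    _, ssid = parsed
    for rule in rules:
        if rule["known_mac"] and not mac_known:
            continue  # MAB rule only applies to endpoints already in ISE
        if condition_holds(rule["op"], rule["needle"], ssid):
            return rule["result"]
    return "DenyAccess"
```

With CONTAINS, an unknown phone on the VIP SSID is redirected to the guest portal (the original symptom); with ENDS_WITH it hits the default deny, and a Called-Station-ID without an SSID denies everything, as seen when the WLC does not include the SSID.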

Hi,

In the AV pair there is an audit session-id; attached is the log file.

Thanks

Kamlesh

Hi

Your issue seems to be corrected now.

Just one piece of information: when you have multiple SSIDs and you want to use different authentication methods, you can activate the Policy Set feature. It will allow you to have different authentication and authorization rules depending on your SSIDs.

With Policy Sets, you can differentiate SSIDs by using the WLAN-ID as the criterion. This WLAN-ID can be seen on your WLC.

This method is good because you get a better organizational view in ISE.

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Can you drop us a screenshot of your ISE policy rules?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Also, are you sure it's not just your phone auto-connecting to the open SSID when it gets rejected on the VIP SSID? That's a very normal thing for a phone to do.