ISE 2.0 - Hotspot Policy

In this post, I'm going to configure Hotspot access. Hotspot access is a little different than regular guest access in ISE. The use case for Hotspot is where you might want to allow guests to access the internet without issuing them credentials or directly identifying them but still have some level of control. An example of this is if you own a chain of retail stores and you want to give your customers guest access to the internet and you don't want them to have to self-register or disclose information about their identity. With Hotspot access, you can have a branded portal for marketing reasons, have the user accept an AUP for legal reasons, redirect them to your company's page or maybe a webpage with the latest deals/coupons, and (optionally) can even have them enter an access code that you have displayed in this location to reduce random connections to the network from users not located in the establishment. 

The configuration for Hotspot access is pretty  straightforward and I'll be reusing a lot of the policy elements I created in the previous post. To modify the Hotspot portal, I have to navigate to Guest  Access>Configure>Guest Portals and modify the Hotspot Guest (Default) portal. 

The settings on this page are almost identical to the guest portal settings so I'm going to just focus on adding an access code on the AUP page settings:

After saving the settings on this page, I'll need to add an authorization profile by navigating to Policy>Policy Elements>Results>Authorization>Authorization Profiles and creating the following profile:


  • Check the VLAN box and type in VLAN ID 70
  • Check the box for Web Redirection, change it to HotSpot from the drop-down, type in GUEST-REDIRECT for the ACL, and choose HotSpot Guest Portal from the drop-down

After I am done configuring my authorization policy, I'll create my policy by navigating to Policy>Policy Sets and creating a new policy set. I'll name it Hotspot Wireless with the following top-level conditions:
DEVICE:Device Type EQUALS All Device Types#Wireless Controller
Radius:Called-Station-ID ENDS WITH SecurityLabHotspot

Under the Authentication Policy, I'll add the following rule:

Name: MAB
If: Wireless_MAB
Allowed Protocols: Default Network Access
Use: Internal Endpoints (Also set if user not found to Continue in the drop-down)


For the Default Rule, I am just going to have the identity source sequence set to All_User_ID_Stores:

Under the Authorization Policy, I'm going to create the following policy rules:

Name: Hotspot Access
If: GuestEndpoints
Condition(s): <None>

For the Default catch-all rule, I'm going to change the following:
If no matches, then: HOTSPOT-REDIRECT

After saving the policy, I can test this out by navigating to Operations>RADIUS Livelog and using a test device to connect to the SecurityLabHotspot SSID I sent up. 

Note: If you're using the same test device in each of these exercises, navigate to Administration>Identities>Endpoints and delete the endpoint between tests.

On the RADIUS Livelog, I should see the following:

From the end-user's perspective, the flow would look like this:

Step 1 - User is redirected to an AUP page. Since I require an access code to gain access, there is a field on this page to fill it in

Step 2 - After entering the access code and accepting the AUP, I am successfully connected to the network and can now browse with internet access.