View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0196 - ISE 1.3 Guest Access with Hotspot (Part 2)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
The video demonstrates the first guest access deployment model on Cisco ISE 1.3 called Hotspot. We will be configuring ISE to allow our guest users to perform a single-click type of login to access internet, including an access code enforcement. We will also show how to provide better user experience by not having user encountering login portal after first login using automatic device registration, or if desired control how often users should be redirected back to the login page using Endpoint Purge.
Part 2 of this video focuses on guest login and device reconnect testing
  • WLAN SSID Configuration
  • Endpoint Identity Group
  • Hotspot Guest Portal
  • Authentication Policy (WLAN MAB)
  • Policy Element Result
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authorization Policy
  • Endpoint Purge

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new technologies.


Is connection between wireless client and AP secured or encrypted in Hotspot?

The SSID Authentication is Open so unencrypted.

1)How can i make such way that ISE "forgets" client and i can make the procedure of registration again?

2) I tried to create custom identity group, but my devices allways go to registered group and 2nd authorization rule doesnt work because of this fact, why this happens?

1)  You can use Endpoint purging rule to periodically remove endpoints from ISE, hence forcing them to re-login

2) Not sure which registered group you are refering to but you should be able to assign endpoint logging into hotspot to any endpoint group you want.

2) I'm speaking about identity group from video "LM_HOTSPOT_ENDPOINT"

am i supposed to add mac address of a device to this group manually?
ISE after authorization places device to "Registered" group

If you configure your guest portal to have device registered automatically after login then no, the deviec MAC should be added to the specified group for you.