Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE Multiple SSIDs using CWA

I am using ISE 1.2.198 primarily to authenticate guest users.

I have 2 types of guest - day visitors and longer term visitors.

I am using 2 separate SSIDs on a 5760 controller.

On the ISE I have authentication conditions to differentiate between the different SSIDs and apply the relevant policy set.

I am using CWA with wireless MAB for both policy sets.

Everything is working fine using different portals for each SSID.

I have Sponsors set up to create accounts, to assign different roles (guest or partner) and to apply different time profiles. That all works and the account details get emailed to the recipient successfully.

The issue I have is that the sponsored account credentials can be used to authenticate a user on either SSID.

If the sponsor creates an account and assigns it to the guest role that user can authenticate successfully to both the guest and partner SSIDs with the same credentials. Similarly, if the account is assigned to the partner role, the user can again authenticate to both SSIDs.

There must be a way to differentiate between different roles within the authorization policies.

I can't find a way within the Policy Sets to separate the 2 types of users. Adding any conditions to the authorization rules that include the Network Access UseCase equals Guest Flow doesn't seem to have any affect.

Has anyone managed to do this type of thing successfully?

Cisco Employee

Roger,If you are using Active


If you are using Active Directory as your Identity Source, then that is your issue.  As you know, ISE 1.2 is limited in AD Authentications.  What I would suggest is to go to Administration > Identity Management > External Identity Sources and set up an LDAP connection to the AD group from which you would like to authenticate.  One for each type of guest and choose only the AD Group that Guest type uses:

Once this is done, create an new Identity Source Sequence for each Guest type:

Then go to Administration > Web Portal Management > Settings and choose the Guest Portal you want to modify.  Click The Authentication tab and choose the Identity Store Sequence you just created for that portal.

That should fix the issue.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton


New Member

Thank you for the reply but I

Thank you for the reply but I'm not using AD to authenticate guest or partner accounts.

I am creating sponsored accounts.



Cisco Employee

Roger, Sorry to have missed



Sorry to have missed that.  The Internal Users database is a single pool of users created through the Sponsor Portal and cannot be segmented to work in the manner you would like.  I have just looked through ISE 1.3 and did not see any setting for Internal User group segregation in that version, either.

Charles Moreton

New Member

Hi Charles. That's more or

Hi Charles. That's more or less the conclusion I'm coming too although I'm a bit perplexed as to the purpose of the guest roles. You would think that by assigning a guest role you would be able to do some form of mapping or filtering. At the moment I can't see the point of assigning different guest users to different roles.


If you can get your sponsors

If you can get your sponsors to put in say the word "contractor" in optional field 1 under the guest when they create the account, you can use that information to distinguish between regular guests and contractors. I did a mockup of the authz rule.

See the attached screenshots.

New Member

Hi JanMany thanks for this -

Hi Jan

Many thanks for this - it is a very helpful suggestion. Do you think it's possible to actually use the guest role that you can assign on the Sponsor page?



I have not actually tried it,

I have not actually tried it, but i would think that since you can assign "roles" which in fact maps to an identity group, you would also be able to match on those in you authorization rules, by using the first field before the conditions, here you should be able to select any identity group. I did a basic example and attached some screnshots, i haven't tested it though

CreatePlease login to create content