You are here
SEC0058 - ISE 1.1 Sponsor and Guest (Part 1)
Difficulty Level:
Lab Document:
<Please login to see the content>
Category:
Security
The video explores Cisco ISE capabilities to provide guest login and sponsorship. We will look at how we can create a sponsor group and configure sponsor group policy to allow a sponsor to manage their guest accounts. We will configure a guest portal with a simple portal customization, and allow guest to perform self-service. As part of our testing, we will create a guest account through a sponsor portal page and test login over wired network. We will also test creating a guest account through self-service over wireless.
In part 1, we will concentrate on completing guest settings and policies configuration on ISE.
Topic:
- Guest Portal Theme
- Guest Multi-Portal Config
- Guest Time Profile
- Guest Sponsor Group
- Guest Sponsor Group Policy
- Authentication Policy (WLAN MAB)
-
Policy Element Result
- Authorization (Downloadable ACL)
- Authorization (Authorization Profile)
- Authentication Policy
- Authorization Policy
About Author
Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
19 comments
Web authentication
In your video, your config set up is definitely different from the standard Cisco documentation. I noticed that in the WLAN SSID settings, you didn't enable Layer 3 web policy. I have tried your config on a 4400 WLC with ISE and the web authentication page doesn't come up. Any hints?
Web authentication
There are actually two ways of configurations. One is to use L3 authentication on the SSID to redirect user to ISE but you will need to know the exact URL of the ISE guest portal. The other, which is shown in this video, is to use wireless MAB and configure ISE to return RADIUS attribute of redirect URL under authorization profile. It depends on which way you go with.
Web authentication
I use L3 authentication on my guest network but on WLC 5500. I had a look at the ISE 1.2 compatibility matrix and noticed that MAB isn't supported for WLC 4400. I guess that's why it didn't work.
Web authentication
I remember runing into intermittent issue doing the L3 auth way. Since then, I always use wireless MAB (ie. MAC filtering) and it been working just fine. Although you need to make sure the WLC runs code that has MAC Filter option under the SSID.
Web authentication
The problem with Mac filtering is that it isn't a scalable solution from the network support standpoint. Imagine adding and removing client mac addresses on the WLC for many guest users
Web authentication
MAC Filter here has nothing to do with allowing connection based on a list of MAC address. What it does is it allows you to have an open SSID and still have WLC send RADIUS request to ISE so ISE can return a redirect URL for guest portal to user. This is the basis for wireless MAB.
Web authentication
Thanks for the clarification.
Figured out the issue
Thanks
MAB
You created a authentication rule MAB to Internal endpoints and a authorization w condition any+WLC, How a endpoint that never join in the network can pass through the authentication rule?
MAB
Under authentication policy, you need to configure User not found to 'continue' as by default it is set to reject. This way if user is not known, they will still pass authentication regardless and then you can redirect them to a guest portal page using authorization rule
In my lab that did not work
In my lab that did not work, when I plug in a laptop wired or wireless, MAB fails because there is no MAC address in the table of endpoints, after the first attempt, the ISE does profiled and identifies the MAC, then the second attempt works MAB and then goes to authorization.
I understood that MAB does not use the user, but the MAC address has to be known by the ISE to pass the authentication and the laptop in question never accessed the network, How can ISE know that MAC? Or I'm not quite understand, sorry.
ISE does not need to have the
ISE does not need to have the device MAC address in the database in order to pass authentication but you need to set authentication advance condition for device not found to Continue. Profiling however may not work right away as ISE requires sometime to gather device info especially if you have device type as part of authorization condition.
Now I can see... thanks again
Now I can see... thanks again for your hard work..
24432 Looking up user in Active Directory - 00:19:D2:72:24:2E
24412 User not found in Active Directory
24210 Looking up User in Internal Users IDStore - 00:19:D2:72:24:2E
24216 The user is not found in the internal users identity store
24209 Looking up Endpoint in Internal Endpoints IDStore - 00:19:D2:72:24:2E
24217 The host is not found in the internal endpoints identity store
24631 Looking up User in Internal Guests IDStore
24633 The user is not found in the internal guests identity store
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22060 The 'Continue' advanced option is configured in case of a failed authentication request
15036 Evaluating Authorization Policy
15004 Matched rule
15048 Queried PIP
15048 Queried PIP
15016 Selected Authorization Profile - TUPY-WIRELESS-CWA
11002 Returned RADIUS Access-Accept
Yep.. you got it, although I
Yep.. you got it, although I would create a separate line with MAB being the condition and only point to Internal Endpoint so it does not have to keep looking through all Identity Stores.
Ok! :D
Ok! :D
In authorization profile, I created redirect to the portal and also want to change the VLAN, everything works fine at first. The user is redirected to the the portal with the new VLAN. It's possible to login and gain permission all to access the Internet, however after accepting the policy and start browsing, the connection is "lost". When I do not set the VLAN in the authorization profile works fine. Is there some issue for redirect to the portal together VLAN assignment?
Not that I am aware of. When
Not that I am aware of. When the connection is lost, what's the authorization state on the switchport. Did the VLAN switched back to the original VLAN?
That's what happens, switched
That's what happens, switched back to the original VLAN. The original VLAN is 100 and the new is 172.
MAB authentication:
%MAB-5-SUCCESS: Authentication successful for client
%AUTHMGR-5-VLANASSIGN: VLAN 172 assigned to Interface Fa0/9
%EPM-6-AAA: POLICY xACSACLx-IP-ISE-ONLY-54047e20
29_TEST_ISE#show int status | include Fa0/9
Fa0/9 connected 172 a-full a-100 10/100BaseTX
MAB authorization:
%MAB-5-SUCCESS: Authentication successful for client
%EPM-6-POLICY_REQ: IP 10.x.y.z
%EPM-6-AAA: POLICY xACSACLx-IP-INTERNET-ONLY-54008f86| EVENT DOWNLOAD-REQUEST
%EPM-6-AAA: POLICY xACSACLx-IP-INTERNET-ONLY-54008f86| EVENT DOWNLOAD-SUCCESS
%AUTHMGR-5-SUCCESS: Authorization succeeded for client
29_TEST_ISE#show int status | include Fa0/9
Fa0/9 connected 100 a-full a-100 10/100BaseTX
any suggestions?
I set vlan assigment to the
I set vlan assigment to the authorization profile that Permit Internet Only too, and now works fine! :D
Sounds like a solution..
Sounds like a solution.. Thanks for sharing.