FIND A COMMUNITY

Buy or Renew

Cisco Community
 English Register Login

This board  Options

Search Security Documents 

Cisco /  Technology and /  /  Security

Community Support Security Documents
/  ISE Guest Access Prescriptive Deployment Guide

ISE Guest Access Prescriptive Deployment Guide

Identity Services Engine (…
Labels:

87632 102 7
 VIEWS
 HELPFUL
 COMMENTS

Jason Kunst

03-26-2018 12:06 PM
Edited On: 01-14-2020 10:02 AM

For an oine or printed copy of this document, simply choose ⋮ Options > Printer Friendly
Page. You may then Print, Print to PDF or copy and paste to any other document format you like.

 
 

Author: Jason Kunst

Table of Contents
Introduction
About Cisco Identity Services Engine (ISE)
What is Covered in This Guide?
What is Not Covered in This Guide?
Dene
What is Guest Access?
Guest Access with Hotspot Guest Portals
Licensing
Design
ISE Deployment Model Considerations
Survivability
Conguration Best Practices for Cisco WLC
Apple Captive Network Assistant (CNA)
IP Address and VLAN changes
Caveats
Wireless Deployment Models
Deploy
Conguring the WLC for ISE Web Authentication
Congure ISE as RADIUS Authentication Server on WLC
Congure a Guest WLAN (SSID)
Congure an ACL to Redirect Guest Devices to the ISE Guest Portal
Congure a Catalyst Switch for Guest Access
Switch Capabiliities
Example Switch Conguration
Congure ISE for Guest Access
Add the Network Access Device to ISE
Policy Set for Credentialed Guest Access
 Understanding Guest Flow
Using Guest_Flow to Match Guest User Type
ISE Authorization Policy for Contractor Guest Type
Guest User Experience
The Guest “Remember Me” Feature
Guest User Experience with “Remember Me”
Policy Conguration for the Guest “Remember Me” Feature
Using an Authorization Prole to Redirect Guest Endpoints to ISE
Access Control for Guest Trac
Congure the Minimum Settings for Self-Registered Guest Flow
Conguring Guest Type Access Times, Location, and Time Zone
Conguring From First Login
About the “From Sponsor-Specied Date” Option
Working with Locations and Time Zones
Congure Settings for the Sponsored Guest Flow
Guest Portal for the Sponsored Flow
Congure Sponsored Guest Access
Congure Authorization Prole and Policy for Sponsored Guest Access
Working with Sponsor Accounts
Using Sponsor Accounts from Active Directory
Set Up the Active Directory Sponsor Group in All_Accounts
Set Up ISE Sponsor Portal FQDN-Based Access
Congure Basic Portal Customization
Setting up a Well-Known Certicate
Create a Certicate-Signing Request and Submit it to a Certicate Authority
Import Certicates to the Trusted Certicate Store
Bind the CA-Signed Certicate to the Signing Request
Operate
Validation of ows
Testing Web Portals
Clearing Guest Endpoints
Monitoring Guest Connections
For Self-Registered Guest Flow
Viewing the Guest Users List
Access without Sponsor Portal
Access with Sponsor Portal
Troubleshooting Common Issues
Troubleshooting checklist
DNS issues
How Do I Get Support?

Introduction
 

About Cisco Identity Services Engine (ISE)

Figure1: Cisco Identity Services Engine

Cisco ISE is a leading, identity-based network access control and policy-enforcement system. It is a
common policy engine for controlling end-point access and network device administration for
enterprises. ISE allows an administrator to centrally control access policies for wired, wireless, and VPN
endpoints in a network.

ISE builds context about endpoints, including users and groups (Who), device type (What), access time
(When), access location (Where), access type (Wired/Wireless/VPN) (How), threats, and vulnerabilities.
By sharing vital contextual data with technology partner integrations and the implementation of a Cisco
Software Dened Segmentation policy, ISE transforms a network from a conduit for data into a security
enforcer that accelerates the time-to-detect and time-to-resolution of network threats.

About This Guide

This guide describes the process and best practices for conguring ISE with a Cisco Wireless LAN
Controller (WLC) or a Cisco switch to provide guest access.

This guide is designed to be used in an environment where WLC and ISE have already been set up.

The purpose of this guide is to help you with common setup and deployment questions, and to describe
congurations with a Cisco WLC, Cisco switch, and ISE. Note that the guide does not cover more
complex congurations, such as conguring load balancing or foreign/anchor controllers.
Figure2: ISE for Guest Implementation Flow

There are four major sections in this document. The Dene section shows how to dene problem areas,
plan for deployment, and other considerations; the Design section shows how to design a guest access
network; the Deploy section provides guidance about the various congurations and best practices; and
lastly, the Operate section shows how to manage a guest network controlled by Cisco ISE.

What is Covered in This Guide?

This guide provides information about the following congurations:

Basic portal settings in ISE 2.3.

Authorization polices and rules for hotspot, self-registered, and sponsored Guest portals.
Minimum settings required for a guest ow.
Conguring a Cisco WLC 8.5 and later with any type of Guest portal in ISE.
Conguring a Cisco switch, for example, Cisco Catalyst 3850 Series Switch for guest access.

What is Not Covered in This Guide?

This guide does not cover the following topics:

Tools required to congure multiple controllers and switches

Deployment models and modes, such as:
SDA/DNA
VRF
Other Wireless systems, such as:
Mobility Express
CMX
ISE Third-Party NAD Proles and Congs
How To: Integrate Meraki Networks with ISE
ISE and Catalyst 9800 Series Integration Guide
Easy setup wireless tools, such as:
 Wireless Easy Simplied Controller Setup
ISE Secure Access Wizard
ISE Proling Guide
ISE Load Balancing
ISE Guest & Web Authentication

Dene
What is Guest Access?
When people outside your company attempt to use your company’s network to access the internet or the
resources and services in your network, you can provide them with network access using Guest Access
portals. Guests typically include authorized visitors, contractors, customers, or other temporary users who
require access to your network.

The two types of Guest Access portals supported by this guide are:

Guest Access with Hotspot Guest Portals

Guest Access with Credentialed Guest Portals

Guest Access with Hotspot Guest Portals

A Hotspot Guest Portal provides network access to guests without requiring usernames and passwords.
This type of guest access eliminates the overhead required to manage each individual guest account.
When guests connect to a network, they are redirected to the ISE Hotspot Guest Portal where they must
accept an Acceptable Use Policy (AUP) to gain access to the network, and eventually, the internet.

Guest Access with Credentialed Guest Portals

A Credentialed Guest Portal requires guests to have a username and password to gain access. Using a
self-registration portal, guests can create their own account credentials, which they can then use to log in
to the Guest portal. Credentials can also be created for a guest by a sponsor. A sponsor can be an
employee or a lobby ambassador. When guests connect to a network, they are redirected to a portal.
They log in to that portal using the credentials that they created through self-registration, or were
provided by a sponsor. After guests log in, they may be required to accept an AUP before they can
access the network, depending on the portal. Access can also be set up using a Sponsored Guest Portal,
which requires users to have the credentials created by a Sponsor.

For more information about Guest portals and features, refer to the “Cisco Guest Access” section in the
Cisco Identity Services Engine Administrator Guide.

Licensing
ISE guest access requires base license for each guest endpoint. For more information about licensing,
see the community page for ISE Licensing.

Design
ISE Deployment Model Considerations
A frequent question that is asked is about safely deploying an ISE Guest portal in DMZ. While multiple
options exist, it is the customers' prerogative to determine the best approach, based on their
requirements. The following are some general guidelines:

ISE PSN in the DMZ — You must enable

communication between the PSN and the PAN
and MNT nodes for database synchronization.
Note that in this context, this PSN is only used
for Guest portals. You should use more than
one PSN for redundancy. Your sponsors
connect to a PSN inside the network to create
guest accounts.

ISE PSN with an interface in the DMZ - You

will have a separate interface on the internal ISE
PSN for Guest portal trac by having an
interface in the DMZ. Here, you will only allow
communication to the PSN from the wireless
controllers and clients for RADIUS and the
Guest portal. This same PSN can be utilized to
oer the Sponsor portal. Two PSNs with
interfaces in the DMZ are recommended for
redundancy.
 Separate ISE deployment in the DMZ – For
customers who are extremely security-
conscious, you can dedicate a separate ISE
deployment for handling guest access.
Depending on how many locations you want to
service, you could start with a high-availability
standalone setup with 2 PAN +MNT/PSNs
located in your DMZ.

Survivability
If a PSN loses contact with the PAN, you will see one of behaviors listed below. This list provides an
overview of the major issues you may encounter. We recommend that you plan for WAN redundancy to
mitigate these risks.

Sponsors are unable to create, update, or delete guest accounts related to users connecting to a
specic PSN.
Sponsor portal operations are severely impacted.
Hotspot and self-registration ows will fail.
Existing guest accounts will be able to access the network.

Conguration Best Practices for Cisco WLC

The wireless controller team has incorporated conguration options in their GUI in order to implement
best practices for quicker conguration of ISE. These changes were introduced in Version 8.5, which is
the version referred to in the conguration sections of this document. In the WLC GUI, see the following
options and associated shortcut information:

Please reference TAC Recommended AireOS Builds for best code version.

1. SECURITY > AAA > RADIUS > Authentication Servers > Apply Cisco ISE Default Settings —
Checking the Apply Cisco ISE Default Settings check box enables Change-Of-Authorization (CoA),
sets the RADIUS authentication port to 1812/UDP, and duplicates and creates the settings for a
RADIUS accounting server.
2. WLAN > Security > AAA Servers > Apply Cisco ISE Default Settings — Checking the Apply Cisco
ISE Default check box enables Allow AAA Override, sets NAC State = ISE NAC, and enables Radius
Client Proling for DHCP/HTTP Proling (Probes).
 Note: The NAC State setting of ISE NAC (RADIUS NAC, prior to AireOS Version 8.5) enables
ISE to send a CoA request, which allows a user to authenticate and access the network.
Essentially, this setting gives ISE the ability to change the state of a client on the y, without
requiring a new session. For example, after being redirected to ISE for portal authentication, the
client is authenticated and allowed access to the network. Please reference TAC
Recommended AireOS Builds for best code version.

For more information about best practices and timers with Cisco Wireless Controller, refer to:

ISE+9800: ISE and Catalyst 9800 Series Integration Guide

ISE+AireOS: AireOS WLC conguration for ISE

Apple Captive Network Assistant (CNA)

When connecting to guest networks with Apple iOS devices, Apple uses a mini pseudo browser called
the Captive Network Assistant (CNA). This browser is not the native Safari browser. The CNA pops up
automatically when the device gets into a captive portal situation. Sometimes, the CNA window is hidden
behind a splash page, such as a hotspot or Guest portal, and the users cannot see it, and cannot gain
access to the internet. Cisco ISE supports CNA only for basic guest access. The CNA browser may be
limited in its capabilities to support BYOD (device onboarding), social login for guest access, and SAML
SSO-based logins. Hence, it is not recommended for these workows.

If you have to suppress the Apple CNA, you can do so per WLAN, or globally, using the captive portal
bypass feature on WLC. For most guest use cases, you do not have to enable the bypass feature. For
more information, see the following links:

Conguring Captive Network Assistant Bypass per WLAN (GUI)

Dealing with Apple CNA (AKA Mini browser) for ISE BYOD
Dual SSID BYOD with Apple Captive Network Assistant (CNA) Browser

IP Address and VLAN changes

Another frequently asked question is whether you can change the IP addresses of the guests after they
log in to the portal, for example, if you have distinct VLANs for guests, contractors, and employees. ISE
has no control over the endpoints when it is connected to an open network because there is no
supplicant involved. In 802.1x networks, the supplicant has the intelligence to release/renew the IP
address on the machine. However, we recommend that you do not change the IP address after login, for
the following reasons:

Dynamic VLAN changes work only on Windows operating systems.

You can perform IP address renewal when new VLAN authorization takes place by running activeX and
Java controls on the browsers. However, this is not supported today in most of the browsers; besides,
running them requires local administrator rights on the endpoint.
 The connection must be to an open network, without encryption, which is not true separation.

In order to support network separation, we recommend that you set up a Guest WLAN with 802.1X, set
up guest types as Guests and Contractors, and allow them to bypass the web login. However, note that
you will not be able to utilize the settings in the guest types, such as allowed login hours, or how many
times a user can log in to the portal with dierent devices.

If it is absolutely necessary to separate guest trac with web authentication and not 802.1X, we
recommend that you set up a low DHCP timer for initial network access so that when a device switches
networks, it can renew its IP address in the new VLAN. Alternatively, you can use Cisco Software Dened
Segmentation solution, and deploy scalable group tags for segmentation.

Caveats
At the time of publishing this document, we have the following caveat:

IPv6 is not supported on ISE Guest portals.

Wireless Deployment Models

We recommend that your deployment model use wireless auto-anchor mobility (also called guest
tunneling), where guest trac is tunneled through the anchor controller. This model requires the controller
to be in the DMZ.

This document describes a high-level recommendation; it does not discuss the dierent wireless models.
For more information about wireless design and WLC auto anchor, see wireless design guides:

ISE+9800: ISE and Catalyst 9800 Series Integration Guide

ISE+AireOS: AireOS WLC conguration for ISE

 
 Note:

Because of the caveat specied in CSCul83594, you cannot enable RADIUS accounting on two
WLCs. Both WLCs sending accounting start and stop messages with dierent session IDs, will
confuse ISE. When this occurs, an "Error 500" message is displayed to end users (typically, when
they are redirected to the ISE portal). This issue occurs on a per WLAN basis. If you have other
WLANs that are not using ISE services, this issue might not occur. The issue lies with the new
simplied conguration check box on the WLC named “Apply Cisco ISE Default Settings”. When
enabling the check box, it automatically congures an authentication server and an accounting
server with the same IP and settings. The same settings are ported to the WLAN conguration too.
The problem occurs when you congure enable the checkbox on both WLCs. Accounting needs to
be congured on the foreign controller.

In WLC version 8.6+, the session id will be shared between anchor and foreign controllers and
accounting will then be possible to enable on both.

Please reference TAC Recommended AireOS Builds for best code version.

If you are using FlexConnect, we recommend that you use central switching mode. Local switching does
not support URL-based DNS ACLs. If you want to use FlexConnect Local switching, for example, branch,
be aware of the following caveat:

Without using URL-based ACLs, you cannot easily implement ACLs that open up cloud-based SSO
providers, such as SAML or social media access. One workaround is to permit access to all the internet
and enable URL-redirect only for internal sites (for example, for employee SAML SSO). Writing IP ACLs
for social media access could be cumbersome because they typically resolve to several IP addresses.

Deploy
Conguring the WLC for ISE Web
Authentication
This section shows how to congure the necessary security settings on the WLC to work with ISE. If you
are working with a switch, see Congure a Switch for Guest Access.

Note: This section provides information about how to set up a single controller. If you want to
create a conguration using a foreign anchor model, see the documents listed under Wireless
Deployment Models.

Congure ISE as RADIUS Authentication Server on

WLC
1. Log in to the WLC server’s GUI using admin credentials.
2. Click Advanced.
3. Choose Security > AAA > RADIUS > Authentication from the left menu, as shown in the following
gure:

4. Click New.

The RADIUS Authentication Server window is displayed, as shown in the following gure:

5. Enter the ISE IP address for Server IP address and the RADIUS shared secret for Shared Secret
elds.
6. Check the Apply Cisco ISE Default Settings check box.
Note: Checking the “Apply Cisco ISE Default Settings” check box enables support for CoA,
which is required for ISE. It also duplicates this setting for RADIUS Accounting.
7. Click Apply.
8. Click the Security tab and choose, Security > AAA > RADIUS > Accounting.

ISE will be automatically congured as a RADIUS accounting server, as shown in the following gure:

Congure a Guest WLAN (SSID)

1. Click the WLANs tab.

From the drop-down list on the right side of the window (see the gure below) choose Create New
and click Go.
2. Enter a Prole Name and SSID.

3. Enable the Status check box, and from the Interface/Interface Group(G) drop-down list, choose your
interface, in this case, guest.

4. Click the Security tab.

5. Choose None for Layer 2 Security conguration.
Note:

From WLC Version 8.3.102, ISE guests with WPA+PSK are supported. This is not related to
Identity PSK (IPSK). For more information, see Release Notes for Cisco Wireless Controllers and
Lightweight Access Points for Cisco Wireless Release 8.3.102.0.

Please reference TAC Recommended AireOS Builds for best code version.

This allows enterprises to protect their network from users on other oors or in the parking lot
from connecting to your OPEN SSID, and exhausting the DHCP pools or ISE base licenses. To
enable this feature, perform the following procedure:

Under Security > Layer 2, choose WPA+WPA2.

Check the MAC Filtering check box.
Set Authentication Key Management to PSK.
 6. Check the MAC Filtering check box

7. Click the AAA Servers tab.

8. Check the Apply Cisco ISE Default Settings check box.
9. Under Authentication Servers and Accounting Servers, check the Enabled check boxes, and from
the Server 1 drop-down lists, choose your ISE server, as shown in the gure below:

10. Click the Advanced Tab.

The Advanced Tab options are displayed, as shown in the following gures:

The following defaults are enabled when you selected Apply Cisco ISE Default Settings in the AAA
servers window:
Allow AAA Override – Enabled
NAC State – ISE NAC
Changes the state from a web redirection state to permit access state.
 Radius Client Proling - DHCP Proling and HTTP Proling are enabled.
Used for identifying your device type, for example, whether you are using an iPad or iPhone; the
WLC packages the device-identifying data and sends it to ISE via RADIUS accounting packets.
11. Uncheck the FlexConnect Local Switching, Enabled check box.
Note:

If you are using local switching (see Wireless Deployment Models), leave this enabled.

12. Click Apply.

13. Navigate to Security > Layer 3, and from the Captive Network Assistant Bypass drop-down list,
choose Disable, as shown in the following gure:

Note:

When you apply Cisco ISE Default Settings, it enables Captive Portal Bypass, which suppress
the Apple mini browser. We recommend that you disable Captive Portal Bypass to make the
mini browser (Captive Network Assistant) pop up automatically when connecting to a guest
network, and use it for guest access.

Captive Network Assistant Bypass options:

None - Uses the current global Captive Portal Bypass setting.
Disabled - Disables CNA on the WLAN, regardless of the global Captive Portal Bypass setting.
Enabled - Enables CNA on the WLAN, regardless of the global Captive Portal Bypass setting.
14. Click Apply to save your WLAN conguration.

Congure an ACL to Redirect Guest Devices to the

ISE Guest Portal
This section describes how to congure an ACL on the WLC. The objective is to congure an ACL that
allows guest clients to access guest services.

1. In the WLC GUI, choose Security > Access Control Lists > Access Control Lists.
The Access Control Lists window is displayed, as shown in the gure below. This window lists the
ACLs that are congured on the WLC. It also enables you to edit or remove any of the ACLs.
2. Click New to create a new ACL

3. In the Access Control List Name eld, enter ACL_WEBAUTH_REDIRECT as the ACL name, as shown
below:
4. Click the ACL name, to edit it

5. Click Add New Rule.

6. The Access Control Lists > Rules window is displayed.

7. Congure the rules, as shown in the following gure:

Note:

198.18.133.27 is the IP address of ISE in this example. We recommend that you use your ISE IP
address, and add all the PSN nodes that are servicing the Guest portal with this ACL. If you
change the TCP port number for your Guest portal, make the same change here (from 8443 to
the new port number).

8. (Optional) Congure Guest ACL

If your deployment is set up in a DMZ, and your guest network already has ACLs in place, you can skip
on to the next section. If you have setup your guest network in a conguration where your network has
access to internal resources then you will need to congure an ACL to permit guest access to the
internet and block access to internal resources after guest authorization. To ensure that the rules of the
 new ACL to permit guest access to the internet. This ACL must permit access to the internet, your ISE
PSN IP address(s), and the internal resources that you want them to have access to as seen in the
screenshot below. You can use the same procedure above to setup a permit internet ACL using the
following example.

Note:

In the above example, 198.18.133.0/24 is the internal network that guests cannot access. If
your guest network is in a DMZ, you will not have to limit access to your internal network since
the DMZ is outside the internal network.

Congure a Catalyst Switch for Guest Access

This section covers the minimal required conguration on a Catalyst Series switch to work with ISE guest.
This was validated with IOS and IOS-XE platforms.

When using network devices with ISE, make sure they are running the minimum code version provided in
the corresponding compatibility guide. If you need a higher code revision, you should test it in a lab
before going into production. The ISE team does not test all the devices with all the code versions. If you
need additional support, reach out to the respective device teams at Cisco.

If your switch is not listed, and you have a question about its compatibility with ISE, see the community
post, Does ISE Support My Network Access Device?

Additionally, if deploying with SGT’s then review the validated hardware and software versions within the
latest capability matrix.

Use the following links for information about general best practices on Cisco Catalyst switches with ISE.

ISE Secure Wired Access Prescriptive Deployment Guide

Cisco TrustSec Quick Start Conguration Guide

Switch Capabiliities
Your switch must meet the following requirements to work in an ISE guest setup:

Layer 3 SVI for your guest network – the switch requires a routable Layer 3 interface that can
communicate with endpoints in order to redirect the browser to the ISE Guest portal.
Note: If the access layer switches are layer 2 only then this routable interface can exist on an
upstream device. Example your access switch only has an management network (port/SVI) and
cannot communicate with the endpoint networks.
For more information (this applies to many switching platforms) : ISE Trac Redirection on the
Catalyst 3750 Series Switch
Ip device tracking – usually enabled by default but critical on tracking the endpoint. For IBNS 2.0
device tracking please refer to the ISE Secure Wired Access Prescriptive Deployment Guide
Switch management IP – Communicates with ISE via RADIUS in order to control AAA functionality.
Global RADIUS and AAA congurations – The switch is congured for AAA using ISE.
Pre-Auth ACL – This is manually congured on the switch. When a user device initially connects to
the network, this ACL restricts what that device can access until authenticated by ISE. The device must
at least be able to communicate with ISE to see the Guest portal. You can also open access to a
company portal by adding a link to the Guest portal. For example, you might want to give access to a
hospital’s welcome page containing information about the hours of operation, a directory of
departments, and so on.
Redirect ACL – This is manually congured on the switch to identify trac that will be redirected to
the Guest portal. Here, you can also identify trac that is not redirected, for example, to the company
website mentioned previously.
Enable HTTP service – This conguration on the switch redirects the endpoint HTTP requests to the
Guest portal. Note: HTTPS redirection is not recommended. For more information about this, see ISE
Guest CWA and HTTPS redirection.
Change of Authorization (COA) – Cisco Network Access Devices utilize RADIUS COA to allow
changes in the Guest use case from a redirect state to a permit state. For example: A device connects
to the wire. When its rst authorized its based of simple MAB (MAC Authentication Bypass). ISE is
setup to redirect any basic MAB from unknown endpoints to the Central Web Authentication (CWA)
portal. This portal can host an Acceptable Use Policy (AUP) page like a hotspot or a credentialed login
portal. The user clicks to accept or enters their credentials. At this point ISE sends a COA to the switch
with a new authorization result. This time without a redirect ACL and likely with a permit ACL that
allows internet access. For more information on RADIUS COA see Chapter: RADIUS Change of
Authorization in the Authentication, Authorization, and Accounting Conguration Guide, Cisco IOS
Release 15SY
DOT1X System Auth Control required to enable authentication manager on a port.

Example Switch Conguration

This sample conguration gives full network access even if the user is not authenticated; therefore, you
might want to restrict access to unauthenticated users.

In this conguration, HTTP and HTTPS browsing does not work without authentication (per the other ACL)
since ISE is congured to use a redirect ACL (named redirect). Here is the denition on the switch:
 ip access-list extended ACL_WEBAUTH_REDIRECT
deny ip any host <ISE ip address>
permit TCP any any eq www
permit TCP any any eq 443

This access list must be dened on the switch in order to dene on which trac the switch will perform
the redirection. (It matches on permit.) In this example, any HTTP or HTTPS trac that the client sends
triggers a web redirection. This example also denies the ISE IP address so trac to the ISE goes to the
ISE and does not redirect in a loop. (In this scenario, deny does not block the trac; it just does not
redirect the trac.) If you use unusual HTTP ports or a proxy, you can add other ports.

Another possibility is to allow HTTP access to some web sites and redirect other web sites. For example,
if you dene in the ACL a permit for internal web servers only, clients could browse the web without
authenticating but would encounter the redirect if they try to access an internal web server.

The last step is to allow CoA on the switch. Otherwise, the ISE cannot force the switch to reauthenticate
the client after the login to the guest portal.

aaa server radius dynamic-author

client <ISE ip address> server-key <radius shared secret>

This command is required for the switch to redirect based on HTTP trac:

ip http server

This command is required to redirect based on HTTPS trac:

ip http secure-server

These commands are also important:

radius-server vsa send authentication

radius-server vsa send accounting

dot1x system-auth-control

Here is the switchport conguration

 interface GigabitEthernet1/0/1
description ISE Port
switchport access vlan 100
switchport mode access
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

Congure ISE for Guest Access

Now that you have congured your network access device to work with ISE web authentication, you must
complete the necessary steps on ISE.

Add the Network Access Device to ISE

Perform the following procedure to add a wireless controller or switch to ISE:

1. Log in to ISE Admin UI.

2. Navigate to Administration > Network Resources > Network Devices.
3. Click Add, as shown in the following gure:

4. In the Name eld, enter the device name.

5. Choose IP Address from the drop-down list and enter the corresponding device’s IP address:
6. Check the RADIUS Authentication Settings check box.
7. In the Shared Secret eld, enter the corresponding information:

8. Click Submit.

If software dened segmentation is deployed then enable the Advanced TrustSec Settings and complete
the details as explained in the following guide: Cisco TrustSec Quick Start Conguration Guide.

Policy Set for Credentialed Guest Access

From ISE 2.3, the only way to congure authentication and authorization rules is to use Policy Sets. By
default, sample authorization rules are available for credentialed guest access. This section describes
how to enable these rules.

1. Navigate to Policy > Policy Sets.

2. Click the arrow to expand the default policy set, as shown in the gure below:

3. Expand the Authorization Policy.

4. Scroll down until you see the built-in Wi-Fi policies for Guest Access and then enable them.

Note: Like other built in policies, an SGT is applied to the Guest Access by default. This can
be utilized in your Software Dened Segmentation story, for more information please see the
Segmentation and group based policy resources community.

Understanding Guest Flow

Guest-access authorization with ISE happens in two stages. The initial ow is a MAC authentication
Bypass (MAB), where ISE authorizes the endpoint for URL redirect to itself. This results in the web trac
from the guest user’s device to be redirected to the ISE Guest portal. Note that at this stage, the network
device (switch or WLC) and ISE will track the endpoint’s network connection with a common session ID.
When a guest user logs in with guest credentials, the guest user ID is merged with the existing MAB
session. This part of the process is termed as Guest Flow, where an existing MAB session gets guest
user context appended to it. Therefore, there are two authorization rules for guest access; the Wi-Fi
Redirect to Guest Login rule redirects unknown endpoints to the Cisco_WebAuth prole for presenting
to a Guest portal, and the Wi-Fi Guest Access rule is used after users enter their credentials (Guest
Flow). This grants them internet access (permit access).
The following gure shows central web authentication:

Using Guest_Flow to Match Guest User Type

Guest user accounts can be created with several attributes that determine their roles and responsibilities
in the network. ISE has 3 built-in guest types. As an administrator, you can create your own custom guest
types. The following are the built-in guest types:

Contractor — Users who need access to the network for an extended amount of time, up to a year.
Daily — Guests who need access to the resources on the network for just 1 to 5 days.
Weekly — Users who need access to the network for a couple of weeks.

ISE Authorization Policy for Contractor Guest Type

1. Enable both the Wi-Fi Redirect to Guest Login and the Wi-Fi Guest Access policies.
2. Click Save.
3. Under Policy Sets, you can edit the existing rule for Wi-Fi_Guest_Access policy. Click the pencil icon.
Make the changes, as shown in the gures below, and then click Save.
  

4. When you complete this procedure, your policy will look like this. Remember to save the new policy.

Guest User Experience

The following gure depicts guest user experience:

1. Guest user’s device connects to the network.

2. The web trac from the guest device is redirected to the ISE Guest portal, where users can sign-up
for an account or enter their credentials.
3. Once users enter their guest credentials, they are in the Guest Flow, and will be granted access to the
Wi-Fi Guest Access rule.
4. The device is permitted access to the internet.

Note that if the device goes to sleep or if users leave the network and come back, they will be required
to go through the login process again.

Guest users are required to log in to the ISE Guest portal every time they connect to the network. For
example, users may put their device to sleep, resume from sleep mode, or get a new wireless session
ID. The default wireless user Idle Timeout value on the WLC is 180 seconds. This user experience can
be avoided with the Guest Remember Me feature on ISE.

The Guest “Remember Me” Feature

This section describes how to allow a guest to access the network without being redirected to ISE every
time after the initial login. With the previous rule set (Guest_Flow), when a device leaves the network and
comes back, the device is redirected to the login process again.
The Remember Me feature works by using the endpoint group to track users. Currently, there are caveats,
with ISE granting access based on the endpoint group. This is because there is no user logging into the
Guest portal. Instead, access is based on MAB, using the MAC address. Be aware of the following:

Reporting issues (MAC address is shown in the ISE reports instead of usernames.)
Guest Type options will not work if there is no portal login.
Time-based restrictions, for example, access only from 9 a.m. to 5 p.m.

Restrict access times by utilizing the authorization policy conditions.

Maximum number of simultaneous logins with the same guest account:

Instead, you can restrict the number of devices that are allowed to register under Guest Type for
wireless.

Note: Another way to remember guests is to use the Sleeping Client feature in the wireless
controller. This feature keeps the wireless session cached in memory. The potential problem
with this is that only a certain number of sessions can be stored in the controller’s memory.
However, this document does not cover that feature.

Guest User Experience with “Remember Me”

1. User connects to the Guest network.
2. Device is redirected to the ISE guest login window.
3. User logs in.
4. Device MAC address is registered in Guest Endpoints group.
5. Device goes away and returns for new wireless session.
6. Device is granted access based on its MAC address membership in the Guest Endpoints group.

Note: This is the same conguration that is used for a hotspot portal. The only dierence is that
with hotspot, you redirect guests to a hotspot portal instead of to a self-registered Guest
portal.

Policy Conguration for the Guest “Remember Me”

Feature
1. Navigate to Policy > Policy Sets.
2. Click the arrow to expand the default policy set.
3. Click Wi-Fi_Guest_Access conditions to edit the rules.

4. Under Editor, remove the Guest_Flow by clicking the (x) icon.

5. Click Add to add a new condition.

6. Dene the condition as IdentityGroup:Name Equals Endpoint Identity Groups: GuestEndpoints.

7. Click Use.

Note: Clicking on Save with allow you to use the Guest Endpoints MAB condition again in
another rule if you like, since its not complex you don’t need to re-use so instead we go
direct to Use.
8. Click Save to save the policy set

Note: For wired guest access, the policy can be modied in two ways. The
WiFi_Redirect_to_Guest_Login policy can be duplicated, and in the new rule, the endpoint’s
session can be matched with Wired_MAB instead of Wireless_MAB. Alternatively, the
WiFi_Redirect_to_Guest_Login policy can be edited to match Wireless_MAB or
Wired_MAB with an “OR” condition check.

The Remember Me feature is a simple MAB function based on the GuestEndpoint Endpoint Identity
group. The MAC address of any guest user’s device that is authenticated once will automatically be
registered under GuestEndpoint within ISE. A user has to accept an Acceptable Use Policy (AUP) for
hotspot access, or enter certain credentials for credentialed guest ows only once. From then on, access
is based on the guest device’s registered MAC address. Thus, the guest will not be redirected to the ISE
portal for AUP or login, on subsequent network connections, until the MAC address is purged from the
GuestEndpoint group. The default purge period is 30 days and can be customized for individual
environments. Note that this is not guest account purging, just a guest device’s MAC address. To change
the endpoint purge period, perform either of these tasks:

For Hotspot, endpoint purge conguration can be done under portal settings.
For credentialed guest ow navigate to Administration > Identity Management > Settings >
Endpoint Purge
As long as the endpoint is in the Endpoint group called out in the authorization rule then the device
will have access without having to login to the credentialed portal. You can set the EndpointPurge
rule as low as 1 day. An example would be if GuestEndponts AND ENDPOINTPURGE: ElapsedDays
LESSTHAN 9999. This will remove all endpoints in the guest database when the purge runs on its
daily schedule.
For Credentialed guest accounts, the endpoint duration can be congured under the Guest Type
settings.

Using an Authorization Prole to Redirect Guest

Endpoints to ISE
As explained in Understanding Guest Flow, when endpoints rst access the network, they are
authenticated with MAB, and must be redirected to the Guest portal for authorization. ISE comes with a
built-in prole called Cisco_WebAuth that references a built-in self-registered Guest portal. This section
shows you how to modify this authorization prole to use other portals and URL-redirect ACLs.
The following conguration can be used for both wireless and wired environments. The WLC and switch
require a precongured redirect ACL which you completed earlier in this document.

1. Navigate to Policy > Policy Elements > Results.

2. Expand Authorization and click Authorization Proles.
3. Check the Cisco_WebAuth check box.

4. Change the prole to work for your setup:

From the Web Redirection drop-down list, choose Hotspot or Centralized Web Authentication
(for Self-Registration or Sponsored Guest Flows).
 ACL – Enter the ACL being used for the redirection. This example uses the pre-congured ACL

Note: The ACL is case-sensitive and must match the denition in the Network Device
exactly.

From the Value drop-down list, choose the appropriate default portal (Hotspot, Self-Registration,
or Sponsored).
5. Click Save.

Example: Authorization Prole for Hotspot Guest Access

Example: Authorization Prole for Self-Registered Guest Access

Access Control for Guest Trac

In a typical scenario, the guest Wi-Fi trac is isolated in the DMZ, and the guest wired trac is
segmented using a Guest VLAN, as shown in the gure below. In some environments, the guest wireless
trac may be within a campus with separate SSID and VLANs too. How you want to manage your guest
network is up to you. However, note that controlling guest trac from accessing internal resources is
important.
While VLAN segmentation helps in keeping the trac separate, as explained in the IP Address and VLAN
changes section, it is not a good idea to change VLANs dynamically for guests. The use of IP ACLs
and/or SGTs can be a remedy for this issue. For guest trac segmented on DMZ, an ACL and/or SGT
policy to permit all IP trac can be applied, and for the guest trac within a campus network, an IP ACL
and/or SGT to deny access to private IP addresses will suce in most of the cases. This section
describes the optional tasks of authoring and authorizing an ACL for a guest user connecting internally.

Overall the recommendation would be to consider using segmentation using Scalable Group Tags (SGTs)
in your deployment to help reduce the overall management costs and help with your organization
segmentation story.

For more information please see the Segmentation and group based policy resources community.

1. Navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs.
2. Click Add.

3. Create an ACL with the following requirements:

Permit the ISE PSN IP address on port 8443 (allow access to Guest portal).
Permit access to internal sites, if necessary.
Deny access to internal networks.
Permit everything else.
The following gure shows a sample ACL:

permit tcp any host 192.168.133.27 eq 8443

deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any

4. The DACL on ISE can be validated by the Check DACL Syntax option.
5. Click Submit to save the ACL.

6. Click Authorization, then click Authorization Proles, and nally, click Add.

7. Congure the Authorization Prole, as shown in the following gures (the left gure indicates for a
wired guest and the right gure indicates for a wireless guest):
 Note: AireOS does not support downloadable ACLs. Therefore, ACLs must be congured
locally on the wireless controller (or access points in FlexConnect mode). The ACL names
must match in both ISE and in AireOS. The Guest ACL conguration on the WLC is very
similar to the DACL conguration on ISE.

8. Save the authorization prole.

9. Navigate to Policy > Policy Sets.
10. Expand Default Policy Set and Authorization Policy.
11. Modify the Wi-Fi_Guest_Access authorization rule, as shown in the gure below:

12. Click Save.

This completes the steps required to get a portal up and running with your network device (switch or
WLC).
If you are using a hotspot portal for guest access, you can go to the Congure Basic Portal Customization
section.

If you are using the self-registration or sponsored ows (Credentialed Guest Access), then additional
conguration is required. Continue with the next section, Congure the Minimum Settings for Self-
Registered Guest Flow.

Congure the Minimum Settings for Self-

Registered Guest Flow
The default portal settings for self-registered guest access redirects guest users to the login window
after successful account creation. This is a cumbersome task for the guests. For ease-of-use, we
recommend that you allow guest users to log in to the network directly after registration. The following
steps show you how to congure this:

1. Navigate to Work Centers > Guest Access > Portals & Components > Guest Portals.
2. Click Self-Registered Guest Portal (default).

3. Under Portal Behavior and Flow Settings, select Self-Registration Success Settings.
4. Scroll down to the bottom of the window and check the Allow guests to log in directly from the
Self-Registration Success page check box.

5. Expand the Guest Device Registration Settings

6. Check the box to Automatically register guest devices.

Note: This setting is highly recommended for use with “Remember Me” functionality. This
allows the device to be remembered after the user initially logs into the Guest Portal. Using
this ow is a better user experience as they only have to log in once per device until the
device is purged.

7. Expand Post-Login Banner Page Settings, and uncheck the Include a Post-Login Banner page
check box.
8. Scroll up and save the portal settings by clicking Save.

Conguring Guest Type Access Times,

Location, and Time Zone
In ISE 2.1, the option of From rst login was introduced in the Guest Type. This option improves the ISE
Guest Access setup. However, by default, the From sponsor-specied date option is selected for all
guest types. We recommend that you switch all your guest types to use From rst login.

From rst login enables a guest account immediately after a sponsor creates that account, or when the
user self-registers on the Guest portal. This is particularly useful for those who want simple guest access
that is activated immediately and lasts for a specic amount of time. The account can be valid for a day or
a week, and you do not have to worry about limiting access to a set time of day or a specic amount of
time.

With the From rst login option, you do not have to worry about creating location and associated time
zones unless you want to limit the time range during which a user can log in to the Guest portal. If you
want to set strict limits on access hours, you should set up locations and time zones. However, if you only
want guests to be able to use the account starting at a specied time, you will have to work with the
sponsor-specied date. For more information about this, see Working with Locations and Time Zones.

Conguring From First Login

1. Navigate to Work Centers > Guest Access > Portals & Components > Guest Types.

2. Change the following settings for a specic guest type of interest or all guest types (except
SocialLogin(default)).
 

About the “From Sponsor-Specied Date” Option

Instead of the From rst login option, if the sponsor-specied date option is chosen for guest account
start time, the location and time zones corresponding to the locations where the guests will be accessing
the network, must be congured. Your guest or sponsor can easily choose the time zones when the
accounts are activated. Use this setting if you require a specic set of times during which your guests can
use their account for network access. Unlike the From rst login option that activates an account
immediately, this setting activates an account at a specic time, which is when the account is registered
by the guest, or when the sponsor sets its start time.

Note: If you do not congure a location, the account will not get activated at the correct time,
and the user will not be able to log in.

Ensure that the time on your ISE server is correct. Even if it is only a few minutes faster than your browser,
you may notice that it takes a few minutes for the accounts created using self-registration or sponsored
ows to start working. When this happens, an Authentication Failed message is displayed to the end user
using the Guest portal.

Also, under Operations > RADIUS > Live Logs in ISE, you can see failure entry details stating that the
account is not yet active.

Working with Locations and Time Zones

If you need to restrict access to certain times of the day, you must congure locations and time zones. If
only one location is congured in your portal and sponsor group, guests and sponsors will not be
presented with the option to select a location.

Since only one location, San Jose, is available out-of-the-box, there is a problem with new setups in
other time zones. For example, when an ISE administrator sets up a system in Boston, it is 9. a.m. there.
The admin goes to the self-registration window or the Sponsor portal window to create an account,
thinking that he/she is working with the local time. However, the time zone is PST. The account (unless
the admin is using From First Login) will not be activated for another 3 hours, and the guests will not be
able to log in. Unless the guest users connect to the network in PST time, a separate location
conguration must be done in ISE to cater to those users in dierent time zones.

Deployments in the PST time zone can use the San Jose location that is built into ISE. If that time zone is
acceptable to you, skip to the Congure Settings for the Sponsored Guest Flow section.

Note: You cannot change the name of the default San Jose location. However, you do not have
to remove it because it will not be displayed if you do not choose to use it.

For more information about location and SSIDs, see Assign Guest Locations and SSIDs in the
Administrators guide.

To congure guest locations and time zones, perform the following steps:

1. Navigate to Work Centers > Guest Access > Settings > Guest Locations and SSIDs.

The Guest Locations and SSIDs window is displayed.

2. Enter a Location Name and Time zone, for example, Boston (EST) using EST5EDT or America/New
York.

Do not delete the San Jose Location.

3. Click Add.
4. Click Save.

Congure Settings for the Sponsored Guest

Flow
Guest Portal for the Sponsored Flow
From a guest user’s perspective, there are a couple of options to provide sponsored guest access:

Self-registered guest access with sponsor approval – A guest user registers the account by lling
in all the mandated elds during the initial Guest Flow, and upon notication, the sponsor approves or
declines access.
Sponsored guest access – A guest user cannot register an account, but has to collect the credentials
from the sponsor via SMS or email to log in to the guest network. To congure this, see Congure
Sponsored Guest Access.

Congure Self-Registered Guest Access with Sponsor Approval

1. Navigate to Work Centers > Guest Access > Portals & Components > Guest Portals.
2. Click Self-Registered Guest Portal (default).

3. Under Portal Behavior and Flow Settings, select Registration Form Settings.

4. Check the Person being visited check box and the Require guests to be approved check box.

5. Scroll down and chose the notication methods applicable to your environment.
6. Scroll up and Save the conguration.
7. If you’re decided to use self-registration portal as congured above then next you will need to
conguration an Authorization Policy, Congure Authorization Policy

Congure Sponsored Guest Access

The default self-registration portal can be used for both self-registered and sponsored guest access. The
following table explains the options for both the scenarios:

Guest Type Guest Can Sponsor Role Guest Portal

Create Own
Accounts
Self- Yes (Optional) Can approve or deny Self-Registered Guest Portal
registered guest access
guest user
Sponsored No Must create guest account and
guest user share credentials to guest user Sponsored Guest Portal

Or

Self-Registered Guest Portal

(with settings to deny guests the
permission to create own accounts)

If you are looking at only sponsored guest access, and do not want to allow guests to self-register,
perform these steps:

1. Navigate to Work Centers > Guest Access > Portals & Components > Guest Portals.
2. Click Self-Registered Guest Portal (default).

3. Under Portal Behavior and Flow Settings, select Login Page Settings.
4. Uncheck the Allow guests to create their own accounts check box.

5. On the right-hand side, when you click Guest Flow, the ow should appear, as shown in the gure
below:

Note: The Guest Flow for both Self-Registered Guest Portal (with the Allow guests to
create their own accounts option unchecked) and Sponsored Guest Portal is exactly the
FIND A C same. The default sponsored Guest portal is available under Work Centers > Guest
Buy o Access > Portals & Components > Guest Portals.

Scroll up and Save the conguration.

Congure Authorization Prole and Policy for

Sponsored Guest Access
1. Navigate to Policy > Policy Elements > Results, select Authorization Proles, and check the
Cisco_WebAuth check box.
2. Ensure that the authorization policy redirects guest users to the portal you are using. Use the following
conguration as an example:

3. Ensure that the ISE authorization policy results for Cisco_WebAuth prole for guest user’s initial MAB
session. To do so, check the corresponding policy under Policy > Policy Sets: Default >
Authorization Policy > Wi-Fi_Redirect_to_Guest_Login.

Working with Sponsor Accounts

Set up your sponsors by either creating an internal account or conguring ISE to integrate with Active
Directory. If you are integrating with Active Directory, skip to the

Using Sponsor Accounts from Active Directory section

To create an internal account, perform the following steps:

1. Navigate to Administration > Identity Management > Identities > Users.

2. Click Add.
3. Fill in the information for the Sponsor.
4. Under User Groups, if ALL_ACCOUNTS, which is the default, is not selected, select it.
5. Click Submit.

Using Sponsor Accounts from Active Directory

Perform the procedures described in this section and the Setup the Active Directory Sponsor Group in
All_Accounts only if you are integrating your Guest Access system with an Active Directory server that
contains your sponsor groups.

For more information see the Active Directory as an External Identity Source section in the Cisco Identity
Service Engine Administrator Guide.

To create sponsor accounts from Active Directory, perform the following steps:

1. Navigate to Administration > Identity Management > External Identity Sources.

2. Select Active Directory.
3. Click Add.

4. Enter the Join Point Name and Active Directory Domain.

5. Click Submit.
 A “Would you like to join all ISE Nodes to the Active Directory Domain?” message is displayed.

6. Click Yes.
7. You are asked to enter your credentials to join the domain. Note that the Specify the Organizational
Unit eld is optional. Click the information icons next to each eld for more details on what is required.
8. Click OK.

Note: The domain credentials are not saved by ISE. The credentials are used only once to
create a machine account for ISE in the Active Directory.

9. A Successful message is displayed

10. Click Close.

11. Click the Groups tab.
12. Click Add, and select Groups from Directory, as shown in the gure below:

13. Click Retrieve Groups.

14. After you choose the groups that contain the users who will be sponsoring guests, click OK at the
bottom of the window.

15. After you choose your groups, the conguration will look, as shown in the following gure:
16. Click Save at the bottom of the window.

You have now completed the task of setting up Active Directory Groups that can be mapped to your
sponsor groups.

Set Up the Active Directory Sponsor Group in

All_Accounts
The following steps show how to associate the group containing your sponsors or employees to the
sponsor group. In the example described here, we use Domain Users.

1. Navigate to Work Centers > Guest Access > Portals & Components > Sponsor Groups >
ALL_ACCOUNTS.

The Sponsor Group window is displayed, as shown in the gure below:

2. From the members list under Available User Groups, move the domain users under Selected User
Groups, as shown in the gure below:
3. Click OK.
4. Click Save.
It is important to congure correct locations that can be used when sponsors create your guest
accounts. If you are ne with using San Jose as the location, or do not have to use locations because
of your guest types, you can skip Steps 5-8.
5. From the Select the locations that guests will be visiting section, select the locations you want your
sponsors to use, as shown in the gure below.

6. Add in the locations you plan to use in your deployment.

7. Scroll to the top of the window, and click Save.
8. Click Close.

Set Up ISE Sponsor Portal FQDN-Based Access

A Sponsor portal allows a sponsor to create temporary accounts for guests, visitors, contractors,
consultants, and so on. It also allows you to view the accounts that guests create for themselves.

The following are the three options that are available to access the Sponsor portal; the rst two methods
require no special conguration, and can be accessed via the ISE admin GUI:

Using the Manage Accounts button – Navigate to Work Centers > Guest Access > Manage
Accounts.

This window is reserved for administrators to quickly see what is going on with guests. However, we
recommend that you do not use this to manage guests and sponsors. Use it only to quickly access the
guest listing, mainly for deployments that do not use a Sponsor Portal. We highly recommend that you
set up an easy-to-use Sponsor portal.
 Using the Portal Test URL - This URL can be sent to your sponsors so that they can easily bookmark
the site. This is the default option.
Using Sponsor Portal FQDN – This is an easy-to-remember URL that requires some additional
conguration.

We recommend that you provide your sponsors with an easy Sponsor Portal URL, for example, Error!
Hyperlink reference not valid..

Perform these steps to provide easy access to the Sponsor portal:

1. Navigate to Work Centers > Guest Access > Portals & Components > Sponsor Portals.
2. Click Sponsor portal (default).

The Portal Settings pane appears, as shown in the gure below:

3. Click Portal test URL.

The Portal Test URL window is displayed.

Note:

Clicking Portal test URL displays the Sponsor portal with a complicated URL that can be sent
to your sponsors. However, if you continue with the subsequent steps, a simpler URL can be
generated.

Sample Portal test URL from an ISE deployment:

https://ise.securitydemo.net:8443/sponsorportal/PortalSetup.action?portal=28981f50-e96e-
11e4-a30a-005056bf01c9

4. Close the Portal Test URL window as this was only to test its working.
5. In the Sponsor Settings and Customization window, click Portal Settings.
6. In the Fully qualied domain names (FQDN) and host names eld, enter a friendly Sponsor portal
FQDN:

7. Scroll to the top and click Save.

8. You should now update your DNS Server to ensure that this friendly FQDN resolves to your ISE IP
address. For more information please see the section for Fully Qualied Domain Name (FQDN) under
Portal Settings for Sponsor Portals in the Cisco Identity Services Engine Administrator Guide.

Congure Basic Portal Customization

Note that this is an optional task. It is not critically necessary to get your system up and running for Guest
access. It is an optional process to help familiarize with the basic customization options for your new
Guest portal. If you are not interested in customizing your portal, skip this procedure and continue to the
Setting up a Well-Known Certicate section of the Cisco Identity Services Engine Administrator Guide.

For more information about guest customization, see the Customize End-User Web Portals section of the
Cisco I, and the HowTo: ISE Web Portal Customization Options section in the ISE Guest & Web Auth
community page.

To customize a Guest portal, perform the following steps.

1. Navigate to Work Centers > Guest Access > Portals & Components > Guest Portals.
2. Click the portal you are using (Hotspot, Self-Registered, or Sponsored) to edit that portal.

The active portal is indicated by a check mark in a green circle, as shown in the gure below:
3. Click Portal Page Customization, as shown in the gure below:

ISE provides you with the advantage of basic customization built into the product. ISE also makes it
easy to see what changes you are making in real time. Notice that the top of the window provides you
with options to change logos, the banner, and main text elements. You can also choose from built-in
color themes. Depending on your portal settings and portal type, you will see dierent options on the
left side of the window. You can tweak the text in the dierent areas too.

4. To change the theme colors of your portal, use a built-in Portal Theme or the Tweaks option, as
shown in the following gure:

5. After performing customization, preview the window by clicking Desktop Preview.

Note: Portal testing provides a real end-user experience and helps you validate a certain
conguration, without the need for a real endpoint or network access session.

6. Close the Desktop Preview window.

7. Click Save at the top of the window, as show in the gure below:
You have now completed basic customization of your Guest portal. You can do the same with your
Sponsor portal if you are using Sponsored Guest Access. To do this, navigate to Work Centers > Guest
Access > Portals & Components > Sponsor Portals > Select the default portal, and follow the same
steps you used to customize your Guest portal.

Setting up a Well-Known Certicate

Note that this is an optional task. It is not required to get your system up and running for guest access for
basic testing, but is highly recommended. To ensure that your users will not have to accept an invalid
certicate when connecting to the Guest, Sponsor, or Administrator portals via their web browser, use a
certicate that has been signed by a well-known Certicate Authority (CA). We recommend that you do
not use self-signed certicates.

In the example described in this section, a certicate from SSL.com is used as an example of a provider
that will work correctly with ISE. However, we do not recommend any specic provider. We only
recommend that before purchasing a certicate, you get a test certicate from the CA to test with.

Note: Each certicate provider may refer to a certicate type by dierent names. It often helps
to call the company, or use their online contact options to explain what is needed in the SAN
elds. Tell them that you are looking for a certicate containing a wildcard and FQDN in the SAN
eld, and a FQDN in the CN= eld.

For more information about wildcard certicates and certicates in general, see the following section in
these documents:

Cisco Identity Services Engine Administrator Guide - Wildcard Certicate Support in Cisco ISE
MovingPackets.net article - When SSL Certicates Go Wild
Aaron Woland’s Network World Blog - Wildcard certicates and how to use with ISE
Aaron Woland’s - HowTo: Implement Cisco ISE and Server Side Certicates 

 
Create a Certicate-Signing Request and Submit it to
a Certicate Authority
The steps listed here show an example of how to set up a Unied Communications Certicate (UCC) with
a wildcard in SAN from SSL.com, which is a subordinate of Comodo:

1. Navigate to Administration > System > Certicates > Certicate Signing Requests.
2. Click Generate Certicate Signing Requests (CSR).
3. Enter the values for generating a CSR, as shown in the following gure:

Usage

Certicate(s) will be used for: Multi-use

Allow Wildcard Certicates: Checked

Subject

Common name: <yourdomain.com>

Replace the other sections of the subject
with the information pertaining to your
organization.
Subject Alternative Name (SAN)=
SAN DNS Name 1 =
<yourise.yourcompany.com>
SAN DNS Name 2 = <*.yourcompany.com>
Retain the default value for the last two
elds.
4. Click Generate.
The CSR is generated, as shown in the gure below:

5. Click Export to save the le

6. Open the le in a text editor.
7. Copy all the text from “---- BEGIN CERTIFICATE REQUEST-----“ through “-----END
CERTIFICATE REQUEST----.”
8. Paste the contents of the CSR into the certicate request of a chosen CA. The following gure shows
an example of the SSL.com portal:
9. Download the signed certicate.

Note: Some CAs might email the signed certicate to you. The resulting download or email
attachment is often in the form of a zip le that contains the newly signed certicate and the
public certicates of the CA. Save the digitally signed certicate, root CA certicate, and other
intermediate CA certicates (if applicable) to the local system running your client browser in
order to be imported. For more information about importing, see the section below, Import
Certicate to the Trusted Certicate Store.

Import Certicates to the Trusted Certicate Store

This section shows you how to import the necessary certicates to ensure trusted client and server
communication. Along with the server certicate, ISE also presents the root and intermediate (if required)
certicates to the client when communicating.

Note: Not all providers have intermediate certicates that are required to be installed.
Intermediate certicates come from the subordinate CAs. The example provided here uses
SSL.com, which is a subordinate of Comodo. Comodo is a subordinate to the AddTrust root CA.
Therefore, this example shows how to import a root certicate as well as certicates for the two
subordinates.

To import all three certicates, perform the following steps:

1. Navigate to Administration > System > Certicates > Trusted Certicates.

2. Click Import.

The Import a new Certicate into the Certicate Store pane is displayed, as shown in the gure
below:
 Click Browse
to select the
root CA
certicate.
Enter a
Friendly
Name.
Choose the
root certicate
returned by
your CA.
Under Trusted
For, check the
Trust for
Authentication
within ISE
check box and
the Trust for
client
authentication
and Syslog
check box.
Check the
Validate
Certicate
Extensions
check box.
Enter a
Description.
Click Submit.
3. Import all the CA certicates in the chain:
Root CA: AddTrustExternalCARoot.crt
Subordinate CA: SSLcomDVCA_2.crt
Subordinate CA: USERTrustRSAAddTrustCA.crt

The values specied above are specic to this example. Otherwise, the values vary according to
your service provider's chain.

Bind the CA-Signed Certicate to the Signing Request

Now that you have received the digitally signed certicate from your CA, and imported the CA certicates,
the next step is to bind the certicate signed by the CA to the CSR, from ISE. This pairs the certicate
and private key that was used to generate the CSR.

1. Navigate to Administration > System > Certicates > Certicate Signing Requests.
2. Select the entry for your signing request.
3. Click Bind Certicate, as shown in the gure below:

4. Congure as follows:
Click Browse to choose
the CA-signed
certicate.
Specify a Friendly
Name for the certicate.
Under Usage, check the
Admin, EAP
Authentication, and
Portal check boxes.
From the Portal Group
tag drop-down list,
choose Default Portal
Certicate Group.
Click Submit to bind the
CA-signed certicate.

Figure x Bind Signed Certicate

5. After you click Submit, the system will restart and be inaccessible for about 5 minutes.

This completes the task of setting up ISE with a well-known certicate for ISE. For more information about
working with certicates, see the Managing Certicates section of the Cisco Identity Services Enginer
Administration Guide.

Operate
Validation of ows
After conguring your ISE server, use the following steps to validate your deployment:

Testing Web Portals

 Note: For guest ows, you can use the Portal Test URL at the top of the Portal Settings window
to quickly test the ow, without having any network device or real clients.

1. Navigate to Work Centers > Guest Access > Portal & Components > Guest Portals.
2. Choose the Guest portal you want to test.
3. Click the associated portal test URL.

If, for some reason, your portal does not load, here are a few tips:

The test portal always opens up with ISE’s real IP address. If the ISE node is behind a NAT router, its
public IP address must be replaced in the test URL.
If DNS is not resolving correctly, you can replace the ISE’s FQDN with IP address.

From this point, you can go through the complete ow. Note that the nal success redirection to a static
or originating URL needs a real session for this to work completely.

Clearing Guest Endpoints

If, however, you are going to perform dierent ows with the same device, you should do the following
between each ow test:

1. Turn o the Wi-Fi on the device, go to the device settings and click Forget SSID if you have multiple
proles set up.
2. On the WLC, clear the session for the device by navigating to Monitor > Clients.
3. On ISE, navigate to Context Visibility > Endpoints and remove guest devices.

If you want to switch between a hotspot portal and a credentialed portal using the same authorization
rules, you can do so by going into your Authorization prole and switching between the two.

Monitoring Guest Connections

For Hot Spot Guest Flow

1. Connect to your Guest SSID.

2. Open a browser if it does not auto launch. (Apple iOS devices should also auto launch.)
3. Accept the AUP via the Hotspot Portal.
4. Access the internet.
5. In ISE, navigate to Operations > RADIUS > Live Logs.

Here is an example of what you will see when going through a ow with an endpoint.

Look at the image below, from bottom to top, the ow the device or user goes through is depicted:
6. Device connects to SSID and is authorized to be redirected to the webauth portal because the mac
address is unknown.
7. The user accepts the AUP or logs in to the portal, and the guest user device is added to the
GuestEndpoint group.
8. ISE initiates CoA for reauthentication.
9. The device is authorized (granted access) based o the endpoint group and permitted access.

For Self-Registered Guest Flow

1. Connect to your Guest SSID.
2. Open a browser if it does not auto launch. (Apple iOS devices should also auto launch.)
3. Click the Or register for guest access link to register for guest access.

4. Enter information, if needed, and then click Register.

5. Click Sign-on.

Note that if you did not enable sign-on from the Self-Registration Success window, you should copy
the username and password information to enter in the same login window.

6. Access the internet.

The following procedure shows how a guest credentialed access will present itself. Look at the image,
from bottom to top, the ow the device or user goes through is depicted:

1. Device connects to SSID and is authorized to be redirected to the webauth portal because the mac
address is unknown.
2. The user logs in to the portal, and the guest user device is added to the GuestEndpoint group.
3. ISE initiates CoA for reauthentication
4. The user is authorized and permitted access per the guest ow.

 
Viewing the Guest Users List
Access without Sponsor Portal
Navigate to Work Centers > Guest Access > Manage Accounts.

The Managed Accounts is reserved for administrators to quickly see what is going on with guests. Note
that we do not recommend this to manage guests and sponsors. It should be used only to quickly access
guest listing, mainly for those systems that do not use a Sponsor portal. We, however, recommend that
you set up an easy-to-use Sponsor portal.

Access with Sponsor Portal

1. Using a machine in the internal network, connect to the Sponsor Portal via the Sponsor portal easy
FQDN or use the Portal Test URL for Sponsor portal access. This is explained in in the Setup ISE
Sponsor Portal FQDN Based Access section.
2. Log in with a sponsor account.
3. Create a guest account.
4. Using another client, connect to the Guest SSID.
5. Log in with the newly created guest account.

For additional conguration and customization options, visit our Guest Web Auth community page.

Troubleshooting Common Issues

My apple mini-browser is not working. I am getting error that the server can’t be found or I cannot
connect to the internet. What maybe causing this?

.local domains are not supported by apple - https://support.apple.com/en-us/HT207511

Make sure that forward and reverse DNS for your guest network is resolving the FQDN of your ISE
server.

Using Wired my endpoints aren’t being redirected.

Cisco Switches require that a management vlan (SVI) exists on the switch. This management network
is used to communicate with the endpoints for redirection to the ISE guest portal (ISE is not an inline
 appliance). Any routing or ACLs in your network will need to allow this communication to all IPs and
ports your PSN is setup to use.

Troubleshooting checklist
Is the client getting an IP address (and not an APIPA address)? 
Is the switch seeing the IP address? (show authentication session interface x/y details)
Is the Client able to resolve the FQDN of the guest portal? (open cmd and try to do nslookup on the
FQDN of the portal)
Is the Client able to reach the PSN (to which the FQDN is resolving to)? Try pinging from the client to
the PSN, if ping is allowed in your network.
Is the Test URL option working for the guest portal?
Can you paste the FQDN of the guest portal in the URL of the client's browser and take captures on
the PSN with the lter of the client's IP? Are you seeing any packets coming in?
Do you have any proxy or a rewall in the path, which could possible aect the trac? 
Miscellaneous - If multiple interfaces are selected in a portal which one will be returned? The rst one
in the list will be returned in any requests.

DNS issues
If guest clients simply are not getting a DNS response for your ISE servers due to the network design. 
There are a few options here, but each have their own caveat.

If you can't resolve DNS of guest portal and are trying IP address of PSN (static URL for ISE) then the
certicate presented by ISE to the client needs to have ALL PSN IP Addresses serving guests in the
SAN of the well known certicate
You can set a static IP address under Policy > Policy Elements > Results,  click your redirect.  Check
the check box for static URL. Here, you can setup either DNS that is resolvable or an IP address.   The
issue with using a static DNS entry, it breaks redundancy. If you use the IP address, the same issue
with redundancy comes in, but you also are going to start facing certicate issues because you can not
get a 3rd party cert for a private IP (depends on provider).

ISE with Static Redirect for Isolated Guest Networks Conguration Example

2. open a hole for your guests to hit your internal DNS server.  This way they can get a proper response.

3. Create a DNS server just for the guest environment.

How Do I Get Support?

For technical questions about ISE, please reach out to the ISE Support community page, your partner or
local account team.

For advanced troubleshooting issues and outages, contact the Cisco Technical Assistance Center.

Tags: access deploy deployment guest guide ise prescriptive wired wireless
  102 Helpful

Share

COMMENTS


06-23-2018 03:5
charleseapen Beginner

Good Document. I'll try this in my upcoming installation.

Can you add settings for SMS option in BYODD or Guest portal. While an user enters his/her phone number an OTP
is sent to the phone. User can login using this OTP to wireless network.


06-23-2018 04:08

Jason Kunst Cisco Employee

Those all depend on the sms provider and are all listed on this page . Are you looking for something else? Then
please provide deep detail in a new community question

https://communities.cisco.com/docs/DOC-64018?mobileredirect=true#jive_content_id_SMS


07-25-2018 05:1
kamlenegi Beginner

Hello Jason,

I have gone through the guest deployment document and able to do wireless guest deployment in 2.3.
 

This document is very nice.

I am stuck in wired guest deployment and not able to push DACL from ISE to switchport which will allow user to
redirect. When user is connecting ISE congure switchport, nothing is happening, swithchport doesn't apply any acl.
Is there working snapshots for wired guest , what exact ACL, I need to congure.

Thanks

Kamlesh


07-25-2018 05:1

Jason Kunst Cisco Employee

Please don’t ask troubleshooting on the post. Open a new thread and see how basic support back and forth may
help

Also might be in your best interest to open Tac case to quick resolution


08-13-2018 02:5
vivekkupekar Beginner

Hi Jason,

Is it mandatory requirement to have catalyst switch in Cisco ISE guest wi- setup.

 
 My requirement is to only setup guest wi-. I understand that it only a Access Point, WLC (for redirection) and ISE
PSN node is required.

I was going through the page 17 of the PDF which talks about "Deploying ISE for Guest Network Access" and
mention of switch is confusing to me.

Thanks,

Vivek


08-13-2018 05:34

Jason Kunst Cisco Employee

There are sections showing the wireless and wired cong separate. Wireless cong has nothing to do with the wired
setup


08-14-2018 12:2
vivekkupekar Beginner

Understood. Thank you.

Latest Contents

 FTD - Upgrade Direction

Created by Quintin.Mayo on 02-11-2021 05:27 AM

1 0 
 Hi, I'm currently running FMC version 6.6.1 and I have two FTDs running 6.6.0.1 and want to make sure I choose the
correct next step to upgrade the FTDs. When I go to download updates the only one I see for the FTDs is Cisco FTD
SSP FP2K Patch 6.6.0.... view more

 URL Filtering License Needing

Created by derar1990 on 02-11-2021 05:24 AM

0 0 
Hi, I have 5506-X with Firepower services, Do i need the URL license for Whitelisting URLs or it just be needed in ca
se i need to blacklisting (Block) urls?The purpose for this that i have a network which i just need to permit a specic
URLs and blo... view more

 Cisco ISE 2.4 email alert

Created by Nadia Bbz on 02-11-2021 04:58 AM

1 0 
Dear Teams ; I congured email alerts for some alarms for a year everything works well , but now i do not receive an
y alarmhow can i send test email for ensure that's the smtp server work ne thanks in advance

 DART
Created by cae5upport on 02-11-2021 02:24 AM

2 0 
Hi Guys, According to Cisco (see source) you can download the DART as a separate MSI installer le, the format is
"anyconnect-win-version-dart-predeploy-k9.msi" but I am unable to nd this particular package via the Cisco down
load and do remem... view more

 Cisco ISE guest portal: person being visited modication

Created by gpinero on 02-11-2021 01:30 AM

0 0 
Hi, I'm trying to chagne some funcionality in guest portal auto register and aproval. Now with ISE you have a eld wit
h: Person being visited (email address)When guest user register in this portal, it's send an email to validate this acc
ess. Well, I... view more

Create Please login to create content

 Discussion  Video

 Blog

 Document

 Project Story

Related Content

 Discussions 

 Blogs 

 Events

 Videos

Project Gallery
 Recommended for you

  Prescriptive guide for ISE VPN 

  Cisco ISE Device Administration Prescriptive Deployment Guide

  Cisco ISE Device Administration Prescriptive Deployment Guide

 guest access

 ISE Secure Access Wizard (SAW) Demo Script and Guide  

 Top

Follow our Social Media Channels

    

Contacts Privacy Statement

Community Feedback Cookie Policy
Site Map Trademarks
Terms & Conditions Help
 Copyright © 2020 Cisco Systems Inc.
All rights reserved.