© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• What is Guest?
• Supported Guest Flows
• HotSpot
• Self-registration
• Sponsored
Agenda
• Common Items
• Test URLs, Sponsor Portal, Location
• Guest Types
• URL-Redirect/COA
• Configuration & Policies
• Customization
What is Guest?
Guest is an end-user web application that companies use to let people access the Internet through their network.
What does Guest touch?
Visitors, Sponsors, Employees, Administrators
Everywhere there are people: Transportation, Coffee Shops & Retail, Schools
Supported Guest Flows
Supported Guest Flows
1. Hotspot
2. Self Service
3. Self Service with Sponsor Approval
4. Sponsored
Hotspot
[Figure: Acceptable Use Policy page ("I promise to be good." / "I Agree"); endpoint MAC 44:6D:77:B4:FD:01; "Day Ends"]
Goal: Get them on the Internet with AUP acceptance no matter who they are, and use “remember me” so you don’t get in their way each time they connect.
Self-Registration with SMS
1. Register
3. Login to portal
4. Success!
Goal: Get the user on the Internet as long as you have a third-party identifier to prove the user is valid: they are who they say they are.
Self Service
Self Service with Email Verification
1. Fill In A Simple Form
2. Check Your Email
3. Connect to Wi-Fi
Pre-Expiration Notification
DESKTOP Mobile
Self Service
Self Service with Sponsor Approval
ISE sends email requesting approval
Visiting email?
Approving Self Registration Requests
DESKTOP Mobile
Sponsored Guest Access
Sponsored Flow
"Hi! Can I get on your Wi-Fi?"
"Sure. I just need a little information."
Print, email & SMS credentials.
"Cool!"
Demo of Hotspot & Self-reg
Sponsoring Guests
Sponsored Guest Access
Creating a Guest Account – Sponsor Mobile
Browser version of account creation by Sponsor
Create a Guest Account – Sponsor Desktop
Sponsored Guest Access
Creating random accounts
Import Accounts
Notices When Creating Lots of Accounts
Managing Accounts as a Sponsor
Common Items
Locations
When are they needed?
• FromCreation accounts
• Using access times with FromFirstLogin accounts
• If used, must create for all guest locations
• Only shown when self-reg/sponsor is creating an account with more than 1 location available
• With the wrong location, the account may not be active
Guest Types
Guest Types
From Creation
Guest Types
From First Login
SMTP Server for email notifications or basic SMS (Optional)
• Configure SMTP Server for email and/or basic SMS
• For email only - Enable email notifications and set from address
Test your portal without a real client
Use for all portals, works best with guest/sponsor
https://server.company.com:8443/sponsorportal/PortalSetup.action?portal=44d99ef0-ef7d-11e3-bc94-005056bf2f0a
Where does a Guest flow send Guests?
• Page they tried to reach. Example: google.com
• Predefined URL such as the company page.
• Custom ISE Success Page
Secret Code Controls Access to Guest Wi-Fi
Registration code: require the user to enter a code before completing a self-service registration.
[Figure: "What is the ?" / "Secret code: chemist"]
ISE Guest and Employee
onboarding flows support the
Configuration & Policies
Basic Configuration Steps Wireless Controller
Used for all flows
1. Security
• AAA > RADIUS > Authentication & Accounting
• Access Control Lists > Guest Redirect & Permit
2. WLAN
• Create WLAN
• Security > Layer 2 – None, MAC filtering enabled
• AAA Servers enabled for ISE Authentication & Accounting
• Advanced > Select NAC State > RADIUS NAC & Check Allow AAA Override
Configuration Steps Wireless Controller
Configure Security Options > AAA > RADIUS
Configuration Steps Wireless Controller
Configure Security Options > Access Control Lists
Configuration Steps Wireless Controller
Configure Security Options > Access Control Lists
Configuration Steps Wireless Controller
Create a WLAN
Configuration Steps Wireless Controller
WLAN > Security
Configuration Steps Wireless Controller
WLAN > Advanced
Configuration Steps Wireless Controller
Final WLAN
Configuration Steps ISE
Add wireless controller
Authentication Policy
(Intelligent Default)
• ISE 2.x Authentication Policy by default allows MAB for unknown endpoints – if user not found then Continue
• MAC Authentication Bypass is used to send unknown endpoints to be checked by the authorization policy and redirected to the guest portal
• That’s all that’s needed for the authentication piece!
Guest Portals included
(Intelligent Default)
• Portals ready to go
• Self-registered portal linked out of box to an authorization policy (intelligent default)
• Other elements also included, Sponsor Portal, Guest Types
Authorization Profile
Create guest permit – used for all flows (required if using ACL passed by ISE)
Basic Configuration Steps Hotspot
Configuration Steps Hotspot
Authorization Profiles > Create Hotspot
Configuration Steps Hotspot
Authorization Rules > Modify & Create
Configuration Steps Hotspot
Modify portal – Work Center > Guest Access > Configure (Optional)
Configuration Steps Hotspot
Modify portal – Work Center > Guest Access > Configure (Optional)
Configuration Steps Hotspot
Modify portal – Work Center > Guest Access > Configure (Optional)
Configuration Steps Hotspot
Connect to Hotspot!
Common Config for Self-Reg/Sponsored
Basic Configuration Steps Self-Reg
Configuration Steps – Self-Reg
Authorization Policies
1. Built-in!
2. Replace this
Configuration Steps Self-Reg
Self-Reg page > Location, SMS Providers, Notification Options
Configuration Steps Self-Reg
Modify portal – Work Center > Guest Access > Configure (Optional)
Configuration Steps Self-Reg
Create Account and Login
Basic Configuration Steps Sponsored
1. Set up Authorization Profiles
• Create and name PermitGuest with guest-acl for airespace ACL name
• Change the Cisco_WebAuth Profile to use Sponsored Guest Portal
2. Set up Authorization Rules
• Enable built-in rules for Wi-Fi_redirect to Guest Login and use default authz profile
• Enable built-in rule for wi-fi guest access to use PermitGuest
3. Create internal sponsors mapped to ALL_ACCOUNTS or connect to AD and map your sponsor groups
4. Choose notification method
5. Connect to Sponsor Portal and create a guest account
6. Log in to Sponsored Guest Portal
Configuration Steps – Sponsored
Authorization Policies
1. Built-in!
2. Replace this
Configuration Steps Sponsored
Setup your internal sponsors
Configuration Steps Sponsored
Setup your sponsors (connect with AD accounts)
Configuration Steps Sponsored
Set up the locations sponsors can use (outside of California)
Configuration Steps Sponsored
Allow Sponsors to send SMS notifications (options)
Configuration Steps Sponsored
Sponsor Portal > Launch
Configuration Steps Sponsored
Create Account
Configuration Steps Sponsored
Modify portal – Work Center > Guest Access > Configure (Optional)
Configuration Steps Sponsored
Login
Credentialed login flow (self-reg/sponsored)
• Requires user to log in with every new NAD session
• Will honor all guest type attributes
• No ability to bypass portal
• Works correctly with syslog from firewall (sites visited in master guest report)
Remember Me to Avoid Re-Auth
• Device/user logs in to hotspot or credentialed portal
• MAC automatically registered into GuestEndpoint group
• Authz policy for GuestEndpoint group grants immediate access until the device is purged
• This is standard hotspot behavior; for credentialed flows, there is no need to log in to the webauth portal again
Remember Me to Avoid Re-Auth
Credentialed flow caveats
• Guest Type options don’t apply, as they require login to the portal
• Unable to restrict access based on times
• Cannot restrict how many sessions at once (can restrict how many devices are registered)
• Won’t show username and device in the same report entry
Authorization Policy Example
SGT can also be used for enforcement
Redirection to Guest Portal. Different portals are used here for different guest flows.
Hotspot COA disconnect?
Easy ISE Wireless Guest Setup
• ISE Wireless Guest Setup Guide for 1.4/2.0 (mostly same for 2.1)
• Wizard available for 1.4, 2.x
• Free, downloadable application
• Simplifies ISE and wireless controller installation
• Provisions Hotspot, Self-Registered or Sponsor services
• Modifies guest portals with logo and colors
• Start with setup guide - ISE Wireless Guest Setup Guide
Customizing Portals
Which Portals Are Customizable
All except the admin portal
1. Guest
Sponsor Portal
2. Sponsor
3. BYOD (Device Registration)
4. My Devices
5. Client Provisioning (Desktop Posture)
6. MDM (Mobile Device Management)
7. Certificate Provisioning
8. Blacklist Guest Portals
Customize each portal independently
Customizing Portals - Previews
Mobile Preview
Desktop Preview
Logos, Banners, Titles, and Languages
Languages: 15 built-in, export template and build your own
Customizing Portals
Out of the box themes
Themes Tweaks: Pick from built-in or change with built-in color picker
Page Content Customization
Page Content Settings
The Mini Editor
• Available in most pages
• Allows the admin to add text messages that include variables to further enrich and personalize the guest experience
The Mini Editor - Variables
The Mini Editor - HTML Source Mode
Test your portal without having a real device
For language to test
Quick Language Switcher Tool
Link
Monitoring & Reporting
Guest Monitoring – Radius LiveLog
Hotspot Access: No name in log (same for endpoint group access)
Jkunst logging in as Guest
Guest Reports
Guest Visibility
My Dashboard shows user based login for guest, not hotspot or endpoint
Active endpoint shows all endpoints (no dashlet for just guestendpoints)
Remember Me
Livelog
Initial login has user and MAC, subsequent only MAC address
• Operations > RADIUS Livelog
Remember Me
Reporting will show initial login with user
Operations > Reports > Guest > Master Guest Report
Example - logging traffic on ISE
http://www.cisco.com/c/en/us/support/docs/security/nac-appliance-clean-access/110304-integrated-url-log.html
Tracking Guest Web Traffic?
Sending ASA syslog to ISE MnT (1/3)
Send syslogs to ISE MnT: UDP port 20514
Filter on message ID 304001: accessed URLs
Tracking Guest Web Traffic?
Sending ASA syslog to ISE MnT (2/3)
ISE shows accessed URLs in Master Guest Report
Tracking Guest Web Traffic?
Sending ASA syslog to ISE MnT (3/3)
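The filtering described on these slides, as an added example that is not from the original deck or from Cisco: it keeps only message ID 304001 from a syslog stream and attributes each accessed URL to a guest session by client IP, including a remembered device that is known only by MAC. The message layout, the IP-keyed session table and every sample value are constructed assumptions.

```python
import re

# Assumed layout of ASA message 304001:
#   "%ASA-5-304001: [user@]<client-ip> Accessed URL <server-ip>:<url>"
ASA_304001 = re.compile(
    r"%ASA-\d-304001:\s+(?:\S+@)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+\(\S+\))?\s+Accessed\s+(?:JAVA\s+)?URL\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<url>\S+)"
)

# Constructed sample syslog lines (not taken from the deck).
SAMPLE_SYSLOG = [
    "<165>Jun 01 2016 10:15:02: %ASA-5-304001: 10.10.20.15 Accessed URL 198.51.100.7:/index.html",
    "<166>Jun 01 2016 10:15:04: %ASA-6-302013: Built outbound TCP connection 41 "
    "for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.10.20.15/51000 (10.10.20.15/51000)",
    "<165>Jun 01 2016 10:15:09: %ASA-5-304001: 10.10.20.31 Accessed URL 203.0.113.9:/news/today",
    "<165>Jun 01 2016 10:15:11: %ASA-5-304001: 10.10.20.99 Accessed URL 203.0.113.9:/login",
]

# Hypothetical session table keyed by client IP. "user" is None for a
# remembered device: after the initial login only the MAC address is known.
SAMPLE_SESSIONS = {
    "10.10.20.15": {"user": "guest01", "mac": "AA:BB:CC:00:00:01"},
    "10.10.20.31": {"user": None, "mac": "AA:BB:CC:00:00:02"},
}


def parse_accessed_urls(lines):
    """Drop everything except message ID 304001; return (src, dst, url) tuples."""
    hits = []
    for line in lines:
        m = ASA_304001.search(line)
        if m:
            hits.append((m["src"], m["dst"], m["url"]))
    return hits


def attribute_to_guests(hits, sessions):
    """Group accessed URLs by guest username, falling back to MAC, then to bare IP."""
    report = {}
    for src, dst, url in hits:
        session = sessions.get(src)
        if session is None:
            who = "unattributed " + src  # no guest session for this address
        else:
            who = session["user"] or session["mac"]
        report.setdefault(who, []).append((dst, url))
    return report


if __name__ == "__main__":
    hits = parse_accessed_urls(SAMPLE_SYSLOG)
    for who, urls in attribute_to_guests(hits, SAMPLE_SESSIONS).items():
        print(who, urls)
```

Traffic from an address with no guest session is kept under an "unattributed" key rather than dropped, so gaps in session tracking stay visible in the output.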
Resources
• For customers/partners
  • ISE Guest Public page
  • ISE 1.4 Install Guide
  • ISE 2.0 Install Guide
  • ISE Portal Builder
• For partners
  • ISE Express License Bundle
  • Security Partner Community
  • Ordering Guide