ISEGuestTraining Foundation Aug2016

Cisco ISE Guest Access
Identity Services Engine Stage 2 Training (Foundation)
Jason A. Kunst, CISSP, CCNP R&S, CCNA Security

Technical Marketing Engineer, Policy & Access
Twitter @nacbot, LinkedIn, Youtube Channel
July 2016
Session Abstract
This session will introduce you to Guest

Access Management with Cisco ISE. It will
go into the standard options available for a
Hotspot and self-reg/sponsored (using
credentials) guest flows. We will discuss the
most used functionality and how they work
together. There will be short demos of each
as well along with some basic configuration
information
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
•  What is Guest?
•  Supported Guest Flows
•  HotSpot
•  Self-registration
•  Sponsored
Agenda
•  Common Items
•  Test URLs, Sponsor Portal, Location
•  Guest Types
•  URL-Redirect/COA
•  Configuration & Policies
•  Customization
What is Guest?
Guest is an end
user web application
companies use to let
people to access the
Internet through
their network.
What does Guest touch?
Visitors Sponsors Employees Administrators
Non-Techy Tech Savvy Coder

You find guest….
Hotels & Conventions

Enterprise
Transportation
Everywhere there are people
Coffee Shops & Retail Schools
Supported Guest Flows
Supported Guest Flows
1.  Hotspot
2.  Self Service
3.  Self Service with Sponsor Approval
4.  Sponsored
Hotspot
Acceptable
Use Policy
I promise
to be good.
Day Ends
I Agree
44:6D:77:B4:FD:01
44:6D:77:B4:FD:01
Goal: Get them on the Internet with AUP acceptance no matter who they are and use
“remember me” them so you don’t get in their way each time they connect.
Self-Registration with SMS
1. Register
2. Text Sent to Phone
3. Login to portal
4. Success!
Goal: Get user on the Internet as long as you have a 3rd party identifier
to prove user is valid—They are who they say they are.
Self Service
Self Service with Email Verification
Fill In A Simple Form Check Your Email Connect to WFI
Pre-Expiration Notification
You are about to

expire! Go here.
http://bit.ly/reup
DESKTOP Mobile
Self Service
Self Service with Sponsor Approval
ISE sends email
requesting
approval
Visiting email?
Approved! credentials Logs into Sponsor

username: trex42
password: littlearms Portal and Approves or
rejects
Approving Self Registration Requests
DESKTOP Mobile
Sponsored Guest Access
Sponsored Flow
Hi! Can I
get on your Sure. I just
Wi-Fi? need a little
information.
Print, email
& SMS
credentials.
Cool!
Demo of Hotspot & Self-reg
Sponsoring Guests
Creating a guest Count – Sponsor Mobile
Click on the icon in the top right of the

mobile screen and select “Create Guest”
to get started. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Creating a guest account – Sponsor Desktop
Browser version of
Account creation by
Sponsor
Create a Guest Account – Sponsor Desktop
Creating random accounts
Import Accounts
Notices When Creating Lots of Accounts
Managing Accounts as a Sponsor
Fields on the Manage Accounts Page

•  Username
•  State (of their account)
•  First Name
•  Last Name
•  Email Address
•  Phone Number
•  Group Tag
•  Sponsor (username)
•  Guest Type
•  Expiration Date (6/30/2014 15:54)
•  Time Left (3 days,23 hours,35
minutes.) © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Demo of Sponsored Guest
Common Items
Locations
When are they needed?
•  FromCreation Accounts
•  Using access times with
FromFirstLogin accounts
•  If used, must create for
all guest locations
•  Only Shown when self-
reg/sponsor creating
account with more than 1
location available
•  wrong location account
may not be active
Guest Types
•  Built-in types use

FromCreation
accounts
•  Recommended to
use FromFirstLogin
Guest Types
From Creation
•  Active at specified start

time
•  Dependent on locations
and timezones
•  Works well with small
amount of timezones
•  Work with access times
Guest Types
From First Login
•  Activated upon First

Login
•  Works well with many
geography (timezones)
•  Doesn’t require
timezone/location
unless using access
time in Guest Type
SMTP Server for email-notifications or basic
SMS (Optional)
•  Configure SMTP Server
for email and/or basic
SMS
•  For email only - Enable
email notifications and
set from address
Test your portal without a real client
Use for all portals, works best with guest/sponsor
https://server.company.com:8443/sponsorportal/PortalSetup.action?portal=44d99ef0-ef7d-11e3-bc94-005056bf2f0a
Where does a Guest flow send Guests?
Page they
tried to
reach.
Example:
google.com
Predefined URL
such as the
company page.
Custom ISE
Success Page
Secret Code Controls Access to Guest Wi-Fi
Registration code: require the
What is the ? Secret
user to enter a code before code:
completing a self service chemist
registration.
Access code: require the user to

enter a code before accessing
a hotspot or logging in using
guest credentials.
Rotate code: there is no way
besides manually changing
the value
ISE Guest and Employee
onboarding flows support the
End User Device Limit ability to limit a user to a specific

number of devices.
Management For Your

Reference
In this example the admin has
limited guests to 5 devices. In
other words, a guest user can’t
log in with a 6th device.
But this can be very confusing to

end users who are wondering why
they can’t log in a 6th device or
why another device got kicked off.
ISE eliminates this confusion.
ISE walks the end user through

what is happening and gives them
a choice.
When a guest or employee tries to

onboard a 6th device he/she is
presented a page explaining that
they can only have 5 devices on
the network and they are trying to
add a 6th. They see a list of their 5
existing devices and can choose
to kick another off the network in
order to add new one.
What is URL-redirection?
•  Provides the ability to send device browsers to a portal to provide

further information
•  Send users to an hotspot or credentialed portal (for account
creation and/or login)
What is COA Re-auth?
•  Provides the needed mechanism to change state from a redirection state

(initial connection) then to a permit access (final access)
•  Provides changes to the redirection along with VLAN, ACL, SGT
•  Upon 1st connect device/user is unknown and redirected to guest portal
•  After device is registered and/or the user logins then they are permitted
access (no more redirection)
Configuration & Policies
Basic Configuration Steps Wireless Controller
Used for all flows
1.  Security
•  AAA > RADIUS > Authentication & Accounting
•  Access Control Lists > Guest Redirect & Permit
2.  WLAN
•  Create WLAN
•  Security > Layer 2 – None, MAC filtering enabled
•  AAA Servers enabled for ISE Authentication & Accounting
•  Advanced > Select NAC State >RADIUS NAC & Check Allow AAA Override
Configuration Steps Wireless Controller
Configure Security Options > AAA > RADIUS
Configure Security Options > Access Control Lists
Configure Security Options > Access Control Lists
Create a WLAN
WLAN > Security
WLAN > Advanced
Final WLAN
Configuration Steps ISE
Add wireless controller
Authentication Policy
(Intelligent Default)
•  ISE 2.x Authentication Policy by default allows MAB for unknown endpoints – if user
not found then Continue
•  Mac Authentication Bypass is used to send unknown endpoints to be checked by the
authorization policy and redirected to the guest portal
•  that’s all that’s needed for the authentication piece!
Guest Portals included
(Intelligent Default)
•  Portals ready to go
•  Self-registered portal linked out of box to an authorization policy (intelligent default)
•  Other elements also included, Sponsor Portal, Guest Types
Authorization Profile
Create guest permit – used for all flows (required if using acl passed by
ISE)
Basic Configuration Steps Hotspot
1.  Setup Authorization Profiles

•  Profile to redirect to Hotspot Portal
•  Create and name PermitGuest with guest-acl for airespace ACL name
2.  Setup Authorization Rules (in following order)
•  If Wireless_MAB and GuestEndpoints Group then use PermitGuest authz
profile
•  If Wireless_MAB then use HotSpotRedirect authz profile
3.  Optional > Modify Portal
4.  Connect to the Hotspot Wireless network and accept the AUP!
Configuration Steps Hotspot
Authorization Profiles > Create Hotspot
Authorization Rules > Modify & Create
Modify portal – Work Center > Guest Access > Configure (Optional)
Connect to Hotspot!
Common Config for Self-Reg/Sponsored
•  SMTP and/or SMS Settings

•  Not Required for Self-Reg
•  1 or both required for Sponsor
•  Guest Types (Built-in)
•  Authorization Profiles
•  WebAuth Redirect
•  PermitGuest
•  Locations
Basic Configuration Steps Self-Reg

•  Create and name PermitGuest with guest-acl for airespace
ACL name
2.  Setup Authorization Rules
•  Enable built-in rules for Wi-Fi redirect to guest login and guest
access
3.  Setup locations outside of built-in/default San Jose
4.  Optional > Modify Portal
5.  Optional > Configure notifications
•  Email server or SMS providers
6.  Connect to self-reg Wireless network, create an account and login
Configuration Steps – Self-Reg
Authorization Policies 2. Replace this
1. Built-in!
1.  Intelligent Defaults! Self-Registered portal by default is used by Cisco_WebAuth rule

out of box
2.  ISE 2.1 Authorization Policy has most of what you need built-in but needs a different
authz profile if you want to pass an ACL, you need to make a new authz profile (can’t
modify built-in permit access) © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Configuration Steps – Self-Reg
Authorization Policy Final result
•  Final result of new authz profile and rule
What is the flow?

1.  1st redirect to built in self-reg portal (Cisco_WebAuth)
2.  Once user goes through login they are permitted access via guest flow
Configuration Steps Self-Reg
Self-Reg page > Location, SMS Providers, Notification Options
Create Account and Login
Basic Configuration Steps Sponsored
•  Create and name PermitGuest with guest-acl for airespace
ACL name
•  Change the Cisco_WebAuth Profile to use Sponsored Guest
Portal
2.  Setup Authorization Rules
•  Enable built-in rules for Wi-Fi_redirect to Guest Login and use
default authz profile
•  Enable built-in rule for wi-fi guest access to use PermitGuest
3.  Create internal sponsors mapped to ALL_ACCOUNTS or connect
to AD and map your sponsor groups
4.  Choose notification method
5.  Connect to Sponsor Portal and Create a guest account
6.  Login to Sponsored Guest Portal © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Configuration Steps – Sponsored
Authorization Policies 2. Replace this
1. Built-in!
1.  Change the Web Redirection to the default Sponsored Portal

2.  ISE 2.1 Authorization Policy has most of what you need built-in but needs a different
authz profile if you want to pass an ACL, you need to make a new authz profile (can’t
modify built-in permit access)
Configuration Steps – Sponsored
Authorization Policy Final result
•  Final result of new authz profile and rule
What is the flow?

1.  1st redirect to built in Sponsored portal (Cisco_WebAuth)
2.  Once user goes through login they are permitted access via guest flow
Configuration Steps Sponsored
Setup your internal sponsors
Setup your sponsors (connect with AD accounts)
Setup the locations sponsors can use (outside of california)
Allow Sponsors to send SMS notifications (options)
Sponsor Portal > Launch
Create Account
Login
Credentialed login flow (self-reg/sponsored)
•  Requires user to login with every new NAD session
•  Will honor all guest type attributes
•  No ability to bypass portal
•  Works correctly with syslog from firewall (sites visited in master guest
report)
Remember Me to Avoid Re-Auth
•  Device/user logs in to hotspot or credentialed portal
•  MAC automatically registered into GuestEndpoint group
•  Authz policy for GuestEndpoint Group grants immediate
access until device purged,
•  This is standard hotspot, for credentialed flows no need
to login to the webauth portal again
Remember Me to Avoid Re-Auth
Credentialed flow caveats
•  Guest Type options don’t apply as require
login to portal
•  Unable to restrict access based off times
•  Cannot restrict how many sessions at once
(can restrict how many devices are
registered)
•  Won’t show username and device in same
report entry
Authorization Policy SGT can also be
used for
Example enforcement
Redirection to Guest Portal, Different portals are used here for different guest flows
Hotspot COA disconnect?
•  Bad user experience if

disconnect when roaming
open networks, some devices
take a while to reconnect
(10-30 sec)
•  COA Reauthenticate
addresses this and is default
settings going forward
•  ISE 1.3-2.1 are disconnect
(terminate)
•  CSCut93791- Introduced in
ISE 2.1patch1
Easy ISE Wireless Guest Setup
•  ISE Wireless Guest Setup Guide for 1.4/2.0
(mostly same for 2.1)
•  Wizard available for 1.4, 2.x
•  Free, downloadable application
•  Simplifies ISE and wireless controller
installation
•  Provisions Hotspot, Self-Registered or
Sponsor services
•  Modifies guest portals with logo and colors
•  Start with setup guide -
ISE Wireless Guest Setup Guide
Customizing Portals
Which Portals Are Customizable
All except the admin portal
1.  Guest
Sponsor Portal
2.  Sponsor
3.  BYOD (Device Registration)
4.  My Devices
5.  Client Provisioning (Desktop Posture)
6.  MDM (Mobile Device Management)
7.  Certificate Provisioning
8.  Blacklist Guest Portals
Customize each portal independently
Customizing Portals - Previews
e P r eview
Mobil
Desktop Preview
Logos, Banners, Titles, and Languages
Languages
15 built-in, export template
and build your own
Change the look

Banners/Icon/Logos
Customizing Portals
Out of the box themes
Guest Guest Guest Guest

Theme Theme 2 Theme 3 Theme 4
Default Olive Fresh Blue High
Contrast
Tweaking Default Themes
Themes Tweaks
Pick from built-in or change
with built-in color picker
Page Content Customization
Page Content Settings
The Mini Editor
•  Available in most
pages
•  Allows the admin to
add test messages
that include
variables to further
enrich and
personalize the
guest experience
The Mini Editor - Variables
The Mini Editor - HTML Source Mode
Feature support for the

very Geeky
Test your portal without having a real device
For language to test
Quick Language Switcher Tool
Link
Monitoring & Reporting
Guest Monitoring – Radius LiveLog
Hotspot Access
No name in log Jkunst logging in
(same for as Guest
endpoint group
access)
Guest Reports
Guest Visibility
My Dashboard shows user based login for guest, not hotspot or endpoint
Active endpoint shows all endpoints (no dashlet for just guestendpoints)
Details do not show the username
Remember Me
Livelog
Initial login has user and MAC, subsequent only MAC address
•  Operations > RADIUS Livelog
Remember Me
Reporting will show initial login with user
Operations > Reports > Guest > Master Guest Report
Guest Accounting report shows mac address – CSCuh14138

Guest remember me breaks ISE guest activity logging – CSCux55288
Example - logging traffic on ISE
IP XYZ > user ABC

so
“user ABC sent this traffic” “SYSLOG: IP XYZ sent this traffic”
“RADIUS accounting: user ABC, IP XYZ, etc.”
http://www.cisco.com/c/en/us/support/docs/security/nac-appliance-clean-access/110304-integrated-url-log.html
Tracking Guest Web Traffic?
Sending ASA syslog to ISE MnT (1/3)
Send syslogs to
ISE MNT:
UDP port 20514
Filter messages ID #
304001: accessed
URLs
Create Service Policy in

ASA to inspect HTTP
traffic for guest subnet
ISE shows
accessed URLs
in Master Guest
Report
Resources
•  For customers/partners •  For partners
•  ISE Guest Public page •  ISE Express License Bundle
•  ISE 1.4 Install Guide •  Security Partner Community
•  ISE 2.0 Install Guide •  Ordering Guide
•  ISE Portal Builder

ISEGuestTraining Foundation Aug2016

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

ISEGuestTraining Foundation Aug2016

Transféré par

Droits d'auteur :

Formats disponibles

Cisco ISE Guest Access

Identity Services Engine Stage 2 Training (Foundation)

Jason A. Kunst, CISSP, CCNP R&S, CCNA Security

This session will introduce you to Guest

Non-Techy Tech Savvy Coder

Hotels & Conventions

2. Text Sent to Phone

You are about to

Approved! credentials Logs into Sponsor

Click on the icon in the top right of the

Fields on the Manage Accounts Page

• Built-in types use

• Active at specified start

• Activated upon First

Access code: require the user to

End User Device Limit ability to limit a user to a specific

Management For Your

But this can be very confusing to

ISE walks the end user through

When a guest or employee tries to

• Provides the ability to send device browsers to a portal to provide

• Provides the needed mechanism to change state from a redirection state

1. Setup Authorization Profiles

• SMTP and/or SMS Settings

1. Setup Authorization Profiles

1. Intelligent Defaults! Self-Registered portal by default is used by Cisco_WebAuth rule

• Final result of new authz profile and rule

What is the flow?

1. Change the Web Redirection to the default Sponsored Portal

• Final result of new authz profile and rule

What is the flow?

• Bad user experience if

Change the look

Guest Guest Guest Guest

Feature support for the

Details do not show the username

Guest Accounting report shows mac address – CSCuh14138

IP XYZ > user ABC

“RADIUS accounting: user ABC, IP XYZ, etc.”

Create Service Policy in

Vous aimerez peut-être aussi

•  Built-in types use

•  Active at specified start

•  Activated upon First

•  Provides the ability to send device browsers to a portal to provide

•  Provides the needed mechanism to change state from a redirection state

1.  Setup Authorization Profiles

•  SMTP and/or SMS Settings

1.  Setup Authorization Profiles

1.  Intelligent Defaults! Self-Registered portal by default is used by Cisco_WebAuth rule

•  Final result of new authz profile and rule

1.  Change the Web Redirection to the default Sponsored Portal

•  Final result of new authz profile and rule

•  Bad user experience if