In Cisco ISE, select the Work Centers tab and in the Guest Access group, click Overview. Select the Portals & Components tab and click Guest Portals. Select the Self-Registered Guest Portal option and click Continue. Note: This is not the main portal for the user interaction to SecureAuth IdP. Instead, this is a subportal interaction to verify session status. Connection is protected by ISE admin certificate. As a result of this probe ISE can return session ID back to the client if node where probe landed is the same node where user has been authenticated. Hotspot Guest Portal: The Hotspot Guest portal is an alternative Guest portal that allows you to provide network access without requiring.
![Ise Guest Portal Certificate Ise Guest Portal Certificate](/uploads/1/2/6/4/126487087/971918023.png)
Follow the steps below to complete device enrollment when demonstrating personal devices in the Cisco ISE demonstrations.
Depending on the software version of your device, the steps below may vary.
Scenario Credentials
The table below contains the scenario credentials that will be needed to complete device enrollment.
Table 1. Scenario Credentials
Scenario / Vertical | Username | Password | Access Level | Connections Center Webpage |
Healthcare | doctor | C1sco12345 | Tier 1 – Full | http://health.dcloud.cisco.com |
Healthcare | nurse | C1sco12345 | Tier 2 – Limited Access | http://health.dcloud.cisco.com |
Education | dean | C1sco12345 | Tier 1 – Full Access | http://edu.dcloud.cisco.com |
Education | professor | C1sco12345 | Tier 2 – Limited Access | http://edu.dcloud.cisco.com |
Federal | captain | C1sco12345 | Tier 1 – Full Access | http://federal.dcloud.cisco.com |
Federal | officer | C1sco12345 | Tier 2 – Limited Access | http://federal.dcloud.cisco.com |
Corporate | manager | C1sco12345 | Tier 1 – Full Access | http:/corp.dcloud.cisco.com |
Corporate | employee | C1sco12345 | Tier 2 – Limited Access | http:/corp.dcloud.cisco.com |
N/A | itadmin | C1sco12345 | Full Demo Access |
Apple iOS Devices
If prompted while going through BYOD for a PIN or password, enter your device specific pin/password.
Follow the steps below to enroll Apple iOS devices.
- Connect to the wireless network.
- Go to Settings > Wi-Fi and connect to the network dCloud-Guest.
- Open a website to be redirected to the Guest Portal to perform onboarding.
- Open your built-in browser (Apple Devices: Safari)
- Attempt to connect to your Demo Scenario page (ex: corp.dcloud.cisco.com) and you will be redirected to the Guest portal.
If this doesn’t work try another http site, for example http://cnn.com
Be sure that the website you attempt to open uses HTTP, as HTTPS redirection is not supported in this demo.
- On the guest portal, login with the user credentials for your selected scenario, as shown in Table 1.
- Click Accept to accept the Acceptable Use Policy.
- Click Start on the BYOD welcome page.
- Fill out the device information and click continue.
- Click Launch Apple Profile and Certificate Installers Now
- On the Install Profile screen click Install to install the digital certificate for User Trust RSA Certification Authority.
- Click Install on the Warning message that pops up.
- Click Done on the profile installed screen.
- Click Install once again on the Install Profile screen to install the profile service, then click Install Now to verify
The first profile installation installs the CA root certificate, while the second profile installation installs the individual device certificate and the wireless settings needed to connect to the secure network.
- Click Done on the profiled installed screen.
Cisco Ise Guest Portal Certificate Error
- You are redirected to the Success page. Go to Settings > Wi-Fi forget the dCloud-Guest network and you should automatically connect to network dCloud-Registered.
Please see the following link with known issues with different clients connecting to the ISE demos – https://communities.cisco.com/docs/DOC-75784
Android Devices
If prompted while going through BYOD for a PIN or password, enter C1sco12345.
Cisco Ise Guest Portal Certificate
Some Android devices require an SD card to store security certificates. Please be aware that some Android devices might not work with this demonstration. Android is open source across cellular carriers and device vendors. Some vendors update their code more frequently than others. Compatibility with all devices cannot be guaranteed.
Follow the steps below to enroll Android devices.
- Go to Settings > Wi-Fi and connect to the network dCloud-Guest.
- Launch the default Android web browser and access the Connections Center Webpage for your selected scenario as shown in Table 1. Accept any HTTPS warnings if necessary.
- Login with the username and password for your selected scenario. You are redirected to the self-provisioning page.
- Click Accept to accept the AUP.
- Fill out the device information and click Continue.
- Close you web browser and use the Google Play Store application on your device to download the Cisco Network Setup Assistant. If prompted for a Pin, enterC1sco12345.
Because Android is an open platform, we cannot account for all variations of the product.
- Open Network Setup Assistant and click Start. Wait for your Android to be provisioned and joined to the correct network.
- On your device, in WiFi Settings, select the dCloud-Guest SSID and forget the SSID.
- Connect to the dCloud-Registered SSID.
You cannot use a randomized MAC address (Android default) when logging in because this causes a different MAC to be used for different SSIDs login and results in failure to authenticate to networks. You must use the actual MAC address of the device.
Mac OSX Workstations
- Connect to the wireless network.
- Click the wireless icon at the top of the desktop and connect to the network dCloud-Guest.
- Open a website to be redirected to the Guest Portal to perform onboarding.
- Open your built-in browser (Apple Devices: Safari).
- Attempt to connect to your Demo Scenario page (ex: corp.dcloud.cisco.com) and you will be redirected to the Guest portal.
- If you are prompted with a certificate warning, click continue.
Be sure that the website you attempt to open uses HTTP, as HTTPS redirection is not supported in this demo.
- On the guest portal, login with the user credentials for your selected scenario, as shown in Table 1.
- Click Accept to accept the AUP.
- Click Start on the BYOD welcome page.
- Fill out the device information and click continue.
Ise Guest Portal Certificate
- You are brought to the install page. The Cisco Network Setup Assistant will automatically begin downloading in the background. When it is done, open your downloads folder in finder and launch the SPW.tar.gz which extracts into cisco_network_setup_assistant.dmg.
- Double click the Cisco Network Setup Assistant icon. You may be prompted with a warning that “Cisco Network Setup Assistant” is an application downloaded from the internet. Click Open on this warning to launch the application.
You may need to change security settings in OSX in order to run the Cisco Network Setup Assistant application. By default, OSX will only allow you to install applications from Apple. If you get an error that the Cisco Network Setup Assistant cannot be run, you likely need to change security settings. To do this go to System Preferences then Security & Privacy. At the bottom, in the section labeled Allow apps downloaded from: select the Anywhere radio button
- Click Start in the Network Setup Assistant. Click Continue on the verify certificate popup if necessary.
- Enter your local computer credentials and click OK. These are the same credentials you use to login to your Mac. You may need to enter your credentials twice during this process, depending on your version of OSX due to security changes in OSX.
- Click Exit on the network setup assistant after it successfully completes
- OSX should automatically switch you to the dCloud-Registered network. Verify you are now connected to the dCloud-Registered network
- Open Safari and enter the Connections Center Webpage that corresponds to your selected scenario (Table 1).
Windows Workstations
You must use the default Windows wireless client for this demo.
- Connect to the wireless network.
- Click the wireless icon and connect to the network dCloud-Guest.
- Open a website to be redirected to the Guest Portal to perform onboarding.
- Open your built-in browser (Windows: IE/EDGE).
- Attempt to connect to your Demo Scenario page (ex: corp.dcloud.cisco.com) and you will be redirected to the Guest portal.
- If you are prompted with a certificate warning, click continue.
Be sure that the website you attempt to open uses HTTP, as HTTPS redirection is not supported in this demo.
- On the guest portal, login with the user credentials for your selected scenario, as shown in Table 1.
- Click Accept to accept the AUP.
- Click Start on the BYOD welcome page.
- Fill out the device information and click continue.
- The Cisco Network Setup Assistant will be downloaded. If you are prompted, save the file NetworkSetupAssistant.exe to your Downloads folder.
- Launch the NetworkSetupAssistant.exe installer that was downloaded. Click Run on any security warnings.
- Click Start. Proceed through any certificate warning messages, if necessary.
- Click Exit on the network setup assistant after it successfully completes.
- Windows should automatically switch you to the dCloud-Registered network. Verify you are now connected to the dCloud-Registered network
- Open IE or Firefox and enter the Connections Center Webpage that corresponds to your selected scenario (Table 1).
This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 9: Guest and web authentication
Webauthentication can be used for guest access. It can also being used for a last resort for authentication of normal users if the 802.1x supplicant is not working. Access to this portal can be done by a remediation VLAN with limited access to resources. The portal is using HTTP and HTTPS, because of limited access, the NAD (or WLC) will intercept the HTTP request and redirects it to the web portal.
There are two portals: Guest user portal is a portal the guest is using for logging in. The Sponsor portal is a portal being used by company employees for creating and managing guest accounts. The guest portal is customizable in available options for guest users.
To manage the RADIUS requests, the portal is installed on all required policy nodes. The configuration of the portal (and users) are replicated to all nodes. So, there is a central deployment.
You can configure multiple authorization sources in one rule. So, you can use one SSID for all used: internal production use, BYOD, Guest, etc. This is a nice feature of Cisco ISE.
Configuration
Click Administration – Guest management – Settings, click the arrow and click Multi-portal configurations.
Edit the DefaultGuestPortal to your needs:
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 9: Guest and web authentication
Webauthentication can be used for guest access. It can also being used for a last resort for authentication of normal users if the 802.1x supplicant is not working. Access to this portal can be done by a remediation VLAN with limited access to resources. The portal is using HTTP and HTTPS, because of limited access, the NAD (or WLC) will intercept the HTTP request and redirects it to the web portal.
There are two portals: Guest user portal is a portal the guest is using for logging in. The Sponsor portal is a portal being used by company employees for creating and managing guest accounts. The guest portal is customizable in available options for guest users.
To manage the RADIUS requests, the portal is installed on all required policy nodes. The configuration of the portal (and users) are replicated to all nodes. So, there is a central deployment.
You can configure multiple authorization sources in one rule. So, you can use one SSID for all used: internal production use, BYOD, Guest, etc. This is a nice feature of Cisco ISE.
Configuration
Click Administration – Guest management – Settings, click the arrow and click Multi-portal configurations.
Edit the DefaultGuestPortal to your needs:
- Password policies
- Need of posture client
- self service
- device registration
- DHCP settings
- Policies
- etc
Click Policy – Policy elements – Results – Authorization – Authorization Profiles and create a new profile with “web authentication” checked.
The mentioned ACL is not available in ISE, this ACL should be available in the switch. Choose “manual” as redirect option.
To configure web authentication as a fallback. Click Policy – Authentications and edit the needed rule. Select “Continue” in all three options:
Create a new rule for no matches in the identity groups, use webauth as authorization. Click Policy – Authorization and edit the needed rule. Select the guest portal as authorization option:
You can edit the DACL for company users after authorization.
Click Policy – Policy Elements – Results. Selecht Authorizations – Downloadable ACLS > Dot1x_Valid_Domain_User. Add a permit to the ISE policy node IP(s).
Make sure that the client can access the webauth portal before authentication (by a preauth ACL).
Enable CoA on the switch:
Guest portal configuration
First, create a sponsor group. Click Administration – Identity management – groups, click Add and enter a name.
Next, configure the SMTP settings under administration – System – Settings. Select SMTP and enter the smtp server.
Click Administration – Guest management – Settings and click General – ports. Check and/or change the port numbers.
Create a user group in active directory for sponsor users. Add this group in ISE: click Administration – identity management – external identity sources. Select Active directory and click Groups. Add the sponsor group.
Click Administration – Guest management – Sponsor group policy. Change the identity groups field to Any. In the other conditions field, click the plus sign and select Create new Condition. In the expression field, select your domain. In the most right field, select the active directory sponsor group.
Do not forget to apply the correct authentication sequence to the sponsor portal. Click Administration – Guest management – Settings. Selecht Sponsor – Authentication source
In the WLC configure a ACL with only access to the ISE node and DNS lookups to your DNS server. Make sure you use the same ACL name as you use in the “Authorization profile”. In the WLC, click: Wireless – All AP’s, click a AP, click Flexconnect, External Webauthentication ACL.
Click Add under Webpolicies, to add the ACL.
Repeat these steps for every AP.
The authentication Rule looks like:
Authorization rules look like:
This is the basic configuration. All other settings are customizable.
Happy testing!
Next week the last part, part 10 of this blog post series: Profiling and posture
First, create a sponsor group. Click Administration – Identity management – groups, click Add and enter a name.
Next, configure the SMTP settings under administration – System – Settings. Select SMTP and enter the smtp server.
Click Administration – Guest management – Settings and click General – ports. Check and/or change the port numbers.
Create a user group in active directory for sponsor users. Add this group in ISE: click Administration – identity management – external identity sources. Select Active directory and click Groups. Add the sponsor group.
Click Administration – Guest management – Sponsor group policy. Change the identity groups field to Any. In the other conditions field, click the plus sign and select Create new Condition. In the expression field, select your domain. In the most right field, select the active directory sponsor group.
Do not forget to apply the correct authentication sequence to the sponsor portal. Click Administration – Guest management – Settings. Selecht Sponsor – Authentication source
In the WLC configure a ACL with only access to the ISE node and DNS lookups to your DNS server. Make sure you use the same ACL name as you use in the “Authorization profile”. In the WLC, click: Wireless – All AP’s, click a AP, click Flexconnect, External Webauthentication ACL.
Click Add under Webpolicies, to add the ACL.
Repeat these steps for every AP.
The authentication Rule looks like:
Authorization rules look like:
This is the basic configuration. All other settings are customizable.
Happy testing!
Next week the last part, part 10 of this blog post series: Profiling and posture