ISE Authentication cache in CWA for Guest
Ciao,
Do you know how I can cache a guest authentication?
For example, a guest connects to the guest SSID (open) and authenticates using CWA (ISE and WLC). After that, every time the guest logs off and logs in again, no authentication is required during the same day.
Thanks
You can find "Automatically register guest devices /Allow guests to register devices" option here -> Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Registration Settings.
Using this option: Automatically create an endpoint for the device from which the guest is accessing this portal. The endpoint will be added to the endpoint identity group specified for this portal and is subject to the identity group's purge policy.
An authorization rule can now be created to allow access to endpoints in that identity group, so that web authentication is no longer required.
And you have the "ActivatedGuest" option in 1.2.
Similar Messages
-
WLC to ISE authentication for Guest
Hi Experts,
I hope you can guide me with our setup for Guest users. Below is what we are doing:
a) Guest connects to SSID
b) WLC is being used to redirect Guest HTTP to WLC internal Portal
c) WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
The guest connects to the SSID and does get the WLC portal for authentication, but when the username and password are entered, on Cisco ISE I see the error message
'User Identity not found in any of Identity Store' though it is going through the correct store and the guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4; please let me know if I am missing anything here.
Appreciate your help
The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
Please follow the guide below for step-by-step configuration:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
Using ISE for guest access together with anchor controller WLC in DMZ
Hi there,
I set up a guest WLAN in our LAB environment. I have one internal WLC connected to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal, which works fine.
To gain more flexibility regarding guest account provisioning and reporting, my idea is to use Cisco Identity Services Engine (ISE) for web authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
As the ISE is located on the internal network while the guest clients end up in the DMZ network, this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
Does anyone know of a better solution for this? Where to place the ISE for this scenario, etc.?
Thx
Frank
So I ran into a similar scenario on a recent deployment:
We had the following:
WLC-A on private network (Inside)
ISE Servers ISE01 and ISE02 (Inside)
WLC-B Anchor in DMZ for Guest traffic (DMZ)
ISE Server 3 (DMZ)
ISE01 and ISE02 are used for 802.1X for the private network WLAN.
Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use MAC filtering with ISE as the RADIUS server. If you send this RADIUS authentication traffic for MAC filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.)
So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the foreign controller, so that the client will use a DNS name of https://ise03.mydomain.com/... to redirect the client to. Once the session is authenticated, ISE03 will send a CoA back to the foreign controller, which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node. -
I want to integrate an SMS gateway with Cisco ISE 1.2 and my question is:
Are SMS notifications supported for Guest self-registration services? Or should it be done by the Sponsor?
I'm not sure I understand the question. Do you want to log in to the Sponsor Portal using AD credentials?
Create an Identity Source Sequence using AD as an Authentication Source. Go to Administration > Identity Management > Identity Source Sequences. Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings. Double-click Sponsor from the Left Menu and click Authentication Source. Choose the Identity Source Sequence. Click Save.
I hope this helps.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
Generate one time authentication for Guest on Cisco WLC
Hi All
Sorry for my question, because I just started to work with Cisco WLC.
I have created some WLANs for local users with authentication by 802.1x + RADIUS by certificate.
For Guests I used PSK with MAC filtering.
But I see that this is not comfortable for Guests: each time they come and want to access our wireless, we have to come and get their MAC.
I checked on the Internet and found that the wireless solutions for hotels and resorts are very easy.
I also googled and saw that Cisco WLC supports Lobby Ambassador to generate Guest username/password. But as I checked, this username/password can only be used with Web-Auth, and this method is not comfortable for Guests who don't know they have to go to Web-Auth to authenticate (e.g. when they only get POP3 email, or VPN, ... and don't use a browser).
Could I use this method (or another method) to create a one-time Guest wireless username/password or Guest PSK that can be used for authentication when Guests click the wireless SSID name only (no need to open a web browser to do Web-Auth)?
Regards
Hai
Hi Choudhary,
Thank you very much for your information.
Could I reconfirm my concern?
With Cisco WLC, I can use WebAuth with Guest users only.
If I want to use Guest users for authentication when guests connect to the SSID (not by WebAuth; I mean using Layer 2 security only, not Layer 3), I will have to use an additional RADIUS server.
And if I understand right, could you please recommend a software-based RADIUS server that supports generating one-time usernames/passwords for Guests, because I checked IAS/NPS on Windows Server and it may not have this function (ISE is not appropriate for us at this time, due to the high expense).
Regards
Hai -
ISE 1.3 Guest API - using custom fields for guest creation?
I am currently working with the new ISE 1.3 guest API. I have most everything working: I can create guests fine, with the basic information entered into the guest account like first name, last name, company, email, phone and so on. Now I need some more fields to enter other information for that guest, and I have created 5 extra custom fields called option1-option5 and enabled them for the "Known Guests" page on my sponsor portal. I can however not figure out how they should be addressed in the XML input sent in the API request... anyone tried this?
Regards
Jan
Hi Johan,
Sure, I can lead you on the way. The stuff I am doing is part of a complete system I build and sell, that integrates with ISE to give customers the ability to create guest accounts using a number of different social media (Facebook, Google and so on), to self-provision accounts for guest access (and many other things :-)
I mainly use PHP for this, and for simplicity you can use a curl command line executed by any scripting you prefer, or use any curl library you might have available to you.
So, you need an ISE sponsor account that has the "API usage" flag allowed in the sponsor group it is a member of. Then you need to know a few things about the ISE setup that need to be sent with your request to ISE, to allow the creation of a guest account.
If you need some code examples, send me a PM and we can figure something out.
API Reference:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/api_ref_guide/api_ref_book/ise_api_ref_guest.html -
ISE DNS Question For Guest Users
Before I ask the question, let me explain our environment.
We have an internal 5508 controller. We also have a 5508 DMZ controller that acts as an anchor controller. Guest traffic is piped to the DMZ controller which provides the DHCP address, and DNS server information. The DNS that we provide is our ISP provider DNS server information, to our guest wireless users. There's no need to provide them with our internal DNS server information, since they're only going to the internet.
Here's my dilemma. We are now implementing the ISE appliances so that we can better control our guest users. Currently, our guest SSID is wide open. With the ISE, we're going to initially only do self-registration for guest users. They will connect to our broadcast SSID, and when they connect to it, they will be presented with the guest portal. There will be a link that allows them to go to a self-registration page. The dilemma is that the ISE appliances are a part of our internal 10.x.x.x network. Since the guest users will have our ISP's DNS servers, our ISE devices will not be able to be found for the redirection to the portal.
Would anyone have any suggestions on this? I don't want to advertise our internal DNS servers to guest users. Thanks for any help!
I haven't tried this before but ISE does actually allow you to assign physical ports to the Guest HTTP portal. You can see this under Administration > Web Portal Management > General > Ports. Perhaps you can:
1. Take a physical port from your appliance and connect it to the DMZ
2. Give it an IP address that is resolvable from the public DNS server
3. Assign that physical port only to the guest HTTP service
On the other hand, you could also build a DNS server just for the guest users and stick it in the DMZ :)
Not sure if this helps but just some food for thought.
Thank you for rating helpful posts! -
Cisco ISE authentication failed for Win XP SP3
Hello,
I have some trouble with this Win XP wired client authentication. With Win7 everything works well.
ISE 1.2 (patch 4)
Switch: 2960 / 2960S (15.0.(2)SE2)
Authentication details:
Event:
5400 Authentication failed:
Failure Reason
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Resolution
Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
I tried to disable "validate server certificates" on the Win XP clients, but it won't work for me.
Adding the ISE self-signed certificate to the clients' trusted root certification authorities and enabling "validate server certificates" also won't work.
Any idea?
thanks
The ISE uses a self-signed certificate. I added this self-signed certificate to the clients' "trusted root certification authorities", enabled "validate server certificates" in the EAP properties and selected the added certificate from the trust list. But if I uncheck "validate server certificates", I see the same error message as well.
Are there any differences between the XP client config and the Win7 client config?
thanks, -
NAC guest server with RADIUS authentication for guests issue.
Hi all,
We have just finally successfully installed our Cisco NAC Guest Server. We have version 2 of the server, and basically the topology consists of a WiSM at the core of the network and a 4402 controller at the DMZ, then out the firewall; no issues with that. We do however have a few problems: how can we provide access through a proxy without using PAC files, obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a RADIUS attribute etc.?
The second problem is more serious; refer to the documentation below from the configuration guide for NAC Guest Server v2. It states that hotspots can be used and the Authentication option would allow RADIUS authentication for guests. I've been told otherwise by Cisco and they say it can't be done. Has anyone got RADIUS authentication working for guests?
https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
-----START QUOTE-----
Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
•Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
•Self Service—This option allows guest self service. After selection proceed to Step 8.
•Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
----- END QUOTE-----
Your help is much appreciated on this. I've been looking forward to this project for a long time and it's a bit of an anticlimax that I can't authenticate guests with RADIUS (we use ACS and I was hoping to hook RADIUS into an ODBC database we have set up called Open Galaxy).
Regards
Kevin Woodhouse
Well, I will try to answer your 2nd question.... Will it work... yes. It is like any other RADIUS server (high end :)). But why would you do this for guests.... there is no reason to open up a port on your FW and to add guest accounts to it and, worse... add them in AD. Your guest anchor can supply web-auth, is able to have a lobby admin account to create guest accounts and, if you look at it, it leaves everything in the DMZ.
Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and, last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion. -
Using 3rd party WEB redirect for Guest authentication
I'm currently using (internal) WebAuth on the WLC for my guest WLAN but my management would like a simpler method: some external web page where the guest user can fill out a form and enter some information such as name, location and email address, and they would get a cookie or something that would provide them guest access for some period of time. Does anyone know of such a product?
Thanks,
Gary
I don't see how that is different from web passthrough on the WLC, where the user has to type his information but doesn't need a password ...
Have you looked at the Nac Guest Server ? It's an appliance especially made for that purpose.
The upcoming ISE has also some cool unified guest features. -
Authentication for Guest Access
Hi, we are looking for a solution for either automated daily creation of guest user accounts or a console where clients enter their details, which in turn creates the guest account on the controller.
If we go down the path of automation, policy requires a single username/password for each day. Unfortunately WLC scheduled guest account creation is not an option, as the recurrence doesn't change the password, but it would be a handy feature if Cisco would like to introduce it in a future release.
The CLI has the option to create 'config netuser add [name] [password] WLANID [X] userType guest lifetime [seconds]' - can we schedule and email this from the CLI on the controller?
Appreciate your time.
Brendan
Brendan,
Currently there is no way to automate this process. The process that has been developed is either an admin on the WLC/WCS creates the account or the use of the lobby admin feature. WCS has the lobby admin feature also to create accounts, but it isn't intended for guest users to create their own account.
The WLC doesn't have a scheduler to enter a command via the CLI, but I bet you can develop some web-based guest creation that would send the command to the WLC and remember that command to remove it later.
Sent from Cisco Technical Support iPhone App -
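The daily one-time credential the question asks for, as an added example (not code from this thread or from Cisco): it draws a fresh password from the OS CSPRNG, computes a lifetime that expires the account at local midnight, and emits the WLC CLI commands an external scheduler would push to the controller and later use for cleanup. The `config netuser add` form follows the command quoted in the question with the `wlan <id>` keyword; `config netuser delete username <name>` is assumed to be the matching removal command on the same release.

```python
# Added example: per-day guest credential generation for a WLC 'config netuser'
# workflow. Not Cisco's code; the delete command syntax is an assumption.
import secrets
import string
from datetime import datetime, timedelta

# Letters and digits only: no quoting surprises when the command is pushed
# through an SSH/expect-style automation channel.
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def generate_password(length=12):
    """One-time guest password from secrets (CSPRNG), never random.random."""
    if length < 8:
        raise ValueError("guest passwords should be at least 8 characters")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def seconds_until_midnight(now):
    """Lifetime that makes the account expire at local midnight, so a
    credential created at 08:00 does not outlive the day it was issued for."""
    next_day = (now + timedelta(days=1)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    return int((next_day - now).total_seconds())


def build_guest_commands(wlan_id, now=None, password=None):
    """Return the day's username, password, lifetime and WLC add/delete commands."""
    if wlan_id < 1:
        raise ValueError("wlan_id must be a positive WLAN ID")
    now = now or datetime.now()
    username = "guest" + now.strftime("%Y%m%d")
    password = password or generate_password()
    lifetime = seconds_until_midnight(now)
    add_cmd = (f"config netuser add {username} {password} wlan {wlan_id} "
               f"userType guest lifetime {lifetime}")
    # Assumed removal syntax, so the scheduler can clean up before expiry.
    delete_cmd = f"config netuser delete username {username}"
    return {
        "username": username,
        "password": password,
        "lifetime": lifetime,
        "add_cmd": add_cmd,
        "delete_cmd": delete_cmd,
    }


if __name__ == "__main__":
    creds = build_guest_commands(wlan_id=2)
    print(creds["add_cmd"])
    print(creds["delete_cmd"])
```

The script only builds the commands; delivering them (SSH to the controller, email to the front desk) is left to whatever scheduler runs it, and the password should travel only over that channel, never in logs.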
Wireless device can't get IP address for Guest network
I have a wireless network set up at my main location. The access points allow Internal and Guest access. The Internal access uses DHCP from a Windows Server. The Guest access looks like it uses DHCP from my ASA; I did not set this up originally. My question is... I am installing a new WAP in a branch location. I can get the Internal access to work because it uses the Windows Server DHCP. I cannot figure out how to get the Guest access configured to use the DHCP from the ASA. The ASA is on a DMZ. Any help would be appreciated.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname WAPMadisonOffice
logging rate-limit console 9
enable secret 5 $1$f1/9$SWBosxmjEGfSW4U.t4FnW.
no aaa new-model
dot11 syslog
dot11 vlan-name Internal vlan 141
dot11 vlan-name Guest vlan 99
dot11 ssid Bard
 vlan 141
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 141500120D0A7B72757C31343017
dot11 ssid Guest
 vlan 99
 authentication open
 authentication key-management wpa
 guest-mode
 mbssid guest-mode
 wpa-psk ascii 7 070D33554F07485C4646090D162E
power inline negotiation prestandard source
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm
 encryption vlan 141 mode ciphers aes-ccm
 encryption vlan 99 mode ciphers aes-ccm
 ssid Internal
 ssid Guest
 antenna gain 0
 mbssid
 channel least-congested 2412 2437 2462
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface Dot11Radio0.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 bridge-group 99 subscriber-loop-control
 bridge-group 99 block-unknown-source
 no bridge-group 99 source-learning
 no bridge-group 99 unicast-flooding
 bridge-group 99 spanning-disabled
interface Dot11Radio0.141
 encapsulation dot1Q 141
 no ip route-cache
 bridge-group 141
 bridge-group 141 subscriber-loop-control
 bridge-group 141 block-unknown-source
 no bridge-group 141 source-learning
 no bridge-group 141 unicast-flooding
 bridge-group 141 spanning-disabled
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface GigabitEthernet0.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 no bridge-group 99 source-learning
 bridge-group 99 spanning-disabled
interface GigabitEthernet0.141
 encapsulation dot1Q 141
 no ip route-cache
 bridge-group 141
 no bridge-group 141 source-learning
 bridge-group 141 spanning-disabled
interface BVI1
 ip address 10.10.20.20 255.255.255.0
 no ip route-cache
ip default-gateway 10.10.20.11
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community internal RO
bridge 1 route ip
bridge 141 protocol ieee
bridge 99 protocol ieee
line con 0
 logging synchronous level all
 login local
line vty 0 4
 logging synchronous level all
 login local
end
Jennifer,
The ASA is connected on this interface:
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 1,10
 switchport mode trunk
 switchport priority extend trust
 mls qos trust dscp
 spanning-tree portfast
And the access point, what interface?
10.10.10.251 - IP of ASA?
If you set vlan 99 in one interface and connect one computer do you get ip?
I only see the interfaces 1/0/27 and 1/0/48 with access for guest vlan 99.
Regards. -
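A config audit for the kind of mismatch visible in the AP config posted in the question (the radio binds `ssid Internal`, but the only SSIDs defined are `Bard` and `Guest`) and for the trunk the reply points at (the switch port toward the ASA allows only VLANs 1 and 10, not guest VLAN 99). This is an added example, not code from the thread or from Cisco; `SAMPLE_AP_CONFIG` and `SAMPLE_SWITCH_TRUNK` are constructed, trimmed copies modelled on the posted lines.

```python
# Added example: audit an autonomous IOS AP config for SSID/VLAN/bridge-group
# consistency, and check that an uplink trunk carries the guest VLAN.
import re

# Constructed sample modelled on the config posted in the question.
SAMPLE_AP_CONFIG = """\
dot11 ssid Bard
 vlan 141
 authentication open
dot11 ssid Guest
 vlan 99
 guest-mode
interface Dot11Radio0
 ssid Internal
 ssid Guest
 mbssid
 bridge-group 1
interface Dot11Radio0.99
 encapsulation dot1Q 99
 bridge-group 99
interface Dot11Radio0.141
 encapsulation dot1Q 141
 bridge-group 141
interface GigabitEthernet0
 bridge-group 1
interface GigabitEthernet0.99
 encapsulation dot1Q 99
 bridge-group 99
interface GigabitEthernet0.141
 encapsulation dot1Q 141
 bridge-group 141
interface BVI1
 ip address 10.10.20.20 255.255.255.0
"""

# Constructed sample modelled on the switch port quoted in the reply.
SAMPLE_SWITCH_TRUNK = """\
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 1,10
 switchport mode trunk
"""

BLOCK_START = re.compile(r"^(dot11 ssid \S+|interface \S+)$")


def parse_blocks(config):
    """Map each 'dot11 ssid'/'interface' header to its sub-command lines.
    Lines are stripped, so a pasted config that lost its indentation still parses."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if BLOCK_START.match(line):
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_ap_config(config):
    """Return a list of findings; an empty list means the SSID/VLAN plumbing is consistent."""
    blocks, findings, ssid_vlan = parse_blocks(config), [], {}
    for header, body in blocks.items():
        if header.startswith("dot11 ssid "):
            vlans = [l.split()[1] for l in body if l.startswith("vlan ")]
            ssid_vlan[header.split(" ", 2)[2]] = vlans[0] if vlans else None
    # SSIDs bound on a physical radio (not a dot1Q subinterface).
    bound = [l.split()[1] for h, b in blocks.items()
             if h.startswith("interface Dot11Radio") and "." not in h
             for l in b if l.startswith("ssid ")]
    for name in bound:
        if name not in ssid_vlan:
            findings.append(f"radio binds SSID '{name}' but no 'dot11 ssid {name}' block exists")
    for name in ssid_vlan:
        if name not in bound:
            findings.append(f"SSID '{name}' is defined but not bound to any radio")
    for name in bound:
        vlan = ssid_vlan.get(name)
        if vlan is None:
            continue
        # Each SSID VLAN needs a matching subinterface on the radio and the uplink.
        for phys in ("Dot11Radio0", "GigabitEthernet0"):
            sub = f"interface {phys}.{vlan}"
            body = blocks.get(sub)
            if body is None:
                findings.append(f"VLAN {vlan} (SSID '{name}'): missing {sub}")
                continue
            for needed in (f"encapsulation dot1Q {vlan}", f"bridge-group {vlan}"):
                if needed not in body:
                    findings.append(f"{sub}: missing '{needed}'")
    return findings


def trunk_allows_vlan(switch_config, vlan):
    """True if the trunk's allowed-VLAN list (plain list or 'add' form, ranges
    such as 1,10,99-100) carries the VLAN; no such line means all VLANs allowed."""
    allowed, found = set(), False
    for raw in switch_config.splitlines():
        spec = raw.strip().split()
        if spec[:4] != ["switchport", "trunk", "allowed", "vlan"]:
            continue
        found = True
        spec = spec[4:]
        if spec[0] == "all":
            return True
        if spec[0] == "add":
            spec = spec[1:]
        for part in spec[0].split(","):
            lo, _, hi = part.partition("-")
            allowed.update(range(int(lo), int(hi or lo) + 1))
    return (not found) or vlan in allowed


if __name__ == "__main__":
    for finding in audit_ap_config(SAMPLE_AP_CONFIG):
        print("AP:", finding)
    print("trunk carries VLAN 99:", trunk_allows_vlan(SAMPLE_SWITCH_TRUNK, 99))
```

Run against the constructed sample, the audit reports the unbound `Bard` SSID and the undefined `Internal` SSID, and the trunk check returns False for VLAN 99, which is exactly why a client on the guest SSID never reaches the DHCP server behind that trunk.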
Hi Experts ,
Need help understanding the best practice for placing/creating the DHCP scope for a remote site Guest SSID which will be connected to the HQ Foreign-Anchor controller set-up.
What about internet traffic for the Guest SSID; which one would be recommended:
1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
Thanks
Hi George,
Thanks for your reply... So you mean the best design would be to create the DHCP scope in the DMZ for guests and let them be exposed to HQ internet...
What about if I have another anchor controller in, let's say, another office and I need to anchor the traffic or load balance from the HQ foreign controller? In that case, if I create the DHCP scope on the HQ anchor controller and it's down, I will lose connectivity; how do I achieve fail-over to another anchor?
Do I need to create a secondary scope on the other anchor controller and let the client get re-authenticated by the other location's ISE and get an IP address as well from the other anchor controller? Is that what you are proposing? -
2504 with new-architecture enabled breaks MAC auth for guest access
Hello,
We have (2) 2504 WLCs running version 7.6.120. WLC1 is the local controller and WLC2 is an anchor controller for guest access. We need to incorporate a 3850 for use with the WLC2 anchor. The guest access is currently working with Mac-Auth and Mac-Auth-Fail to Web-Auth.
When converged access is enabled on WLC1 and WLC2, Mac-Auth no longer works. That is, the previously authenticated user is now redirected to the Web-Auth page. The local controller shows the user as authenticated but the anchor controller shows the state as Web-Auth-REQD.
Rolling back using "config mobility new-architecture disable" and rebooting resolves the issue.
Does anyone know what changes from the old to the new architecture would break this mac-auth/web-auth configuration?
You should reach TAC for these sorts of issues. Not many people are deploying this CA setup yet, and you may not get direct feedback immediately.
HTH
Rasika -
Cisco ISE authentication failed because client reject certificate
Hi Experts,
I am a newbie to ISE and am having a problem with my first step in authentication. Please help.
I am trying to deploy a standalone Cisco ISE 1.1.2 with a WLC using 802.1x authentication. User authentication is configured to be checked against ISE's internal user database for early deployment. But when the users try to authenticate, they fail with this error message in ISE:
Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
I've generated a certificate for ISE using Windows Server CA and replaced ISE's self-signed certificate with the new certificate, but authentication still fails with the same error message. Must I generate a certificate for the WLC also? Please help me in solving this problem.
Regards,
Ratna
Certificate-Based User Authentication via Supplicant Failing
Symptoms or Issue: User authentication is failing on the client machine, and the user is receiving a "RADIUS Access-Reject" form of message.
Conditions: (This issue occurs with authentication protocols that require certificate validation.)
Possible Authentications report failure reasons:
• "Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
• "Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate"
Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:
• 12305 Prepared EAP-Request with another PEAP challenge
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is reusing an existing session
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is re-using an existing session
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12815 Extracted TLS Alert message
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.
Possible Causes: The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
Resolution: The client machine must accept the Cisco ISE certificate to enable authentication.