ISE Custom AUP for Guest Wireless

Similar Messages

• Printing Solutions for Guest Wireless

  So this is something that has been bouncing around the forums for a year or two now.  I have failed to come up with a "best-of-breed" approach that meets the strict security requirments of a government department.
  The scenario is this - the wireless platform is based around centralised Wism controllers in a datacentre and an anchor controller (for guest wireless) in a dmz, we have WCS to manage the components including the Lightweight Access-Points (mainly Cisco 1142N's) with a Cisco NGS to act as both hotspot and as the client credentials RADIUS authority. it works great except for printing which simply isn't currently an option.
  The solution services a wide number of geographic locations - all members of the one guest SSID and mobility group.  Since clients that connect to this are effectively DMZ'd and only able to connect to the internet, I am struggling to find a practical way to provide printing specific to each geographic site without going for a cloud service such as "Drop-box", or "PrinterON" 
  Has anyone out there in the Community come up with any innovative approaches to this connundrum?  If so please join the conversation

  Hi, I've encountered the same issue. Did you find a solution?

• ISE 1.3 Guest API - using custom fields for guest creation?

  I am currently working with the new ISE 1.3 guest api, i have most everything working, i can create guests fine, with the basic information entered into the guest account like first name, last name, company, email, phone and so on. Now i need some more fields to enter other information in for that guest, and i have created 5 extra custom fields called option1-option5, and enabled them for the "Known Guests" page on my sponsor portal. I can however not figure out how they should be adressed in the xml input sent in the api request...anyone tried this ?
  Regards
  Jan

  Hi Johan,
  Sure i can lead on the way, the stuff i am doing is part of a complete system i build and sell, that integrates with ISE to give customers the ability to create guest accounts using a number of different social media facebook, google and so on, to self-provision accounts for guest acces (and many other things :-)
  I mainly use PHP for this, and for simplicity you can use a curl command line executed by any scripting you prefer, or use any curl library you might have available to you.
  So, you need an ise sponsor account that has the "api usage flag" allowed in the sponsor group it is a member of. Then you need to know a few things about the ise setup, that needs to be sent with your request to ise, to allow the creation of a guest account.
  If you need some code examples, send me a pm and we can figure something out
  API Reference :
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/api_ref_guide/api_ref_book/ise_api_ref_guest.html

• Setting up webauth for guest wireless access

  Hi there,
  I'm trying to set up guest wireless access.  having no experience with this at all, I'm beginning to struggle.
  Equipment:
  2x 3850 stacked and acting as one switch running 03.06.00E
  4x 1602E AP's registered to the WLC running on the 3850
  The infrastructure is sound and corporate wireless access works ok.
  I need a config that allows a guest user to connect to the guest SSID, DHCP an address, then when they open a browser, they are automatically redirected to a splash screen for them to log on. Once they log on with the supplied username and password they are then forwarded to whatever site it is they wish to go to;  So far my config looks like this (removed unnecessary parts for brevity);
  Building configuration...
  user-name test
   creation-time 1414684496
   privilege 0
   password 7 051F031C35
   type network-user description test guest-user lifetime year 0 month 0 day 0 hour 23 minute 59 second 4
  aaa new-model
  aaa authentication login aaa_guest_webauth local
  aaa authentication login local_login local
  aaa authorization exec local_authorise local
  aaa authorization network guest_authorisation local
  aaa authorization credential-download default local
  aaa session-id common
  switch 1 provision ws-c3850-24t
  switch 2 provision ws-c3850-24t
  service-template webauth-global-inactive
   inactivity-timer 3600
  service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
  service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
  service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   voice vlan
  spanning-tree mode pvst
  spanning-tree extend system-id
  hw-switch switch 1 logging onboard message level 3
  hw-switch switch 2 logging onboard message level 3
  parameter-map type webauth global
   virtual-ip ipv4 1.2.3.4
  parameter-map type webauth guest-webauth
   type webauth
   redirect on-success http://www.google.com
   banner text ^CC test text test ^C
   custom-page login device flash-1:login.html
   custom-page failure device flash-1:failed.html
  class-map match-any non-client-nrt-class
  policy-map port_child_policy
   class non-client-nrt-class
    bandwidth remaining ratio 10
  interface VlanXXX
   description "Guest-Access-VLAN"
   ip address 10.x.x.126 255.255.255.128
   ip helper-address x.x.x.x
   ip helper-address x.x.x.x
  line vty 0 4
   exec-timeout 7 0
   authorization exec local_authorise
   login authentication local_login
   transport input ssh
  line vty 5 15
   exec-timeout 7 0
   authorization exec local_authorise
   login authentication local_login
   transport input ssh
  wsma agent exec
   profile httplistener
   profile httpslistener
  wsma agent config
   profile httplistener
   profile httpslistener
  wsma agent filesys
   profile httplistener
   profile httpslistener
  wsma agent notify
   profile httplistener
   profile httpslistener
  wsma profile listener httplistener
   transport http
  wsma profile listener httpslistener
   transport https
  wireless mobility controller
  wlan Wireless-Guest-Access 24 wireless-guest
   client vlan Guest-Access-VLAN
   ip access-group GUEST-ACCESS
   no security wpa
   no security wpa akm dot1x
   no security wpa wpa2
   no security wpa wpa2 ciphers aes
   security web-auth
   security web-auth authentication-list aaa_guest_webauth
   security web-auth parameter-map guest-webauth
   session-timeout 1800
   no shutdown
  ap country GB
  ap group default-group
  ap group BUS-AP-Group
   wlan Wireless-Corporate-Access
    vlan BUS-CORP-DATA-VLAN
   wlan Wireless-Guest-Access
    vlan Guest-Access-VLAN
  end
  I carried out a wireshark trace and can see the dhcp ok, then see DNS queries to the DNS name serever and the replies, followed by a TCP SYN to the resolved IP of the website requested - but that's it, there is no SYN ACK reply or redirect to the login page which i have placed on the flash and specified under 'custom-page login' 
  I am under the impression that the way this should work is as follows;
  1. Client connects to SSID and carries out DHCP DORA and is assigned an IP address
  2. open browser on client and carry out name resolution 
  3. once name is resolved, carry TCP three way handshake with requested site (e.g. google)
  4. once three way handshake is completed client carries out an HTTP GET request
  5. WLC holds the response and redirects to the login page
  6. on successful login, original requested page is forwarded to client.
  I can't seem to get a response - even if I remove the ACL.
  Am i heading in the right direction or am I trying to achieve something which is not possible with my setup?
  Cheers

  also, forgot to say, make sure your files are preceeded with webauth for your html and js and web_auth for image files
  38725  -rw-        4265   Nov 4 2014 12:21:28 +00:00  webauth_login.html
  38726  -rw-        6937   Nov 4 2014 12:11:03 +00:00  webauth_aup.html
  38727  -rw-        1356   Nov 4 2014 12:11:30 +00:00  webauth_logout.html
  38728  -rw-         662   Nov 4 2014 12:11:43 +00:00  webauth_failed.html
  38729  -rw-         318   Nov 4 2014 12:11:58 +00:00  webauth_loginscript.js
  38731  -rw-       82940   Nov 4 2014 12:12:28 +00:00  web_auth_image.jpg
  CORE-SW01#sho run | s param
  parameter-map type webauth global
   type webauth
   virtual-ip ipv4 1.1.1.1
   custom-page login device flash:webauth_login.html
   custom-page failure device flash:webauth_failed.html
  parameter-map type webauth guest-webauth
   type webauth
   custom-page login device flash:webauth_login.html
   custom-page failure device flash:webauth_failed.html
   security web-auth parameter-map guest-webauth
  CORE-SW01#

• ISE DNS Question For Guest Users

  Before I ask the question, let me explain our environment.
  We have an internal 5508 controller.  We also have a 5508 DMZ controller that acts as an anchor controller.  Guest traffic is piped to the DMZ controller which provides the DHCP address, and DNS server information.  The DNS that we provide is our ISP provider DNS server information, to our guest wireless users.  There's no need to provide them with our internal DNS server information, since they're only going to the internet.
  Here's my dilema.  We are now implementing the ISE appliances so that we can better control our guest users.  Currently, our guest SSID is wide open.  With the ISE, we're going to initially only do self-registration for guest users.  They will connect to our broadcasted SSID, when they connect to it, they will be presented with the guest portal.  There will be a link that allows them to go to a self-registration page.  The dilema is that the ISE appliances are a part of our internal 10.x.x.x network.  Since the guest users will have our ISP's DNS servers, our ISE devices will not be able to be found for the redirection to the portal.
  Would anyone have any suggestions on this?  I don't want to advertise our internal DNS servers to guest users.  Thanks for any help!

  I haven't tried this before but ISE does actually allow you to assign physical ports to the Guest HTTP portal. You can see this under Administration > Web Portal Management > General > Ports. Perhaps you can:
  1. Take a physical port from your appliance and connect it to the DMZ
  3. Give it an IP address that is resolvable from the public DNS server
  3. Assign that physical port only to the guest HTTP service
  On the other hand, you could also build a DNS server just for the guest users and stick in the DMZ :)
  Not sure if this helps but just some food for thought.
  Thank you for rating helpful posts! 

• Separate Internet service for Guest Wireless

  Hi all,
  I was reading about security concerns having guest wireless sharing the corporate Internet services and therefore looking towards the path where a separate basic Internet serivce can be provided for them keeping the corporate side safe.
  In doing that what i was thinking would be the way:
  Extend the Guest Wireless VLAN from the core switch where the SVI is currently at to the new ADSL router's Inside interface. And in doing that I will need to configure the ADSL router for the right DHCP scope and DNS entries and finally remove the SVI from the core switch so it simple does switching across to this ADSL service.
  Let me know if i am on the right track or if i am missing something.
  Regards!

  Hi George,
  it is a simple setup with just one controller. and the WLC is talking to the ISE to authenticate including the web auth login for the guest.
  So to ans your Q, i think No, the WLC deosnt push the guest to the DMZ. the guest VLAN is hanging off the core switch at the moment. and using their corporate Internet service.
  i hope the above answered your doubts. Cheers!

• Web Page for Guest Wireless

  Hi.
  I was wondering if someone could help me with the easiest way to set up a Web Page to control Guest Wireless access on Cisco AP 1130AG.
  I was using PEAP and Dot1x to Active Directory but the messing around required on some clients (namely XP and Vista) means it is not ideal for random and unexpected guests.
  How can I set up an Open Authentication method (or whatever I need) that then defaults to a web page or logon page for access to the network itself? I have seen this in other companies so it must be do-able.
  Just for information a standard WPA2 key for the SSID is insufficient as we want a logon page and user credentials that are changeable.
  I hope someone can help.

  Are you using the AP with a lightweight controller, or standalone (autonomous)?
  The lightweight controllers have this capability. Standalone APs do not.

• ASA5510 base config for guest wireless network

  Hello
  I am partitioning off my guest wireless traffic out a new connection.
  I have a WISM and a 5508 controller. The WISM will anchor the subnets to the specific controller.
  AP - WISM - 5508 - FW - Cable link - Internet
  Can anyone assist in implementing a base config so only traffic originating inside can get out, nothing from outside getting in.
  The external link will be via cable and I want to configure their static on my outside int,
  Where would be the best place to ratelimit the subnet(s)?
  sMc       

  ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443
  These are router configurations and would not work on the ASA.  To do this the ACL config would need to look like this:
  access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 80
  access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 443
  access-group LAN in interface inside
  Keep in mind that you can change the ACL name (LAN) to anything you want it to be.  You could apply the ACL in the outbound direction but this is very unusual to do on the ASA and I do not suggest doing it unless you have a specific reason for doing so.
  Also, to make sure this subnet has no access to inside services, what would be needed?
  Not exactly sure where you are going with this.  Is this subnet also located on the inside interface? or on a different interface?
  If it is located on a different interface, then all you have to do is either give it a lower security level than that of the inside interface (lets say 90 for example), or add an ACL that denies traffic to the inside network subnet and then under that rule have an entery permitting traffic to any.
  Keep in mind that the ACLs are checked top to bottom and there is an implicit deny any rule at the bottom of all ACLs.  If this ASA is version 8.3 or higher the implicit deny can be seen in the global ACL in the ASDM.
  Please remember to rate and select a correct answer

• Web Based Registration for Guest Wireless Access

  I just started a project to make a guest wireless network available at every site in my enterprise.  Guest wireless networks are currently available at some sites.  Two key goals of this project is to enable WPA/WPA2 encryption and to develop a web based registration/autentication solution.  All of the sites have a mixture of 1230, 1240, and 1250 autonomous access points.  What do I need to do/get in order to make this happen?

  You should get a WLC and upgrade the 1240 and 1250 and replace the 1230's if they are in remote sites.
  The WLC has a Webauth feature that is great. You can define users on the WLC also if you wish.
  Guest access should always be open authentication with the use of a Webauth page. This makes it easy and you won't have to help manage guest access. Autonomous ap's and to have a splash page will require a 3rd party software or you can use a Cisco NAC guest server.
  Search for Cisco Wireless Guest Access or Webauth and you will see many docs on this type of setup.
  Sent from Cisco Technical Support iPhone App

• DHCP lease for Guest Wireless network

  Is there a "rule-of-thumb" for the lease of DHCP on a guest or general use wireless network. The standard user is expected to be relatively transient. Thanks in advance for the comments / help.

  I think ther no such rule of thumbs in a wireless network but the networks that incorporate large numbers of mobile devices, such as laptops and wireless telephony devices, should be configured with shorter DHCP lease times (for example, one day) to prevent depletion of DHCP-managed subnet addresses. Mobile devices typically use IP addresses for short increments of time and then might not request a DHCP renewal or new address for a long period of time. Longer lease times will tie up these IP addresses and prevent them from being reassigned even when they are no longer being used.

• Captive Portal for Guest wireless using a Cisco ASA 5510 or just 1231 Autonomous AP's

  Our environment consists of about 7 Cisco 1231 Access Points.  We have multiple SSID's including a Guest SSID for internet only access.  All Ap's are in autonomous mode.  We have a Cisco ASA5510 at the internet perimeter.  I would like to use what we have in house to setup a way in which all Guest Wirelsss users will be re-directed to a Captive Portal (Splash Page where there are given a custom warning page that instructs them about our Internet Accepted Usage Policy.  Can I do anything with the ASA to dish out a page like this.  I know that I can turn on an AAA rule on the ASA and force those users to have to authenticate when going to the internet but the Prompt page can't be customized too much.  I can add some text but it gets mixed in with all the other default text.
  I am not seeing a way to do URL redirection inside of the 1231 AP's themselves.  I know that a controller environment would help me out but looking to find a solution with what equipment the I already have in place.
  Any ideas??

  Hi,
  AFAIK.  using Autonomous.. there is no way we can do that..
  Regards
  Surendra

• Create custom dock for guest account

  I downloaded Server admin tool that so many has told me to, but now what? I now have a couple of programs I know nothing about, how do I do this?

  Okay. At this point, Workgroup Manager is asking you to authenticate (log in) to a server that you manage. Obviously you don't have an actual OS X Server, but you can still use the tools to manage the users on your regular Mac. So you'd "log into" your Mac, using the following values:
  Address: localhost
  User name: the name of an admin account on your Mac
  Password: the corresponding account password.
  Hope that helps
  Matt

• Guest Wireless Cisco ISE 1.3

  I am setting up guest wireless in my enterprise using Cisco ISE 1.3.
  I have set up Authorization profiles and Authentication conditions for Guest Wireless. I am however not sure of the Authentication results (the allowed protocol section). Since I want to give Guests INTERNET-ONLY access, I have configured WLC with a ACL and tied that ACL-name to ISE. However, when it comes to Authentication results à Allowed protocols, I am unsure of what to include. For instance, I have created an allowed protocol named ‘Wireless_Access’, screenshot attached below..
  Please let me know what options have to be checked to suit a guest environment. Any help would be much appreciated.. thanks!

  Hi,
  Below you can find a configuration example for guest access using ISE1.3.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
  Hope this helps.
  Regards

• E2500 with multiple APs for guest access

  I got 5 E2500 routers and the main one has setup to IP address 192.168.1.254 and the rest APs are programmed into the bridge mode with the IP address 192.168.1.245 through 248. The secured wireless network  works fine when I roaming between these APs but the only AP that I can get internet access for guest wireless network is the main (192.168.1.254) router; for every other APs, I will get the guest log on screen (prompt for guest access password) and no internet access after I type in the correct access password. Does the E2500 support multiple APs guest or it requires a special way to configure it? Please help...
  Jim

  Guest Access allows you to provide Internet connection to your guests, however, they will not have access to your computers or other personal data. When you set up your Valet or Linksys Wireless-N router, the Cisco Connect software will create two wireless networks with the same Wireless Network Name (SSID) that differs from one another by a -guest suffix to one of the wireless network names.
  So first of all remove all the networks from the preferred list of the computer and then try to connect.  

• Using ISE for guest access together with anchor controller WLC in DMZ

  Hi there,
  I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
  To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
  As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
  Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
  Thx
  Frank

  So i ran into a similar scenario on a recent deployment:
  We had the following:
  WLC-A on private network (Inside)
  ISE Servers ISE01 and ISE02 (Inside)
  WLC-B Anchor in DMZ for Guest traffic (DMZ)
  ISE Server 3 (DMZ)
  ISE01 and ISE02 are used for 802.1X for the private network WLAN.
  Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
  The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
  So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
  In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.