ISE portal guest on second interface

Similar Messages

• ISE and Guest Portal

  WLC - 7.2.110.0
  ISE - 1.1.1
  I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: https://1.2.3.4:8443/guestportal/Login.action
  At that screen, users can enter their Active Directory credentials and login. Although the authentcation shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description but the "Register" button is greyed out.
  I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to help me understand how access requests are processed?

  As you asked the documents related to ISE and Guest Portal. I am sending you two docs which will help you in this case. Please find the below documents:
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

• Cisco ISE Disabled authentication in portal guest

  Hi, dear..
  How to disabled autentication in portal guest to ends users ? It is possible ?we have customers who have laptop with GPOs, allowing not show my guest portal.
  tks

  I don't understand your question.... they have GPO that prevents the end user from seeing the guest SSID?  If so, you can't do anything about that and would have to remove that restriction from GPO.  If your talking about having end users not have to go through the portal page, then your either have them connect to another SSID or your do a mac bypass.
  Scott

• ISE for Guest Auth but need traffic logs

  We have guests that visit our office and connect to the Guest WiFi. We want to implement ISE for the self-sign in portal. That would help us determine the user and have them accept the legal terms without involving IT.
  When a guests logs in and surfs the web, We want to track which websites they go to for legal purposes and hold that information for 18 months. I am not sure how I can achieve this second part.
  The guests may visit it us 1 or 2 times every 6 months so using WSA with AD auth, for example, would not be ideal and that's why we like the ISE portal.
  We are using Cisco 5500 WLC's.
  Any help is appreciated.

  If your guests surf through an ASA firewall, you can send that firewall syslog to ise, and ise will correlate the logs with the guest users that are logged in, so you can track activity in ise. There is a report that is called something like "Guest Activity" where this will get collected.

• Using ISE for guest access together with anchor controller WLC in DMZ

  Hi there,
  I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
  To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
  As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
  Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
  Thx
  Frank

  So i ran into a similar scenario on a recent deployment:
  We had the following:
  WLC-A on private network (Inside)
  ISE Servers ISE01 and ISE02 (Inside)
  WLC-B Anchor in DMZ for Guest traffic (DMZ)
  ISE Server 3 (DMZ)
  ISE01 and ISE02 are used for 802.1X for the private network WLAN.
  Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
  The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
  So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
  In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

• Allowing Airwatch MDM access to the Captive-Portal guest users in pre-auth role for android and BB?

  Requirement:
  How to allow Airwatch MDM access to the Captive-Portal guest users in pre-authentication role for Android and Blackberry devices?
  What is Airwatch MDM?
  Airwatch MDM is Mobile Device Management. The Airwatch is an enterprise which helps to manage and secure data traveling through the mobile devices like Laptops, Tablets, Android, iPhones, iPads etc.
  Solution:
  Why we need to allow access to Airwatch MDM?
  The network administrator can force the guest users to register to Airwatch MDM before they get authenticated and access the internet. So that the network administrator could manage the guest devices through Airwatch Management tool. This can be achieved by CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server certain domains should be permitted in the captive portal pre-authentication role. This KB provides the configuration steps to allow the guest users to download the Airwatch MDM app and register with the Airwatch MDM server.
  Configuration:
  Below is the configuration
  Configuration steps:
  1. Create the following netdestinations
  netdestination Airwatch
    name *.awagent.com
    name *.awmdm.com
    name air-watch.com
  netdestination Google-Play
    name android.clients.google.com
    name .ggpht.com
    name gstatic.com
    name accounts.google.com
    name clients1.google.com
    name clients2.google.com
    name clients3.google.com
    name clients4.google.com
    name i.ytimg.com
    name google-analytics.com
    name .1e100.net
    name android.l.google.com
    name mtalk.google.com
    name clients.l.google.com
    name googleapis.com
    name gvt1.com
  netdestination BlackBerry
    name *.blackberry.com
  2. Now define the rules in the session acl and map it to the pre-authentication Role of the captive portal.
  ip access-list session Airwatch_Access
    any   alias Airwatch svc-http  permit
    any   alias Airwatch svc-https  permit
  ip access-list session Google-Play-Store
                 any   alias Google-Play any permit
  ip access-list session BlackBerry-Access
                 any   alias BlackBerry any permit
  3. Now map the session ACLs to captive-portal pre-authentication Role as follows
  user-role Guest-Pre-Auth-Role
   access-list session Airwatch_Access
   access-list session Google-Play-Store
   access-list session BlackBerry-Access
   access-list session logon-control
   access-list session captiveportal
  4. Now whitelist the list of domain names in the Captive Portal profle
  aaa authentication captive-portal Airwatch-Captive-Portal-Profile
  white-list Airwatch
  white-list Google-Play                                                                                ------------>Netdestinations where you defined the Domains.
  white-list BlackBerry
  Verification
  Now the user will be placed under the "Guest-Pre-Auth-Role" before the authentication. The user can now go the Google Play-Store or BlackBerry Appworld to download the Airwatch MDM and register to Airwatch Management Server.

  Thanks so much getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IP's. It was not going well. Now access is working and testing can commence!  Thanks,Chris

• My question about second INTERFACE DESIGN

  i create one interface( main interface created by JFRAME)
  in main interface i want to click button
  then create second interface.
  i should use which class to build second interface?
  i tried JFrame but it doesnot work
  JFrame is top cotainer .and it need main() also
  thanks in advance
  please give some hints

  i tried JFrame but it doesnot work - JFrame is top cotainer .and it need main() alsoThat's not true - you can create a JFrame instance without it having its own main() method.
  When the user clicks the button, do this:JFrame secondFrame = new JFrame("Second Frame");
  secondFrame.add(....whatever you need to add to it - JPanels etc...);
  secondFrame.setBounds(100,100,400,300);
  secondFrame.show();

• Use of the second interface

  Hi,
  I just configured the first interface of my C150 ESA with ip address, default gateway,listener, RAT and SMTP routes. I want my IronPort to handle mail for another domain with a totally independant netwotk (subnet and mail servers...). Can I configure the second interface the same way I configured the first one (obviously with all the good settings...;-)) ? Does it work? Is there no problem of IP or SMTP routing ?
  To be short, I want to do two "one interface configuration" scheme with my ESA (which has two physical interfaces) and not a "two interfaces configuration" scheme
  Thanks,
  Vincent

  Vincent - should be ok to do this. You have two options to do this:
  1. Use the 2nd NIC port and assign IP.
  2. Use the virtual gateway feature to get this 2nd IP address onto the network and then create a new listener on the virtual interface..this is much simpler and less work.
  Use the interfaceconfig CLI command or in the GUI to do this. Bind the new interface with it's unique DMZ ip onto the same network card as used for the previous interface (data 1 i assume).
  Option 2 is much easier
  :wink:

• GSS-Communication on Second Interface

  Hi,
  I shall be deploying two GSS in two different locations.
  Both GSS devices shall be placed on a DMZ using Private IP addressing with NAT to Public addresses to resolve DNS requests.
  As replication is not supported using NAT, would it be feasible to configure the second Interface with an IP address on the inside Network which would be used for GUI Management and also GSS-Comunications. Are there  any security issues which this approach.
  regards
  Ian.

  Hello Ian,
  By default, the first Ethernet interface (eth0) is used for both interdevice communications and for communicating with ANM, which you use to manage your GSS devices.  You can use the gss-communications interface-config command to change it to eth1.  I'm not aware of any security issues with this approach.
  Hope this helps,
  Sean

• MARS second interface can't be on same network?

  I am trying to enable the second interface (eth1) in Mars for management. The GUI won't let me set it to be on the same network as eth0. Why is this? Can I do it from the CLI? Maybe Cisco can do it in expert mode?

  See for discussion:
  http://groups.google.com/group/cs-mars-ug/t/3457ba30ac6e3ea3?hl=en-GB

• ISE Wired guest portal redirect even after authentication

  Hi
  I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
  I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
  Here is what I see on the interface
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  a0b3.ccca.2ab1
             IP Address:  10.1.3.16
              User-Name:  A0-B3-CC-CA-2A-B1
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F000001571E52779F
        Acct Session ID:  0x00000309
                 Handle:  0xE6000158
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  Here is the ACL
  Extended IP access list ACL-WEBAUTH-REDIRECT
      10 deny udp any any eq domain (1344 matches)
      20 deny ip any host 172.20.5.12 (8122 matches)
      30 deny ip any host 172.20.5.14
      40 permit tcp any any eq www (3124 matches)
      50 permit tcp any any eq 443 (202927 matches)
      60 permit tcp any any eq 8080 (114 matches)
      70 permit ip any any (8056 matches)

  Hi Mohannad,
  Thanks for your response.
  Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
  We need to find out why the next Auth policy is not hitting once user is authenticated.
  Here is the port configuration and the authen status of the port.
  ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
  Building configuration...
  Current configuration : 427 bytes
  interface GigabitEthernet4/0/19
  switchport access vlan 103
  switchport mode access
  switchport voice vlan 135
  authentication event fail action next-method
  authentication host-mode multi-auth
  authentication order dot1x mab
  authentication priority dot1x mab webauth
  authentication port-control auto
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end
  ABQT-3FLR-ACC-01#
  Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
  ABQT-3FLR-ACC-01#
  ABQT-3FLR-ACC-01#sh atuh
  ABQT-3FLR-ACC-01#sh atu
  ABQT-3FLR-ACC-01#sh authe
  ABQT-3FLR-ACC-01#sh authentication se
  ABQT-3FLR-ACC-01#sh authentication sessions in
  ABQT-3FLR-ACC-01#sh authentication sessions interface gi
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  0015.c5b4.fd4a
             IP Address:  10.1.3.23
              User-Name:  00-15-C5-B4-FD-4A
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F0000018A32B4D906
        Acct Session ID:  0x00000394
                 Handle:  0x3E00018B
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success

• ISE 3315 Guest Portal on ETH1?

  Hi,
  the 3315 and other ise appliances have multiple nics.
  Is it possible/supported to use eth1 for hosting the guest portal? (wireless LWA)
  Tnx,
  Bart

  jrabinow ,
  I found this reference:
  http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_app_e-ports.html
  it states that the guest portal services are also listening on the other interfaces..
  Could somebody please confirm?

• ISE - sponsor guest portal with smartcard authentication

  Team, any support for sponsor guest portal authentication with the smartcard?
  If not then can someone plese create feature request to Cisco, smartcards are being rolled out more and more.
  Bilal

  We've got it working in our agency.  It's front ended by an 5540 ASA that sends the users attributes to ISE and then loops ISE to authenticate via AD. I've got a pretty sweet write up on it from our advanced services rep.  The guys are legit when it comes to work around and I just finished testing this with ISE 1.3. If you guys are interested I'll attach it tomorrow. 
  Attached configuration guide.   Note for 1.3 the Sponsor Group Policy has been removed.  Just make sure the Sponsor Group is configured and add the store to locate the user.  In our case its AD.
  If you have questions just PM me and Ill be glad to assist.
  -Ryan 

• ISE HTTP GUEST PORTAL

  Hello,
  We have some disconfort with Guest web authentication. When WLC redirects a guest user, he views certificate error.
  Can I use http instead https for guest portal?
  Thanks,
  Oleg

  Hi,
  Is your guest portal on the ISE ? In the ISE , there is only HTTPS port allowed to configure under Guest portal and no option of http port is there , So I dont think so. You also might be using port 8443 in the external web-auth redirection URL under security tab.
  Now even if you put a valid certificate on the ISE which hosts external guest portal , still you would receive certificate warning as long as you use local web server of the controller which is its virtual ip address.This is because even if the external web server where page is hosted for example has a valid certificate , even then internal virtual ip address is presented to the client.
  So
  > either you trust them in your browser so that you dont receive certificate warnings
  >or else have a valid certificate on the controller and external web server. 
  > or use http for web authentication in the controller and also http to external hosted page, then also you can get rid of these certificates.
  Regards
  Dhiresh

• ISE sponsor portal guest accounts

  I am having an issue with guest accounts that have been created in the sponsor portal, some accounts work fine but others show up in the authentication logs on ISE as error 22056.  This error points to ISE not looking in the right identity store but when you go deeper into the details all auth requests are pointing at the internal users store which is correct.
  My main problem is that when I try to look at these accounts from the ISE admin console to see if there is any difference between them they do not show up i.e. no accounts that are created on the sponsor portal are displayed in the internal users database but if you try to create an account with the same user name ISE says that there is already an account with that name.
  Is there any where on ISE to display the sponsor guest accounts?
  Regards
  Craig

  Hi,
      not too sure if I am missing something but this just tells you how to use the sponsor portal? my query was based around being able to see all user accounts i.e. accounts created in the sponsor portal and from the admin from the admin console in the admin console.
  If I web browse to the ISE admin console and the go to administration-Identities I can only see the accounts that I have created through ISE admin, if I try and create an account that I know exists on the sponsor portal ISe complains that the user already exists but you cannot view it.  This seems very odd, why wouldn't an admin be able to see all accounts?
  thanks
  Craig