View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0059 - ISE 1.1 Sponsor and Guest (Part 2)

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
3
Lab Document: 
<Please login to see the content>
Video Download: 

The video explores Cisco ISE capabilities to provide guest login and sponsorship. We will look at how we can create a sponsor group and configure sponsor group policy to allow a sponsor to manage their guest accounts. We will configure a guest portal with a simple portal customization, and allow guest to perform self-service. As part of our testing, we will create a guest account through a sponsor portal page and test login over wired network. We will also test creating a guest account through self-service over wireless.

In part 2, we will validate our configuration from Part 1 by creating and testing guest account over wired and wireless.
Topic:
  • Guest Portal Theme
  • Guest Multi-Portal Config
  • Guest Time Profile
  • Guest Sponsor Group
  • Guest Sponsor Group Policy
  • Authentication Policy (WLAN MAB)
  • Policy Element Result
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.

26 comments

thank you video~
if i want to connect AD account and sponsor and guest.
it should be use two ise server?

I am not sure why you would need two ISE servers. All you need to do are integrating ISE with AD, and point identity store for sponsor and guest to AD.

For wired devices, I'm trying to figure out a way to differentiate between an employee personal device and a guest device.

For an employee device, I'd want to provision a certificate as per your BYOD videos. If it's a guest, then a sponsored login screen as per these videos.

Is it possible to present a login screen that steers the user/device down one of these two paths depending on their login? Thanks.

You can drop both type of users on a guest portal that is configured with "Self-Provisioning Flow" enabled. The trick is you must have guest account created through the sponsor portal and they will not encounter the device registration page after a successful login. Other type of users (local, or AD) will encounter the device registration page, and be able to onboard their devices.


If you find our website helpful, please help support us by sharing our links, recommend website to friends, like our Facebook, subscribe our YouTube channel, follow us on Twitter

Many Thanks. Once again you are correct - this worked just fine.

I've built two labs, one to authz AD machines & users using TLS (SEC0045), and the more recent wired BYOD for AD users (SEC0050).

Authz policies are:
LAB-WIRED-MACHINE using EAP-TLS
LAB-WIRED-USER using EAP-TLS & checks for "Domain Users".
...
LAB-WIRED-BYOD using EAP-TLS & checks for "BYOD Users"

However, because we can't check for "WasMachineAuthenticated = True", with EAP-TLS, I'm finding the user is always authorized by the first LAB-WIRED-USER in the list above - hence it's not possible to issue different results/policies to corporate BYOD users.

In the absence of WasMachineAuthenticated, I can't think of a way to identify non-corporate machines.

From your comment, I assume you encountered the same issue on WasMachineAuthenticated with EAP-TLS. Another workaround I can think of, for what you are trying to do, is to check for (NetworkAccess:Usecase NOT EQUAL Guest Flow). That way users logging in from Guest Portal should not hit your WIRED-USER rule.


If you find our website helpful, please help support us by sharing our links, recommend website to friends, like our Facebook, subscribe our YouTube channel, follow us on Twitter

This didn't work but I've figured an alternative to check for WasMachineAuthenticated and still use certificates.

For corporate devices (using GPO), modify authentication to use a PEAP tunnel (PEAP outer, EAP-TLS inner). For BYOD corporate users, simply use EAP-TLS.

This way we can identify the authentication flow.

So my authz policies look like this:

LAB-WIRED-MACHINE # PEAP Tunnel (see below)
LAB-WIRED-BLACKLIST
LAB-WIRED-USER # corporate user, PEAP Tunnel (see below)
...
LAB-WIRED-BYOD # corporate user with personal device, uses EAP-TLS (see below).

The authz compound condition for LAB-WIRED-MACHINE is this:

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Ethernet AND
AD1:ExternalGroups EQUALS lab2.domain.co.uk/Users/Domain Computers AND
Network Access:EapTunnel EQUALS PEAP AND
Network Access:EapAuthentication EQUALS EAP-TLS

The authz compound condition for LAB-WIRED-USER is this:

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Ethernet AND
AD1:ExternalGroups EQUALS lab2.domain.co.uk/Users/Domain Users AND
Network Access:WasMachineAuthenticated EQUALS True AND
Network Access:EapTunnel EQUALS PEAP AND
Network Access:EapAuthentication EQUALS EAP-TLS

The authz compound condition for LAB-WIRED-BYODis this:

AD1:ExternalGroups EQUALS lab2.domain.co.uk/LAB2/BYOD Users AND
DEVICE:Device Type EQUALS All Device Types#Switch AND
Network Access:EapAuthentication EQUALS EAP-TLS

On corporate machines, logging shows machine prior auth using PEAP(EAP-TLS)

Authentication Protocol : PEAP(EAP-TLS)
...
24422 ISE has confirmed previous successful machine authentication for user in Active Directory

And on BYOD machines, logging shows it falls through to LAB-WIRED-BYOD and can be given a different DACL or results, etc.

Authorization Policy Matched Rule: LAB-WIRED-BYOD

Hope this helps.

That's a very creative work around. I will definitely try that out. I am curious to see where on GPO you can set Inner and Outer EAP methods. I will re-post your comment on the EAP-TLS video page so the others can see it too. Thanks for sharing.


If you find our website helpful, please help support us by sharing our links, recommend website to friends, like our Facebook, subscribe our YouTube channel, follow us on Twitter

I can see now on the client that when you choose Microsoft PEAP for authentication, the inner auth method by default is MSCHAPv2 and this can be changed to Certificate. Very nice.

Thanks - Yes - that's it. I was just about to put together some screen shots, but you have found it.

I discovered this method when using Microsoft's NPS and their built in NAP client. NAP requires PEAP to transfer Statement of Health (SoH) messages, so the only way to combine certificates is to use the same method, PEAP outer, EAP-TLS inner.

Excellent Video's, thanks again! how do we increase the Session Timeout on the ISE Server for Guest users? when Guest device goes to sleep or are idle for a while, they are forced to re-authenticate whenever they try to access the WEB. My intention is not to re-authenticate for 8hrs

On the WLC, since "Allow AAA Overide" is checked, i believe the "Enable Session Timeout" is overwritten; how do we go about this?

This has got to do with an Idle Timeout on the WLC. If you run version 7.3 (could be 7.4 i don't remember exactly) or later, you should be able to adjust the Idle Timeout on the SSID config and this will help keeping a webauth user session around when there is no activity. Also, 7.5 came out with a new feature that addresses sleeping client so you might want to look into that as well.

http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn75.html

Thanks for your insight. The sleeping client on 7.5 is only available for layer 3 security. Am currently using Layer 2 MAC Filtering, the options available are session time and idle timeout.

Am going to set both at 36000 seconds, to see it that solves my issue.

Regards

How can I configure session timeout on the switch for wired GUEST access ?

You can use the 'authentication timer' command for port-level config, or configure Authorization Profile on ISE to return the timout value as part of the RADIUS attribute for Guest.

Hi and thanks for your answer
I cannot use the 'authentication timer' command for port-level config because I want to apply it only on GUEST user
How can I configure Authorization Profile on ISE to return the timout value as part of the RADIUS attribute for Guest. Please I need help to configure it.

Thanks in advance

I believe it is the 'Reauthentication' attribute under the Authorization Profile that you need to use for session timeout.

I want the number of user self-registrations per day to be limited to 1 per device, after time expire the user can't use self-registration again. Is it possible?

I don't believe that is possible. All you can do is globallyl limit number of device allowed per guest accout. Once the account is expired, it can no longer be used. 

This option? Limit Device Registration Portal. I've set this option to 1 and still managed to create other accounts by self-registration, the same device.

I also logged on with an existing account and in the middle of the session has expired, however continued working, bug?

What is the purpose of the sponsor portal and time profile if a user can create N accounts? If the user loses the password he can just create another account. The sponsor portal and time profile loses all meaning, right? Only if you disable self-registration..

Self-service and guest sponsor are two different model and usually are not used together. If you want guest account to only be created by sponsor then you need to disable self-service link on guest portal.. I don't think there is a way to limit how many account a guest can self-create although you can limit a number of device per guest account but it be moot for self-service since guest can create as many account as they like so it would only make sense for sponsored guest. Btw, I belive self-registration (one that allow user to enter MAC address) is a different thing and normally not used for guest.

Got it, the two together do not make sense. Thankss!

How can I prevent a domain machine to match the guest policy? Is there a condition to does this?

First of all, you need to enable machine authentication and your domain machine should match a rule with condition of "Domain Computer" group from the AD. When user try to connect to network, you need to check if he/she is accessing from a domain computer using "wasmachineauthenticated" condition. If use is on non-domain machine, it should not match these two rules and fall down your guest rule below them.

Got it, but if for some reason the supplicant configuration is wrong and the domain computer fails to match the policy of dot1x machine, then the machine will match mab/guest policy... I would like the domain machine to match in default rule (deny access) in this case. Is it possible?