View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0115 - ISE 1.2 Wireless Guest with HTML Customized Portal (Part 2)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>

The video walks you through wireless sponsor and guest access configuration on Cisco ISE 1.2. We will take the same lab we did back in ISE 1.1 and rebuild our guest authentication so you can see how guest portal has changed in ISE 1.2 as well as preparing ourselves for full HTML custom guest portal in the second half of the video. We will show you how to create a custom guest login page so a background on HTML coding and CSS is recommended as a pre-requisite. Although we will touch on some of the sponsor and guest access configuration, for detail discussion on the subject, please review the videos SEC0058 - ISE 1.1 Sponsor and Guest (Part 1) and SEC0059 - ISE 1.1 Sponsor and Guest (Part 2)

Part 2 of this video shows how to create a custom guest portal and testing


  • Guest Multi-Portal Config
  • Guest Time Profile
  • Guest Sponsor Group
  • Guest Sponsor Group Policy
  • Authentication Policy (WLAN MAB)
  • Policy Element Result
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
  • Cisco HTML Sample Code
  • Full HTML Custom Guest Login

Relevant Videos:

SEC0058 - ISE 1.1 Sponsor and Guest (Part 1) 

SEC0059 - ISE 1.1 Sponsor and Guest (Part 2)


Sample Code for Sponsor and Guest Portal Customizations


About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


Is there a way to get sample file of nac_login.xml, nacStrings_xx.xml. I have try to build one but I keep getting error any help or pointer will be helpful.



Do i need to purchase a certificate from third CA for 802.1x user ?the idea thats I don't want to configured wifi profile for 802.1x .....

For PEAP on Windows, even with a trusted 3rd party cert, the user still gets prompted to trust the cert so it won't help if you are trying to avoid having the user to do that. The only way is to push out the profile with the cert already trusted. Nevertheless, 3rd party cert is always recommended.

Thank you for the informative and quick reply,so thats mean i have to push the user profile through windows "GROUP POLICY" otherwise i need to do it manually in each machine ?!

That is correct. The profile needs to have appropriated trusted root CA cert selected if you plan to do server certificte validation.

I configured a X SSID with peap authentication for staff (a non-join domain laptops and iDevice). Now i want to deny computer domain to get access to this SSID, i try with the condition below but no luck:
AD1 > External Groups not equel computer domain.
AD1 > External Groups equel user domain.

Your comment is highly appreciated.


You need to make sure all of the domain computers perform Machine Authentication, otherwise they will be seen as non-domain computers. A better way to identity non-domain computers is to issue a certificate using whether via onboarding or MDM.

but my main goal is to deny corporate machine to get access in the X SSID which is dedicated to non-domain computer.
So How do I achieve this ?

ISE first needs to be able to identity the computer to be part of domain and this is usually done through machine authentication so you will need to have machine auth enble on all of your domain computers, and use WasMachineauthenticated on ISE to deny accordingly. An alternative is to instll cert on all domain computers and have them use EAP-TLS, then you can create condition to only match PEAP for the non-domain SSID.

I have issue with ISE self-services portal, when Guest but his email the ISE not validation the e-mail address, I mean even if he is but the wrong email address ISE will grant him the username and password.
Please advice?

ISE does not really validate if the guest email is valid. All it does is it makes sure the format is correct. Even with invalid email, guest can still use it to login. he/she will just not be receiving the account info notification via email if you have that setup.

Thank you for your clarification, I want to applied self-services for guest (as Management requested) but because our company too closed from the other companies. The problem that’s any one can have access to the guest network without our permission.
Q: Is the below scenario possible in the ISE 1.2
-guest have username and password from the ISE and directly he is go to suspended mode unless the sponsor active his account (i tried with Aruba ClearPass and it works fine).

There is no such feature built-in but what you might be able to do is creating a User Identity group called 'Suspended Guest' and make it the default group for all self-service guest. You can then create a authorization rule that just deny all access to that group. Only when that guest has been moved to a different group like "Guest" or "Active Guest" by a sponsor, he/she will have access to the network.

I will be deploying ISE only for Wireless Guest Access , he has an anchor and foreign controller setup in his environment and he will be using the Internal DHCP server on his Anchor controller to give out IP address to all the guest, my question is will I be adding the Anchor controller on ISE or the foreign controller as a NAD device ?

There should not be a need to add anchor controller to ISE since all authentication will be done on the foreign controller even before the user traffic will be allowed to pass through to the Anchor