ISE Guest Service
To understand how ISE provides Guest Service, we first need to understand Local Web Auth (LWA) and Central Web Auth (CWA).
Local Web Auth: Below are some features of LWA.
- Web pages and guest authentication are delivered by the network devices only.
- It does not support Change of Authorization (CoA).
- To enforce authorization, it uses ACLs only.
- It requires a complete local web auth configuration on each NAD (switch / WLC).
- Each device has its own web portal files, web server, and customization method.
Central Web Auth: Below are some features of CWA.
- Web pages and guest authentication are delivered by ISE only.
- It supports Change of Authorization, which allows profiling and posturing services to be applied to guests and also allows VLAN enforcement.
- To enforce authorization, it uses ACLs as well as VLANs.
- Web auth configuration is done on ISE.
- The web portal, web server, and customization are handled centrally on ISE.
ISE Guest Services
There are three types of guest that ISE handles, and the handling of each can be customized.
Hotspot Guest Portal: All guests are redirected to a welcome web page; when the user clicks the Accept button, the Acceptable Use Policy (AUP) is accepted and the guest proceeds. From ISE, you can create a number of different guest portals based on criteria you define.
Sponsored Guest Portal: A guest who wants to access the network receives credentials from a sponsor, who is someone from the same organization or company and has valid access to the company sponsor portal. The guest details are delivered to the guest via email, text, SMS, etc.
Self-Registered Guest Portal: The guest uses this portal to register and request network access. Once registration is done, the guest must accept the AUP to proceed.
Each guest must be associated with a guest type. In ISE you can create your own guest types or use the following built-in guest types.
- Daily: Short-term guests who require network access for less than 1 day up to 5 days.
- Weekly: Guests who require access for one or two weeks.
- Contractor: Long-term guests, up to 1 year.
ISE provides several methods for issuing guest credentials, discussed below.
- Username & password: Provided either by a sponsor or through self-registration.
- Access Code: A single access code given to a group of guests for temporary guest network access.
- Registration Code: This code is given to guests when they self-register through the self-registration portals.
Hotspot Guest Portal Configuration
This portal configuration does not require any user authentication, because guests use open mode on Wi-Fi. Below are the general steps required to configure the Hotspot Guest Portal:
Configure the hotspot portal: Work Centers | Guest Access | Portals & Components | Guest Portals | Hotspot Guest Portal | Edit.
Configure the authorization profile: this profile will be used for web redirection to your newly created portal. Go to Work Centers | Guest Access | Policy Elements | Results | Authorization Profiles and click Add.
Configure the authorization rules in your policy sets: here we configure two rules to activate the hotspot. The first rule matches after a user has successfully gone through the guest portal process. The second rule triggers the guest portal process.
The figure above shows the Guest Hotspot authorization rules.
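The ordering of the two hotspot rules can be modelled as top-down, first-match evaluation. The sketch below is an added example, not ISE configuration or code from the original page; the rule names, profile names and the `registered` flag are hypothetical stand-ins for the ISE conditions and authorization profiles.

```python
# Added illustration: minimal model of first-match authorization-rule evaluation.
# Rule names, profile names and the "registered" flag are hypothetical, not ISE objects.
from dataclasses import dataclass, field


@dataclass
class Session:
    mac: str
    registered: bool = False  # set once the guest accepts the AUP on the portal
    history: list = field(default_factory=list)


# Each rule: (name, condition, resulting authorization profile)
PERMIT_AFTER_PORTAL = ("Hotspot-Permit", lambda s: s.registered, "PermitAccess")
REDIRECT_TO_PORTAL = ("Hotspot-Redirect", lambda s: True, "HotspotRedirect")


def authorize(session, rules):
    """Return the profile of the first rule whose condition matches (top-down)."""
    for name, condition, profile in rules:
        if condition(session):
            session.history.append(name)
            return profile
    return "DenyAccess"  # default when nothing matches


def guest_flow(rules, max_rounds=3):
    """Walk one guest through initial auth, AUP acceptance and re-authorization."""
    s = Session(mac="00:00:5E:00:53:01")  # constructed MAC from the documentation range
    for _ in range(max_rounds):
        profile = authorize(s, rules)
        if profile != "HotspotRedirect":
            return profile, s.history
        # Redirected: the guest accepts the AUP, a change of authorization follows,
        # and the session is evaluated against the rules again.
        s.registered = True
    return "stuck-in-redirect", s.history


if __name__ == "__main__":
    # Permit rule above the redirect rule: one redirect, then access.
    print(guest_flow([PERMIT_AFTER_PORTAL, REDIRECT_TO_PORTAL]))
    # Redirect rule on top: the permit rule is never reached.
    print(guest_flow([REDIRECT_TO_PORTAL, PERMIT_AFTER_PORTAL]))
```

With the catch-all redirect rule placed first, a guest who has already accepted the AUP is redirected again on every re-evaluation, which is why the post-portal rule sits above it.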
Sponsored Guest Portal Configuration
To configure the Sponsored Guest Portal, the following three steps need to be taken.
- Create an Active Directory Identity Store
- Create ISE Guest Types
- Create Guest Sponsor Groups.
Create an Active Directory Identity Store
AD needs to be configured for sponsors; if this step is skipped, use RADIUS or internal ISE users instead.
Go to Administration | Identity Management | External Identity Sources | Active Directory.
Configure ISE to join your AD.
Choose and create the group in AD that will hold the list of sponsors (for example, Guest Sponsor, shown in the figure below), and add members to it as sponsors.
To configure an Identity Source Sequence that includes AD, go to Administration | Identity Management | Identity Source Sequences. Here we will use the pre-built sequence called Sponsor_Portal_Sequence, which uses AD as the first choice in the list, followed by local ISE users.
Apply the identity source sequence as your sponsor authentication source. Go to Administration | Web Portal Management | Settings | Sponsor | Authentication Source and select your sequence.
Create ISE Guest Type
Guest types provide different levels of access to different guest accounts. It is the sponsor's responsibility to assign a guest type to a guest when creating the account.