The Self Registered Guest Portal allows guest users to self-register, along with employees who use their AD credentials, to gain access to network resources. This Portal allows you to configure and customize multiple features. This document describes how to configure and troubleshoot this functionality.

Prerequisites

Requirements

Cisco recommends that you have experience with ISE configuration and basic knowledge of these topics:

- Configuration of Wireless LAN Controllers (WLC)

The information in this document is based on these software and hardware versions:

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

This scenario presents multiple options available for guest users when they perform self-registration.

Guest user associates to Service Set Identifier (SSID): Guest-WiFi. This is an open network with MAC filtering with ISE for authentication. This authentication matches the second authorization rule on the ISE and the authorization profile redirects to the Guest Self Registered Portal. ISE returns a RADIUS Access-Accept with two cisco-av-pairs:

- url-redirect-acl (which traffic must be redirected, and the name of the Access Control List (ACL) defined locally on the WLC).
- url-redirect (where to redirect that traffic: to ISE).

Rather than provide credentials in order to log in, the user clicks Register for Guest Access. The user is redirected to a page where that account can be created. An optional secret registration code can be enabled in order to limit the self-registration privilege to people who know that secret value. After the account is created, the user is provided credentials (username and password) and logs in with those credentials.

ISE sends a RADIUS Change of Authorization (CoA) Reauthenticate to the WLC. The WLC re-authenticates the user when it sends the RADIUS Access-Request with the Authorize-Only attribute. ISE responds with Access-Accept and Airespace ACL defined locally on the WLC, which provides access to the Internet only (final access for guest user depends on the authorization policy).

Note: For Extensible Authentication Protocol (EAP) sessions, ISE must send a CoA Terminate in order to trigger re-authentication because the EAP session is between the supplicant and the ISE. But for MAB (MAC filtering), CoA Reauthenticate is enough; there is no need to de-associate/de-authenticate the wireless client.

The guest user has desired access to the network. Multiple additional features like posture and Bring Your Own Device (BYOD) can be enabled (discussed later).

Add the new RADIUS server for Authentication and Accounting. Navigate to Security > AAA > Radius > Authentication in order to enable RADIUS CoA (RFC 3576). There is a similar configuration for Accounting. It is also advised to configure the WLC to send SSID in the Called Station ID attribute, which allows the ISE to configure flexible rules based on SSID.

Under the WLANs tab, create the Wireless LAN (WLAN) Guest-WiFi and configure the correct interface. Set Layer2 security to None with MAC filtering. In Security/Authentication, Authorization, and Accounting (AAA) Servers, select the ISE IP address for both Authentication and Accounting. On the Advanced tab, enable AAA Override and set the Network Admission Control (NAC) State to ISE NAC (CoA support).

Navigate to Security > Access Control Lists > Access Control Lists and create two access lists:

- GuestRedirect, which permits traffic that must not be redirected and redirects all other traffic.
- Internet, which is denied for corporate networks and permitted for all others.

Here is an example for GuestRedirect ACL (need to exclude traffic to/from ISE from redirection):

Add the WLC as a Network Access Device from Work Centers > Guest Access > Network Devices.

Navigate to Work Centers > Guest Access > Identity Groups > Endpoint Identity Groups.

Create a Guest Type by navigating to Work Centers > Guest Access > Portal & Components > Guest Types. Refer to the previously created Endpoint Identity Group under this new Guest Type and Save.

Create a new Guest Portal Type: Self-Registered Guest Portal. Navigate to Work Centers > Guest Access > Guest Portals.

Choose the portal name, refer to the Guest Type created before, and configure the credential notification settings under Registration Form settings to send the credentials via Email. Refer to this document on how to configure the SMTP server on ISE:

Leave all of the other settings to default.

Under Portal Page Customization, all pages presented can be customized. By default, the Guest account is valid for 1 day and it can be extended to the number of days configured under the specific Guest Type.
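When troubleshooting, the MAB guest flow described above (redirect Access-Accept, CoA Reauthenticate, Authorize-Only Access-Request, final Access-Accept) can be checked mechanically. The following is an added example, not part of the original document or of any Cisco tooling: it walks one client's ordered RADIUS events and reports a missing redirect attribute, an ACL name that is not defined on the WLC, or a skipped step. The event dictionaries, their field names (`type`, `av_pairs`, `action`, `authorize_only`, `airespace_acl`) and the sample URL are constructed for illustration.

```python
# Added example: event field names and sample values are constructed, not an ISE/WLC log format.
EXPECTED = ["redirect-accept", "coa-reauth", "authorize-only", "final-accept"]
REDIRECT_KEYS = {"url-redirect", "url-redirect-acl"}

def av_pairs(event):
    """Parse 'name=value' cisco-av-pairs; split on the first '=' (URLs contain '=')."""
    pairs = (p.partition("=") for p in event.get("av_pairs", []))
    return {name.strip(): value.strip() for name, sep, value in pairs if sep}

def classify(event):
    """Map one RADIUS event to a stage of the guest flow, or None if unrelated."""
    if event["type"] == "Access-Accept":
        return "redirect-accept" if REDIRECT_KEYS & set(av_pairs(event)) else "final-accept"
    if event["type"] == "CoA" and event.get("action") == "reauthenticate":
        return "coa-reauth"
    if event["type"] == "Access-Request" and event.get("authorize_only"):
        return "authorize-only"
    return None

def check_guest_flow(events, wlc_acls):
    """Return the problems found in one client's ordered RADIUS events."""
    problems, stages = [], []
    for event in events:
        stage, acl = classify(event), None
        if stage:
            stages.append(stage)
        if stage == "redirect-accept":
            av = av_pairs(event)
            missing = sorted(REDIRECT_KEYS - set(av))
            problems += [f"redirect Access-Accept lacks {name}" for name in missing]
            acl = av.get("url-redirect-acl")
        elif stage == "final-accept":
            acl = event.get("airespace_acl")
            if acl is None:
                problems.append("final Access-Accept carries no Airespace ACL")
        if acl is not None and acl not in wlc_acls:
            problems.append(f"ACL {acl!r} is not defined on the WLC")
    if stages != EXPECTED:
        problems.append(f"unexpected stage order: {stages}")
    return problems

WLC_ACLS = {"GuestRedirect", "Internet"}  # ACL names defined locally on the WLC
SESSION = [  # constructed: MAB request, redirect, CoA, re-auth, final access
    {"type": "Access-Request"},
    {"type": "Access-Accept", "av_pairs": ["url-redirect-acl=GuestRedirect",
        "url-redirect=https://ise.example.test/portal?sessionId=abc"]},
    {"type": "CoA", "action": "reauthenticate"},
    {"type": "Access-Request", "authorize_only": True},
    {"type": "Access-Accept", "airespace_acl": "Internet"},
]
```

`check_guest_flow(SESSION, WLC_ACLS)` returns an empty list for the constructed session; removing the CoA event or renaming an ACL on the WLC side produces a problem entry.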