Cisco ISE 2.0 – Guest authentication ISE configuration

This is a 4 part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).
For more guides about configuring (previous) Cisco ISE, see this page.This is part 4, the ISE configuration for guest access

Configure Cisco ISE

The Authorization profile will be created first, then the authentication and authorization policies are configured.

1. Navigate to Policy, Policy Elements, Results
2. Navigate to Authorization, Authorization Profile
3. Click “Add”
   1. Name: DOMWLC01_CWA
   2. Access Type: Access Accept
   3. Check Web Redirection, Choose Centralized Web Auth
   4. ACL: CWA_Redirect or Flex_ACL (corresponds with created ACL or Flex ACL on WLC)
   5. Value: Sponsored Guest Portal (Uses standard Portal, if you use custom portal, use that instead)
   6. Select “static IP/Hostname” and enter one that corresponds with the certificate (For example: guestportal.ehlo.lan in this example)

4. Click Save
5. Create a record for the portal in DNS:

Create the Authentication Rule

The authentication rule ensures that ISE accepts all of the MAC authentications from the WLC and makes sure it will pursue authentication even if the user is not found (and thus the client needs to receive a portal redirect).

1. Navigate to Policy, Authentication
2. In a standard configuration, the correct Authentication rule for MAB is already present. If not, configure as follows:

Create the authorization Policy

Two authorization policies will be created:

1. The second line is used when an unknown mac address is encountered (user is not authenticated yet), the result will be a redirect to the webportal using the DOMWLC01_CWA authorization profile.
2. The first line is used when the user authenticates with the guest portal. This part cannot use the DOMWLC01_CWA authorization profile, as it would trigger an authentication redirect loop.

The above sequence used is mandatory, the guest redirection rule should be configured AFTER the PermitAccess rule.
First, create the authorization policy for the guest portal redirect:

1. Navigate to Policy, Authorization, Create New
2. Name: “Guest redirect to Portal”
3. Click Condition(s), Create new Condition
4. Select Airespace, WLANID, Equals, <WLAN ID Number>
5. After “then”, select Standard, DOMWLC01_CWA (The central web authentication Authorization Profile we created earlier):

Create a new rule BEFORE the redirection rule

1. Name: “Authenticated Guest”
2. Click the + after “if” and select the guest types for which you would like to allow access:

3. Click Condition(s), Create new Condition
4. Select AireSpace,WLAN ID, Equals, <WLAN ID Number>
5. After “then”, select PermitAccess (or a custom setting if you would like to provide a VLAN), here we just use PermitAccess:

How it works:

1. Upon first authentication attempt, users are redirected to the guest portal, using the “Guest Redirect to Portal” rule. The “Authenticated Guest” rule isn’t hit, because the user’s mac address isn’t member of one of the various guest types.
2. After authentication in the guest portal, the user’s mac address is mapped to the given guest account and is granted access.

Upon authentication in the future, the mac address is already matched with the guest useraccount in the ISE database, and the user is granted access using the “Authenticated Guest” rule.
Thanks to Dominique Hermans (follow him on Twitter) for his great help with these Cisco ISE 2.0 blog posts!