Cisco ISE Part 9: Guest and web authentication

This is a Cisco ISE blog post series with some how-tos for configuring an ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 9: Guest and web authentication
Web authentication can be used for guest access. It can also be used as a last resort for authenticating normal users whose 802.1X supplicant is not working. Access to the portal is typically provided through a remediation VLAN with limited access to resources. The portal uses HTTP and HTTPS; because the client's access is limited, the NAD (or WLC) intercepts the HTTP request and redirects it to the web portal.
There are two portals. The Guest portal is the portal guests use to log in. The Sponsor portal is used by company employees to create and manage guest accounts. The options available to guest users in the guest portal are customizable.
To handle the RADIUS requests, the portal is installed on all required policy nodes. The portal configuration (and the users) are replicated to all nodes, so the deployment is managed centrally.
You can configure multiple authorization sources in one rule, so you can use one SSID for all uses: internal production, BYOD, guest, etc. This is a nice feature of Cisco ISE.
Configuration
Click Administration – Guest management – Settings, click the arrow and click Multi-portal configurations.
Edit the DefaultGuestPortal to your needs:

  • Password policies
  • Need for a posture client
  • Self service
  • Device registration
  • DHCP settings
  • Policies
  • etc.

(screenshots: guestportal1, guestportal2)

Click Policy – Policy elements – Results – Authorization – Authorization Profiles and create a new profile with “web authentication” checked.
The ACL named here does not exist in ISE; it must be configured on the switch (or WLC) under the same name. Choose "Manual" as the redirect option.
(screenshot: guestportal3)
To configure web authentication as a fallback, click Policy – Authentications and edit the relevant rule. Select "Continue" for all three options:
(screenshot: guestportal4)
Create a new authorization rule for users that match none of the identity groups and use web authentication as its authorization result. Click Policy – Authorization and edit the relevant rule. Select the guest portal authorization profile:
(screenshot: guestportal5)
You can edit the DACL for company users after authorization.
Click Policy – Policy Elements – Results. Select Authorization – Downloadable ACLs – Dot1x_Valid_Domain_User. Add a permit entry for the ISE policy node IP(s).
Make sure that the client can reach the webauth portal before authentication (through a pre-auth ACL).
Enable CoA on the switch:

! Allow ISE (10.10.10.150) to send Change of Authorization requests to the switch
Switch(config)# aaa server radius dynamic-author
Switch(config-locsvr-da-radius)# client 10.10.10.150 server-key mykey
Switch(config-locsvr-da-radius)# exit
! The HTTP/HTTPS server is required for the switch to intercept and redirect client requests
Switch(config)# ip http server
Switch(config)# ip http secure-server
! Send vendor-specific attributes (e.g. the url-redirect attributes) in RADIUS authentication and accounting
Switch(config)# radius-server vsa send authentication
Switch(config)# radius-server vsa send accounting
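The switch-side ACLs that the authorization profile and the DACL step above refer to are not shown in the post. The following is an added example, not configuration from the original post: a redirect ACL (same name as entered in the ISE authorization profile), a pre-auth ACL applied to the access port, and a basic 802.1X/MAB port configuration. Assumed values: the ISE policy node is 10.10.10.150 (the CoA client above), the DNS server is 10.10.10.53, the access VLAN is 200 and the port is GigabitEthernet1/0/10; the ACL names are also chosen for this example.

```ios
! Added example (not from the original post). Assumed addresses:
! ISE policy node 10.10.10.150, DNS server 10.10.10.53.

! The switch must know the client's IP address to apply the URL redirect
! (classic IOS syntax; newer IOS-XE releases use "device-tracking" instead).
ip device tracking

! Redirect ACL: the name must match the ACL name entered in the ISE
! authorization profile. "permit" lines are intercepted and redirected to
! the portal; "deny" lines are left alone and forwarded normally.
ip access-list extended ACL-WEBAUTH-REDIRECT
 remark Never redirect DNS or traffic to ISE itself, or the portal cannot load
 deny   udp any any eq domain
 deny   ip  any host 10.10.10.150
 remark All other web traffic is sent to the portal
 permit tcp any any eq www
 permit tcp any any eq 443

! Pre-auth ACL: what an unauthenticated client may reach at all. It stays
! on the port until ISE pushes a DACL after successful authorization.
ip access-list extended ACL-PREAUTH
 remark DHCP, so the client can obtain an address in the remediation VLAN
 permit udp any any eq bootps
 remark DNS, so the portal hostname resolves
 permit udp any host 10.10.10.53 eq domain
 remark The ISE node on any TCP port, so the portal port chosen under
 remark Guest Management - Settings - General - Ports is covered
 permit tcp any host 10.10.10.150
 remark Nothing else before authentication
 deny   ip  any any

! Access port: 802.1X first, MAB as fallback. A client without a working
! supplicant lands in the "no match" authorization rule from the post,
! which returns the web authentication profile and the redirect ACL.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 200
 ip access-group ACL-PREAUTH in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
```

The two ACLs answer different questions: the pre-auth ACL decides whether a packet may leave the port at all, and the redirect ACL decides which of the permitted packets the switch answers with a redirect to the ISE portal. Leaving DNS and the ISE node out of the redirect ACL is what keeps the portal reachable; leaving them in the pre-auth ACL is what the DACL step in the post is about.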

Guest portal configuration
First, create a sponsor group. Click Administration – Identity Management – Groups, click Add and enter a name.
Next, configure the SMTP settings under Administration – System – Settings. Select SMTP and enter the SMTP server.
Click Administration – Guest Management – Settings and click General – Ports. Check and/or change the port numbers.
Create a user group in Active Directory for sponsor users. Add this group in ISE: click Administration – Identity Management – External Identity Sources. Select Active Directory and click Groups. Add the sponsor group.
Click Administration – Guest Management – Sponsor Group Policy. Change the Identity Groups field to Any. In the Other Conditions field, click the plus sign and select Create New Condition. In the expression field, select your domain. In the rightmost field, select the Active Directory sponsor group.
Do not forget to apply the correct authentication sequence to the sponsor portal. Click Administration – Guest Management – Settings. Select Sponsor – Authentication Source.
In the WLC, configure an ACL that only allows access to the ISE node and DNS lookups to your DNS server. Make sure you use the same ACL name as in the authorization profile. In the WLC, click Wireless – All APs, click an AP, click FlexConnect, then External WebAuthentication ACLs.
Click Add under Web Policies to add the ACL.
(screenshot: WLC ACL)
Repeat these steps for every AP.
The authentication rule looks like this:
(screenshot: Guestauthentication)
The authorization rules look like this:
(screenshot: guestauthorization)
This is the basic configuration. All other settings are customizable.
Happy testing!
Next week, the last part of this blog post series, part 10: Profiling and posture.

5 comments

  • thanks

  • with this configuration,
    Switch(config)# ip http server
    Switch(config)# ip http secure-server
    Are you still able to lock down http access using an access-class? I'm not a fan of having the http server enabled. aaa authentication default xxx will restrict login access to it, but I don't want http open to my entire network to allow them to login (this would likely get flagged in a pentest)

    • Hi Steve,
      You don’t need ISE for that, you can apply an ACL to the http server with the following command:
      ip http access-class <access-list-number>

      • If you add the access-class command though, and say lock it down to only your management server(s) – will this break wired guest access to the login portal? (as the http redirection is done on the switch)

        • That configuration will not break the webauthentication of ISE. The switch will redirect the clients’ request to the ISE servers by using CoA. The http service in the switches is not used for any client authentication.
          So in summary, it’s no problem to restrict the http server on the switches by using an ACL if you use ISE webauth for clients. It’s even recommended to restrict http access, because it’s used for management of the switch and you don’t want regular users to access management interfaces of the switches.
