Ise Guest Portal Certificate

1/7/2022 by admin
  • Follow the steps below to reconfigure the behavior of the Certificate Provisioning Portal:
    1. Go to Administration > Device Portal Management > Certificate Provisioning.
    2. Click on Certificate Provisioning Portal (default).
    3. Expand Portal Settings.
    4. Certificate group tag.
    5. Authentication method.
    6. Configure authorized groups.
    7.
  • Under the Portal Settings section we can change the following:
    • HTTPS port that ISE uses for the Guest Portal. I usually keep this at 8443, but if you do decide to change it, remember to change it in your ISE-only ACLs if you're locking down ports.
    • Certificate Group Tag: this specifies the certificate used for this portal. I usually recommend using a certificate signed by a public CA to avoid any pesky certificate warnings in the end user's browser.

Obtain the Base64-encoded certificate(s) from the Root CA, Intermediate CA(s), and/or the hosts required to be trusted. Log in to the ISE node, navigate to Administration > System > Certificates > Certificate Management > Trusted Certificates and click Import.

Been toying with the Cisco vWLC and ISE in the home lab. Evaluation copies of ISE can be found on Cisco’s box share here: https://cisco.app.box.com/v/ISE-Eval

Here are my notes on configuring a Guest Hotspot portal. Hotspots are a simple portal where users will need to accept an Acceptable Use Policy before being granted access to the internet.

Please also see the ISE Guest Access Deployment Guide from Cisco for more details on setting up different Guest Access scenarios: https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

After installing vWLC and ISE, add ISE as an AAA server on the vWLC.

  • Log into the vWLC. Click the Security tab at the top.
  • On the left-hand menu click Authentication under RADIUS/AAA.
  • Click the New button to add a new AAA server.
  • Enter the IP address of the ISE server, make sure the port number is 1812 and that Support for CoA is checked. Create a Shared Secret and make a note of it, as ISE will need to be configured with the same secret. Click Apply.
  • Next click Accounting from the Security > AAA menu on the left. Click New and enter the required information.

Next we will log into ISE and configure the WLC as a network device.

  • Go to Work Centers > Network Resources.
  • Click Add and fill out the WLC information. Check RADIUS Authentication Settings and enter the same Shared Secret that was configured earlier on the WLC.

The next step is to configure our Guest WLAN/SSID.

  • Log into your WLC and click the WLANs tab. Choose Create New from the drop-down box and click Go.
  • Enter a profile name and SSID.
  • Set Status to Enabled, and select the correct interface for your guest traffic.
  • Next click the Security tab.
  • Change Layer 2 Security to None, and check MAC Filtering.
  • Click AAA Servers, and change the Authentication and Authorization servers to the ISE server via the drop-down boxes.

  • Click the Advanced tab.
  • Check Allow AAA Override.
  • Under NAC, change the drop-down to ISE NAC.
  • Uncheck FlexConnect Local Switching if enabled.
  • Check DHCP/HTTP Profiling under RADIUS Client Profiling.

  • Next we have to create a few ACLs: one for Web Auth Redirect that allows DNS and traffic to ISE, and another ACL for restricting guest access. (As this is just a lab we’re not too concerned with traffic separation, but typically the best way to separate Guest and production traffic is through an anchor controller in the DMZ, see: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/WirelessNetwork_GuestAccessService.html)
  • Click Security, and find Access Control Lists on the left-hand menu.
  • Click New, and for the ACL name type ACL_WEBAUTH_REDIRECT.
  • Click Apply, then click the ACL name to start editing.
  • Click Add New Rule.
  • Create a rule allowing destination DNS (udp/53) from any to any.
  • Create a rule allowing source DNS (udp/53) from any to any.
  • Create a rule allowing TCP from ISE to any.
  • Create a rule allowing TCP from any to ISE.
  • Note: in production you would want to limit the DNS entries to just your trusted DNS server.
  • Create a new ACL if you’d like to place any restrictions on your guest network, e.g. blocking access to any private IP space.
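To make the two ACLs concrete, here is an added example (not code from the original post, and not a WLC feature) that models the WLC's first-match ACL evaluation in Python: ACL_WEBAUTH_REDIRECT as listed above, plus a guest-restriction ACL that blocks RFC 1918 space. The ISE address, the trusted DNS server and the guest client address are constructed lab values; the `dns_scope` parameter shows the production note above, limiting UDP/53 to the trusted resolver instead of "any".

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed lab addresses; assumptions for this example, not values from the post.
ISE_IP = "10.0.0.5"
TRUSTED_DNS = ipaddress.ip_network("10.0.0.53/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/32")


class Rule(NamedTuple):
    action: str                     # "permit" or "deny"
    proto: str                      # "udp", "tcp" or "any"
    src: ipaddress.IPv4Network
    sport: Optional[int]            # None matches any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def build_redirect_acl(dns_scope: ipaddress.IPv4Network = ANY) -> List[Rule]:
    """ACL_WEBAUTH_REDIRECT as described above: DNS in both directions plus TCP
    to and from ISE. In the lab dns_scope is ANY; in production pass the
    trusted DNS server so guests cannot reach arbitrary hosts over UDP/53."""
    return [
        Rule("permit", "udp", ANY, None, dns_scope, 53),       # DNS query
        Rule("permit", "udp", dns_scope, 53, ANY, None),       # DNS reply
        Rule("permit", "tcp", host(ISE_IP), None, ANY, None),  # portal -> client
        Rule("permit", "tcp", ANY, None, host(ISE_IP), None),  # client -> portal
    ]


# Guest restriction ACL applied after the AUP: block RFC 1918 space but keep the
# trusted resolver reachable (it sits in private space in this constructed lab).
GUEST_RESTRICT_ACL: List[Rule] = [
    Rule("permit", "udp", ANY, None, TRUSTED_DNS, 53),
    Rule("deny", "any", ANY, None, ipaddress.ip_network("10.0.0.0/8"), None),
    Rule("deny", "any", ANY, None, ipaddress.ip_network("172.16.0.0/12"), None),
    Rule("deny", "any", ANY, None, ipaddress.ip_network("192.168.0.0/16"), None),
    Rule("permit", "any", ANY, None, ANY, None),
]


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end. For the
    redirect ACL, traffic that is not permitted is what the WLC intercepts:
    HTTP is redirected to the portal, everything else is dropped."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in acl:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


if __name__ == "__main__":
    guest = "192.168.50.10"          # constructed guest client address
    checks = [
        Packet("udp", guest, 51000, "8.8.8.8", 53),        # DNS to a public resolver
        Packet("tcp", guest, 51001, ISE_IP, 8443),         # portal on the ISE HTTPS port
        Packet("tcp", guest, 51002, "93.184.216.34", 80),  # web traffic, gets redirected
    ]
    for p in checks:
        print(p, "lab:", evaluate(build_redirect_acl(), p),
              "prod:", evaluate(build_redirect_acl(TRUSTED_DNS), p))
```

Running it shows the difference the production note makes: with `dns_scope=ANY` a DNS query to any resolver passes the redirect ACL before authentication, while with the trusted server scoped in, only queries to that server do.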

Next we’ll create ISE policies to redirect users who connect to the Guest network to a web portal. Once the AUP has been accepted, they will get a new policy applied that restricts their access to the internet only, via the ACL we created earlier. We’re going to be using the default hotspot portal, but you can design your own portals with custom graphics. Cisco also has an ISE portal builder with an excellent WYSIWYG editor that makes custom portal building a snap. The portal builder requires a Cisco login and can be found here: https://isepb.cisco.com/#/

  • Log in to ISE. Go to Work Centers > Guest Access > Policy Elements.
  • Click Results and go to Authorization Profiles.
  • Click Add to create a new profile.
  • Give the profile a descriptive name and description.
  • Scroll down a bit in the Common Tasks and check Web Redirection.
  • Select Hotspot from the drop-down. Enter ACL_WEBAUTH_REDIRECT as the ACL; the Value will be the Hotspot Guest Portal (if you’ve uploaded a custom portal you can select it here).
  • Click Submit.
  • Click Add again and enter a new name and description. This profile will apply the guest restriction ACL we created on the WLC.
  • Scroll down in the Common Tasks, find Airespace ACL, and enter the name of the Guest ACL you created earlier. Click Submit.
  • Now go to Work Centers > Guest Access > Policy Sets.
  • Expand the Default policy set by clicking the arrow on the right.
  • Expand the Authentication Policy by clicking the arrow.
  • Find MAB (MAC Authentication Bypass) and expand the options menu. Be sure the option for “If User not found” is set to Continue.
  • Next we’ll create our new Authorization Policies for the Guest network. Expand Authorization Policy and select a place to insert the policies. Locate a rule, click the gear, and select insert above or below rule to place the new policies where you’d like them.
  • Enter a name for the policy. Select Wireless_MAB as the condition, and Guest_Hotspot as the Profile.
  • Add a new rule above the one we just created.
  • This one applies the Guest ACL once the user has gone through the portal. Conditions will be Wireless_MAB, IdentityGroup = GuestEndpoints, and Guest_Flow. The Result will be the Guest_Access profile we created, which applies the ACL we created on the WLC.
  • Click Save.

This should be enough configuration to get the Guest Hotspot SSID up and running. Connecting to the new SSID should pop up the AUP; once accepted, you should have access to the internet.

Cisco Identity Services Engine (ISE) may be used for guest management when paired with Meraki Access Points. Cisco ISE is another option for authorizing users, enabling many additional business use cases.

Meraki APs will pass necessary information over to Cisco ISE using MAC-based authentication and honor a Uniform Resource Locator (URL) redirect that is received from the Cisco ISE Server. Using change of authorization (CoA), the Cisco ISE server can ensure that the correct authorization is applied to the end user devices based on the authentication status.


Expected Packet Flow



  1. Client machine associates to the web authentication SSID.

  2. The MR sends the client MAC address to the RADIUS server as username and password (Access-Request), and responds to the client machine acknowledging the association request.

  3. The ISE server responds with a RADIUS Access-Accept and a redirect URL.

  4. Client machine gets an IP address and DNS server address through DHCP.

  5. Client machine tries to reach a webpage, which results in an HTTP GET packet.

  6. The MR intercepts the GET packet and sends the redirect URL instead (with the webpage hosted on ISE).

  7. Client machine authenticates on the ISE web portal.

  8. The RADIUS server then sends a CoA request (CoA requests work on UDP port 1700) with a request to re-authenticate, also indicating that the user is valid.

  9. The MR sends CoA-ACK.

  10. The MR authenticator sends an Access-Request with the existing client machine's session ID and MAC address.

  11. The ISE server then responds with Access-Accept and any extra ISE functions after the client's successful authentication to the web portal.

  12. Client is allowed access to the network.
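The RADIUS side of steps 2, 8 and 9 is where the shared secret configured on both the MR/WLC and the ISE network device actually does its work. The following is an added example (not code from the original page, and not Meraki's or Cisco's implementation) that builds a MAB Access-Request and a CoA-Request with the Python standard library, then performs the two checks each side does: ISE decrypts User-Password (RFC 2865 section 5.2) with its copy of the secret and compares it to User-Name, and the MR recomputes the CoA Request Authenticator (RFC 5176) before it answers with CoA-ACK. The secret, MACs and SSID are constructed lab values; the `subscriber:command=reauthenticate` Cisco-AVPair is the reauthenticate command ISE carries in the CoA.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# Constructed lab values; assumptions for this example, not from the page.
SHARED_SECRET = b"lab-shared-secret"   # configured on the MR and on the ISE network device
CLIENT_MAC = "aa:bb:cc:dd:ee:ff"
AP_MAC = "00-11-22-33-44-55"
SSID = "Guest"

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
COA_REQUEST, COA_ACK = 43, 44            # RFC 5176; the MR listens on UDP 1700
USER_NAME, USER_PASSWORD = 1, 2
VENDOR_SPECIFIC = 26
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
NAS_PORT_TYPE, WIRELESS_80211 = 61, 19
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) carrying a Cisco-AVPair, e.g. the reauthenticate command in a CoA."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], pad))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_access_request(identifier: int, mac: str, secret: bytes,
                             authenticator: Optional[bytes] = None) -> bytes:
    """Step 2 of the flow: the MR sends the client MAC as User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)
    mac_attr = mac.replace(":", "-").upper().encode()   # one common MAB formatting (assumption)
    attrs = (avp(USER_NAME, mac_attr)
             + avp(USER_PASSWORD, encode_user_password(mac_attr, secret, authenticator))
             + avp(CALLING_STATION_ID, mac_attr)
             + avp(CALLED_STATION_ID, f"{AP_MAC}:{SSID}".encode())
             + avp(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def ise_mab_check(packet: bytes, secret: bytes) -> bool:
    """What ISE does on receipt: decrypt User-Password with its copy of the secret and
    compare with User-Name. A secret mismatch between MR and ISE fails here."""
    _, _, authenticator, attrs = parse(packet)
    return decode_user_password(attrs[USER_PASSWORD], secret, authenticator) == attrs[USER_NAME]


def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Step 8: RFC 5176 Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def coa_request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """What the MR does before answering with CoA-ACK: recompute and compare in constant time."""
    code, identifier, authenticator, _ = parse(packet)
    header = struct.pack("!BBH", code, identifier, len(packet))
    expected = hashlib.md5(header + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(authenticator, expected)


if __name__ == "__main__":
    req = build_mab_access_request(1, CLIENT_MAC, SHARED_SECRET)
    print("ISE accepts MAB request:", ise_mab_check(req, SHARED_SECRET))
    coa = build_coa_request(2, avp(CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF")
                            + cisco_avpair("subscriber:command=reauthenticate"), SHARED_SECRET)
    print("MR accepts CoA:", coa_request_is_authentic(coa, SHARED_SECRET))
```

Two things worth noticing when you run it: a secret mismatch does not produce an error message on the wire, the Access-Request is simply discarded by ISE (and an unauthentic CoA by the MR), which is why "no response" is the usual symptom of a mistyped shared secret; and the User-Password protection is MD5-based obfuscation rather than real encryption, one reason to keep RADIUS between the AP/WLC and ISE on a management network rather than a guest-reachable one.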

Configuration

The following sections of this guide outline a configuration example using Cisco ISE as the guest management system, which also hosts the captive portal.


Meraki Access Point Dashboard Configuration

The Meraki access point configuration is outlined below; all of it is done on the Access Control page for a particular SSID (Wireless > Configure > Access Control).

Configure MAC-Based Authentication

Select MAC-based access control from the association requirements section of the access control page.

Enter the details for the RADIUS server, including the IP address, port and secret. If using Group Policies, select Airespace-ACL-Name as the RADIUS attribute specifying the group policy name. The Airespace-ACL-Name must match the name of one of your group policies configured under Network-wide > Group Policies. Enable CoA support if there is a requirement to change the attributes of an authentication, authorization, and accounting (AAA) session.

Configure CWA for Splash page

Select Cisco Identity Services Engine (ISE) Authentication in the Splash Page section of the access control page. This setting will honor the Cisco custom url-redirect attribute sent from Cisco ISE.

Configure the Walled Garden

The IP address of the Cisco ISE server needs to be added to the walled garden to ensure that a client will be permitted through the walled garden before being authenticated by the Cisco ISE server.

DNS traffic is permitted by default through the walled garden.

Disable CNA

As of Cisco ISE 2.2, Apple CNA is supported for Guest and BYOD. Beginning July 26th, 2017, Apple CNA and Android captive portal detection are enabled by default on Cisco Meraki MR access points. On iOS 7+ and OS X, the client will automatically launch a mini-browser (CNA) that takes the user to the splash page to complete authentication and gain access to the network. Android devices will display a notification prompting the user to sign into the Wi-Fi network; tapping the notification will launch the device browser and direct the user to the splash page. To disable CNA and captive portal detection, append the 17.0.0.0/8 IP range and the captive-portal detection domain names to the walled garden.

Disabling CNA will require that users manually open their web browser before being presented with the splash page. Applications on the user's device that require Internet connectivity will not function as expected until the user has opened their web browser and completed authentication via the splash page.

Cisco ISE Configuration

The following sections focus on Cisco ISE 2.4 and present a basic configuration with the default web portal from Cisco ISE. For more information about web portal customization, see the ISE documentation.

Adding Managed Network Devices

MR access points acting as authenticators (the devices through which AAA requests are sent to Cisco ISE) need to be added to ISE before an Access-Request will be answered; by default ISE does not answer requests from unknown network devices.

To add a new device:

  1. In Cisco ISE, choose Administration > Network Resources > Network Devices.

  2. From the Network Devices navigation pane on the left, click Network Devices.

  3. Click Add from the action icon on the Network Devices navigation pane, or click an already added device name in the list to edit it.

  4. In the right pane, enter the Name and IP Address. For the mask, you can add all devices inside a network using /24 (or as needed) to avoid manually importing several APs.

  5. Check the Authentication Settings check box and define a Shared Secret for RADIUS authentication. This must match the Secret entered for the RADIUS server when configuring the SSID in Dashboard.

  6. Click Submit.

Once a device is added, it will show up on the device list in ISE.

Creating Results for Rules


A new result needs to be created in which the redirection will be specified.


To do this, go to Policy > Results. Click on Authorization and then Authorization Profiles.

Click on “Add”.

  1. Name this authorization profile.

  2. On Common Tasks, select “Web Redirection (CWA, MDM, NSP, CPP)”, choose Centralized Web Auth, on ACL “NULL” and Value “Self-Registered” (these values can change depending on your needs).

Optionally, Static IP can be used so that no DNS server is needed; however, this is not recommended because the IP of the ISE server will then be in clear text and visible to the end client.

Enabling Policy Sets

Cisco ISE supports policy sets, which allow grouping sets of authentication and authorization policies, as opposed to the basic authentication and authorization policy model, which is a flat list of authentication and authorization rules. Policy sets allow for logically defining an organization's IT business use cases into policy groups or services, such as VPN and 802.1X. This makes configuration, deployment, and troubleshooting much easier.

In Cisco ISE, choose Administration > System > Settings > Policy Sets.

Creating a Policy Set

  1. Click on Policy > Policy Set.

  2. Click the plus (+) sign, or click on the settings icon and Create above, to create a new policy set.

  3. Enter the Name, Description and a Condition for this policy set.

  4. Click on Condition; a new menu will show. Match the condition necessary. Per-SSID policy sets are recommended, therefore the attribute “Radius·Called-Station-ID” ENDS WITH “<SSID name>” is the preferred option. Click “Use” after configuring this step.

  5. Define allowed protocols; by default “Default Network Access” can be used.

  6. Click on “Save”.

Create Authentication Policy

  1. View the policy by clicking on the right arrow.

  2. Click on “Options”.

  3. Change “If user not found” to CONTINUE.

Create Authorization Policy.

Two rules are required in Authorization Policies for Central Web-Auth, one rule will prompt the redirection and the second rule will grant access once the client machine has passed web page authentication.

  1. Click on Authorization Policy.

  2. Click on the (+) sign or on the settings icon to create a new rule.

  3. Click on “Condition”; a new window will pop up. In this window, the method of the client requesting access can be selected.

    • Look for Called-Station-ID and match it to the name of the SSID.

  4. Click “Use”.

  5. Under “Results”, select the name of the profile created for redirection, in this case “CWA”.

For the second rule, click on the Action icon and select “Insert new row above”.

  1. Click on “Condition”; a new window will pop up. In this window, the method of the client requesting access can be selected.

  2. Look for “IdentityGroup:Name”.

  3. Select “In” and “Endpoint Identity Groups: GuestEndpoints”.

  4. Click on “Use”.

  5. Under “Results”, select the profile called “PermitAccess”.

  6. Click Save.

Both rules should be created and should look like the image below, order is very important.
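Why the order matters is easiest to see by running the policy. The following is an added example (not code from the original page, and not ISE's own evaluation engine) that models ISE's top-down, first-match authorization policy in Python for both two-rule setups on this page: the WLC hotspot rules (Wireless_MAB plus IdentityGroup = GuestEndpoints and Guest_Flow above a plain Wireless_MAB redirect rule) and the Meraki CWA rules (GuestEndpoints above the Called-Station-ID redirect rule). It then walks one new MAC through the packet flow: first MAB request, redirect, portal login that registers the endpoint in GuestEndpoints, CoA reauthentication and a second MAB request. The AP MAC, SSID and the `<AP MAC>:<SSID>` Called-Station-ID format are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Constructed request attributes; assumptions for this example, not values from the page.
AP_MAC, SSID = "00-11-22-33-44-55", "Guest"


@dataclass(frozen=True)
class Request:
    called_station_id: str              # WLC/MR send "<AP MAC>:<SSID>" (assumption)
    nas_port_type: str                  # "Wireless - IEEE 802.11"
    service_type: str                   # "Call Check" for MAB
    identity_groups: FrozenSet[str]     # endpoint identity groups the MAC belongs to
    guest_flow: bool = False            # set once the session has passed the portal


Cond = Callable[[Request], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Cond
    result: str


def wireless_mab(r: Request) -> bool:
    return r.nas_port_type == "Wireless - IEEE 802.11" and r.service_type == "Call Check"


def on_ssid(ssid: str) -> Cond:
    return lambda r: r.called_station_id.endswith(":" + ssid)


def in_group(group: str) -> Cond:
    return lambda r: group in r.identity_groups


def guest_flow(r: Request) -> bool:
    return r.guest_flow


def all_of(*conds: Cond) -> Cond:
    return lambda r: all(c(r) for c in conds)


def first_match(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """ISE evaluates authorization rules top-down and applies the first match;
    the default at the bottom of the policy is DenyAccess."""
    for rule in rules:
        if rule.condition(req):
            return rule.name, rule.result
    return "Default", "DenyAccess"


# Correct order: the specific rule (known guest endpoint, through the portal) above
# the catch-all redirect rule, which is what the "insert above" step produces.
CORRECT_ORDER = [
    Rule("Guest_Access",
         all_of(wireless_mab, on_ssid(SSID), in_group("GuestEndpoints"), guest_flow),
         "PermitAccess"),
    Rule("Guest_Redirect", all_of(wireless_mab, on_ssid(SSID)), "CWA"),
]
WRONG_ORDER = list(reversed(CORRECT_ORDER))


def simulate_guest_flow(rules: List[Rule], max_rounds: int = 3) -> List[str]:
    """Walk one new MAC through the flow: MAB -> redirect -> portal login (endpoint
    registered in GuestEndpoints, Guest_Flow set) -> CoA reauth -> MAB again."""
    groups, passed_portal, outcomes = set(), False, []
    for _ in range(max_rounds):
        req = Request(f"{AP_MAC}:{SSID}", "Wireless - IEEE 802.11", "Call Check",
                      frozenset(groups), passed_portal)
        _, result = first_match(rules, req)
        outcomes.append(result)
        if result == "PermitAccess":
            break
        if result == "CWA":
            groups.add("GuestEndpoints")
            passed_portal = True
    return outcomes


if __name__ == "__main__":
    print("correct order:", simulate_guest_flow(CORRECT_ORDER))   # ['CWA', 'PermitAccess']
    print("wrong order:  ", simulate_guest_flow(WRONG_ORDER))     # ['CWA', 'CWA', 'CWA']
```

With the rules in the wrong order the plain Wireless_MAB redirect rule matches every request, including the reauthentication after the portal, so the guest is redirected to the AUP page forever; that loop is the classic symptom of a misordered CWA policy and the reason the page insists on inserting the GuestEndpoints rule above.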
