topic Re: Modification of Self-Register Portal Workflow in Network Access Control

Modification of Self-Register Portal Workflow

florian.hahner1 — Thu, 07 Feb 2019 09:48:17 GMT

Hi Cisco Community,

i've a question regarding to the guest portals strategy of the Cisco ISE. None of the existing workflows really fit our needs. We're a university with several locations and buildings. At the moment we provide a WLAN SSID on demand of the conference owner. This SSID is limited in time and location (we use AP Groups on our WLAN controller). All these steps are done manually. To take a step into future, we want to broadcast a single guest WLAN SSID all over our campus. To minimize the administrative work we want to use a self-register portal. As we want to broadcast the SSID everywhere, everyone would be able to register himself on our wlan. To prevent this, we think about something like a 'Conference Code'. A password which is different from conference to conference. This 'Conference Code' should be visible (printed on paper i.e.) on the locations of the conference.

This conference code will be generated and distributed by our IT staff to the organization of the conference, which need to have access to the guest wlan.

After the guest enters the conference code, he/she must go through the self-register portal procedure as it might be necessary to track guests in case of law violation.

I saw that it is possible the set a AUP password. But only in the HotSpot Mode, where no self-register process is linked.

Maybe someone of you have a clue to solve my problem.

Thank you and best regards from Germany

Florian

Re: Modification of Self-Register Portal Workflow

florian.hahner1 — Thu, 07 Feb 2019 10:24:30 GMT

Ok. I found a first possible step to solution. You can set a register code at the self-service registration form settings.

Maybe i'm able to set to set the code via rest-api.

Re: Modification of Self-Register Portal Workflow

Arne Bier — Thu, 07 Feb 2019 11:32:10 GMT

Hey @florian.hahner1

Another slightly related option to your multi-factor Guest network, might be to use a Pre-Shared Key WLAN Profile instead of an Open SSID. Since the user has to type in *something* anyway, why not make them type the PSK of the SSID in? That has the positive side effect of encrypting the connection as well (PSK only known to people who physically see the key written down, and not the hacker in the car park)

Just a thought. And that PSK can be localised per location, and per WLC in that location. I don't know if WLC supports REST API (I doubt it) but it could be scripted via ssh commands.

Once the user has typed in the PSK, they are redirected immediately to the self registration portal.

Another benefit of this method is that you don't get hundreds of MAB auths on your Radius server, because the client has to associate to the SSID first before the MAB auth can be done. It's a protection layer for your ISE platform too 🙂

Re: Modification of Self-Register Portal Workflow

Jason Kunst — Thu, 07 Feb 2019 15:55:19 GMT

Check out this . you could do a modification perhaps.
https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--2096579123
Linking one guest portal to another guest portal (ability to choose another portal)
ISE Hotspot portal with links to employee or vendor portals

Re: Modification of Self-Register Portal Workflow

Jason Kunst — Thu, 07 Feb 2019 16:07:58 GMT

yes you can set via rest api, look at the tips tricks

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--1043955036