Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1065
Views
0
Helpful
10
Replies

Identity Service Engine 2.3: hotspot guest portal with RSA token?

Go to solution
r.delmonte
Level 1
Level 1

‎08-23-2018 09:06 AM

Hello Community,

I'd ask your help..

Customer asked us if it's possible to authenticate WiFi guest users using RSA tokens; in his idea, WiFi guest will be redirect to CWA, where they will be asked just for the RSA code. No user registration (like in the self-registered portal), no username or password, just RSA code.

At first I thought to something like the hotspot guest portal, where you can ask for an access code, but it seems that this code is only locally significant for ISE and not dependant from any external ID source.

It's the first time I received this kind of request, I was unable to find anything useful about, so I'd like to ask if someone managed something like this.

Thanks

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to r.delmonte

‎08-23-2018 07:31 PM

Sounds like you can use one
of the following but don’t understand big deal since they are not worried about security per say since it’s a shared password regardless?

Also seems like rsa token is overkill as security is not really a focus

Ipsk on wlc to a hotspot with AUP

Or sponsored guest access (create an account per room) you can setup a password only portal (examples under guest webauth page) where they only have to enter one piece of information. Sponsored account can say it belongs to a certain classroom or sponsor

Or a hotspot portal with access code depending on ap group could be different portal and code (messy it seems)

View solution in original post

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-30-2018 11:44 AM

ISE guest portals may use RSA token to login but, like the other commented, each token needs tied to a username.

If only one user token per portal, it might be easier to hide it and asking only the generated OTP. If more than one, it would likely need a lot more coding and skill to allow selecting the meeting rooms, etc.

View solution in original post

0 Helpful
10 Replies 10

Go to solution
howon
Cisco Employee
Cisco Employee

‎08-23-2018 09:48 AM

In this flow if there is no username and just the token, how do we know which token to match against? Is the token universal for all users connecting during certain timeframe?

0 Helpful

Go to solution
r.delmonte
Level 1
Level 1
In response to howon

‎08-23-2018 10:57 AM

Hello,

as you wrote, the token is meant to be universal for all users logging in during its time of validity.

Thank you

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to r.delmonte

‎08-23-2018 07:32 PM

FYI there is no current type integration you’re looking for this would be advanced customization paid with partner someone with heavy coding skills if even a possibility
0 Helpful

Go to solution
r.delmonte
Level 1
Level 1
In response to howon

‎08-23-2018 11:00 AM

Hello,

as you wrote, the token is meant to be universal for all users logging in during its time of validity.

Thanks

0 Helpful

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎08-23-2018 01:02 PM

How about a Captcha type verification?

 

Cisco ISE Guest Portal Human Verification

 

You can use it on a Hotspot Portal, too.

0 Helpful

Go to solution
r.delmonte
Level 1
Level 1
In response to Charlie Moreton

‎08-23-2018 01:26 PM

Hello,

Thanks for your answer.

Unfortunately, captcha isn't enough: the requirement is to allow guest access using RSA tokens. The customer wants to distribute one token in each meeting room, which is the only place guests are allowed to stay, and force them to use the token to authenticate. This also to prevent unauthorized wifi access from outside the building.

Thank you

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to r.delmonte

‎08-23-2018 07:31 PM

Sounds like you can use one
of the following but don’t understand big deal since they are not worried about security per say since it’s a shared password regardless?

Also seems like rsa token is overkill as security is not really a focus

Ipsk on wlc to a hotspot with AUP

Or sponsored guest access (create an account per room) you can setup a password only portal (examples under guest webauth page) where they only have to enter one piece of information. Sponsored account can say it belongs to a certain classroom or sponsor

Or a hotspot portal with access code depending on ap group could be different portal and code (messy it seems)
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Charlie Moreton

‎08-24-2018 12:03 PM

Not sure how that applies? And its old implementation method
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-30-2018 11:44 AM

ISE guest portals may use RSA token to login but, like the other commented, each token needs tied to a username.

If only one user token per portal, it might be easier to hide it and asking only the generated OTP. If more than one, it would likely need a lot more coding and skill to allow selecting the meeting rooms, etc.

0 Helpful
Customers Also Viewed These Support Documents