Launching ISE Guest Portal from a 3rd party web page - possible?

Arne Bier (VIP)

Hello

 

Customer is broadcasting a Guest SSID which redirects users to a 3rd party web page that is used to present a landing page for various options, e.g. click option A, B, C, etc., and it then launches further pages to capture guest user credentials or provide other services.

 

They want to implement ISE for BYOD and asked whether they could simply add an option 'D' on their existing Guest platform that says "click here to onboard BYOD".  Is that a viable method to launch the ISE Guest Portal (which we want to use as the on-boarding portal (dual-SSID strategy))?  I am not familiar with this method because I have always relied on the MAB auth flow from the NAS to trigger portal redirection.

 

Let's assume it is possible, is there documentation on how this is done?

 

Finally, can this also be combined with SAML to allow us to bypass the ISE Guest login page entirely, and go directly to the BYOD flow, assuming of course that the SAML auth has been successful?  This would be the ideal scenario, since customer wants to use SAML wherever possible (e.g. guest/BYOD portal, certificate provisioning and MyDevices portal - all of which are SAML compatible according to the Cisco docs).

 

thanks

Arne

1 Accepted Solution

Correct, not available. You're looking for some sort of walled garden like you may see on United flights, where you get redirected to a company portal first and then shoot off to login or register for guest.

Even if you were to write something in the portal, you would be restricted by cross-site scripting.

This is an ask we have gotten often enough; please make sure you send customer info to the product managers through the sales channel, or post feedback on ISE itself to get directly to them.


4 Replies

paul (Level 10)

Arne,

 

I am not sure on the SAML piece, but with some REST API coding I could see the link possibly working.  I am just spitballing here, so don't take this to mean I have tried any of this.  To craft the URL I think you need two pieces of dynamic information (the portal identifier is static):

  1. The URL references the session ID for the user.  If you look at the normal redirect a guest user is handed, it contains the session ID.  
  2. The URL also needs to go to the PSN that authenticated the guest user.

I think you may be able to get both pieces of information from REST API calls to the M&T node looking for session information.  What I am not sure about is if you can do query and filter by IP address, because all you would know at that point is the client IP.  I have done M&T API calls filtering on MAC addresses looking for the IP address but not the other way around.

 

Again no idea if this will work.  Just giving you my initial thoughts.

Nevermind Arne, I just checked the M&T API and you can't do a lookup by client IP, only NAS IP:

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/api_ref_guide/api_ref_book/ise_api_ref_ch1.html

 

You can look up the session information by MAC address, but you would need to craft a way to get the MAC address of the client via the browser session, which I don't think you can do.  Maybe better off looking to bring them into a customized ISE portal that has the links to the external sites.  At least that way you have all the variables. 

 

One other option I could think of is allowing ISE to do the redirect but doing a hostname override to a web server FQDN the customer has control of.  The URL would still look like the normal ISE redirect ACL, so the customer's web server would have to know how to handle it (trivial, assuming they know web coding).  Then they could collect the session variable from the redirect string and do whatever API look-ups are required to craft option D.   May be more trouble than it's worth.
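As an added example (not code from this thread, from Cisco, or from the customer's platform), here is what the customer's web server would have to do in the hostname-override variant described above, tying together the two dynamic pieces named in the first reply (session ID and owning PSN): parse the gateway-style query string ISE hands the client, validate it (the query string is client-controlled, so repeated parameters, non-hex session IDs and unknown PSN names are rejected rather than passed through), look the session up in an M&T active-session listing to learn which PSN owns it, and rebuild the portal link on that PSN as "option D". The `/portal/gateway?sessionId=...&portal=...&action=...&token=...&redirect=...` layout, port 8443, the `activeList`/`activeSession` XML element names and the `KNOWN_PSNS` mapping are assumptions modelled on the ISE 2.x documentation linked in the thread; the redirect URL and the XML listing are constructed sample data, and the real listing would be fetched from the M&T node over HTTPS with an API user.

```python
"""Rebuild an ISE portal link for the customer's 'option D' from a redirect string.

Assumptions (not confirmed by the thread): ISE gateway URL layout, portal port
8443, and the element names in the M&T active-session XML. Sample data below
is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumption: short PSN name as reported by M&T -> FQDN the client must reach.
KNOWN_PSNS = {"psn1": "psn1.example.com", "psn2": "psn2.example.com"}
PORTAL_PORT = 8443                                   # assumption: default portal port
SESSION_ID_RE = re.compile(r"^[0-9A-Fa-f]{16,64}$")  # audit session id is hex
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
REQUIRED = ("sessionId", "portal", "action", "token", "redirect")


def parse_ise_redirect(url):
    """Return the ISE session variables from a gateway-style redirect URL.

    Raises ValueError for anything that is not a single, well-formed set of
    parameters: duplicated keys are a classic way to smuggle a second value
    past a parser that only looks at the first or last occurrence.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("ISE portal redirects are HTTPS only")
    query = parse_qs(parts.query, keep_blank_values=True)
    fields = {}
    for key in REQUIRED:
        values = query.get(key, [])
        if len(values) != 1:
            raise ValueError("missing or repeated parameter: " + key)
        fields[key] = values[0]
    if not SESSION_ID_RE.match(fields["sessionId"]):
        raise ValueError("sessionId is not a hex audit session id")
    if not UUID_RE.match(fields["portal"]):
        raise ValueError("portal is not a portal UUID")
    if not fields["action"].isalnum():
        raise ValueError("action must be a plain keyword such as cwa")
    return fields


def is_valid_redirect(url):
    """Boolean wrapper so callers can reject bad input without exceptions."""
    try:
        parse_ise_redirect(url)
        return True
    except ValueError:
        return False


def find_session(active_list_xml, session_id):
    """Locate the session in an M&T active-session listing by audit session id.

    Returns the owning PSN (short name), client MAC, user and IP, or None.
    """
    root = ET.fromstring(active_list_xml)
    for session in root.iter("activeSession"):
        if (session.findtext("audit_session_id") or "").lower() == session_id.lower():
            return {
                "psn": session.findtext("acs_server"),
                "mac": session.findtext("calling_station_id"),
                "user": session.findtext("user_name"),
                "ip": session.findtext("framed_ip_address"),
            }
    return None


def build_option_d_link(psn_short_name, fields):
    """Rebuild the portal gateway URL on the PSN that owns the session."""
    if psn_short_name not in KNOWN_PSNS:
        raise ValueError("refusing to link to an unknown PSN: " + str(psn_short_name))
    host = "%s:%d" % (KNOWN_PSNS[psn_short_name], PORTAL_PORT)
    query = urlencode({key: fields[key] for key in REQUIRED})
    return urlunsplit(("https", host, "/portal/gateway", query, ""))


def option_d_for(redirect_url, active_list_xml):
    """End-to-end: redirect string in, validated PSN-bound portal link out (or None)."""
    fields = parse_ise_redirect(redirect_url)
    session = find_session(active_list_xml, fields["sessionId"])
    if session is None:
        return None
    return build_option_d_link(session["psn"], fields)


# Constructed sample input: the redirect as it would arrive at the customer's
# override FQDN, and a two-session M&T listing in the assumed element layout.
SAMPLE_REDIRECT = (
    "https://guest.customer.example:8443/portal/gateway"
    "?sessionId=0A0A0A0A0000001F5C4B2D3E"
    "&portal=27041710-2e58-11e9-98fb-0050568775a3&action=cwa"
    "&token=ab12cd34ef56ab12cd34ef56ab12cd34&redirect=http://www.example.com/"
)
SAMPLE_ACTIVE_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<activeList noOfActiveSession="2">
  <activeSession>
    <user_name>guest7</user_name>
    <calling_station_id>AA:BB:CC:DD:EE:07</calling_station_id>
    <framed_ip_address>10.20.30.47</framed_ip_address>
    <audit_session_id>0A0A0A0A0000001E5C4B2D10</audit_session_id>
    <acs_server>psn2</acs_server>
  </activeSession>
  <activeSession>
    <user_name>guest1</user_name>
    <calling_station_id>AA:BB:CC:DD:EE:01</calling_station_id>
    <framed_ip_address>10.20.30.41</framed_ip_address>
    <audit_session_id>0A0A0A0A0000001F5C4B2D3E</audit_session_id>
    <acs_server>psn1</acs_server>
  </activeSession>
</activeList>"""

if __name__ == "__main__":
    print(option_d_for(SAMPLE_REDIRECT, SAMPLE_ACTIVE_LIST))
```

The M&T lookup is what closes the gap paul points out: the redirect string itself never carries the client MAC or the PSN once the hostname is overridden, so the server walks the active-session list by audit session ID instead. Note that the link is only ever rebuilt on a PSN the server already knows; accepting a host name from the query string would turn option D into an open redirect.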

Hi @paul

 

I appreciate you chipping in as always.  That's the reason I like this forum so much.  I think the suggestion of hosting the Guest SSID is probably the only viable option I see (although, hacking ISE portals to look like the existing 3rd party portal might be a job for another expert).  It's funny - the number of times I have heard customers say they want a guest page that allows them to branch off somewhere - it seems that this should be an option in the ISE portal wizard.  The standard in-yer-face Username/Password is a bit primitive.

 

They use Cisco WLC and that would do a MAB auth to their current RADIUS server.  I might try using a static URL redirect (like I would do when using ISE with Aruba/HPE WLCs) - at least then the guest portal URL is fixed (and not using a hashed session value).  But again, the PSN is not "handling the session" via things like RADIUS Accounting, because all that stuff goes to their current RADIUS platform. 

My gut feel is that this portal 'hand-off' is not possible.

 
