Modification of Self-Register Portal Workflow

florian.hahner1
Level 1

Hi Cisco Community,

I have a question regarding the guest portal strategy of Cisco ISE. None of the existing workflows really fits our needs. We're a university with several locations and buildings. At the moment we provide a WLAN SSID on demand of the conference owner. This SSID is limited in time and location (we use AP Groups on our WLAN controller). All these steps are done manually. To take a step into the future, we want to broadcast a single guest WLAN SSID all over our campus. To minimize the administrative work, we want to use a self-register portal. As we want to broadcast the SSID everywhere, everyone would be able to register himself on our WLAN. To prevent this, we are thinking about something like a 'Conference Code': a password which is different from conference to conference. This 'Conference Code' should be visible (e.g. printed on paper) at the locations of the conference.

This conference code will be generated and distributed by our IT staff to the organization of the conference, which needs to have access to the guest WLAN.

After the guest enters the conference code, he/she must go through the self-register portal procedure, as it might be necessary to track guests in case of a law violation.

I saw that it is possible to set an AUP password, but only in HotSpot mode, where no self-register process is linked.

Maybe one of you has a clue how to solve my problem.

Thank you and best regards from Germany

Florian

1 Accepted Solution

Check out this. You could do a modification perhaps.
https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--2096579123
Linking one guest portal to another guest portal (ability to choose another portal)
ISE Hotspot portal with links to employee or vendor portals

4 Replies

florian.hahner1
Level 1

OK. I found a first possible step towards a solution. You can set a registration code in the self-service registration form settings.


Maybe I'm able to set the code via the REST API.

Hey @florian.hahner1

Another slightly related option to your multi-factor Guest network might be to use a Pre-Shared Key WLAN Profile instead of an Open SSID. Since the user has to type in *something* anyway, why not make them type the PSK of the SSID in? That has the positive side effect of encrypting the connection as well (PSK only known to people who physically see the key written down, and not the hacker in the car park).

Just a thought. And that PSK can be localised per location, and per WLC in that location. I don't know if WLC supports REST API (I doubt it) but it could be scripted via SSH commands.

Once the user has typed in the PSK, they are redirected immediately to the self registration portal.

Another benefit of this method is that you don't get hundreds of MAB auths on your RADIUS server, because the client has to associate to the SSID first before the MAB auth can be done. It's a protection layer for your ISE platform too :)
