11-18-2014 01:44 AM - edited 03-10-2019 10:11 PM
I am using ISE 1.2. I have to configure automatic device registration through Guest Portal.
The issue is that whenever a guest logs in for the first time, he needs to enter the device MAC address manually. Is there any method so that ISE will automatically notice the device's MAC address and automatically populate it in the "Device ID" field on the Device Registration Portal?
Regards,
Aditya
11-18-2014 03:10 AM
Hello Aditya,
The only way to get the MAC address pre-populated is to use provisioning. You can enable the "enable self provisioning flow" option in the guest portal, but then you will need the provisioning rules accordingly.
11-18-2014 03:24 AM
Using device registration web authentication (DRW), you can allow guests’ devices to connect to your network without requiring guest account credentials.
In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, Cisco ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
The following steps outline the process for Device Registration WebAuth:
1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the guest user attempts to go to any URL.
2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Web Portal Management Multi-Portal Configurations page.
3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Web Portal Management Multi-Portal Configurations page.
4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.
Note: The CoA type for both wired and wireless is Termination CoA. You can configure device registration authentication (DRW) to perform VLAN IP Release and Renew, thereby re-authorizing the CoA type for both wired and wireless to Change of Auth.
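An added illustration (not part of the original reply and not Cisco ISE code): a toy Python model of the six DRW steps above, showing why the MAC never has to be typed in, since the same address seen in the MAB request is the one registered on AUP acceptance. The class, function names and return labels are hypothetical, and assigning the portal's group on every acceptance is a simplification of steps 2 and 3.

```python
# Toy model of the Device Registration WebAuth (DRW) decision flow.
# All names and labels are hypothetical; this is not how ISE is implemented.
from dataclasses import dataclass

REDIRECT_AUP = "url-redirect:aup"            # redirect authorization profile
ERROR_PAGE = "error-page"                    # step 4
SUCCESS_COA = "success-page+coa-termination"  # step 5

@dataclass
class Endpoint:
    aup_accepted: bool = False
    group: str = "Unknown"

def norm_mac(mac):
    """Canonicalise a MAC so aa-bb.., AABB.CCDD.. and aa:bb.. hit one record."""
    digits = "".join(c for c in mac if c not in ":-.").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class DrwModel:
    def __init__(self, portal_group="GuestEndpoint"):
        self.store = {}                  # endpoint identity store, keyed by MAC
        self.portal_group = portal_group  # group selected in the portal config

    def mab(self, mac):
        """Steps 1 and 6: authorize a MAB request for this MAC."""
        ep = self.store.get(norm_mac(mac))
        if ep is None or not ep.aup_accepted:
            return REDIRECT_AUP
        return f"access:{ep.group}"

    def aup_response(self, mac, accepted):
        """Steps 2-5: handle the guest's answer on the AUP page."""
        if not accepted:
            return ERROR_PAGE
        ep = self.store.setdefault(norm_mac(mac), Endpoint())  # create if new
        ep.aup_accepted = True
        ep.group = self.portal_group
        return SUCCESS_COA

def guest_session(model, mac, accepts):
    """Replay one guest connection and return the sequence of outcomes."""
    trace = [model.mab(mac)]
    if trace[0] == REDIRECT_AUP:
        trace.append(model.aup_response(mac, accepts))
        if trace[-1] == SUCCESS_COA:
            trace.append(model.mab(mac))  # step 6: re-auth after the CoA
    return trace
```

Clearing `aup_accepted` on a stored endpoint in this model sends the next `mab()` call back to the redirect, which is the behaviour a periodic AUP reset relies on.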
11-21-2014 08:31 AM
We use DRW for our wireless guest network.
However, our security director would like us to periodically reset the AUP accepted attribute. Can this be automated/scripted?
So far, all I have found is to manually remove Endpoints from the GuestEndpoint identity group to force guests to accept the AUP once more.
Is there another way?