automatic device registration

adityaM1234
Level 1

I am using ISE 1.2. I have to configure automatic device registration through Guest Portal. 

The issue is that whenever a guest logs in for the first time, he needs to enter the device MAC address manually. Is there any method so that ISE will automatically detect the device's MAC address and populate it in the "Device ID" field on the Device Registration Portal?

Regards,

Aditya

2 Accepted Solutions

mohanak
Cisco Employee

Another method of guest authentication you can try:

Device Registration WebAuth

Using device registration web authentication (DRW), you can allow guests’ devices to connect to your network without requiring guest account credentials.

Device Registration Web Authentication Process

In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, Cisco ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.

The following steps outline the process for Device Registration WebAuth:

1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the guest user attempts to go to any URL.

2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Web Portal Management Multi-Portal Configurations page.

3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Web Portal Management Multi-Portal Configurations page.

4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.

5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.

6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.

Note: The CoA type for both wired and wireless is Termination CoA. You can configure device registration authentication (DRW) to perform VLAN IP Release and Renew, thereby re-authorizing the CoA type for both wired and wireless to Change of Auth.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_guest_pol.html#14776
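The six-step DRW flow above, as an added in-memory simulation (not ISE code and not an ISE API; the profile and group names are assumed): it shows why the first MAB request is redirected, what accepting the AUP changes in the endpoint store so that the post-CoA MAB succeeds, and, going one step beyond the post, how clearing the AUP accepted attribute forces a guest to accept the AUP again.

```python
"""Constructed simulation of the ISE 1.2 Device Registration WebAuth (DRW)
flow. Not ISE code and not an ISE API; profile and group names are assumed."""
from typing import Dict, Optional

REDIRECT_PROFILE = "DRW-Redirect"   # assumed URL-redirection authorization profile
GUEST_GROUP = "GuestEndpoints"      # assumed endpoint identity group
GUEST_ACCESS = "Guest-Access"       # assumed access returned after registration


class Endpoint:
    def __init__(self, mac: str):
        self.mac = mac
        self.aup_accepted = False           # the "AUP accepted" attribute
        self.identity_group: Optional[str] = None


def normalize_mac(mac: str) -> str:
    """Canonicalise 00-11-22-AA-BB-CC / 0011.22aa.bbcc / 00:11:... to lower-case colons,
    so the same device is found whatever format the NAD sends it in."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class EndpointStore:
    """Stands in for the ISE endpoint identity store (in memory, constructed)."""
    def __init__(self):
        self.endpoints: Dict[str, Endpoint] = {}

    def mab_authorize(self, mac: str) -> str:
        """Steps 1 and 6: a MAB request. Unknown MAC or AUP not accepted -> redirect."""
        ep = self.endpoints.get(normalize_mac(mac))
        if ep is None or not ep.aup_accepted:
            return REDIRECT_PROFILE
        return GUEST_ACCESS

    def accept_aup(self, mac: str, accepted: bool) -> str:
        """Steps 2-5: on acceptance create or update the endpoint, set the AUP
        accepted attribute and the identity group, then send a CoA terminate."""
        if not accepted:
            return "error-page"                                # step 4
        mac = normalize_mac(mac)
        ep = self.endpoints.setdefault(mac, Endpoint(mac))     # steps 2 and 3
        ep.aup_accepted = True
        ep.identity_group = GUEST_GROUP
        return "CoA-Terminate"                                 # step 5

    def reset_aup(self, mac: str) -> None:
        """Clear the attribute: the next MAB from this MAC is redirected to the AUP again."""
        ep = self.endpoints.get(normalize_mac(mac))
        if ep is not None:
            ep.aup_accepted = False
            ep.identity_group = None
```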


Venkatesh Attuluri
Cisco Employee

4 Replies

Bastien Migette
Cisco Employee

Hello Aditya,

The only way to get the MAC address pre-populated is to use provisioning. You can enable the "enable self provisioning flow" option in the guest portal, but then you will need to configure the provisioning rules accordingly.


We use DRW for our wireless guest network.


However, our security director would like us to periodically reset the AUP accepted attribute. Can this be automated/scripted?

So far, all I have found is to manually remove Endpoints from the GuestEndpoint identity group to force guests to accept the AUP once more.

Is there another way?

Venkatesh Attuluri
Cisco Employee