Solved: Cisco ISE and Guest Wireless capability

jinapark · ‎11-15-2016

Hello Experts,

I would like to know if Cisco ISE can using XML file from SAP HR system for external database to do authentication

for the wireless hotspot Guest Portals. I've checked the Jive page below, seems like we can do,

but I'm not fully sure about the scenario which provided by the customer.

SAMLv2 Identity Provider as an External Identity Source
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01101.html

The customer want users to self register on the ISE Guest Portal, and the Portal will look up the SAP HR XML file.

If it s a valid employee ID, the user selects their name and an account will be provisioned on ISE for use on the Guest WiFi.

Account name will be their firstname.lastname from the SAP XML file and ISE should create a password that the user

can change on first logon...

Thank you always for your help.

Jina

Craig Hyps · ‎11-17-2016

SAML may be XML-based, but web portal auth against a SAML IDP is different than ISE querying an external XML-based directory. If the SAP HR directory has an LDAP/ODBC/RADIUS interface, then ISE could query that for authorization. The alternative is to create a separate registration portal that performs the queries and validation and uses ISE ERS API to create the guest accounts.

Regards,

Craig

View solution in original post

Craig Hyps · ‎11-17-2016

SAML may be XML-based, but web portal auth against a SAML IDP is different than ISE querying an external XML-based directory. If the SAP HR directory has an LDAP/ODBC/RADIUS interface, then ISE could query that for authorization. The alternative is to create a separate registration portal that performs the queries and validation and uses ISE ERS API to create the guest accounts.

Regards,

Craig