Cisco ISE CWA (Guest Portal) Authentication -> Broken By Design

ChristianBur
Level 1

Over the last few days I have been working with the guest portals of the Cisco ISE (v2.1.0). My result: "Broken By Design".


We are currently using Local Web Authentication (Layer 3 Auth) on the Cisco WLC. The WLC forwards the username/password via RADIUS to the ISE. In the "Policy Set" I can then process this request as "WLC_Web_Authentication". Currently we use several Windows AD groups and different GuestType groups per tenant in the Authorization Policy.

The disadvantage of Local Web Authentication is that guests are thrown out of the WLAN at undefined intervals (broadcast key refresh), so guests have to enter their username and password again (mainly with smartphones in deep sleep). We cannot use Sleeping Client, because our guest WLANs are secured with PSK.

With Central Web Authentication, this is bypassed by storing the MAC address of the guest device in an Identity Group, so with broadcast key refresh only Layer 2 authentication (PSK + MAC address) is required and no Layer 3 (PSK + WebAuth) authentication.

We would also like to have Web Authentication in a larger Internet switch environment (about 80 switches) so that guests have to authenticate themselves before they can use the Internet. In this scenario, however, Local Web Authentication is hardly feasible since SSL/TLS certificates and the Captive Portal would have to be installed on every switch.

That's why I tested the CWA of the ISE. The main problem is that the guest portals are designed in a way that you can't define rules for the allowed guests (Windows AD groups, GuestTypes), but only "Identity Source Sequences". But if I add an AD connection in the Identity Source Sequences it always includes ALL users, whereas I only want to add a part of them by group.


After some searching I found the following workaround.

https://community.cisco.com/t5/identity-services-engine-ise/ise-cwa-only-allow-certain-ad-group-to-register-their-devices/td-p/3461321

https://community.cisco.com/t5/identity-services-engine-ise/ise-cwa-portal-mapping-ad-group-to-endpoint-group/m-p/3554392


By linking "SponsoredGuestPortal - CoA -> Rules with AD-Groups/GuestTypes -> HotspotGuestPortal - CoA" it is possible to assign single AD-Groups/GuestTypes, but with the following disadvantages:

- The initial WLAN connection is disconnected twice (because of CoA).
- Since the MAC address of the guest is moved by the HotspotGuestPortal into the final Identity Group, no reference to the registered guest (AD ID or guest ID) is stored in the properties of the MAC address (under Identities).

This means that after successful registration the Identity Group contains many guest MAC addresses, but you cannot see which MAC address belongs to which AD identity.
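The visibility gap described in the post (guest MAC addresses in an endpoint identity group with no link back to the registered user) is something an operator can at least audit from exported endpoint data. The following script is an added example and not code from the post or from Cisco; it works on constructed records shaped like ISE ERS endpoint objects (the field names `mac`, `groupId`, `portalUser` and `staticGroupAssignment` are assumed here) and reports which guest MACs carry no user reference, and which user each attributed MAC belongs to.

```python
"""Audit endpoint identity-group membership for guest MACs without a user reference.

The records below are constructed for this example; in practice they would be
pulled from an endpoint export or the ISE ERS endpoint API (field names assumed).
"""
from collections import defaultdict


def normalize_mac(mac: str) -> str:
    """Canonical upper-case, colon-separated form so exports in different
    notations (aa-bb-cc..., aabb.ccdd...) compare equal."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample endpoints (assumed ERS-style field names, made-up values).
SAMPLE_ENDPOINTS = [
    {"mac": "00:11:22:33:44:55", "groupId": "GuestEndpoints",
     "portalUser": "alice@example.test", "staticGroupAssignment": True},
    {"mac": "00-11-22-33-44-66", "groupId": "GuestEndpoints",
     "portalUser": "", "staticGroupAssignment": True},          # no user reference
    {"mac": "0011.2233.4477", "groupId": "Workstation",
     "portalUser": "", "staticGroupAssignment": False},         # not a guest group
    {"mac": "00:11:22:33:44:88", "groupId": "GuestEndpoints",
     "portalUser": "bob@example.test", "staticGroupAssignment": True},
]


def unattributed_guest_macs(endpoints, guest_groups):
    """MACs sitting in a guest identity group with no portal user recorded."""
    return sorted(
        normalize_mac(ep["mac"])
        for ep in endpoints
        if ep.get("groupId") in guest_groups and not ep.get("portalUser")
    )


def guests_by_user(endpoints, guest_groups):
    """Map each registered portal user to the guest MACs attributed to it."""
    mapping = defaultdict(list)
    for ep in endpoints:
        if ep.get("groupId") in guest_groups and ep.get("portalUser"):
            mapping[ep["portalUser"]].append(normalize_mac(ep["mac"]))
    return {user: sorted(macs) for user, macs in mapping.items()}


def audit_report(endpoints, guest_groups):
    """Summary an operator can act on: how many guest MACs lack an owner."""
    orphans = unattributed_guest_macs(endpoints, guest_groups)
    by_user = guests_by_user(endpoints, guest_groups)
    total = len(orphans) + sum(len(m) for m in by_user.values())
    return {"guest_macs": total, "unattributed": orphans, "by_user": by_user}


if __name__ == "__main__":
    report = audit_report(SAMPLE_ENDPOINTS, {"GuestEndpoints"})
    print(f"{report['guest_macs']} guest MACs, "
          f"{len(report['unattributed'])} without a registered user")
    for mac in report["unattributed"]:
        print("  unattributed:", mac)
    for user, macs in report["by_user"].items():
        print(f"  {user}: {', '.join(macs)}")
```

If the hotspot-portal workaround really drops the user reference, every MAC registered through it will show up in the unattributed list, which makes the loss measurable and gives a starting point for correlating those MACs against RADIUS accounting or guest-registration logs.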


Another idea is to use SAML IdP as the auth source for the guest portal. Several IdPs use groups to restrict access; e.g., Using Groups | Duo Security.