Guest Authentication based on Location using ISE

vadusumi
Cisco Employee

For an ISE design where two ISE instances will be deployed with full functionality in terms of nodes/management, policies and feature set (full PAN/M&T/PSN personas).

One will be deployed in SG while the other in JP.

 

Question 1: Can these two fully functional ISE appliances sync in terms of identity store database? They are planning to use them as a Sponsor portal for Apple employees to provision guest accounts. So both ISE nodes will be running in an active-active topology, but both will carry the same database of guest identity store and sponsor identity store, and both will be active RADIUS authentication servers for the WLCs to send authentication requests to.

The WLCs from APAC will RADIUS-authenticate against the guest store on the ISE in closer proximity. Meaning the SG WLC will authenticate via RADIUS with the SG ISE while the JP ISE will be a backup server, and vice versa for the JP WLCs, using the JP ISE as the main RADIUS server and the SG ISE as backup.

 

Will this deployment work?

== I would assume the only way to do this is by syncing both the identity stores to each ISE node – in SG and JP, and it won’t be possible to sync the identity store between the ISE nodes themselves. Is my understanding correct? Are there any other caveats I should consider?


Question 2: Can ISE set a condition upon authentication to look at the incoming RADIUS request and check whether the incoming request's WLC ID matches the ISE guest account's location field?


Meaning:

Scenario 1: Guest account is provisioned with a location field of "SG" (defined in the location configuration page)

  1. SG WLC sends a RADIUS request -> ISE
  2. ISE condition: if WLC ID is SG -> check the matched guest username/password account's location field to see whether it contains the string "SG"
  3. If this matches, authentication is successful, else it fails


Scenario 2: Guest account is provisioned with a location field of "CN" (defined in the location configuration page)

  1. SG WLC sends a RADIUS request -> ISE
  2. ISE condition: if WLC ID is SG -> check the matched guest username/password account's location field to see whether it is the string "SG"
  3. Since the guest account is provisioned with a "CN" location field, fail the authentication.

== I know that ISE will be able to check against the SSID of the WLC, but I wasn’t able to find an option to integrate location into the authentication check. The timezone check won't be a viable option here either. Is this design achievable?


Reference: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId-824021380

2 Replies

Francesco Molino
VIP Alumni

Hi

Are the 2 ISE servers deployed as a cluster or separately? I believe, if I understood you correctly, they'll be in a cluster.

This means that the sponsor portal will be accessible on both nodes and the guest database will be synced across the cluster.

On the policy, you can't select Guest location as criteria. Will the SSID be the same on both sites?

If not, you can leverage the SSID name and assign it to your guest users while they are being created by a sponsor, or you can use one of the optional fields to put the location in and use it in your policy condition combined with your WLC ID.


Thanks
Francesco

I personally don't like using the Guest location field but it would work. A better option in my opinion is to modify the RADIUS Called-Station-Id on the WLCs (Security->RADIUS->RADIUS authentication). The default setting is AP MAC:SSID. A better setting is AP Name:SSID. Assuming the APs are well named you should be able to tell what site they are at by looking at the Called-Station-Id and looking for the site code in the AP name.
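To make the two suggestions above concrete, here is an added simulation of the policy logic (example code written for this page, not anything from the thread or from Cisco ISE itself). It derives the site of the authenticating WLC/AP from the RADIUS Called-Station-Id when the WLC has been switched to the "AP Name:SSID" format, falls back to a WLC (NAS-IP-Address) to site mapping when the Called-Station-Id is still in the default "AP MAC:SSID" form, and then compares the site with the location stored on the sponsor-created guest account. Everything below is an assumption for illustration: the AP naming convention "<SITE>-<anything>", the NAS-IP-to-site table, the guest records, and the plaintext password comparison (a real ISE deployment would do this as an authorization rule after a normal guest authentication, not by comparing passwords in Python).

```python
"""
Added example: site-vs-guest-location check modelled on the replies above.
Not ISE code; every name, address and account here is constructed.
"""
import re

# Default WLC Called-Station-Id looks like "00-1A-2B-3C-4D-5E:SSID";
# this matches the MAC half so we can tell it apart from an AP name.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Constructed: WLC NAS-IP-Address -> site code (the "WLC ID" condition).
WLC_SITES = {"10.1.0.5": "SG", "10.2.0.5": "JP"}

# Constructed: sponsor-created guest accounts with the optional location field.
GUESTS = {
    "alice": {"password": "alice-pw", "location": "SG"},
    "bob": {"password": "bob-pw", "location": "CN"},
}


def site_from_called_station_id(csid):
    """Return the site code from an "AP-Name:SSID" Called-Station-Id.

    Assumes AP names are "<SITE>-<rest>" (e.g. "SG-FL3-AP07") and do not
    contain ':'.  Returns None when the attribute is still the default
    "AP-MAC:SSID" form, which carries no site information.
    """
    ap, _sep, _ssid = csid.partition(":")
    if not ap or MAC_RE.match(ap):
        return None
    return ap.split("-", 1)[0].upper()


def site_of_request(req, wlc_sites=WLC_SITES):
    """Site of the request: AP name first, then the WLC address as fallback."""
    site = site_from_called_station_id(req.get("Called-Station-Id", ""))
    if site is None:
        site = wlc_sites.get(req.get("NAS-IP-Address"))
    return site


def authorize(req, guests=GUESTS, wlc_sites=WLC_SITES):
    """Return (result, reason) for a RADIUS request represented as a dict.

    Result is "Access-Accept" only when the credentials are valid AND the
    guest's location equals the site the request came from.
    """
    user = guests.get(req.get("User-Name"))
    if user is None or user["password"] != req.get("User-Password"):
        return "Access-Reject", "bad credentials"
    site = site_of_request(req, wlc_sites)
    if site is None:
        # Fail closed: an unknown WLC and a MAC-style Called-Station-Id
        # leave no way to tell where the request originated.
        return "Access-Reject", "cannot determine site of WLC/AP"
    if site != user["location"].upper():
        return "Access-Reject", f"guest location {user['location']} != site {site}"
    return "Access-Accept", f"guest location matches site {site}"


# Constructed sample requests (Scenario 1 and Scenario 2 from the question).
SCENARIO_1 = {"User-Name": "alice", "User-Password": "alice-pw",
              "NAS-IP-Address": "10.1.0.5",
              "Called-Station-Id": "SG-FL3-AP07:Guest-WiFi"}
SCENARIO_2 = {"User-Name": "bob", "User-Password": "bob-pw",
              "NAS-IP-Address": "10.1.0.5",
              "Called-Station-Id": "SG-FL3-AP07:Guest-WiFi"}
# Same SG WLC but with the default AP-MAC:SSID format still in place.
DEFAULT_CSID = {"User-Name": "alice", "User-Password": "alice-pw",
                "NAS-IP-Address": "10.1.0.5",
                "Called-Station-Id": "00-1A-2B-3C-4D-5E:Guest-WiFi"}

if __name__ == "__main__":
    for name, req in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2),
                      ("default csid", DEFAULT_CSID)):
        print(name, authorize(req))
```

The fail-closed branch is the part worth keeping in mind when translating this into an ISE authorization rule: if an AP is mis-named or a new WLC is added without a site mapping, the rule should drop through to a deny rather than to a permissive default.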