
Guest portals grace period and portals on a distributed environment.

KevinR99
Level 1

Hi

I am testing a guest portal solution. I have it integrated with my email server but I have to drop off the SSID and onto another to retrieve my credentials. Is there a way where I can register and have a period of internet access where I can retrieve the account credentials via email over the guest SSID? Then either immediately re-authenticate or the splash page appears after a period and forces me to authenticate? Alternatively, when I register, can I be immediately logged in and retrieve the credentials over email for future logins?

In addition, how do the Guest portals work in a distributed environment? I have ISEs in different DCs. I primarily use the ISE in the same DC for PEAP authentication and the one in the other DC as a failover. Can I host a portal on both ISEs and do a similar thing? If so, and considering I just configure on one ISE, would the portal have a single URL associated with both ISE IP addresses? I would then need to do something with DNS to send users from each WLC to the local ISE primarily.

As usual I appreciate any input, Kev.


3 Replies

I think the grace access can only be used if you are using the guests approvals which I believe it came out in version 2.7, otherwise that option would not be available. However, if you are not using any approval process then I think you can meet your requirement by redirecting the guests to the login page where they can see their credentials and use them to access the network. You can configure those settings in the "Registration Form Settings" inside the interested portal. Also, you might need to check that the username and the passwords boxes are ticked in the "Self-Registration Success Settings", otherwise they won't show up on the login instructions page.

Assuming the ISE nodes are configured in the same deployment, you can use both PSNs at any given time to serve the guest traffic. ISE PSNs work in active/active fashion. One key thing to keep in mind is that the whole guest session should always be served by the same PSN. For example, if the guest connects and gets redirected, the redirection should go to the same PSN on which the session was initially created.

To ensure that, you can create two authorization profiles for redirection (which will then be associated with the redirection authorization rules), one for each ISE node, by specifying the node IP or hostname. On both rules you can use the same portal, no need to create multiple portals. Another way to achieve this, which I personally prefer, is to create a single redirection authorization profile without specifying any ISE node IP or hostname, and then creating the IP aliases through the CLI. The reason why I would prefer this method over creating two authorization profiles and two authorization rules is just because it is simpler and cleaner. In this case you just need one authorization profile and one redirect authorization rule.

Each ISE node should have its IP alias created, for example, on ISE 1 you create the alias "ip host < ISE node IP or the guest dedicated interface IP > < the guest portal FQDN >". The guest portal FQDN must be different between the ISE nodes, for example, you can use "guest1.company.com" on ISE 1 and "guest2.company.com" on ISE 2.

The DNS resolution should point to the ISE nodes' IP addresses, specifically the IP addresses of the interfaces that will be serving the guest portal. So on your public DNS management console, you just create the DNS entries and associate them with the private IP addresses.
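The per-node alias and DNS design in the reply above, as an added consistency check that is not part of the original post: it renders the `ip host` alias line for each node, verifies that every portal FQDN is unique and that its A record points at that node's own guest interface, and confirms that a redirect URL lands on the PSN that created the session. All node names, IP addresses and FQDNs below are constructed assumptions, not values from the thread.

```python
from urllib.parse import urlparse

# Constructed two-PSN deployment, modelled on the design in the reply above.
# Node names, guest interface IPs and portal FQDNs are assumptions.
NODES = {
    "ise1": {"guest_ip": "10.1.10.5", "portal_fqdn": "guest1.company.com"},
    "ise2": {"guest_ip": "10.2.10.5", "portal_fqdn": "guest2.company.com"},
}

# Constructed public DNS zone: portal FQDN -> A record (private guest interface IP).
DNS = {
    "guest1.company.com": "10.1.10.5",
    "guest2.company.com": "10.2.10.5",
}


def ip_host_aliases(nodes):
    """Render the per-node 'ip host <guest IP> <portal FQDN>' CLI alias line."""
    return {name: f"ip host {n['guest_ip']} {n['portal_fqdn']}" for name, n in nodes.items()}


def validate_design(nodes, dns):
    """Return a list of problems: a portal FQDN reused by two nodes, or a DNS
    record that does not point at the node's own guest interface."""
    problems = []
    seen = {}
    for name, n in nodes.items():
        fqdn = n["portal_fqdn"]
        if fqdn in seen:
            problems.append(f"{fqdn} is reused by {seen[fqdn]} and {name}")
        seen[fqdn] = name
        if dns.get(fqdn) != n["guest_ip"]:
            problems.append(f"{fqdn} resolves to {dns.get(fqdn)}, expected {n['guest_ip']} ({name})")
    return problems


def psn_for_redirect(redirect_url, nodes, dns):
    """Map a redirect URL back to the PSN whose guest interface its host resolves to."""
    host = urlparse(redirect_url).hostname
    ip = dns.get(host, host)  # the redirect may carry a raw IP instead of an FQDN
    for name, n in nodes.items():
        if n["guest_ip"] == ip:
            return name
    return None


def redirect_stays_on_session_psn(session_psn, redirect_url, nodes=NODES, dns=DNS):
    """True when the redirect lands on the PSN that created the session."""
    return psn_for_redirect(redirect_url, nodes, dns) == session_psn
```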

thomas
Cisco Employee

When the user is waiting in WebAuthentication state for their emailed credentials you could allow POP3 traffic for email retrieval by a mail client. 

Except many people probably only know gmail.com in a web browser so now you have to allow HTTPS with DNS based access control lists to gmail.com and any other domains necessary for gmail email to work.

Except for the people that use other web-based mail services... now you have to add those domains too.

You see where this is going?

What are your guest scenarios, and is your method of username+password feasible in your situation? If people will be connecting with mobile phones they will probably fall back to 4G/5G to get that email. But not with laptops.

What problems are you both solving and creating for yourself by emailing Guest usernames and passwords to email accounts?

KevinR99
Level 1

Thank you both for your input.  I’ve found a way to alter the registration success page to both show the password and to allow the user to click a button to email the credentials.  So I have an acceptable solution now.  At this stage I am really just testing different scenarios in case the customer wants them.  I can then advise if we can or can’t do a particular request and suggest whether the request is sensible to deploy.