Guest Wifi portal redirection flow

omerfaruk
Level 1

I would like to create a CWA guest SSID with ISE and a WLC 9800. When a client connects to the SSID, it must be redirected to the guest portal automatically, which already works in my environment.

- Connect to the SSID, then redirect to the guest portal automatically (bypass is disabled).

Since I send the credentials to the clients via email, when they complete their registration they must be able to leave the guest portal and go to their email inbox. So they must have internet access, but this internet access must be limited, e.g. to 10 minutes. (I tried to create an ACL with deny 80, 443; then the automatic redirect wouldn't work. When I created an ACL with permit 80, 443, the clients didn't have internet access to check their emails.)

The client who received the credentials by email should return to the portal and log in.

How can I set up this flow? Would the following be possible?

When the client connects, it will be redirected to the portal automatically and register. At that point, if ISE could put a sign or a flag on the RADIUS request, and 120 seconds later the session timeout occurred (since termination-action = radius-request), I could add the flag to the condition in the next request and redirect them to the same portal, where they can log in with the credentials they received.

15 Replies

@omerfaruk 

The ACL for redirect uses deny; here is one example:

ip access-list extended REDIRECT
deny ip any host <ISE-IP>
deny ip host <ISE-IP> any
deny udp any any eq domain
deny udp any eq domain any
permit tcp any any eq 80

Once the client is authenticated, the ACL does not apply anymore. I recommend you follow the guide below. Try to make it work first, and then you can think about how to control the access time. I am not sure what you are thinking of is possible, but let me take a look at the possibilities.

Configure Central Web Authentication (CWA) on Catalyst 9800 WLC and ISE - Cisco
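To make the inverted permit/deny semantics of the redirect ACL above concrete, here is a small evaluator added for this thread (not code from the reply, from Cisco, or from the WLC) that applies the ACL from this reply, and the "deny 80, 443" variant the question describes, to a few constructed flows. The ISE address and all endpoints are made-up sample values, and what happens to a flow the redirect ACL does not match at all depends on other pre-auth policy that this thread does not cover.

```python
# Added example (not from the thread): evaluate CWA redirect ACL semantics
# against sample flows. The ISE address and all endpoints are constructed values.
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}
ISE_IP = "10.0.0.10"  # constructed stand-in for <ISE-IP>
# The ACL from the reply above, placeholder filled in.
REDIRECT_ACL_TEXT = f"""
deny ip any host {ISE_IP}
deny ip host {ISE_IP} any
deny udp any any eq domain
deny udp any eq domain any
permit tcp any any eq 80
"""
# The "deny 80, 443" attempt the question describes.
DENY_WEB_ACL_TEXT = "deny tcp any any eq 80\ndeny tcp any any eq 443"

def parse_ace(line):
    """<permit|deny> <proto> <any|host A> [eq P] <any|host B> [eq P]"""
    tok = line.split()
    action, proto, i, ends = tok[0], tok[1], 2, []
    for _ in range(2):  # source endpoint, then destination endpoint
        if tok[i] == "any":
            host, i = None, i + 1
        elif tok[i] == "host":
            host, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unsupported address form: {line}")
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        ends.append((host, port))
    return action, proto, ends[0], ends[1]

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]

def ace_matches(ace, flow):
    _, proto, (shost, sport), (dhost, dport) = ace
    if proto != "ip" and proto != flow["proto"]:
        return False
    wants = ((shost, flow["src"]), (sport, flow["sport"]),
             (dhost, flow["dst"]), (dport, flow["dport"]))
    return all(want is None or want == got for want, got in wants)

def classify(acl, flow):
    """First match wins: 'permit' = intercept and redirect, 'deny' = leave the
    flow alone; unmatched = not redirected (other pre-auth policy decides)."""
    for ace in acl:
        if ace_matches(ace, flow):
            return "redirect" if ace[0] == "permit" else "bypass"
    return "no-match"
REDIRECT_ACL, DENY_WEB_ACL = parse_acl(REDIRECT_ACL_TEXT), parse_acl(DENY_WEB_ACL_TEXT)
```

With the reply's ACL, DNS and traffic to ISE pass untouched while HTTP to anywhere else is redirected; with the "deny 80, 443" ACL the web flows are all bypassed, which is why no redirect ever happened.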

For email, I'm not sure there is a way to do that automatically, but manually you can use a sponsor instead of the portal.

https://www.netprojnetworks.com/cisco-9800-with-ise-central-web-authentication/

MHM

I think you can work around that by enabling "Allow guests to log in directly from the Self-Registration Success page" in the "Self-Registration Success Settings" section. Alternatively, you can rely on the grace access feature which came with ISE 2.7; however, to leverage this feature you need to enable guest approval in the "Registration Form Settings" section. Once guest approval is ticked, you will see a couple of new boxes show up, one of which is called "Allow guests to use Grace Access during sponsor's approval". If you tick the box next to that, you will see that you can set the grace time during which the guest can be connected prior to any authentication.

omerfaruk
Level 1

Thanks all for quick response.

@Aref Alsouqi, I have enabled the "Allow guests to log in directly from the Self-Registration Success page" option. This setting grants internet access to clients immediately after registration, which is what I needed. Now, clients can check their email inboxes right away.

However, after receiving their credentials from their email boxes, they should be redirected back to the portal to log in with those credentials. Could you advise on how I might configure this? If I send a Change of Authorization (CoA), will the Wi-Fi connection be briefly disconnected and reconnected, prompting the portal to reopen automatically?

The guest users will get reauthenticated the next time they are about to connect to the network. For instance, if a guest user tries to reauthenticate after their session has expired, they will be prompted to provide the credentials before they are allowed access to the network. I personally don't see a use case for kicking them off the network right after they received the email with credentials and making them reauthenticate; it is kinda redundant as a task. However, if you have this requirement for any specific reason, then what I think you could do is set the reauthentication timer in the common tasks of the authorization profile to something minimal, and also set the "RADIUS:Idle-Timeout" value in the "Advanced Attributes Settings", still in the authorization profile. These two values/timers would trigger the guest session to be reauthenticated, so in theory it should ask them to provide their credentials before they are allowed access to the network. Please keep in mind that it is not recommended to set small timers here; I'm not sure, but I think the recommendation is not to go below 4 hours or something like that. But as I said, I personally think this adds complexity to the solution and probably wouldn't give a good user experience to the guest users.

omerfaruk
Level 1

Thank you very much Aref.

Would it be possible for ISE to add a RADIUS attribute to the WLC without affecting anything, so that this attribute comes back in the next RADIUS request? I need to differentiate the two RADIUS requests.

You're welcome. I don't think that is possible, because if ISE returns an attribute for a matched session, that will apply to the session straight away; it won't wait until the user/endpoint tries to reauthenticate before pushing those attributes.

omerfaruk
Level 1

Hi,

We are using the url-redirect AV pair in ISE authorization profiles as follows. I would like to see the portal ID in the logs, but I couldn't, because the WLC doesn't send it with the RADIUS request, as shown below. Is there a way to send the portal ID with RADIUS? I am still trying to find something to differentiate the requests.


AFAIK the session ID relates to ISE, not to the WLC, and you can see its reference in the ISE RADIUS live logs at the very end of the page, if I remember correctly.

omerfaruk
Level 1

You are right, thanks.

ISE is currently adding registered guests to the 'Guest 24 Hours From Login' group. Would it be possible for ISE to change their group to 'Guest 4 Hours From Login' by assigning an Authorization Profile or using another method upon receiving a new RADIUS request?

You're welcome. You can change the guest type from the guest portal settings; however, that applies to all guests, so there is still no difference between a first-time guest and a returning guest.

omerfaruk
Level 1

Hi,

I added the following attributes from Context Visibility > Endpoints > Attributes. I want to use them in an Authorization Policy condition, but they are not available for selection. How can I use them?

Portal.Name: Self-Registered Guest Portal test
SelectedAuthorizationProfiles: WLC_CWA_login
PortalUser.CreationType: Self Registration Guest

Not sure if you can use those attributes in the authorization rules. Maybe @thomas or @Arne Bier can share some thoughts on this.

thomas
Cisco Employee

Endpoint Custom Attributes are simply another dictionary:attribute and should be available to use in any policy and authorization rule. See my webinar for how to configure them:

User & Endpoint Custom Attributes 2022-09-06

03:09 Endpoint Profiles, Endpoint Groups versus Custom Attributes
05:01 Defining User Custom Attributes for ISE Internal Users
06:10 Defining Endpoint Custom Attributes and their Common Uses
07:36 Demo: Creating User Custom Attributes
10:41 Demo: ISE 802.1X Policy Review, and Authentication
13:51 Demo: Customize 802.1X Authorization Policy using Custom Attributes
15:20 Demo: Edit User Custom Attribute and Authenticate with Custom Attribute
16:51 Demo: Endpoint Custom Attributes
19:29 Demo: Custom Attribute Policies for IOT Endpoints
22:12 Demo: Raspberry Pi Authorizations using ISE Profiling Policies
22:36 Demo: Use Context Visibility to Edit Endpoint Custom Attributes in ISE