cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1297
Views
0
Helpful
10
Replies

Identity Service Engine 2.3: hotspot guest portal with RSA token?

r.delmonte
Level 1
Level 1

Hello Community,

I'd ask your help..

Customer asked us if it's possible to authenticate WiFi guest users using RSA tokens; in his idea, WiFi guest will be redirect to CWA, where they will be asked just for the RSA code. No user registration (like in the self-registered portal), no username or password, just RSA code.

At first I thought to something like the hotspot guest portal, where you can ask for an access code, but it seems that this code is only locally significant for ISE and not dependant from any external ID source.

It's the first time I received this kind of request, I was unable to find anything useful about, so I'd like to ask if someone managed something like this.

Thanks

2 Accepted Solutions

Accepted Solutions

Sounds like you can use one
of the following but don’t understand big deal since they are not worried about security per say since it’s a shared password regardless?

Also seems like rsa token is overkill as security is not really a focus

Ipsk on wlc to a hotspot with AUP

Or sponsored guest access (create an account per room) you can setup a password only portal (examples under guest webauth page) where they only have to enter one piece of information. Sponsored account can say it belongs to a certain classroom or sponsor

Or a hotspot portal with access code depending on ap group could be different portal and code (messy it seems)

View solution in original post

hslai
Cisco Employee
Cisco Employee

ISE guest portals may use RSA token to login but, like the other commented, each token needs tied to a username.

If only one user token per portal, it might be easier to hide it and asking only the generated OTP. If more than one, it would likely need a lot more coding and skill to allow selecting the meeting rooms, etc.

View solution in original post

10 Replies 10

howon
Cisco Employee
Cisco Employee

In this flow if there is no username and just the token, how do we know which token to match against? Is the token universal for all users connecting during certain timeframe?

Hello,

as you wrote, the token is meant to be universal for all users logging in during its time of validity.

Thank you

FYI there is no current type integration you’re looking for this would be advanced customization paid with partner someone with heavy coding skills if even a possibility

Hello,

as you wrote, the token is meant to be universal for all users logging in during its time of validity.

Thanks

Charlie Moreton
Cisco Employee
Cisco Employee

How about a Captcha type verification?

 

Cisco ISE Guest Portal Human Verification

 

You can use it on a Hotspot Portal, too.

Hello,

Thanks for your answer.

Unfortunately, captcha isn't enough: the requirement is to allow guest access using RSA tokens. The customer wants to distribute one token in each meeting room, which is the only place guests are allowed to stay, and force them to use the token to authenticate. This also to prevent unauthorized wifi access from outside the building.

Thank you

Sounds like you can use one
of the following but don’t understand big deal since they are not worried about security per say since it’s a shared password regardless?

Also seems like rsa token is overkill as security is not really a focus

Ipsk on wlc to a hotspot with AUP

Or sponsored guest access (create an account per room) you can setup a password only portal (examples under guest webauth page) where they only have to enter one piece of information. Sponsored account can say it belongs to a certain classroom or sponsor

Or a hotspot portal with access code depending on ap group could be different portal and code (messy it seems)

Not sure how that applies? And its old implementation method

hslai
Cisco Employee
Cisco Employee

ISE guest portals may use RSA token to login but, like the other commented, each token needs tied to a username.

If only one user token per portal, it might be easier to hide it and asking only the generated OTP. If more than one, it would likely need a lot more coding and skill to allow selecting the meeting rooms, etc.