cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1743
Views
10
Helpful
8
Replies

ISE Guest Access clarifications

john5
Level 1
Level 1

Hi,

I have just some questions a bout the guest solution provided by ISE.

1- my customer needs to create guest accounts in an external DB "Oracle", I know that ISE can integrate with ODBC and can authenticate guest users from external DB but my question what will I'm going to lose if I put the guest accounts in external DB over ISE internal DB ? I know that no self-registration will be available also we can't control the account duration and so on "correct me if I'm wrong" ,is there anything else ?

 

2- I will have PSN nodes behind load balancers, what should I take care of regarding the guest solution ? I know that each PSN must be reachable directly from the clients for redirections and each PSN gets listed individually in the Dynamic-Authorization (CoA) in all switches but what about the WLCs ? should I configure all PSNs as a RADIUS servers beside the the VIP of load balancers and then list them for the guest SSID ? is there any documentation that describe the best practice with steps? 

2 Accepted Solutions

Accepted Solutions

Arne Bier
VIP
VIP

If you don't have more than two PSN's I would recommend not using a load balancer (because of the complexity).  But if you have to use a load balancer (i.e. > 2 PSN nodes) then have a goo dread through BRKSEC-3699 from CiscoLive archives.  You can join CiscoLive web site for free and download the PDF.  It's very detailed and gives exact examples and advice for different scenarios.

 

As for the external ODBC repository - I don't have any experience there - but I would have expected that part of your database schema would be a "valid from" and "valid to" date fields.  And you could use those in your queries (or stored procedures).  But I don't have any experience with ISE.  In other radius platforms you would have to build this logic into your queries.  It seems that the customer is introducing a lot of complexity in a process that ISE does pretty well.  Perhaps the customer can look at the ISE API and then populate the internal Guest Identities using API (the typical CRUD operations).

View solution in original post

ISE cannot put users into external database. You didn’t ask as such. All guest users from API, Sponsor and self-reg are put into the guest store on ISE

View solution in original post

8 Replies 8

Arne Bier
VIP
VIP

If you don't have more than two PSN's I would recommend not using a load balancer (because of the complexity).  But if you have to use a load balancer (i.e. > 2 PSN nodes) then have a goo dread through BRKSEC-3699 from CiscoLive archives.  You can join CiscoLive web site for free and download the PDF.  It's very detailed and gives exact examples and advice for different scenarios.

 

As for the external ODBC repository - I don't have any experience there - but I would have expected that part of your database schema would be a "valid from" and "valid to" date fields.  And you could use those in your queries (or stored procedures).  But I don't have any experience with ISE.  In other radius platforms you would have to build this logic into your queries.  It seems that the customer is introducing a lot of complexity in a process that ISE does pretty well.  Perhaps the customer can look at the ISE API and then populate the internal Guest Identities using API (the typical CRUD operations).

Thanks a lot Arne,

 

for load balancer part I will check the mentioned session, thanks.

I need more info about the external Guest DB part , I need to know what if they have their own DB what are the options that I have ? can I control the duration ? also the self-registration will not be applicable because ISE will have no control to create passwords in their DB "or at least that what I know".

I think the API is used in the reverse situation, when customer has his own app and need to create internal guest users on ISE but not sure.

also I don't know if that customization to match on some fields from the DB query is exist or not, so if you have this info please share any documentation that I can look at.

If you’re using the external database, you lose all the functionality of the web portal listed under the Guest Type. Such as max devices allowed to login, access times, amount of hours, etc

Here are some example threads perhaps that might help.
https://www.google.com/search?q=ise+external+odbc&oq=ise+external+odbc&aqs=chrome..69i57j69i64.4560j1j7&sourceid=chrome&ie=UTF-8

Like arne said you might might be able to craft some attribute but there is nothing document besides what’s listed in the above search links and admin guides.

Thanks Jason so much.

 

what about self-registration ? could it work by away or another ?

 

Self-registration would still work. they would be redirected to the guest portal. Existing guests would be told to enter the creds from external system. Self-register guests would just click the link to create an account

I'm still can't get that Jason.

How could ISE integrate with the external DB and create new username and password in the external DB for the self-registered guest account ?

is there any documentation that shows the steps for any kind of DB ?

ISE cannot put users into external database. You didn’t ask as such. All guest users from API, Sponsor and self-reg are put into the guest store on ISE

yes, that's what I know and I just wanted to confirm that.

so self-registration will not work if we need the accounts to be created in the external DB but this will be done in ISE internal guest store.

Thanks again Jason.