ISE guest access with ODBC as authentication method

Abdul Pallares
Level 1

Hi community,

I'm working on a solution for one of our customers. They have a business with a lot of customers who stay in their buildings for different periods; these users are maintained by internal applications in a database. There are also a lot of other people who pass through the buildings but are not considered customers and are not in the database.

The customer wants to allow guest access to the users added to the database. Here the question begins.

I've read this post https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200544-Configure-ISE-2-1-with-MS-SQL-using-ODBC.html#anc5

Which explains clearly the ODBC integration procedure. It talks about the following authentication methods:

- PAP, EAP-GTC inner method, TACACS

- CHAP, MSCHAPv1/v2, EAP-MD5, LEAP, EAP-MSCHAPv2 inner method, TACACS

Our idea is to ask users only for their passport or equivalent ID which is stored in the ODBC database.

Here is the question. How can we merge a sponsored guest portal with ODBC asking only for the username?

My guess is to use the passport number as the username, using a customized portal, and use a stored procedure to match it on the database.

But I'm not sure which authentication method the guest portal will send to ODBC; it should be any of the supported ones, but I need confirmation on that.

Does anyone know if my guesses are correct and we can proceed in this way?

Thanks!

 
 
 
Accepted Solutions

Arne Bier
VIP

I have a vague recollection of a use case that a former colleague of mine worked on.  It was for a hospital, and the ISE Guest Portal would accept the patient's ID (a unique number assigned to the patient after being admitted, usually printed on the patient's wristband) and the password would be their surname.

The solution involved the Guest Portal auth using the ODBC integration - and the ODBC "magic" involved stored procedures that returned the correct results to ISE. The ISE web portal presents the username and password as simple text data (PAP) to the ODBC engine, and that is sent to the database for processing/comparison. The stored procedure should return attributes that ISE can match, and then present to the ISE Admin as attributes for Authorization Policy (e.g. patient A is a long-term user, and needs 30 day access, versus, patient B, who only gets 1 day access)

Best to test this out in a lab and build it up stage by stage. ISE doesn't perform anything special here - the hard work is done on the SQL server and its stored procedures.

2 Replies

Hi Arne,


Thanks a lot for your response! My main doubt was the authentication protocol used by guest portals. So knowing that it's PAP and that this is well supported by guest portals, we can proceed with this approach.

The use case you mentioned is very similar, so now we can make the move with confidence that it will work!


Thanks
Regards
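
The stored-procedure approach described in the accepted answer, sketched in T-SQL as an added example that is not part of the original thread or of Cisco's documentation. The table, columns, group names and the `ise_odbc` database user are hypothetical; the procedure name and its four-column result (result code, group, account info, error text) are assumed from the Cisco ODBC guide linked in the question and should be checked against it.

```sql
-- Added example: plain-text (PAP) credential check for ISE over ODBC.
-- Hypothetical table maintained by the customer's internal application.
CREATE TABLE dbo.Residents (
    PassportNo varchar(255) NOT NULL PRIMARY KEY,  -- typed into the portal as the username
    Surname    varchar(255) NOT NULL,              -- typed into the portal as the password
    CheckOut   date         NOT NULL               -- last day the resident should have access
);
GO

-- Procedure name and result columns are assumed from the linked Cisco guide.
CREATE PROCEDURE dbo.ISEAuthUserPlainReturnsRecordset
    @username varchar(255),
    @password varchar(255)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @checkout date;

    -- Parameters are compared as values, never concatenated into SQL text.
    SELECT @checkout = CheckOut
    FROM dbo.Residents
    WHERE PassportNo = @username
      AND Surname    = @password;

    -- One generic failure row for "no such ID", "wrong surname" and
    -- "stay already ended", so the reply does not reveal which IDs exist.
    IF @checkout IS NULL OR @checkout < CAST(GETDATE() AS date)
    BEGIN
        SELECT 3, 0, 'odbc', 'ODBC Authen Error';
        RETURN;
    END

    -- Success row: the group value is what an Authorization Policy rule
    -- could match on (for example longer access for long stays).
    SELECT 0,
           CASE WHEN DATEDIFF(day, GETDATE(), @checkout) > 7
                THEN 'LongStay' ELSE 'ShortStay' END,
           'resident',
           'No Error';
END
GO

-- Least privilege: the account ISE connects with (hypothetical name) can run
-- the procedure but has no direct SELECT on the resident table.
GRANT EXECUTE ON dbo.ISEAuthUserPlainReturnsRecordset TO ise_odbc;
```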