Solved: ISE Guest Integration with CRM

bawagne · ‎02-08-2018

Hello ISE Community,

I have a Bank customer that is using a CRM for its customers.

They want to use the account number and Date of Birth in order to authenticate them with the ISE Guest services.

This bank has around 10M customers.

Question1:

Guest Local DB scalability on the 3415/95 on ISE2.3.

Question2:

Can we use the ERS API in order to either take the information of a user based on his bank account and populate the

ISE local DB in order to validate the user authentication before granting access?

Question3:

Are you aware of any customer that is using this kind of integration with a CRM in order to validate user information

Before granting acess?

If yes what would be the best way to do it.

I know that we do not support external DB AUth for guest user.

Best Regards,

Babacar

Jason Kunst · ‎02-08-2018

You will likely have more exposure to this under the Public Community would recommend moving it there with my answer or I can do that

http://cs.co/ise-community

Question 1 is answered in our performance and scale section

https://communities.cisco.com/docs/DOC-68347

Question 2 yes this might be possible depending on how you setup the username and password policy

Question 3 is likely but people don’t share examples

How about instead having ISE lookup information via ldap server that is populated with the correct username and password? This will likely scale, maybe the CRM can do this?

Another way would be to have the user onboard themselves when they come in, hit a registration portal front end before connecting to guest or something in a flow that would create the account for them

Either way would have to be setup in lab and validate your options with partner

View solution in original post

Jason Kunst · ‎02-08-2018

You will likely have more exposure to this under the Public Community would recommend moving it there with my answer or I can do that

http://cs.co/ise-community

Question 1 is answered in our performance and scale section

https://communities.cisco.com/docs/DOC-68347

Question 2 yes this might be possible depending on how you setup the username and password policy

Question 3 is likely but people don’t share examples

How about instead having ISE lookup information via ldap server that is populated with the correct username and password? This will likely scale, maybe the CRM can do this?

Another way would be to have the user onboard themselves when they come in, hit a registration portal front end before connecting to guest or something in a flow that would create the account for them

Either way would have to be setup in lab and validate your options with partner

paul · ‎02-08-2018

I think this was similar to another post. I definitely wouldn't program banking numbers into ISE guest database. I would look to have a kiosk or something in the branches. The kiosk runs a customer web interface that asks the user to provide their bank account number and date of birth. The web program then validate the information against the CRM. Once validated the application pulls the user's first name and last name from the CRM. The program then uses ISE API to create a guest account using the first name/last name and then supplies the guest sign in information to the user.

I wouldn't scaling would really come into play. The bank may have 10M customers, but I would bet less than 10K would actually uses guest wireless. How many customers go to bank branches these days? How many actually stay long enough where they would wonder "Do they have guest wifi here?".

Jason Kunst · ‎02-08-2018

Agree, even if you did hit the 1 million accounts you could always set them for a day or a week of access and then when the default 90 day purge of guest accounts hit it should keep below that mark

bawagne · ‎02-12-2018

Many Thanks Jason, Paul,

I do agree that going from the CRM to ISE and only create accounts that have been requested by Guest is the most scalable way of handling the bank customers.

I Will discuss with the customer to see how a portal linked to the CRM is feasible and then linked it to the ISE API

in order to create the accounts.

Many Thanks