Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2900
Views
4
Helpful
3
Replies

ISE pointing to External Web Server as GUEST Portal

Go to solution
jmoliner
Cisco Employee
Cisco Employee

‎10-16-2017 06:32 AM

Hi all:

One customer wants to have an external WEB Server as Guest Portal.

I mean, customer wants to customise a web server. Then, the ISE will point to this server in order to show the Captive Portal.

IS it supported?

How to achieve that? ISE Version? WLC Version?

Thanks in advance.


Jesús Molinero.

1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10
In response to Greg Gibbs

‎10-17-2017 05:46 AM

There is no simple option to say "use this external page for CWA".  The CWA flow completes the auth on the PSN, updates specific session and in some cases endpoint attributes, and triggers needed COA.  Even with APIs, there is no option to say "user completed auth, user accepted API, etc".  You could use API to register endpoint similar to CWA flow and assign Portal User, but auth would be associated with the endpoint (MAB).

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎10-16-2017 06:41 AM

You can do this by pointing the Authorization Profile to the external web portal.  Then, using API, you can place the endpoint MAC Address into the proper Endpoint Identity Group and perform a COA.

ExtPort.PNG

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/api_ref_guide/api_ref_book/ise_api_ref_ers1.html

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎10-16-2017 03:01 PM

The problem with using this type of static web server is that this is essentially a dead-end flow from the ISE perspective, hence the suggestion to use the REST API for any control of the session after the redirect.

Unless the session state is changed by some external system (like the REST API), the session would be stuck in the URL redirect state. Any comms required in this state would need to be exempted from redirection in the redirect ACL.

If the customer's main concern is customising the look & feel of the Guest portal, a better option would be to look into using the ISE Portal Builder.

Go to solution
Craig Hyps
Level 10
Level 10
In response to Greg Gibbs

‎10-17-2017 05:46 AM

There is no simple option to say "use this external page for CWA".  The CWA flow completes the auth on the PSN, updates specific session and in some cases endpoint attributes, and triggers needed COA.  Even with APIs, there is no option to say "user completed auth, user accepted API, etc".  You could use API to register endpoint similar to CWA flow and assign Portal User, but auth would be associated with the endpoint (MAB).

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents