Mist AP and Cisco ISE Guest Portal

JPavonM (VIP)

Hi colleagues,

I need some help from somebody who has set up a Cisco ISE Captive Portal for Juniper Mist (or any other cloud vendor, as this may be similar).

I'm following this Mist guide about how to configure the Cisco ISE policies and profiles for the Captive Portal to be served to the Mist APs (https://www.mist.com/wp-content/uploads/Mist-Integration-with-ISE-for-Guest-Access.pdf) using CoA (https://www.mist.com/wp-content/uploads/COA-Change-of-Authorization.pdf), but there are a few missing pieces in the process to create the "Guest_Access" authorization profile (under step C on page 5 of the Guest document).

From Mist documentation above, this is the configuration for the CWA authorization profile:

[screenshot: CWA authorization profile from the Mist guide]

As the Authorization profile for CWA in ISE must be attached to a "Network Device Profile", I don't know if we need to use Cisco or a custom one for Mist, like this:

[screenshot: Network Device Profile selection in the ISE authorization profile]

If it is like this, we need to create a custom NAD profile with all the RADIUS attributes that are needed, and that's the point, as I cannot find any repository here (looking for the tag "ise-nad-profile") or on the Internet. Here is all the Mist information about supported RADIUS attributes (https://www.mist.com/documentation/mist-radius-attributes/), but this is a huge amount of work to be done, unless I'm missing something here.

Accepted Solution

Arne Bier (VIP)

If you use the default Cisco NAD profile, then you will get all the IETF RADIUS behaviour, as well as the CoA support that Cisco devices understand (as well as the Cisco icon etc.). Unless you know exactly how the Juniper/Mist NAD device behaves with regards to RADIUS, I would not make a custom one. If their guide uses the example given, then follow their advice. The only thing I don't like from their example is that they use an IP address instead of an FQDN - it's not clever to use an IP address, because that will 100% lead to certificate warnings. Use a DNS-resolvable FQDN. The guest endpoint will get an IP via DHCP, and in the DHCP offer will be a DNS server. That DNS server must resolve the ISE Portal FQDN, and all other domains (internet).

In general, if you make a custom NAD profile and assign it to your NAD device, then you MUST tag your Authorization Profiles with that same NAD Profile, else ISE won't return any attributes for that Access-Accept. There is one exception - some Authorization Profiles have a NULL profile (blank) - that one can be used for all NAD profiles.
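As an added example (not code from the thread, Cisco or Juniper), here is a small Python pre-deployment check of the portal redirect URL that follows the advice above: it flags an IP-literal host, confirms the FQDN resolves, and checks that the served certificate's SANs cover the name. The resolver and certificate fetch are injectable so the check can be pointed at the DNS server the guest VLAN hands out; all hostnames and addresses in it are assumptions.

```python
# Added example (not Cisco, Juniper or the thread's own code): pre-deployment check of the
# guest-portal redirect URL against the accepted answer's advice (FQDN, DNS, certificate).
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

def host_is_ip_literal(host: str) -> bool:
    """True when the portal URL carries a raw IPv4/IPv6 address instead of an FQDN."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def cert_matches_host(cert: dict, host: str) -> bool:
    """Match host against the DNS SANs of a getpeercert()-style dict (wildcard left label only)."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind == "DNS" and (name == host or
                              name.startswith("*.") and host.split(".", 1)[1:] == [name[2:]]):
            return True
    return False

def fetch_cert(host: str, port: int) -> dict:
    """Verified TLS handshake to the portal, returning its certificate (needs network access)."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def check_portal_url(url: str, resolve=socket.gethostbyname, get_cert=fetch_cert) -> list:
    """Findings for a portal redirect URL; an empty list means it passes.
    resolve/get_cert are injectable: point them at the guest VLAN's DNS server, or at stubs."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = [] if parts.scheme == "https" else ["scheme is not https; the portal must be served over TLS"]
    if host_is_ip_literal(host):
        return findings + [f"host {host} is an IP literal; browsers will warn, use an FQDN"]
    try:
        resolve(host)
    except OSError:
        return findings + [f"{host} does not resolve; the DNS server offered by DHCP must answer for it"]
    try:
        cert = get_cert(host, parts.port or 443)
    except (OSError, ssl.SSLError) as exc:
        return findings + [f"TLS handshake to {host} failed: {exc}"]
    if not cert_matches_host(cert, host):
        findings.append(f"certificate SANs do not cover {host}; browsers will warn")
    return findings
```

Run it from a client on the guest VLAN so that `resolve` uses the same DNS server the DHCP offer gives to guests.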
