cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1091
Views
4
Helpful
4
Replies

Requirement for ISE not having the guest user credentials

ppsychog
Cisco Employee
Cisco Employee

Hi All,

I have a customer that wants to deploy sponsored guest access with ISE. They have one tricky requirement though: the guest facing PSNs must not contain any user (guest nor sponsor) credentials.

I believe this can be done only by separating the sponsor facing ISE and the guest facing ISE, so two ISE deployments. The sponsor ISE has the sponsor and the guest information, the guest ISE acts as a Radius proxy between the NADs and the sponsor ISE:

NAD <-> Guest ISE (no network user database) <-> Sponsor ISE (guest user database)

Sponsors create guest users on the Sponsor ISE as usual, guest users get authenticated to the network via the Guest ISE proxying all authentication requests to the Sponsor ISE.

Question #1: Does this make sense or is there a better way to do it in ISE alone?

Question #2: Sponsor ISE should need only base licenses (required for guest management) and Guest ISE should need base and plus licenses, the latter if required for authorization policies for example. Is this right?

Regards,

Panos

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

Sounds right

Guest only needs base licenses. The sponsor deployment 100 licenses to activate the system. The guest deployment on how many active endpoints would be logged in at one time.

You only need plus licensing if you’re doing profiling or BYOD for example. See license guide on what pluys gives you

View solution in original post

4 Replies 4

Jason Kunst
Cisco Employee
Cisco Employee

Sounds right

Guest only needs base licenses. The sponsor deployment 100 licenses to activate the system. The guest deployment on how many active endpoints would be logged in at one time.

You only need plus licensing if you’re doing profiling or BYOD for example. See license guide on what pluys gives you

paul
Level 10
Level 10

Wow this is one of the times you need to educate the customer and don't let them do something silly.  What is there real concern here?  Typically sponsors are tied to AD so there are no stored usernames and passwords in ISE for sponsors.  Guest users are created and stored in ISE, but what are the concerns here?

But to answer your question you could technically setup a separate guest deployment that simply runs the guest portal.  Your main deployment would run the sponsor portal and store all guest credentials created by the sponsor.  In your guest deployment you setup an external RADIUS server definition pointing at your sponsor portal deployment.  Then simply setup your guest portal to use the external RADIUS server for authentication.

It is similar to the RADIUS callback we do for MyDevices portal authentication, but instead of calling back to the same deployment you are calling over to another deployment.

So technically this is possible, but I would never allow a customer to go down this road.  I would love to hear a valid reason for doing something like this.

agree! the guest creds are encrypted on the PSN. The PSN for guests still needs to communicate to another service. What is the risk and concern here? They are guest accounts

ppsychog
Cisco Employee
Cisco Employee

Thank you all for your feedback!

Long story short, the customer has strict data protection requirements in their home country and the guest access will be available globally. So they have some legal concerns that if something happens at a remote PSN and guest credentials are stolen, they may have legal consequences in their home country. In their mind a portal accessible by end users doesn't belong on a security device.

I explained that ISE is a security device and they should treat it as such and trust it the same way they trust any other web based security service (i.e. their SSL VPN gateway), but unfortunately they would rather have two ISE clusters with all the associated costs and restrictions.