Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
2122
Views
16
Helpful
2
Comments

Providing temporary internet access for ISE Guests to retrieve their credentials

Jason Kunst
Cisco Employee
Cisco Employee
‎11-20-2015 10:08 AM

This post explains the use case of having an ISE Guest user access the internet temporarly to be able to check their email for their credentials.

User wishing to access Internet from local library either via own wifi-only device or public shared PC in library

This is not a current feature of the product, please work with your account team to request this feature. Read below for other options.

1.       User connects to open SSID with device
2.       Captive portal requires them to complete personal details including valid email address
3.       User completes the form and submits and is then given time-limited Internet Access (web security filtered)
4.       User accesses their email from either their own device or from public shared device
5.       User clicks a verification link sent from the guest management system which verifies the user and tells the portal service to reset the timer from 15 minutes to 24 hours (or similar)
6.       User now has full, non- time limited access to the Internet
7.       Provider can track usage of service by valid user email ID
8.       Guest accounts are purged after expiry of timer

You can provide Internet access during portal redirect phase and set RADIUS session timeout in Authorization profileto 5 min, but nothing prevents user from constantly going back to redirect phase after timeout so not a good option if goal is Internet Only access.  They could check their email this way with the cavaet you couldn’t redirect all internet to the ISE Guest Portal. You would need to setup a certain site in your redirect ACL that is interesting and only redirect on that. For example www.yourcompany.com So when they first came in the network and connected to Guest they would need to manually access this site to be redirected to the guest portal to create an account

Another option is to have a kiosk setup using a self-registration portal for email checking and/or printing

I attached a PDF of a sample way doing advanced customization on how to make a self-reg portal that could be used for this KIOSK concept. This could be adapted to have them go through self-reg sending the creds via email.

A better approach would be to use SMS with self-reg instead of email. As tracking to a mobile account is better tracking and don't need internet access to check for a text message.

For any help on advanced customization efforts please work with cisco partner for customized work flows. Cisco Supports the use of advanced customization with our portals but the TAC is not there to providing scripting or web development support. 

Labels:
Preview file
236 KB
2 Comments
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents