cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ISE Guest SMS for clickatell provider

4425
Views
6
Helpful
5
Comments

 

Introduction

This document describes the configuration required on ISE application to send SMS messages via HTTP and HTTPS methods via Clickatell SMS gateways.

 

Problem Statement

  1. It is only possible to send SMS messages to ISE guest users using email or HTTP GET method. The Http GET method to send SMS messages introduces a security concern whereby the SMS text message is included as part of the Http request URL, and easily be intercepted by a Man in the Middle
  2. The more secure mechanisms, as compared to the HTTP GET option above, for transmitting SMS messages via HTTP and HTTPS using ISE configuration is not functional.

 

Solution

  1. The Clickatell gateway does not support HTTP / HTTPS POST method to include SMS message as part of the message body. As a solution,  the Clickatell REST API has now been employed to send SMS messages as body of the HTTP POST request.
  2. The implementation within ISE for transmitting SMS messages using HTTPS has now been fixed

These fixes are available as part of these ISE releases and patches :

1.4 patch 8, 2.0 patch 3, 2.1 and above

  

ISE Configurations for Sending SMS Messages

 

Send SMS Using HTTP Or HTTPS POST Method

 

sms1.png 

 

Sample URLs:

HTTPS:

https://api.clickatell.com/rest/message?from=15556661212&x-version=1&mo=1&api_id=1234567

 

YOUR API ID 1234567

YOUR FROM #15556661212

 

Upload the Clickatell  certificates (from their website https://www.clickatell.com lock icon )  to the ISE certificate trust store

 

HTTP:

http://api.clickatell.com/rest/message?from=15556661212&x-version=1&mo=1&api_id=1234567

 

 

Note:

  1. The ISE admin has to login to the Clickatell SMS portal and set up a REST API, and the id of that API has to be used while sending the SMS messages over HTTP/S requests
  2. The values of mo=1 and x-version=1
  3. The “From” phone number is provided by the Clickatell SMS two way account ( this type of account and having a From number  is mandatory in the US region by law ). Even in regions such as India, with one way SMS a From number must be used ( which can be obtained from the Clickatell SMS portal or working with the Clickatell helpdesk ). The use of “From” number incurs additional cost compared to sending a one way SMS but is the recommended approach from a security and message credibility standpoint.
  4. The “From” phone number can be entered on an ISE   portal page either in a format (country-code) (phone number) for e.g. 15556661212   or in the E.164 format  +15556661212

                      

Send SMS Using HTTPS GET Method

The ISE application already supports sending SMS messages to the Clickatell SMS gateway

 Using the HTTP GET method. The below configuration is for HTTPS GET method where everything else remains same as for HTTP GET except:

  1. the Clickatell certificate has to be imported into the ISE certificate trust-store
  2. the URL starts with HTTPS 

While importing the certificates,

  1. We Need to ensure the Serial Number of Thawte Primary Root CA which we are having by default (in our trusted store) and api.clickatell.com’s Thawte Primary Root CA’s Serial number matches.
  2. Thawte Primary Root CA issued Certificates to Thawte SSL CA – G2 and also Thawte SSL CA – G3 (G2 to api.clickatell.com & G3 to Clickatell.com). If we import G3, things fail as Trust in cert chain breaks. It is mandatory to import G2 certificate.
  3. And finally, there is a wild card certificate issued to Clickatell (for all its services) than the regular certificate. Imported *.clickatell.com too in to the trusted chain of certificates.
  4. https://api.clickatell.com/rest/message?X-Version=1&from=91xxxxxxxxxx&api_id=1234567&mo=1 points us to Thawte – G2

 

sms2.pngsms3.png 

 

 

 

 

Sample testing using poster

 

sms8.png

 

  1. URL : https://api.clickatell.com/rest/message
  2. Content Type : application/json
  3. HTTP Custom Headers:

                           Authorization : <<Clickatell authorization key>>

                           x-version : 1

  1. Body of the Message:

 

{"text":"My message from Harish testing GUEST", "to":["15605365635"],  "from" : "17752874976", "mo":"1", "api_id" : "3591672" }

 

 

Comments
VIP Advocate

Tested out Twilio and worked with ISE 2.1 p3. Trick is to not add anything in the Post Data section except the $message$. "To" field is automagically added by ISE to POST request before sending.

Contributor

Hmm, just tested in 2.1 P2 and no dice.  Anyone know of a way to debug the SMS component to see what's failing?

Cisco Employee

Rahul is working to clarify the document for twilio, otherwise contact tac

VIP Advocate

Jacob, I just created a doc with the working settings in my lab. Cisco ISE Guest self-registration using Twilio SMS service. Could you check this and see if all your settings match?

Contributor

It's working... i was debugging with a proxy and forgot to turn it off.