cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ISE Guest SMS support for Twilio provider

5380
Views
13
Helpful
8
Comments

Introduction

 

Cisco Identity Services Engine (ISE) provides the ability for a guest user to create an account using the Self-Registered Guest Portal. Newly created guest account credentials can be sent to the user via SMS or Email (or both). This guide provides the steps required to use the Twilio SMS service to send SMS to guest users. Twilio uses the HTTPS POST method to receive API calls to send messages.

 

Components Used:

 

1) Cisco ISE 2.1 patch 3

2) Twilio SMS service (https://www.twilio.com/)

 

Prerequisites:

 

1) ISE Policy Nodes have to be able to communicate with the URL https://api.twilio.com. The Twilio service is hosted on the Amazon Web service (AWS) cloud that has a dynamic IP range. Twilio servers are in the East Servers of the IP ranges described in http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html. Allow outbound Firewall rules to these ranges to allow for successful communication.

 

2) ISE running the minimum versions given below:

 

  1.     1.4 patch 8
  2.     2.0 patch 3
  3.     2.1 and above

 

3) Twilio Account with Phone number.

 

Configuration Steps:

 

Twilio setup

 

1) Sign up for a Twilio account at Twilio | Try Twilio Free. You would need to verify your phone number for successful account creation. This is an important security step that is mandatory to trying Twilio.

 

2)  Navigate to Home > Account > Account Settings to see your Live and Test credentials. Each of these will have an Account SID and Auth Token. These will translate to your HTTPS Username and Password on ISE SMS gateway settings.

 

account1.PNG

 

3) Obtain a new phone number with SMS capabilities by going to https://www.twilio.com/console/phone-numbers/getting-started. Twilio provides a few free credits and a phone number for you to test the account without having to purchase a number and account balance.

 

phonenumber1.PNG

 

More information on Twilio's trial capability is given here:

 

https://support.twilio.com/hc/en-us/articles/223136107-How-does-Twilio-s-Free-Trial-work-

 

 

ISE setup:

 

1) Upload the HTTPS CA certificate for the Twilio API URL (https://api.twilio.com) to allow ISE to have trusted communication. Twilio uses an SSL certificate issued by Thawte. Only the Thawte intermediate certificate (thawte SSL CA - G2) needs to be uploaded on to ISE as it should already have the Thawte Root CA certificate. The uploaded certificate is shown below (box checked).

 

certs.PNG

 

2) Create an SMS Gateway at with the following Administration > Settings > SMS Gateway Provider List using the below settings.

 

ISE setting Value
Provider Interface Type SMS HTTP API
URL

https://api.twilio.com/2010-04-01/Accounts/<Account_SID>/Messages.json?From=%2B1<10-Digit_FromNumber>

 

For eg. https://api.twilio.com/2010-04-01/Accounts/ACdd19409d93e6d32ec2c47c7a93ad649d/Messages.json?From=%2B15005550006

Data (Url encoded portion) $message$
Use HTTP POST method for data portion Checked
HTTP POST data content type application/x-www-form-urlencoded
HTTPS Username <Twilio Account SID>
HTTPS Password <Twilio Auth Token>
HTTPS Port 443

 

From Number is the number obtained from Twilio. This is added in the URL section.

To Number is the number provided by Guests to send the message. This is automatically added by ISE in the request.

 

A snapshot of a working setup is below:

 

ise-sms1.PNG

 

3) Configure the Self-Registered Guest Portal to use the new SMS Gateway.

 

Sample URL = https://api.twilio.com/2010-04-01/Accounts/ACea78bcaca92922a9ecf9a6bf47942c99/Messages.json?From=%2B19513392481

 

guestportal.PNG

 

4) Once the Guests registers on the portal page, they should receive a message from the Twilio number. During registration, the Guest should add the entire E.164 format (+1xxxxxxxxx or 1xxxxxxxxxx for US numbers) of the phone number as ISE automatically adds the To Number into the POST request.

 

registration.PNG

 

A sample message is seen below. Twilio adds "Sent from your Twilio trial account" for a trial number.

 

message1.PNG

 

Sample POST message with Twilio 

sms8.png

  1. URL : https://api.twilio.com/2010-04-01/Accounts/ACea78bcaca92622a9e5f9a5bf47944c99/Messages.json?From=%2B19513392481
  2. Content Type : application/x-www-form-urlencoded
  3. Body of the Message:

 

From=%2B19514452481&To=%2B15677053635&Body="testmessage 3 from Harish to phone using Twillio !!!

 

Note:

  1. Upload Twillio certificate ( the entire certificate chain ) to ISE trusted certificates Trust store ( ISE certificate Trust Store will already contain he Thawte issued root certificate )
  2. The “From” phone number is URL encoded for e.g. %2B19148765678 to represent +19148765678
  3. The “To” phone number when entered from an ISE portal such as Self-Registration Portal can be entered either as 19199056778 or with the preceding + (the E.164 number format) for e.g. +19199056778.   The To phone number must not be entered as a URL encoded value.

 

Comments
Beginner

Great document!

I am having a little issue.  Running 2.0 Patch 3

When I try to perform a self registration I get the following error on my device

"An attempt to text your account information to you has failed"

Firewall is allowing the traffic out to Twilio but I never see it on Twilio Portal.

Settings on ISE SMS Gateway

URL: https://api.twilio.com/2010-04-01/Accounts/AccountSIDXXXXXXXXXXXX/Messages.json?From=%2B1XXXXXXXXXX

Data (Url encoded portion): $message$

Check in Use HTTP POST method for data portion

HTTP POST data content type: application/x-www-form-urlencoded

HTTPS Username: ACCOUNT SID

HTTPS Password: AUTH TOKEN

HTTPS Host: EMPTY

HTTPS Port: 443

Any help would be much appreciated!

VIP Advocate

Do you see 2 way communication via https? I saw this issue when I did not have the Twilio intermediate certificate installed in the Trusted Certificate Store on ISE.

Beginner

I am not sure how I tell if its 2 way communication.  I did export and install the thawte SSL CA -G2 cert.  The only thing I enabled during the install of the cert was Trust for authentication of Cisco Services, all other check boxes are unchecked.  I confirmed I have the Thawte Primary Root CA as well.

I also see session create and session close on my firewall, not sure why I would have two way communication as this would happen within the session.

Beginner

Great setup document- worked perfectly. Twilio is a much better API for our business case. They allow porting of college phone numbers so users aren't afraid of a seemingly random number texting them. Their billing methods are also preferred by our Finance department.

It would be nice if the user didn't have to type +1 and then their number. Is this possible with field validation? Any good documents on setting this up?

Cisco Employee

Scott have you tried prepending it in the SMS settings page where you setup twillio? So they don’t need to enter it and the system has it there already?

Here are some scripts to help

https://communities.cisco.com/docs/DOC-64018#jive_content_id_SelfRegistration

Community Member

we had this problem also

"An attempt to text your account information to you has failed"

it was a certificate problem

here is our fix

we downloaded the cert from the api link in the instructions and things worked great

here is how we did it click on this link we used the firefox browser

https://api.twilio.com/

download the cert from here (look for the secure tab up by the browser)and export the cert (really easy on a mac)

then import into ISE trusted certificates

hope this helps

Contributor

Agreed on the +1.

I'm not finding where to prepend that in the SMS settings, since the TO is set in the $message$.

Cisco Employee

Maybe this will help by changing it to a 1 ?

ISE Guest Self-Registration form working with phone numbers