• Introduction
• Prerequisite
• Configuration Overview
• Optional Configurations for better end user experience
• Optional Configurations for group/attribute matching
• Troubleshooting
• Caveats
• End User Experience
• ISE Live Log

Introduction

Note: Starting with Chromebook v66, it is possible to do SSO for 802.1X. Please see Chromebook 802.1X SSO for more information.

Chromebooks have become a dominant platform for much of the K-12 environment in the US. While it makes great sense for the district management to choose Chromebooks over other platforms, it presents a unique problem for the network/security administrators that are managing the network security for the school districts. The challenge is that there is no easy way to enforce each of the Chromebook to use unique identification to login to the network. In the case of MS Windows, one could force the O/S to utilize the Windows login account to be used for Network login, which provides SSO for the users, yet also provides visibility of users to the network administrators. However, with Chromebooks, there is no way to do the same as evident from the issue being tracked here: https://bugs.chromium.org/p/chromium/issues/detail?id=386606. To circumvent the issue, some admins have resorted to instruct the users to connect to the wireless network manually themselves after they receive their Chromebook. While feasible, it only works in an environment where the Chromebook are assigned to a student for a prolonged period and does not work for environments where the Chromebook are shared by multiple students throughout the day, not to mention that password expiry policy often results in additional support calls from the students. Alternatively, some admins have used WPA/WPA2 PSK (Pre-Shared Key) or static username/password combination to authenticate to the network, forfeiting network visibility as every Chromebook logon is seen identical aside from the MAC addresses. Due to lack of visibility, admins cannot effectively enforce differentiated policies based on user accounts nor they can easily track down a user when policy violation occurs on the network nor they can track down an asset for inventory purposes. ISE provides unique solution to the problem by utilizing SAML Guest authentication feature to identify user behind the devices, thus providing visibility into the users for the network and security administrators. This is done by utilizing Open SSID, WPA/WPA2 PSK, or WPA/WPA2 802.1X combined with SAML guest authentication with ISE. In this setup, ISE Guest portal is used as SAML Sp (Service Provider) and the Google Suite is used as IdP (Identity Provider).

This document describes how to configure Cisco ISE to provide SSO on the ISE guest access portal via Google Suite account via SAML. This allows network administrators to see who is logged in to the network on both the WLC and the ISE. Also contains optional configurations to streamline the user experience by auto pop-up of browser upon login and auto-click of the SSO link. This document covers additional configuration to make the Chromebook SSO working on an existing guest setup and will utilize default ISE settings when applicable.

Prerequisite

Already have working Google Suite with test users

Fresh ISE 2.2 install (This document was written while testing with ISE 2.2, but should also work with ISE 2.1)

Working WLC with CWA Guest access running 7.6+ for DNS ACL feature (Preferably running 8.2+ as it provides 20 DNS ACE per ACL as opposed to 10 ACE in the previous versions)

Configuration Overview

1. ISE: Add WLC as RADIUS Client

2. ISE: Enable Default Authorization Policy for guest access

3. ISE: Create SAML identity source

4. ISE: Create Guest portal to use SAML

5. ISE: Take note of SAML Sp settings

6. G-Suite: Create SAML App to use ISE

7. ISE: Import G-Suite SAML metadata into ISE SAML identity store

8. WLC: Configure RADIUS Server

9. WLC: Configure Redirect ACL

10. WLC: Configure WLAN

Quick video showing the configuration flow:

ISE: Add WLC as RADIUS Client

1. Go to Administration > Network Resources > Network Devices > Add

2. Provide Name, IP Address, and the RADIUS shared key for the WLC and save

ISE: Enable Default Authorization Policy for guest access

1. Go to Policy > Authorization
2. Click on 'Edit' for 'Wi-Fi_Guest_Access' and 'Wi-Fi_Redirect_to_Guest_Login' rule. Click on the status field to mark both rules to be active
3. (Optional) If using 802.1X WLAN, add an additional condition for 'WiFi_Guest_Access' rule to check 'CWA:CWA_Username' Ends With the Google domain name that is being configured (I.e. wonderlandisd.org). This ensures both 802.1X identity and the SAML (WebAuth) identity are visible in the live log and via pxGrid.
4. Click Save

ISE: Create SAML identity source

1. Go to Administration > System > External Identity Sources > SAML Id Providers, click on Add

2. Enter ‘Google_SAML’ in the Id Provide Name, click Save

    

ISE: Create Guest portal to use SAML

1. Go to Work Centers > Guest Access > Portals & Components > Guest Portals, click on Create

2. Select Sponsored-Guest Portal and click Continue…

3. Enter Google_SSO in the Portal Name

4. Expand Portal Settings, select Google_SAML from the Authentication method pull down menu

5. Expand Acceptable Use Policy (AUP) Page Settings, uncheck ‘Include and AUP page’

6. Expand Guest Device Registration Settings, uncheck ‘Automatically register guest devices’

7. Expand Post-Login Banner Page Settings, uncheck ‘Include a Post-Login Banner Page

8. (Optional) Expand Authentication Success Settings, change accordingly to send user after the SSO is completed

9. Scroll up and click Save

10. Click Close to go back to the list of Guest Portals

11. Click on the Self-Registered Guest Portal (default)

12. Expand Login Page Settings, Uncheck ‘Allow guests to create their own accounts’, Check ‘Allow the Following identity-provider guest portal to be used for login’ and select Google_SSO from the drop down list

13. Expand Acceptable Use Policy (AUP) Page Settings, uncheck ‘Include and AUP page’

14. Expand Guest Device Registration Settings, uncheck ‘Automatically register guest devices’

15. Scroll up and click Save

     

ISE: Take note of SAML Sp settings

1. Go to Administration > System > External Identity Sources > SAML Id Providers, click on Google_SAML

2. Click on Service Provider Info. tab

3. Click on Export button

4. Save the ‘Google_SAML.zip’ file

5. With the file manager on your PC/OSX, expand the ‘Google_SAML.zip’ file

6. Use notepad or text editor and open up the Google_SSO.xml file

7. Take note of the two values; entityID and Location. Location value is multi-valued. Take note of the Location value with the host name instead of IP address. See below for example:

entityID="http://CiscoISE/4a089df2-3ede-11e7-97dd-0242ebf188ae"

Location="https://ise22.example.com:8443/portal/SSOLoginResponse.action"

G-Suite: Create SAML App to use ISE

1. Logon to the Google Suite account as a google admin user

2. From Home, go to Apps > SAML Apps > Click on ‘+’

3. Select ’SETUP MY OWN CUSTOM APP’ on the bottom

4. Click on ‘Download’ button user Option2, IDP metadata

5. Save the file to the local HDD, we will import this into ISE SAML settings

6. Click Next

7. Enter ISE-Guest as application name and click NEXT

8. For ACS URL, enter the ‘Location’ value that was noted from the Google_SAML.xml file above

9. For Entity ID, enter the ‘entityID’ value that was noted from the Google_SAML.xml file above

10. Click NEXT, then FINISH

11. Click OK on the pop up

12. Select the 3 dot icon and choose ‘ON for everyone’

13. Click ‘TURN ON FOR EVERYONE’

ISE: Import G-Suite SAML metadata into ISE SAML identity store

1. Go to Administration > System > External Identity Sources > SAML Id Providers, click on Google_SAML

2. Click on Identity Provider Config. tab

3. Click on Choose File button

4. Select IDP Metadata that was downloaded from the Google Suite during the step above

5. Click Save

WLC: Configure RADIUS Server

1. Go to Security > AAA > RADIUS > Authentication > New...

2. Enter server IP, RADIUS key, Enable CoA, and change the server timeout to 5 seconds and click Apply

3. Go to Security > AAA > RADIUS > Accounting > New...

4. Enter server IP, RADIUS key, and change the server timeout to 5 seconds and click Apply

WLC: Configure Redirect ACL

Go to Security > Access Control Lists > Access Control Lists > New

1. Enter 'ACL_WEBAUTH_REDIRECT' for the name and click Apply
2. Click on 'ACL_WEBAUTH_REDIRECT'
3. Click on 'Add New Rule' and add ACE to allow DNS and access to ISE node (See below example), click Apply

1. Hover mouse next to the 'ACL_WEBAUTH_REDIRECT' and select 'Add-Remove URL'

2. Add following entries one by one and click on 'Back'

.google.co

accounts.youtube.com

gstatic.com

.googleapis.com

.appspot.com

ggpht.com

market.android.com

android.pool.ntp.org

.googleusercontent.com

.google-analytics.com

WLC: Configure RADIUS Server

1. Go to WLANs > Select 'Create New' and click on 'Go'

2. Add profile name and SSID name

3. Click on Apply

4. Check Enabled for Status

5. Select appropriate interface

6. Click on 'Security' tab under WLAN

7. Select 'None' for the Layer 2 Security

8. (Optional) If running WLC 8.3+ and would like to use WPA/WPA2 PSK to encrypt traffic on the WLAN, select WPA+WPA2 for the Layer 2 Security

9. Select 'MAC-Filtering'

10. (Optional) If WPA+WPA2 was selected previously, select PSK for Authentication Key Management and enter PSK for the WLAN in the PSK Format area

11. Select 'AAA Servers' tab

12. Select RADIUS server that was added to the WLC in the previous step for both Authentication and Accounting servers

13. Click 'Advanced' tab under WLAN

14. Check AAA Override

15. For NAC State, select ISE NAC (or RADIUS NAC for older version of WLC)

16. Check DHCP Profiling and HTTP Profiling for 'RADIUS Client Profiling'

17. Click Apply

Optional Configurations for better end user experience

Following three settings can be used to provide better user experience by allowing the SAML flow to be auto initiated when the user logs in to the Chromebook. The first optional setting forces auto SSO by opening up a browser window upon a user logging in to the Chromebook. The second optional setting provides auto clicking for the SSO link using a javascript. And, the third optional setting ensures the ISE guest portal page certificate is trusted by the Chromebook in case ISE self-signed certificate is used. Last step is optional if 3rd party CA signed certificate is used for the portal.

Make browser auto popup when user signs in to the Chromebook

1. Logon to the Google Suite account as a google admin user

2. From Home, go to Device Management > Chrome > User Settings

3. Scroll down to the 'Startup' section and locate the 'Pages to Load on Startup' setting and enter any http (Non-secure) site that is not part of google domains (i.e. http://www.cisco.com)

4. Click Save

    

Hide login portal and auto click SSO link

1. Logon to the ISE GUI

2. Go to Administration > System > Admin Access > Settings > Portal Customization

3. Select ‘Enable Portal Customization with HTML and JavaScript’ and click Save

4. Go to Work Centers > Guest Access > Portals & Components > Guest Portals

5. Click on the Self-Registered Guest Portal (default)

6. Click on the Portal Page Customization on the top

7. Select Pages > Login from the left side and go to the section that shows ‘Google_SSO’

8. Check the ‘as link’ next to the ‘Alternative Login Portal’

9. Click on ‘X’ right next to the Icon to remove the icon

10. Under Optional Content 2 box

11. Click on the ‘Toggle HTML Source’ button on the Optional Content 2 box area

12. Paste in following Javascript

<script>

$(document).ready(function(){

$('#idp-login-link-text-container').trigger('click');

$('[id="page-login"]').hide();

});

</script>

1. Click on the ‘Toggle HTML Source’ button on the Optional Content 2 box area again, the script will disappear (But it is still applied. If applied correctly the preview pane on the right hand side will show that the page is blank)

2. Scroll up and click Save

Make Chromebook trust ISE Self-Signed certificate

1. Logon to the ISE GUI

2. Go to Administration > System > Certificates > Certificate Management > System Certificates

3. Click on Generate Self Signed Certificate

4. Select DNS Name for ’Subject Alternative Name (SAN)’ and enter the ISE host name in the box

5. Select 2048 for Key length and SHA-256 for Digest to Sign With

6. Check Portal: Use for Portal

7. Select ‘Default Portal Certificate Group’

8. Click Submit

9. Select Yes when prompted to replace existing certificate

10. ISE node will be restarted to use the new certificate

11. Once ISE is back up, login to the Admin GUI

12. Go to Administration > System > Certificates > Certificate Management > System Certificates

13. Check the certificate that is shown as used by ‘Portal’ and click 'Export'

14. Leave setting as ‘Export Certificate Only’ and Click Export
15. Save it to the local HDD. We will import this certificate into the Google Suite
16. Logon to the Google Suite account as a google admin user
17. Go to Device Management > Device Settings > Network
18. Click Certificates
19. Click Add Certificate
20. Select the one exported from ISE in step above
21. Check 'Use this certificate as an HTTPS certificate authority' check box
22. Click Save

Optional Configurations for group/attribute matching

At the time of writing, the Google IdP cannot include group information in the SAML assertion. As a workaround, following settings can be used to configure the G-Suite to send user attribute during SAML flow where ISE can be configured to utilize it for authorization condition. It is useful if one needs to provide differentiated access to certain groups of users. For instance, students are assigned an ACL or a security group tag that is different from faculty members.

Note: Currently SAML assertion for group/attribute patching is possible when the WLAN is configured as Open or WPA/WPA2 PSK.

Configure G-Suite to include additional attribute during SAML flow

1. Logon to the Google Suite account as a google admin user
2. From Home, go to Apps > SAML Apps > Click on 'ISE-Guest'
3. Click on 'Attribute Mapping'
4. Enter Department, Select 'Employee Details', then select 'Department'
5. Click Save

Configure ISE to map the attributes to ISE attributes

1. Logon to the ISE GUI
2. Go to Administration > System > External Identity Sources > SAML Id Providers, click on 'Google_SSO'
3. Click on 'Groups' tab
4. Enter 'Department' in the 'Group Membership Attribute' box
5. Click on 'Add' below and add Department names used in the G-Suite Below Showing few examples
6. Click Save. The newly added Authorization condition is now available in the policy rules.
   

Troubleshooting

Common issues

Chrome browser complains about the certificate

• Make sure the ISE portal certificate is using SHA256 and includes a SAN field. ISE default installation uses SHA1, so if using self-signed certificate, one has to issue a new certificate
• Check chrome policy to ensure that it is using latest policy
  • On the client PC, in the URL bar, enter ‘chrome://policy’
  • If the policy is stale, click on ‘Reload Policies’ button to renew policy

When SSO link/button is clicked, the user gets Application is not enabled error

• Validate that the Chromebook being used is being managed by the G-Suite
• Validate that the user is using the managed user account that is member of the domain
• After enabling SAML on the G-Suite, it may take 24 hours to propagate the settings to all users. Even for small organization, it may take 30 minutes
• Validate SAML setting between ISE and G-Suite SAML App

If the SSO link/button is visible but unclickable

• Validate SAML IdP setting on the ISE. It should look similar to the following

Debugging

Enable debug guestaccess, portal-web-action

Enable trace for SAML

Open two separate SSH access to ISE and run

terminal length 0

show logging application ise-psc.log tail

and on the second SSH

terminal length 0

show logging application guest.log tail

Caveats

Shared Chromebook

At the time of writing the Google as SAML IdP doesn't support logout. Thus, when multiple users are sharing the same Chromebook as is with the case in many K-12 environments, there is a opportunity that when the time between the first user logging off and a second user logging is too short, the second user may assume the identity of the first user in the ISE and WLC view. This does not mean the second user has access to google apps and resources. If one needs to minimize the possibility of such incidents, one can reduce the idle timeout for the WLAN to be short enough to clear out the sessions while the Chromebook is transferred to new student during class breaks. In addition to the short idle-timeout, multiple sign-in access setting on the G-Suite needs to be setup accordingly. The setting can be changed by logging into the G-Suite and going to 'Device Management > Chrome > User Settings > User Experience > Multiple Sign-in Access' settings.

End User Experience

Without Optional Configuration

1. User enters google ID to log in to the Chromebook (Chromebook is booted up and it associates to open SSID and ISE assigns 'Cisco_WebAuth' Authorization Profile that redirects any web request to ISE WebAuth portal page while allowing access to G-Suite related sites for policy download and user login)
2. Once on the desktop, user opens up a browser window and tries to go to a non Google related site (If using the automated JS in the optional section above, this and the next 2 steps happens automatically when user logs in to Chromebook)
3. User is redirected to ISE portal page
   
4. User clicks on SSO link/button
5. SAML completes and user is presented with Success page
6. User now has Internet access

With Optional Configuration

1. User enters google ID to log in to the Chromebook (Chromebook is booted up and it associates to open SSID and ISE assigns 'Cisco_WebAuth' Authorization Profile that redirects any web request to ISE WebAuth portal page while allowing access to G-Suite related sites for policy download and user login)
2. Browser auto pops-up upon login and SAML completes and user is presented with Success page
3. User now has Internet access

ISE Live Log