Guest Web authentication using external web servers

PSM
Level 1

Hello All,

We have been thinking about improving our guest and BYOD Wi-Fi access to accommodate multiple use cases.

One of the main goals for the new solution is to cater for all connections using a single SSID.

We are using Cisco 9800 wireless controllers. In the current scenario we have configured MAB authz and local web auth on the WLC in case of MAC authz failure (the web page is hosted on the WLC, but the actual authentication is sent to external AAA servers). Now the new requirement is that we want to add multiple options to the captive portal page. One option for guest users who can just click, accept some conditions and get the internet VLAN. A second option on the same page can be for employees and contractors with BYOD devices, in which they can use some sort of credentials and get a different VLAN with better security. Much like the captive portals at some airports, where different buttons on the page give different authentication flows.

We have Cisco ISE as well, which we can use as an external web server. But ISE built-in portals are for simple use cases with one type of authentication flow. Would appreciate suggestions on this topic. Thanks in advance.

4 Replies

I don't fully get your request, but Guest has three types of config with ISE:

portal
sponsor
self-register

Check each type.

MHM

srimal99
Level 1

@PSM
"One option for the guest users who can just click and accept some conditions and get internet vlan. Second option on the same page can be for employees and contractors for BYOD devices in which they can use some sort of credentials and get different vlan with better security. Much like the captive portals on some airports where different buttons on the page give different authentication flows."

You can use the guest portal and customize it for your needs. For BYOD for employees, you can create an authorization rule and assign a dynamic VLAN.

@PSM 

I do believe that if you explore all the information on this link, you will get what you want:

https://community.cisco.com/t5/security-knowledge-base/ise-guest-amp-web-authentication/ta-p/3657224#jive_content_id_Special_Flows


ammahend
VIP Alumni

You are mixing BYOD and Guest on the same SSID, not a good idea.

BYOD - these are your employees bringing their personal devices and wanting to connect securely to the production network. In this case you would ideally want to build an ISE BYOD portal, where they log in using their AD account, then are provisioned through ISE, where they are assigned a certificate; then CoA happens and they rejoin using the certificate issued by ISE with EAP-TLS. They will also have access to the My Devices portal, where they can mark the device as lost or stolen in case they lose the device with the certificate on it, and depending on what they choose the certificate can be revoked in the backend on ISE. You can still do role-based access based on type: contractor or employee. Additionally, you can include MDM for further management of these BYOD devices.

Guest - these are the devices you know nothing about; they should not touch your network, not even DNS and DHCP. They should ideally be tunneled to a DMZ and out to the internet, that's it.

Let us know how you want to proceed and I will recommend further.

-hope this helps-