
ISE + 9800 - Guest Wifi with email registration, temporary net access

frost_michael
Beginner

Hello! I have created a rundown of a configuration for how to create a guest wireless system with email registration/validation, temporary network access, and a one-click login for users. I used information from other instructions and simple jQuery scripting to create this. It should work on ISE 2.4+; I have confirmed it works with 2.7. We currently use a different guest portal which requires sponsor access to provide the temporary access, but this behaves similarly and should work across most devices. I recommend testing to verify behaviour with your configuration.

 

It works by first directing users to a guest portal allowing them to register an email address. This portal grabs the session ID from the browser to append to a login portal URL, so that the user can be sent a clickable login option via their registration email. Users are then directed to a hotspot portal with the original session ID, which allows a valid session, registering the user and device in a 10-minute access group. After 10 minutes, if they did not click the link in the email, they are redirected to a portal of our choice, either the original portal or a login portal, requiring them to enter the emailed username and password.

 

We hide the session ID and URL in the "Reason for Visit" guest user registration box - this allows us to email a valid one-click link for login, to a portal which grabs the guest user ID and password, auto-clicking the login button.

 

You should adjust your default password policy for accounts to be as simple or as complex as you desire for the created guest accounts - we use a simple PIN code for guests, and their username is generated from their email address.

 

Note: if you use NAC/AAA Override and VLAN direction/steering, you could allow guest users to connect to different security networks, i.e. WPA2-Enterprise, after registration, giving them greater security and still keeping them isolated to a guest VLAN.

 

Edit: the trick to blocking multiple account creation: enable the UserName option for login but make it not required. Hide the username box on the registration page and duplicate whatever is typed in the email address box into the username box. This goes in Optional Content 2 on Portal #1:

 

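<script>
// Hide the username field; it stays enabled but is filled in automatically.
jQuery("input[name='guestUser.fieldValues.ui_user_name']").parent().hide();

// Mirror the email address into the hidden username field. Listening for
// input/change as well as keyup also covers paste and browser autofill.
jQuery("#guestUser\\.fieldValues\\.ui_email_address").on("input change keyup", function () {
  jQuery("#guestUser\\.fieldValues\\.ui_user_name").val(jQuery(this).val());
});
</script>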

 

For the temp user account, if you set the "Registration Success" page to show username or email address, and you append that to the URL you send forward to Portal #2 in the same way we did the Session ID, you can create a temporary user in Portal #2 based off of their created username. I had it autofill the username box with "temp-USERNAME" so it now shows in logs as temp-user@domain.com for their 10-minute access instead of some random account name.

 

Additional note: You must set the portal, under portal settings, to Always Use: "English - English". Do not select "Browser Locale" unless you are prepared to test for every language you present as an option, and handle the different language variables in the portal's naming structure. Users who have a different browser language locale access different portal language files, which break the syntax of any scripting since this was based off of the English version, resulting in incomplete registrations.
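
The session-ID step described in the post, as an added example that is not part of the original post or Cisco's code: it validates the session ID before building the Portal #2 link that is stored in "Reason for Visit" and emailed, so a tampered URL cannot inject content into the email. The `sessionId` query parameter, its hex format, the `ui_reason_visit` field name, and all hosts and portal IDs are assumptions or constructed placeholders.

```javascript
"use strict";
// Added example. Host names, portal IDs and the session ID are constructed
// placeholders; the sessionId query parameter and its hex format are assumptions.

// Assumption: session IDs are plain hex strings. Tighten to what your WLC emits.
const SESSION_ID_RE = /^[0-9a-fA-F]{16,64}$/;

// Read sessionId from the URL the guest was redirected to; null if absent or malformed.
function extractSessionId(pageUrl) {
  const id = new URL(pageUrl).searchParams.get("sessionId");
  return id !== null && SESSION_ID_RE.test(id) ? id : null;
}

// Build the one-click link to Portal #2 that carries the original session ID.
function buildLoginLink(portal2Base, portalId, sessionId) {
  if (!SESSION_ID_RE.test(sessionId)) throw new Error("unexpected sessionId format");
  const link = new URL(portal2Base);
  if (link.protocol !== "https:") throw new Error("portal link must use https");
  link.searchParams.set("portal", portalId); // values are URL-encoded by the URL API
  link.searchParams.set("sessionId", sessionId);
  return link.toString();
}

// Value for the hidden "Reason for Visit" field, or null when the session ID is unusable.
function reasonForVisitValue(pageUrl, portal2Base, portalId) {
  const id = extractSessionId(pageUrl);
  return id === null ? null : buildLoginLink(portal2Base, portalId, id);
}

// Constructed sample values.
const SAMPLE_PAGE_URL =
  "https://ise.example.test:8443/portal/PortalSetup.action?portal=PORTAL1-ID-PLACEHOLDER&sessionId=0a0b0c0d0000001a5e3c1b2f";
const PORTAL2_BASE = "https://ise.example.test:8443/portal/PortalSetup.action";
const PORTAL2_ID = "PORTAL2-ID-PLACEHOLDER";

// Browser wiring (skipped outside a browser). The field name is an assumption
// that follows the guestUser.fieldValues.* pattern used in the post.
if (typeof window !== "undefined" && window.jQuery) {
  const value = reasonForVisitValue(window.location.href, PORTAL2_BASE, PORTAL2_ID);
  if (value !== null) {
    window.jQuery("input[name='guestUser.fieldValues.ui_reason_visit']").val(value);
  }
}
```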
