Ise Guest Portal Certificate



  1. When guest and BYOD users connect to the portal they get a certificate error because ISE sends the certificate of the portal only. So, in order to get rid of the certificate error, can ISE be configured in such a way that ISE will send the portal certificate with the root or sub CA or CA chain?
  2. The connection is protected by the ISE admin certificate. As a result of this probe, ISE can return the session ID back to the client if the node where the probe landed is the same node where the user has been authenticated. Hotspot Guest Portal: the Hotspot Guest portal is an alternative Guest portal that allows you to provide network access without requiring.
  3. Certificates are an important part of a properly functioning Cisco Identity Services Engine 2.4 install. Certificates aren’t just for getting rid of the HTTPS warning at the ISE admin login screen. Certs are also used for dot1x authentication, BYOD, pxGrid, adding and communicating with new ISE nodes, etc.

Guest portal certificate on ISE. Background: the customer doesn't have an internal DNS server. We are using the Google DNS server, which doesn't resolve the internal guest ISE server name. Hence, we are directly using the IP address in the redirect URL and guest authentication portal.

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment. This blog post series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 9: Guest and web authentication
Web authentication can be used for guest access. It can also be used as a last resort for authenticating normal users if the 802.1x supplicant is not working. Access to this portal can be provided through a remediation VLAN with limited access to resources. The portal uses HTTP and HTTPS; because of the limited access, the NAD (or WLC) intercepts the HTTP request and redirects it to the web portal.
There are two portals: the Guest user portal is the portal the guest uses for logging in. The Sponsor portal is the portal used by company employees for creating and managing guest accounts. The guest portal is customizable in the options available to guest users.
To handle the RADIUS requests, the portal is installed on all required policy nodes. The configuration of the portal (and users) is replicated to all nodes, so the deployment is central.
You can configure multiple authorization sources in one rule. So, you can use one SSID for all uses: internal production use, BYOD, Guest, etc. This is a nice feature of Cisco ISE.
Configuration
Click Administration – Guest management – Settings, click the arrow and click Multi-portal configurations.
Edit the DefaultGuestPortal to your needs:

  • Password policies
  • Need of posture client
  • self service
  • device registration
  • DHCP settings
  • Policies
  • etc


Click Policy – Policy elements – Results – Authorization – Authorization Profiles and create a new profile with “web authentication” checked.
The mentioned ACL is not available in ISE; this ACL must exist on the switch. Choose “manual” as the redirect option.
To configure web authentication as a fallback, click Policy – Authentications and edit the needed rule. Select “Continue” in all three options:
Create a new rule for endpoints that match none of the identity groups and use webauth as the authorization. Click Policy – Authorization and edit the needed rule. Select the guest portal as the authorization option:
You can edit the DACL for company users after authorization.
Click Policy – Policy Elements – Results. Select Authorizations – Downloadable ACLs > Dot1x_Valid_Domain_User. Add a permit to the ISE policy node IP(s).
Make sure that the client can access the webauth portal before authentication (by a preauth ACL).
Enable CoA on the switch:

Guest portal configuration
First, create a sponsor group. Click Administration – Identity management – groups, click Add and enter a name.
Next, configure the SMTP settings under Administration – System – Settings. Select SMTP and enter the SMTP server.
Click Administration – Guest management – Settings and click General – ports. Check and/or change the port numbers.
Create a user group in Active Directory for sponsor users. Add this group in ISE: click Administration – Identity management – External identity sources. Select Active Directory and click Groups. Add the sponsor group.
Click Administration – Guest management – Sponsor group policy. Change the identity groups field to Any. In the other conditions field, click the plus sign and select Create new Condition. In the expression field, select your domain. In the rightmost field, select the Active Directory sponsor group.
Do not forget to apply the correct authentication sequence to the sponsor portal. Click Administration – Guest management – Settings. Select Sponsor – Authentication source.
In the WLC configure an ACL with access only to the ISE node and DNS lookups to your DNS server. Make sure you use the same ACL name as in the “Authorization profile”. In the WLC, click: Wireless – All APs, click an AP, click FlexConnect, External Webauthentication ACL.
Click Add under Webpolicies, to add the ACL.
Repeat these steps for every AP.
The authentication rule looks like:
Authorization rules look like:
This is the basic configuration. All other settings are customizable.
Happy testing!
Next week the last part, part 10 of this blog post series: Profiling and posture

Cisco ISE supports Guest Access Portals, which allows users from outside an organisation to connect to the network (wired or wireless) and access the internet. In a typical deployment a Guest Web Portal is used for the users to self-register their device and gain access.

In this guide we will be performing Wired Guest access on a Cisco Catalyst switch. It is the same principle for Wireless, which is covered in great depth in the Cisco ISE Guest Access Prescriptive Deployment Guide. This guide is designed to be used in an environment where ISE and the switch are already configured.


We will also demonstrate how to provide Active/Standby failover without a Load Balancer.

ISE Configuration

Certificates

For each ISE PSN hosting a Portal, use a wildcard certificate issued from a Public Certificate Authority. In this example an Internal CA is used in the lab and the local computer certificate store has the CA certificate installed; this is unlikely in a real-life scenario.

  • Navigate to Administration > System > Certificates > Certificate Signing Request
  • If required complete a Certificate Signing Request for a Portal certificate (ensure the assign Portal tag is referenced in the Guest Portal).

Figure 1 – ISE Portal Certificate

Guest Portal

  • Navigate to Work Center > Guest Access > Portal & Components > Guest Portals
  • Click Self-Registered Guest Portal (default)
  • Amend the portal configuration using the settings in the table below

Table 1 – Self-Registered Guest Portal (default)

  • Click Save


Downloadable ACL

A Downloadable ACL (DACL) is applied to the initial session, prior to the guest user authenticating to ensure they can only access the Guest Portal to register or re-authenticate.

  • Navigate to Policy > Policy Elements > Authorization > Downloadable ACLs
  • Click Add
  • Define an appropriate Name for the DACL, e.g. – Guest-DACL
  • Enter the DACL Content as per the figure below

Figure 2 – Downloadable ACL (DACL)

The IP addresses within this DACL are the ISE PSN nodes hosting the Guest Portal.

Authorisation Profiles

Authorisation Profiles define the Guest Portal attributes to be applied to the users’ session. In this lab scenario we have 2 PSN nodes hosting the Guest Portal, so we will define 2 Guest Authorisation Profiles, one for each Portal. These Authorisation Profiles will then be referenced in the Policy Set.

  • Navigate to Policy > Policy Elements > Authorization > Authorization Profiles
  • Click Add
  • Define the name Guest-Portal-ISE1
  • Select the DACL Name as Guest-DACL
  • Select Web Redirection (CWA, MDM, NSP, CPP)
    • From the drop-down list select Centralized Web Auth
    • Type the ACL name REDIRECT_ACL_CWA
    • From the drop-down list select Self-Registered Guest Portal (default)
    • Select Static IP/Host name/FQDN = guest-ise1.lab.local

Figure 3 – Authorisation Profile (Guest-Portal-ISE1)


  • Click Save
  • Create an Authorisation Profile for each PSN node hosting the Guest Portal, ensure to change the Static IP/Host name/FQDN to represent the additional PSN hosting the Guest Portal.

Policy Set

It is important that the ISE PSN that owns the RADIUS session is the same PSN used for the URL redirection. This is normally achieved using persistence on a Load Balancer; in this example we will instead use the Host Name of the ISE PSN node in conjunction with the 2 x Authorisation Profiles previously defined.

  • Navigate to Policy > Policy Sets
  • Select an existing Policy Set
  • Create authorisation rules as per the table below

Table 2 – Guest Policy Set

Switch Configuration

  • Define an ACL on the switch (the name must be the same as defined in the Authorisation Profile in ISE).
  • Enable the HTTP server on the switch, in order to redirect HTTP traffic.
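Switch-side configuration matching the two steps above, as an added example that is not from the original guide. It assumes a Catalyst switch on classic IOS, PSN1 at 192.168.10.10 (the address null-routed in the failover test later), a placeholder PSN2 address of 192.168.10.11 and placeholder RADIUS secrets.

```ios
! Added example, not from the original guide. Assumes PSN1 = 192.168.10.10 (from the
! failover test), PSN2 = 192.168.10.11 (placeholder) and placeholder shared secrets.
aaa new-model
!
! Redirect ACL: "permit" = intercept and redirect, "deny" = pass through untouched.
! The name must match the ACL typed into the ISE Authorisation Profile.
ip access-list extended REDIRECT_ACL_CWA
 deny   udp any any eq domain
 deny   ip any host 192.168.10.10
 deny   ip any host 192.168.10.11
 permit tcp any any eq www
 permit tcp any any eq 443
!
! The switch's own web server answers the intercepted request with the HTTP 302.
ip http server
ip http secure-server
!
! Both PSNs in one group; dead-criteria and deadtime drive the Active/Standby failover.
radius server ISE1
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SECRET
radius server ISE2
 address ipv4 192.168.10.11 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SECRET
aaa group server radius ISE-GROUP
 server name ISE1
 server name ISE2
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! CoA listener: lets ISE remove the DACL and redirect ACL after the guest signs on.
aaa server radius dynamic-author
 client 192.168.10.10 server-key PLACEHOLDER-SECRET
 client 192.168.10.11 server-key PLACEHOLDER-SECRET
 auth-type any
!
! Classic IOS needs device tracking to learn the client IP used in the redirect.
ip device tracking
!
! Access port: try dot1x first, fall back to MAB (the behaviour seen in Figure 10).
interface FastEthernet0/4
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
```

The deny entries for the PSN addresses keep portal traffic from being redirected in a loop; the ISE-side Guest-DACL must separately permit those same hosts.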

Testing/Verification

For testing we will connect a computer to the switch, dot1x is not configured in Windows. Opening Firefox we are presented with the message You must log in to this network before you can access the internet.

  • Click the Open Network Login Page at the top right of the webpage.

Figure 4 – Firefox Network Login Page

The Guest Portal for PSN1 (as defined in the Authorisation Profile) is displayed.

Figure 5 – ISE Guest Portal Login

At this point the user can login using previously defined credentials or create a new account.

  • Click Or register for guest access from the bottom of the login page
  • Complete the registration form

Figure 6 – Guest Registration

  • Click Register
  • The account will be created and will display the username and password to login.

Figure 7 – Guest Account Created

  • Click Sign On
  • Accept the Acceptable Use Policy

The user should now have internet access.

Wireshark Redirect from client

If you run Wireshark on the local computer during the guest portal redirection phase we can determine how it works. From the figure below we can see that a connection attempt was made to http://detectportal.firefox.com; this is a built-in feature of the Firefox browser to detect captive portals on public Wi-Fi networks.

Figure 8 – Wireshark detectportal.firefox.com

Within the subsequent packet we determine that the response was HTTP 302 Page Moved and the location is the URL of the ISE PSN Portal, as defined in the Authorisation Profile.

Figure 9 – Wireshark page moved

Switch Output

  • Login to the switch
  • Enter the command show authentication session interface fas 0/4

Figure 10 – Switch, URL redirection

From the output we can determine that dot1x failed over to MAB, which was successful. The DACL Guest-DACL, the ACS ACL REDIRECT_ACL_CWA and the URL Redirect to the FQDN of the PSN authenticating the session were applied to the session.

This can be confirmed from the ISE Live logs.

Figure 11 – ISE Live Log, guest redirection

Once the user logs in to the session we can see that the newly created user was successfully authenticated.

Figure 12 – ISE Live Log, authorisation successful

Repeating the command show authentication session interface fas 0/4 on the switch you will notice the DACL and Redirect ACL have been removed. This is because the user successfully re-authorised and ISE sent a CoA (change of authorisation) to the switch to remove the DACL and Redirect ACL.

Figure 13 – Successfully authorised to Guest

For failover testing we will define a null route to the first ISE PSN node hosting the Guest Portal.

  • Enter the command ip route 192.168.10.10 255.255.255.255 null0
  • Confirm the PSN is DEAD using the command show aaa server

Figure 14 – DEAD aaa server

  • Remove the computer MAC address from the ISE Endpoint Identity Group GuestEndpoints
  • Clear the authentication session on the interface with the command show authentication session fas 0/4
  • After a while run the command show authentication session interface fas 0/4

Observe the output in the figure below: the URL Redirect now points to the 2nd ISE PSN hosting the Guest Portal.

Figure 15 – PSN2 Guest Portal



Observe the output in the figure below: the ISE Live Logs confirm the Server is the 2nd ISE PSN.

Figure 16 – ISE2 Live Logs


The failover example demonstrated here will not load balance connections between PSNs as a true Load Balancer would; it is more Active/Standby. It will, however, ensure that the PSN that terminates the RADIUS session is the same PSN used for the Guest Portal for that session.