Cisco ISE Guest Hot-Spot Access.
Guest Hot-Spot Access is for visitors to our office premises who need Internet access over the office Wi-Fi or LAN.
For security reasons guests must not be able to reach office servers and applications, so the network engineer has to allow guests Internet access and block everything else.
This can be done in several ways, for example with a guest VLAN or a guest SSID; with Cisco ISE it can be done with the Guest Hot-Spot portal, the Guest Self-Registration portal or the Sponsored Guest portal.
In this blog we will focus on the Guest Hot-Spot portal.
Requirements - Basic understanding of NAC solutions and the ISE workflow.
---------------------------------------------------------------------------
Configuration steps :-
- Cisco Wi-Fi / Cisco switch configuration (the NAD devices).
- Cisco ISE guest portal configuration.
- ISE DACL configuration.
- ISE policy results (authorization profile) configuration.
- ISE authentication and authorization policy configuration.
In my lab, as there is a limitation for wireless simulation, I am using a Cisco switch in a virtual environment.
Cisco Switch AAA Configuration
Enable AAA and configure the RADIUS server and AAA settings on the switch. ISE-IP stands for the address of the ISE policy service node, and the shared secret cisco is a lab placeholder: use a long random secret in production, and use the same value for the RADIUS server definition and for the dynamic-author (CoA) client, because ISE will send change of authorization requests from that address.
----------------------------------------------------------------------------
aaa new-model
----------------------------------------------------------------------------
radius server ISE
 address ipv4 ISE-IP auth-port 1812 acct-port 1813
 key cisco
----------------------------------------------------------------------------
aaa group server radius ISE
 server name ISE
----------------------------------------------------------------------------
aaa authentication login default group ISE local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
----------------------------------------------------------------------------
aaa server radius dynamic-author
 client ISE-IP server-key cisco
 server-key cisco
----------------------------------------------------------------------------
aaa session-id common
----------------------------------------------------------------------------
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
----------------------------------------------------------------------------
Configuration of the switch port for dot1x and MAB authentication.
interface GigabitEthernet0/1
 switchport access vlan 20
 switchport mode access
 negotiation auto
 authentication event fail action next-method
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast edge
end
Note :- authentication open lets traffic through the port before any RADIUS result arrives, so an access-list should be configured and applied inbound on this interface to give the user only limited access before authentication; once ISE returns an authorization the DACL it sends replaces that port ACL and the user gets the access defined in ISE.
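As an added example (not part of the original post), here is the switch side that the note above refers to: the global commands the downloadable ACL and URL redirect features depend on, the redirect ACL that ISE will reference by name from the authorization profile, and a pre-authentication port ACL applied inbound on Gi0/1. ISE-IP is the same placeholder used in the AAA configuration; the ACL names ISE-GUEST-REDIRECT and PRE-AUTH-ACL are my own choices. The ip device tracking command is the classic IOS form; IOS-XE 16.x and later uses device-tracking policies instead, so check your platform.

```cisco
! Added example, not from the original post. ISE-IP is a placeholder for the ISE PSN address.
!
! Global prerequisites: the switch must learn each endpoint's IP (device tracking) so it
! can rewrite "any" in the downloaded ACL, must send Cisco VSAs so the DACL and
! url-redirect attributes are exchanged, and must run an HTTP(S) server to intercept
! the guest's browser and issue the redirect to the portal.
ip device tracking
radius-server vsa send authentication
radius-server vsa send accounting
ip http server
ip http secure-server
!
! Redirect ACL referenced by ISE as url-redirect-acl=ISE-GUEST-REDIRECT.
! Its semantics are inverted compared with a filtering ACL:
!   deny   = do NOT redirect (the traffic is handed to the DACL instead)
!   permit = intercept and redirect to the hot-spot portal
ip access-list extended ISE-GUEST-REDIRECT
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
 deny   udp any any eq domain
 deny   ip  any host ISE-IP
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Pre-authentication port ACL: with "authentication open" traffic flows before any
! RADIUS result, so this ACL is what limits an unauthenticated guest to DHCP, DNS and ISE.
! It is replaced by the ISE DACL once an authorization profile is applied to the session.
ip access-list extended PRE-AUTH-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip  any host ISE-IP
 deny   ip  any any
!
interface GigabitEthernet0/1
 ip access-group PRE-AUTH-ACL in
```

Two practical points: DNS has to be reachable before authentication, otherwise the browser never resolves the site the guest typed and no HTTP request exists for the switch to intercept; and enabling ip http server exposes the switch's own web management on every interface, so restrict it with ip http access-class if you do not need it elsewhere. Redirecting port 443 also produces a certificate warning in the guest's browser, because the switch answers with its own certificate for a name it does not own.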
----------------------------------------------------------------------------
ISE Guest portal configuration
In this blog we will configure only the hot-spot portal; the remaining portals can be covered in other blogs.
In ISE go to Work Centers -> Guest Access -> Portals & Components -> Guest Portals.
Create a new Hotspot Guest Portal. An access code can be set in the portal settings, in which case the guest must enter this code on the acceptable use page to get onto the network. The portal settings also name the endpoint identity group (by default GuestEndpoints) to which the guest's MAC address is added once the guest accepts; the authorization policy below relies on that group.
----------------------------------------------------------------------------
Configure DACLs in ISE for guest authorization.
We will create two DACLs in ISE, one for before authentication and one for after authentication.
When a user first connects to the network he gets limited access: only the ISE portal and DHCP (plus DNS, which the browser needs before the redirect can be triggered).
After authentication he gets Internet access only and nothing else on the network.
DACL 1 - Before authentication: ISE access only.
DACL 2 - Guest Internet access.
These DACLs are applied through authorization profiles (Policy Results).
Create two authorization profiles, apply one DACL to each, and attach the guest portal created above to the first one:
Authorization profile 1 - Apply the ISE-only DACL and enable Web Redirection of type Hot Spot pointing at the portal created above, giving the name of the redirect ACL.
The redirect ACL itself must be created on the switch; ISE only sends its name to the switch in the cisco-av-pair url-redirect-acl attribute. In that ACL, permit entries mark traffic that is intercepted and redirected and deny entries mark traffic that passes through unredirected, which is the opposite of a normal filtering ACL.
Authorization profile 2 - Apply the Internet access DACL; no portal is needed in this profile.
----------------------------------------------------------------------------
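The contents of the two DACLs, as an added example (not taken from the original post). The permit/deny lines are what goes into the DACL Content box under Policy -> Policy Elements -> Results -> Authorization -> Downloadable ACLs; ISE pushes them to the switch, which substitutes the session's host address for the source any. The lines starting with ! are comments for the reader and are not pasted into ISE. ISE-IP is the placeholder used above; the DACL names ISE-ONLY and GUEST-INTERNET, and the three RFC 1918 ranges standing in for the office address space, are assumptions and must be adjusted to the real addressing.

```cisco
! Added example, not from the original post. ISE-IP = ISE PSN address (placeholder).
!
! DACL 1 - ISE-ONLY: applied by the redirect authorization profile.
! DHCP and DNS must work or the browser never generates the HTTP request that the
! switch intercepts; everything else is blocked until the guest accepts the AUP.
permit udp any any eq bootps
permit udp any any eq domain
permit ip any host ISE-IP
deny ip any any
!
! DACL 2 - GUEST-INTERNET: applied by the Internet access authorization profile.
! Internal networks are denied explicitly before the final permit, so a guest can
! reach the Internet but not office servers. The three RFC 1918 ranges are
! assumptions standing in for the real office address space.
permit udp any any eq bootps
permit udp any any eq domain
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
```

Order matters in the second DACL: the DNS permit sits above the internal denies so the guest can still query the DNS server handed out by DHCP even when that server lives in an internal range. If guests should only use a public resolver, replace the DNS line with a permit to that resolver's address and let the internal deny lines block everything else.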
Create the authentication and authorization policy for this.
Authentication - MAB, with the option "If User not found" set to Continue so that a MAC address that is not yet known to ISE still reaches the authorization policy instead of being rejected.
Guest users will always use MAB, because 802.1X is not enabled by default on laptops and desktops and guests have no credentials for it anyway.
Authorization policies - we will create two authorization rules.
One rule for the portal redirect and a second rule for Internet access. In the policy table the Internet access rule (condition: endpoint identity group GuestEndpoints, matched with Wired_MAB) must sit above the redirect rule (condition: Wired_MAB only), because rules are evaluated top down and a MAB request from an already registered guest would otherwise match the redirect rule again.
When an unknown MAC address authenticates with MAB it hits the redirect rule and the browser is redirected to the portal; once the guest enters the access code and accepts the AUP, his MAC address is added to the GuestEndpoints group in ISE, ISE sends a CoA (change of authorization) to the switch, the session is re-authenticated, and the Internet access rule now matches.
Apply the authorization profiles created above to these rules: the redirect profile to the redirect rule and the Internet access profile to the Internet access rule.