ISE Version 1.3 Hotspot Configuration Example

Document ID: 118741
Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers.
Feb 11, 2015

Contents
- Introduction
- Prerequisites
  - Requirements
  - Components Used
- Topology and Flow
- Configure
  - WLC
  - ISE
- Verify
- Additional Posture
- Troubleshoot
- Related Information

Introduction

Cisco Identity Services Engine (ISE) Version 1.3 has a new type of Guest Portal called Hotspot. This type of portal provides guest access to the network without forcing the user to provide any credentials. This document describes how to configure and troubleshoot this functionality.

Prerequisites

Requirements

Cisco recommends that you have experience with ISE configuration and basic knowledge of these topics:
- ISE deployments and Guest flows
- Configuration of Wireless LAN Controllers (WLCs)

Components Used

The information in this document is based on these software and hardware versions:
- Microsoft Windows 7
- Cisco WLC Version 7.6 and later
- ISE Software, Version 1.3 and later

Topology and Flow
This scenario is for guest users who must accept the Acceptable Use Policy (AUP) before they are given access to the Internet (or any other limited access).

Step 1. The guest user associates to the Service Set Identifier (SSID) Hotspot. This is an open network with MAC filtering, which uses ISE for authentication. This authentication matches the second authorization rule on the ISE, and the authorization profile redirects to Hotspot. ISE returns a RADIUS Access-Accept with two cisco-av-pairs:
- url-redirect-acl: which traffic should be redirected, given as the name of an Access Control List (ACL) defined locally on the WLC
- url-redirect: where that traffic is redirected to (ISE)

Step 2. The guest user is redirected to the ISE, accepts the AUP, and optionally provides a secret access code.

Step 3. ISE sends a RADIUS Change of Authorization (CoA) Admin Reset to the WLC. The WLC re-authenticates the user by sending a RADIUS Access-Request. ISE responds with an Access-Accept and the Airespace ACL defined locally on the WLC, which provides access to the Internet only.

Note: The CoA Admin Reset is specific to Hotspot functionality and is described in Cisco bug ID CSCus46754. The behavior for ISE Version 1.2 with a guest portal was different; a CoA Re-authenticate or Terminate was sent.

Step 4. The guest user now has access to the network. The network administrator is certain that the user has accepted the AUP. The guest user can be redirected to the original URL, a statically configured URL, or a success page. All pages displayed by ISE can be customized. Integration with an optional posture check is presented in the last section.

Configure

WLC

1. Add the new RADIUS server for Authentication and Accounting. Navigate to Security > AAA > Radius > Authentication in order to enable RADIUS CoA (RFC 3576).
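The two cisco-av-pairs from step 1, as an added example that is not part of the Cisco document: a hand-rolled encoder and decoder for the RADIUS Vendor-Specific attribute (type 26, RFC 2865) that carries Cisco's cisco-av-pair (vendor ID 9, vendor type 1). It shows what the WLC actually receives in the Access-Accept, that the url-redirect value is split on the first "=" only (the URL carries its own query-string "=" characters), that an av-pair must fit the one-octet RADIUS Length field, and that the returned ACL name has to exist on the WLC under exactly that name. The ISE hostname, session ID and portal query string are constructed values, not taken from a real deployment.

```python
"""Encode and decode the url-redirect-acl / url-redirect cisco-av-pairs (added example)."""
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type Vendor-Specific (RFC 2865)
CISCO_VENDOR_ID = 9    # IANA enterprise number assigned to Cisco
CISCO_AV_PAIR = 1      # vendor type of cisco-av-pair
MAX_ATTR_LEN = 255     # the RADIUS Length field is one octet


def encode_av_pair(text):
    """Return one complete RADIUS Vendor-Specific attribute carrying `text`."""
    data = text.encode("ascii")
    vendor_tlv = struct.pack("!BB", CISCO_AV_PAIR, len(data) + 2) + data
    value = struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv
    if len(value) + 2 > MAX_ATTR_LEN:
        raise ValueError("av-pair does not fit in a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(value) + 2) + value


def fits_in_one_attribute(text):
    """True if the av-pair fits one attribute (2 + 4 + 2 bytes of framing overhead)."""
    return len(text.encode("ascii")) + 8 <= MAX_ATTR_LEN


def decode_av_pairs(attrs):
    """Walk a RADIUS attribute blob and return every cisco-av-pair as (key, value)."""
    pairs = []
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        value = attrs[i + 2:i + alen]
        if (atype == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            j = 4
            while j + 2 <= len(value):
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed vendor attribute")
                if vtype == CISCO_AV_PAIR:
                    # Split on the first '=' only so the URL's own '=' survive.
                    key, _, val = value[j + 2:j + vlen].decode("ascii").partition("=")
                    pairs.append((key, val))
                j += vlen
        i += alen
    return pairs


def build_hotspot_accept_attrs(acl_name, redirect_url):
    """Attributes ISE returns for the redirect profile (step 1 of the flow)."""
    return (encode_av_pair("url-redirect-acl=" + acl_name)
            + encode_av_pair("url-redirect=" + redirect_url))


def redirect_parameters(attrs):
    """Extract (acl_name, url) the way the WLC consumes them."""
    pairs = dict(decode_av_pairs(attrs))
    return pairs.get("url-redirect-acl"), pairs.get("url-redirect")


def acl_name_known_to_wlc(attrs, wlc_acl_names):
    """The redirect ACL must be defined on the WLC under exactly that name."""
    acl_name, _ = redirect_parameters(attrs)
    return acl_name in wlc_acl_names


# Constructed sample values (hypothetical ISE host, session ID and portal query).
SAMPLE_URL = ("https://ise.example.com:8443/portal/gateway"
              "?sessionId=0a3042ac00000001&portal=hotspot")
SAMPLE_ATTRS = build_hotspot_accept_attrs("HotspotRedirect", SAMPLE_URL)

if __name__ == "__main__":
    print(redirect_parameters(SAMPLE_ATTRS))
    print("ACL known to WLC:", acl_name_known_to_wlc(SAMPLE_ATTRS, {"HotspotRedirect", "Internet"}))
```

Running the block prints the decoded pair and confirms the ACL name lookup; feeding it a set such as {"hotspotredirect"} shows why a name that differs only in case is not good enough.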
There is a similar configuration for Accounting. It is also advised to configure the WLC to send the SSID in the Called-Station-ID attribute, which allows the ISE to apply flexible rules based on SSID.

2. Under the WLANs tab, create the Wireless LAN (WLAN) Hotspot and configure the correct interface. Set Layer 2 security to None with MAC filtering. Under Security > Authentication, Authorization, and Accounting (AAA) Servers, select the ISE IP address for both Authentication and Accounting (Accounting is optional). On the Advanced tab, enable AAA Override and set the Network Admission Control (NAC) State to RADIUS NAC (CoA support).

3. Navigate to Security > Access Control Lists > Access Control Lists and create two access lists:
- HotspotRedirect, which permits traffic that should not be redirected and redirects all other traffic
- Internet, which denies traffic to the corporate networks and permits all other traffic

Here is an example of the HotspotRedirect ACL (traffic to/from ISE needs to be excluded from redirection):
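A first-match model of the two access lists, added here as an example that is not part of the Cisco document, to check their intent before they are applied. Redirect-ACL semantics on the WLC are inverted compared with a normal ACL: a permit hit means the traffic bypasses the portal redirect, and everything else is redirected; for the Airespace ACL, permit forwards, deny drops, and an unmatched packet hits the implicit deny. The ISE address, the guest address and the corporate prefixes are constructed placeholders, and the model ignores rule direction.

```python
"""First-match model of the HotspotRedirect and Internet ACLs (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")
ISE_NODE = ip_network("192.0.2.10/32")                  # constructed ISE address
CORPORATE = [ip_network("10.0.0.0/8"),                  # constructed corporate prefixes
             ip_network("172.16.0.0/12"),
             ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    protocol: str = "any"            # "any", "tcp" or "udp"
    dst_port: Optional[int] = None   # None = any destination port

    def matches(self, src, dst, protocol, dst_port):
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.protocol in ("any", protocol)
                and (self.dst_port is None or self.dst_port == dst_port))


def evaluate(acl: List[Rule], src, dst, protocol="tcp", dst_port=80):
    """First matching rule wins; WLC ACLs end with an implicit deny."""
    for rule in acl:
        if rule.matches(src, dst, protocol, dst_port):
            return rule.action
    return "deny"


# HotspotRedirect: permit (= do not redirect) to/from ISE, deny (= redirect) the rest.
HOTSPOT_REDIRECT = [
    Rule("permit", ANY, ISE_NODE),
    Rule("permit", ISE_NODE, ANY),
    Rule("deny", ANY, ANY),
]

# Internet: deny the corporate networks, permit everything else.
INTERNET = [Rule("deny", ANY, net) for net in CORPORATE] + [Rule("permit", ANY, ANY)]


def is_redirected(src, dst, protocol="tcp", dst_port=80):
    """Redirect-ACL semantics: a deny (or no match) means the WLC redirects."""
    return evaluate(HOTSPOT_REDIRECT, src, dst, protocol, dst_port) == "deny"


def is_forwarded(src, dst, protocol="tcp", dst_port=80):
    """Airespace-ACL semantics: only an explicit permit forwards."""
    return evaluate(INTERNET, src, dst, protocol, dst_port) == "permit"


def check_redirect_acl(acl, ise_host="192.0.2.10", guest_host="198.51.100.20"):
    """Return the problems found with a redirect ACL (empty list = looks right).

    The portal can only load if traffic between the guest and ISE is exempt from
    redirection, and the redirect only does its job if ordinary web traffic is not."""
    problems = []
    if evaluate(acl, guest_host, ise_host, "tcp", 8443) != "permit":
        problems.append("guest -> ISE is redirected; portal cannot be reached")
    if evaluate(acl, ise_host, guest_host, "tcp", 50000) != "permit":
        problems.append("ISE -> guest is redirected; portal replies are caught")
    if evaluate(acl, guest_host, "203.0.113.50", "tcp", 80) != "deny":
        problems.append("ordinary web traffic is not redirected")
    return problems


if __name__ == "__main__":
    print("web traffic redirected:", is_redirected("198.51.100.20", "203.0.113.50"))
    print("portal traffic redirected:", is_redirected("198.51.100.20", "192.0.2.10", "tcp", 8443))
    print("HotspotRedirect problems:", check_redirect_acl(HOTSPOT_REDIRECT))
```

The check function is the part worth keeping: an ACL with a single deny-any line passes the "everything is redirected" requirement but fails both ISE checks, which is exactly the state in which guests see a redirect that never loads.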
ISE

1. Navigate to Guest Access > Configure > Guest Portals, and create a new portal of type Hotspot Guest Portal.

2. Choose the portal name that will be referenced in the authorization profile. In order to customize the portal, from Portal Behavior and Flow Settings, enable the AUP and, optionally, a secret access code:
3. Several more options can be enabled under Portal Page Customization; all pages presented can be customized.

Navigate to Policy > Results > Authorization > Authorization Profile in order to configure the authorization profiles:
- HotSpot (with redirection to the Hotspot portal name and the ACL HotspotRedirect)
- Internet (with Airespace ACL equal to Internet)

4. In order to verify the authorization rules, navigate to Policy > Authorization. In ISE Version 1.3, by default, for failed MAC Authentication Bypass (MAB) access (MAC address not found), authentication is continued (not rejected). This is very useful for Guest Portals because there is no need to change anything in the default authentication rules.

For the first MAB authentication, the second rule is matched (the endpoint is not yet in any identity group). Then the user is redirected to a web portal (hotspot), accepts the AUP, and optionally types the correct secret access code. ISE sends a RADIUS CoA and the WLC performs re-authentication. For the second authentication, the first rule is matched along with the authorization profile PermitInternet, which returns the ACL name that is applied on the WLC (this time, the endpoint is already in the GuestEndpoints group).

By default, guests who accept the AUP are put into the GuestEndpoints identity group. The identity group that is assigned to those endpoints is configured under the guest portal configuration and can be different for every portal.

5. Add the WLC as a Network Access Device from Administration > Network Resources > Network Devices.

Verify

Use this section in order to confirm that your configuration works properly.

1. After guest users associate with the SSID Hotspot and type a URL, they are redirected to the AUP:
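The two-pass authorization described above, as an added example that is not part of the Cisco document: a small model of the two authorization rules, the GuestEndpoints membership that the portal grants, and the CoA that follows it. It also goes one step beyond the text by showing what first-match evaluation does when the generic MAB rule is placed above the GuestEndpoints rule: the second authentication lands on HotSpot again and the guest never gets the Internet ACL. Profile, rule and group names follow the document; the MAC addresses and access code are constructed.

```python
"""Model of the hotspot authorization rules and the two-pass flow (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

GUEST_GROUP = "GuestEndpoints"   # default identity group for guests who accept the AUP


@dataclass(frozen=True)
class Profile:
    name: str
    airespace_acl: Optional[str] = None   # returned on the second authentication
    redirect_acl: Optional[str] = None    # url-redirect-acl on the first authentication
    portal: Optional[str] = None


PERMIT_INTERNET = Profile("PermitInternet", airespace_acl="Internet")
HOTSPOT = Profile("HotSpot", redirect_acl="HotspotRedirect", portal="Hotspot Guest Portal")

# A rule is (name, condition, profile); a condition sees the MAC and its identity
# groups. Evaluation is first match, so order decides the outcome.
Condition = Callable[[str, Set[str]], bool]
Rule = Tuple[str, Condition, Profile]

RULES_DOCUMENT_ORDER: List[Rule] = [
    ("Guest_Known", lambda mac, groups: GUEST_GROUP in groups, PERMIT_INTERNET),
    ("Guest_Redirect", lambda mac, groups: True, HOTSPOT),   # any wireless MAB session
]
# The same two rules with the generic MAB rule on top (the misconfiguration).
RULES_WRONG_ORDER: List[Rule] = list(reversed(RULES_DOCUMENT_ORDER))


class IseModel:
    def __init__(self, rules: List[Rule], access_code: Optional[str] = None):
        self.rules = rules
        self.access_code = access_code            # None = no secret code required
        self.groups: Dict[str, Set[str]] = {}     # endpoint MAC -> identity groups
        self.coa: List[Tuple[str, str]] = []      # CoA messages sent to the WLC

    def authorize(self, mac: str) -> Profile:
        groups = self.groups.get(mac, set())
        for _name, condition, profile in self.rules:
            if condition(mac, groups):
                return profile
        raise LookupError("no rule matched; the default rule would deny")

    def accept_aup(self, mac: str, code: Optional[str] = None) -> bool:
        """Portal step: AUP accepted (and code correct) -> group membership + CoA."""
        if self.access_code is not None and code != self.access_code:
            return False
        self.groups.setdefault(mac, set()).add(GUEST_GROUP)
        self.coa.append((mac, "Admin-Reset"))     # CoA type ISE 1.3 uses for hotspot
        return True


def hotspot_flow(rules, mac, access_code=None, typed_code=None):
    """Run both authentications; return (first profile, AUP accepted, second profile)."""
    ise = IseModel(rules, access_code)
    first = ise.authorize(mac).name
    ok = ise.accept_aup(mac, typed_code)
    second = ise.authorize(mac).name if ok else None   # WLC re-authenticates after the CoA
    return first, ok, second


if __name__ == "__main__":
    print("document order:", hotspot_flow(RULES_DOCUMENT_ORDER, "00:11:22:33:44:55"))
    print("wrong order:   ", hotspot_flow(RULES_WRONG_ORDER, "00:11:22:33:44:55"))
    print("wrong code:    ", hotspot_flow(RULES_DOCUMENT_ORDER, "00:11:22:33:44:55", "1234", "9999"))
```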
2. If the access code was configured under the guest portal, then it is required. If the user provides an incorrect code, an error displays:

3. Here is the screen that displays if the correct code is entered:
4. Once the correct code is entered, the WLC performs re-authentication and presents the Internet ACL attached to the session.

Additional Posture

If there is a need to provide access to guest users only when they satisfy a specific policy (Posture), such as fresh Anti-Virus updates and Microsoft Windows updates, then it can be accomplished with these rules:
The HotSpot rule does not provide access to the Internet, but instead performs redirection to a posture service. Then the Web Agent can be pushed to the station (Client Provisioning rules) and perform policy checks (Posture rules). A compliance report is sent by the Web Agent to ISE. After the station is compliant, ISE sends another CoA Re-authenticate, which triggers an authorization update on the WLC. Then the HotSpot_Compliant rule is matched and access to the Internet is provided.

Posture configuration with the NAC or Web Agent is very similar to ISE Version 1.2 and is out of scope for this document (see the Related Information section for more information).

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

ISE should present:

Here is the flow:
- The guest user matches the second authorization rule and is redirected to Hotspot ("Authentication succeeded").
- After the user accepts the AUP, ISE sends the CoA Admin Reset, which is confirmed by the WLC ("Dynamic Authorization succeeded").
- The WLC performs re-authentication, and the ACL name is returned ("Authorize Only succeeded").

This can also be verified if you navigate to Operations > Reports > ISE Reports > Guest Access Reports > AUP Acceptance Status:
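The three-event sequence above, turned into a check over a live-log export, as an added example that is not part of the Cisco document. It groups events per guest MAC, verifies that they occur in the documented order, and for a flow that stops early names the configuration items from the Configure section to look at for the missing step. The CSV below is a constructed, simplified export; a real ISE RADIUS live-log export has many more columns, so the column names are an assumption to adapt.

```python
"""Check a (constructed) RADIUS live-log export for the hotspot event sequence (added example)."""
import csv
import io
from collections import defaultdict

EXPECTED = ("Authentication succeeded",          # first MAB auth -> HotSpot redirect
            "Dynamic Authorization succeeded",   # WLC acknowledged the CoA Admin Reset
            "Authorize Only succeeded")          # re-authentication returned the ACL

# Items from the Configure section to verify when the flow stalls before an event.
HINT_IF_MISSING = {
    "Authentication succeeded":
        "WLAN Layer 2 security None with MAC filtering; ISE selected as AAA server; "
        "WLC added as a network device on ISE",
    "Dynamic Authorization succeeded":
        "RADIUS CoA (RFC 3576) enabled on the RADIUS server entry; WLAN NAC State set to RADIUS NAC",
    "Authorize Only succeeded":
        "AAA Override enabled on the WLAN; Internet ACL present on the WLC under that exact name",
}

# Constructed sample export: one complete flow, one stalled after the CoA,
# one MAC whose first visible event is out of order.
SAMPLE_LOG = """timestamp,mac,event,authz_profile
2015-02-11 10:00:01,00:11:22:33:44:55,Authentication succeeded,HotSpot
2015-02-11 10:00:40,00:11:22:33:44:55,Dynamic Authorization succeeded,
2015-02-11 10:00:41,00:11:22:33:44:55,Authorize Only succeeded,PermitInternet
2015-02-11 10:05:00,aa:bb:cc:dd:ee:ff,Authentication succeeded,HotSpot
2015-02-11 10:05:30,aa:bb:cc:dd:ee:ff,Dynamic Authorization succeeded,
2015-02-11 10:09:12,11:22:33:44:55:66,Authorize Only succeeded,PermitInternet
"""


def parse_log(text):
    """Group events per MAC in timestamp order."""
    events = defaultdict(list)
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["timestamp"])
    for row in rows:
        events[row["mac"].lower()].append(row["event"])
    return dict(events)


def diagnose(events):
    """Return (status, detail) for one MAC's event list.

    'ok'         - all three events, in order
    'incomplete' - a proper prefix of the sequence; detail names the missing event
    'unexpected' - an event out of order; detail is that event"""
    for i, event in enumerate(events):
        if i >= len(EXPECTED) or event != EXPECTED[i]:
            return "unexpected", event
    if len(events) < len(EXPECTED):
        missing = EXPECTED[len(events)]
        return "incomplete", "%s missing: check %s" % (missing, HINT_IF_MISSING[missing])
    return "ok", None


def diagnose_log(text):
    return {mac: diagnose(evs) for mac, evs in parse_log(text).items()}


if __name__ == "__main__":
    for mac, result in diagnose_log(SAMPLE_LOG).items():
        print(mac, result)
```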
Related Information
- Posture Services on Cisco ISE Configuration Guide
- Cisco ISE 1.3 Administrators Guide
- Central Web Authentication on the WLC and ISE Configuration Example
- Central Web Authentication with FlexConnect APs on a WLC with ISE Configuration Example
- Technical Support & Documentation - Cisco Systems

Updated: Feb 11, 2015