Cisco Ise 13 User Guide
Page 371
1 In ISE, choose Work Centers > Guest Access > Portals & Components > Sponsor Portals, and edit your sponsor portal.
2 Select the Portal Page Customization tab.
3 Scroll down and select Create Account for Known Guests.
• On the Preview display on the right, select Settings.
These settings determine which fields display and are required for guest accounts when they are created on the sponsor portal.
This configuration applies to Known, Random, and Imported guest types. The template that the sponsor...
Page 372
Procedure
Step 1 Choose Operations > Reports.
Step 2 Under the Report Selector, expand the Guest Access Reports and Endpoints and Users selections to view the various guest, sponsor, and endpoint related reports.
Step 3 Select the report and choose the data with which you want to search using the Filters drop-down list. You can use filters on username, portal name, device name, endpoint identity group and other such data.
Step 4 Select the Time Range during which you want to view the data.
Step 5 Click Run.
Metrics Dashboard...
Page 373
◦ Inspect HTTP traffic and send data to Cisco ISE Monitoring node. Cisco ISE requires only the IP address and accessed URL for the Guest Activity report; so, limit the data to include just this information, if possible.
◦ Send syslogs to Cisco ISE Monitoring node.
Sponsor Login and Audit Report
The Sponsor Login and Audit report is a combined report that tracks:
• Login activity by the sponsors at the Sponsor portal.
• Guest-related operations performed by the sponsors in the Sponsor portal.
This report is available at Operations > Reports > Guest Access Reports > Sponsor Login and Audit....
Page 374
NAD with Central WebAuth Process
In this scenario, the network access device (NAD) makes a new authorization request to the Cisco ISE RADIUS server from an unknown endpoint connection. The endpoint then receives a url-redirect to Cisco ISE.
webauth-vrf-aware command is supported only in IOS XE 3.7E, IOS 15.2(4)E or later versions. Other switches do not support WebAuth URL redirect in virtual routing and forwarding (VRF) environment. In such cases, as a workaround, you can add a route in the global routing table to leak the traffic back into the VRF.
Note...
Page 375
• If it is a posture flow, where the Guest portal is configured to perform client provisioning, the guest device web browser displays the Client Provisioning page for posture agent installation and compliance. (You can also optionally configure the client provisioning resource policy to feature a “NetworkAccess:UseCase=GuestFlow” condition.)
Because there is no client provisioning or posture agent for Linux, the Guest portal redirects to the Client Provisioning portal, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA....
Page 376
are WLC 5760 and Cisco Catalyst 3850, 3650, 2000, 3000, and 4000 Series Access Switches running releases IOS-XE 3.6.0.E and 15.2(2)E.
Figure 22: WLC with Local WebAuth Non-Posture Flow
Wired NAD with Local WebAuth Process
In this scenario, the Guest portal redirects the guest login request to the switch (wired NAD). The login request is in the form of an HTTPS URL posted to the switch and contains the login credentials. The switch receives the guest login request and authenticates the guest using the configured Cisco ISE RADIUS server....
Page 377
IP Address and Port Values Required for the Login.html Page
The IP address and port values must be changed in the following HTML code for the login.html page to those values being used by the Cisco ISE Policy Services nodes. The default port is 8443, but you can change this value, so ensure that the value you assign to the switch matches the setting in Cisco ISE.
ISEGuestPortal Redirecting...LoginISEGuestPortal
Because the custom login page is a public web form, consider these guidelines:...
Page 378
Procedure
Step 1 To specify the use of your custom authentication proxy web pages, first store your custom HTML files on the switch flash memory. To copy your HTML files to the switch flash memory, run the following command on the switch:
copy tftp/ftp flash
Step 2 After copying your HTML files to the switch, perform the following commands in global configuration mode:
Specifies the location in the switch memory file system of the custom HTML file to use in place of the default login page. The device: is flash memory.
ip admission proxy http login page file device:login-filename
a....
Page 379
Device Registration WebAuth Process
Using Device Registration Web Authentication (Device Registration WebAuth) and the Hotspot Guest portal, you can allow guest devices to connect to a private network without requiring usernames and passwords.
In this scenario, the guest connects to the network with a wireless connection. See Figure 23: Wireless Device Registration Web Authentication Flow for an example of the Device Registration WebAuth process flow.
The following is an outline of the subsequent Device Registration WebAuth process, which is similar for both...
Page 380
is enabled, the guest is requested to manually renew their IP address. For mobile device users, we recommend using Access Control Lists (ACLs) on the WLC, rather than using VLANs.
Figure 23: Wireless Device Registration Web Authentication Flow
Cisco Identity Services Engine Administrator Guide, Release 1.3 334 Guest Access Web Authentication Options