Cisco ISE 1.3 User Guide
Guest Access with Hotspot Guest Portals

Cisco ISE provides network access functionality that includes "hotspots," which are access points that guests can use to access the Internet without requiring credentials to log in. When guests connect to the hotspot network with a computer or any device with a web browser and attempt to connect to a website, they are automatically redirected to a Hotspot Guest portal. Both wired and wireless (Wi-Fi) connections are supported with this functionality.

The Hotspot Guest portal is an alternative Guest portal that allows you to provide network access without requiring guests to have usernames and passwords and alleviates the need to manage guest accounts. Instead, Cisco ISE works together with the network access device (NAD) and Device Registration Web Authentication (Device Registration WebAuth) to grant network access directly to the guest devices. Sometimes, guests may be required to log in with an access code. Typically, this is a code that is locally provided to guests who are physically present on a company's premises.

If you support the Hotspot Guest portal:
• Based on the Hotspot Guest portal configuration and settings, guests are granted access to the network if the guest access conditions are met.
• Cisco ISE provides you with a default guest identity group, GuestEndpoints, which enables you to cohesively track guest devices.

Guest Access with Credentialed Guest Portals

You can use a credentialed Guest portal to identify and authorize temporary access for external users to internal networks and services, as well as to the Internet. Sponsors can create temporary usernames and passwords for authorized visitors who can access the network by entering these credentials in the portal's Login page.

You can set up a credentialed Guest portal so that guests can log in using a username and password that is obtained:
• From a sponsor. In this guest flow, guests are greeted by a sponsor, such as a lobby ambassador, when they enter company premises and are set up with individual guest accounts.
• After they register themselves, using an optional registration code or access code. In this guest flow, guests are able to access the Internet without any human interaction and Cisco ISE ensures that these guests have unique identifiers that can be used for compliance.
• After they register themselves, using an optional registration code or access code, but only after the request for a guest account is approved by a sponsor. In this guest flow, guests are provided access to the network, but only after an additional level of screening is done.

You can also force the user to enter a new password when logging in.

Cisco ISE enables you to create multiple credentialed Guest portals, which you can use to allow guest access based on different criteria. For example, you might have a portal for monthly contractors that is separate from the portal used for daily visitors.

Cisco Identity Services Engine Administrator Guide, Release 1.3, Guest Portals, page 305
Employee Access with Credentialed Guest Portals

Employees can also access the network using Credentialed Guest Portals by signing in using their employee credentials, as long as their credentials can be accessed by the identity source sequence configured for that portal.

Guest Device Compliance

When guests and non-guests access the network through credentialed Guest portals, you can check their devices for compliance before they are allowed to gain access. You can route them to a Client Provisioning page and require them to first download the posture agent that checks their posture profile and verifies if their device is compliant. You can do this by enabling the option in the Guest Device Compliance Settings in a credentialed Guest portal, which displays the Client Provisioning page as part of the guest flow.

The Client Provisioning service provides posture assessments and remediations for guests. The Client Provisioning portal is available only with a Central Web Authorization (CWA) guest deployment. The guest login flow performs a CWA, and the credentialed Guest portal is redirected to the Client Provisioning portal after performing acceptable-use-policy and change-password checks. The posture subsystem performs a Change of Authorization (CoA) on the network access device to reauthenticate the client connection once the posture has been assessed.

Guest Portals Configuration Tasks

You can use a default portal and its default settings such as certificates, endpoint identity group, identity source sequence, portal themes, images, and other details provided by Cisco ISE. If you do not want to use the default settings, you should create a new portal or edit an existing one to meet your needs. You can duplicate a portal if you want to create multiple portals with the same settings.

After creating a new portal or editing a default one, you must authorize the portal for use. Once you authorize a portal for use, any subsequent configuration changes you make are effective immediately.

If you choose to delete a portal, you must first delete any authorization policy rules and authorization profiles associated with it or modify them to use another portal.

Use this table for the tasks related to configuring the different Guest portals.
Task                                                 Self-Registered Guest Portal          Sponsored-Guest Portal                Hotspot Guest Portal
Enable Policy Services, on page 307                  Required                              Required                              Required
Add Certificates for Guest Portals, on page 307      Required                              Required                              Required
Create External Identity Sources, on page 308        Required                              Required                              Not applicable
Create Identity Source Sequences, on page 308        Required                              Required                              Not applicable
Create Endpoint Identity Groups, on page 501         Not required (defined by guest type)  Not required (defined by guest type)  Required
Create a Hotspot Guest Portal, on page 310           Not applicable                        Not applicable                        Required
Create a Sponsored-Guest Portal, on page 311         Not applicable                        Required                              Not applicable
Create a Self-Registered Guest Portal, on page 312   Required                              Not applicable                        Not applicable
Authorize Portals, on page 314                       Required                              Required                              Required
Customize Guest Portals, on page 315                 Optional                              Optional                              Optional

Enable Policy Services

To support the Cisco ISE end-user web portals, you must enable portal-policy services on the node on which you want to host them.

Procedure
Step 1 Choose Administration > System > Deployment.
Step 2 Click the node and click Edit.
Step 3 On the General Settings tab, check Policy Service.
Step 4 Check the Enable Session Services option.
Step 5 Click Save.

Add Certificates for Guest Portals

If you do not want to use the default certificates, you can add a valid certificate and assign it to a certificate group tag. The default certificate group tag used for all end-user web portals is Default Portal Certificate Group.

Procedure
Step 1 Choose Administration > System > Certificates > System Certificates.
Step 2 Add a system certificate and assign it to a certificate group tag that you want to use for the portal.
This certificate group tag will be available to select during portal creation or editing.
Step 3 Choose Guest Access > Configure > Guest Portals > Create or Edit > Portal Settings.
Step 4 Select the specific certificate group tag from the Certificate group tag drop-down list that is associated with the newly added certificate.

Create External Identity Sources

Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also include certificate authentication profiles that you need for certificate-based authentications.

Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources.
Step 2 Choose one of these options:
• Certificate Authentication Profile for certificate-based authentications.
• Active Directory to connect to an Active Directory as an external identity source (see Active Directory as an External Identity Source, on page 249 for more details).
• LDAP to add an LDAP identity source (see LDAP, on page 271 for more details).
• RADIUS Token to add a RADIUS Token server (see RADIUS Token Identity Sources, on page 279 for more details).
• RSA SecurID to add an RSA SecurID server (see RSA Identity Sources, on page 283 for more details).

Create Identity Source Sequences

Before You Begin
Ensure that you have configured your external identity sources in Cisco ISE.
To perform the following task, you must be a Super Admin or System Admin.
To allow guest users to authenticate through Local WebAuth, you must configure both the Guest Portal authentication source and the identity source sequence to contain the same identity stores.
Procedure
Step 1 Choose Administration > Identity Management > Identity Source Sequences > Add.
Step 2 Enter a name for the identity source sequence. You can also enter an optional description.
Step 3 Check the Select Certificate Authentication Profile check box and choose a certificate authentication profile for certificate-based authentication.
Step 4 Choose the database or databases that you want to include in the identity source sequence in the Selected List box.
Step 5 Rearrange the databases in the Selected list in the order in which you want Cisco ISE to search the databases.
Step 6 Choose one of the following options in the Advanced Search List area:
• Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError—If you want Cisco ISE to discontinue the search if the user is not found in the first selected identity source.
• Treat as if the user was not found and proceed to the next store in the sequence—If you want Cisco ISE to continue searching the other selected identity sources in sequence if the user is not found in the first selected identity source.
While processing a request, Cisco ISE searches these identity sources in sequence. Ensure that you have the identity sources in the Selected list box listed in the order in which you want Cisco ISE to search them.
Step 7 Click Submit to create the identity source sequence that you can then use in policies.

Create Endpoint Identity Groups

Cisco ISE groups endpoints that it discovers into the corresponding endpoint identity groups. Cisco ISE comes with several system-defined endpoint identity groups. You can also create additional endpoint identity groups from the Endpoint Identity Groups page. You can edit or delete the endpoint identity groups that you have created. You can only edit the description of the system-defined endpoint identity groups; you cannot edit the name of these groups or delete them.

Procedure
Step 1 Choose Administration > Identity Management > Groups > Endpoint Identity Groups.
Step 2 Click Add.
Step 3 Enter the name for the endpoint identity group that you want to create (do not include spaces in the name of the endpoint identity group).
Step 4 Enter the description for the endpoint identity group that you want to create.
Step 5 Click the Parent Group drop-down list to choose an endpoint identity group to which you want to associate the newly created endpoint identity group.
Step 6 Click Submit.
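To make the Advanced Search List choice in the identity source sequence procedure concrete, here is an added Python model (not Cisco ISE code) of how a sequence is walked under each option. The store names and user records are constructed sample data, and the model assumes that a user who is found but presents a wrong password fails at that store rather than falling through to the next one.

```python
# Added example: a model of an ISE-style identity source sequence walk.
# Not Cisco ISE code; store names and users are constructed sample data.
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IdentityStore:
    """One entry of the Selected list; users maps username -> password."""
    name: str
    users: Dict[str, str]


@dataclass
class SequenceResult:
    status: str                      # Passed, Failed, UserNotFound or ProcessError
    store: Optional[str] = None      # store that produced the verdict
    searched: List[str] = field(default_factory=list)  # stores consulted, in order


def authenticate(stores: List[IdentityStore], username: str, password: str,
                 proceed_on_not_found: bool) -> SequenceResult:
    """Walk the stores in Selected-list order.

    proceed_on_not_found=False models "Do not access other stores in the
    sequence and set the AuthenticationStatus attribute to ProcessError".
    proceed_on_not_found=True models "Treat as if the user was not found and
    proceed to the next store in the sequence".
    """
    searched: List[str] = []
    for store in stores:
        searched.append(store.name)
        stored = store.users.get(username)
        if stored is not None:
            # User exists here: the verdict comes from this store only.
            ok = hmac.compare_digest(stored.encode(), password.encode())
            return SequenceResult("Passed" if ok else "Failed", store.name, searched)
        if not proceed_on_not_found:
            # First miss aborts the whole sequence with ProcessError.
            return SequenceResult("ProcessError", store.name, searched)
    return SequenceResult("UserNotFound", None, searched)


# Constructed stores: a corporate directory first, a local guest store second.
SAMPLE_STORES = [
    IdentityStore("AD_Corp", {"alice": "Sup3rSecret"}),
    IdentityStore("Guest_Users", {"guest42": "Welcome1"}),
]


def demo() -> Dict[str, SequenceResult]:
    """Show why the option matters when guests live in a later store."""
    return {
        "guest_stop":    authenticate(SAMPLE_STORES, "guest42", "Welcome1", False),
        "guest_proceed": authenticate(SAMPLE_STORES, "guest42", "Welcome1", True),
        "bad_password":  authenticate(SAMPLE_STORES, "alice", "wrong", True),
        "unknown":       authenticate(SAMPLE_STORES, "nobody", "x", True),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:14} {result.status:13} via {result.store} after {result.searched}")
```

With the first option, a guest account that exists only in the second store is never reached, which is the usual reason a guest portal login "fails" while the Guest_Users store is fine.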
Create a Hotspot Guest Portal

You can provide a Hotspot Guest portal to enable guests to connect to your network without requiring a username and password to log in. An access code can be required to log in.

You can create a new Hotspot Guest portal, or you can edit or duplicate an existing one. You can delete any Hotspot Guest portal, including the default portal provided by Cisco ISE.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the Guest Flow diagram. If you enable a page, such as the AUP page, it appears in the flow and the guest will experience it in the portal. If you disable it, it is removed from the flow and the next enabled page displays for the guest.

All the Page Settings, except the Authentication Success Settings, are optional.

Before You Begin
• Ensure that you have the required certificates and endpoint identity groups configured for use with this portal.
• Ensure that the WLC that guests will connect to for the Hotspot portal is supported by ISE. See the Cisco Identity Services Engine Network Component Compatibility guide for your release, for example, http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/compatibility/ise_sdt.html.

Procedure
Step 1 Choose Guest Access > Configure > Guest Portals > Create, Edit or Duplicate.
Step 2 If creating a new portal, in the Create Guest Portal dialog box, select Hotspot Guest Portal as the portal type and click Continue.
Step 3 Provide a unique Portal Name and a Description for the portal. Ensure that the portal name that you use here is not used for any other end-user portals.
Step 4 Use the Language File drop-down menu to export and import language files to use with the portal.
Step 5 Update the default values for ports, Ethernet interfaces, certificate group tags, endpoint identity groups, and so on in Portal Settings, and define behavior that applies to the overall portal.
Step 6 Update the following settings, which apply to each of the specific pages:
• Acceptable Use Policy (AUP) Page Settings—Require guests to accept an acceptable use policy.
• Post-Access Banner Page Settings—Inform guests of their access status and any other additional actions, if required.
• VLAN DHCP Release Page Settings—Release the guest device IP address from the guest VLAN and renew it to access another VLAN on the network.
• Authentication Success Settings—Specify what guests should see once they are authenticated.
• Support Information Page Settings—Help guests provide information that the Help Desk can use to troubleshoot network access issues.
Step 7 Click Save. A system-generated URL displays as the Portal test URL, which you can use to access the portal and test it.
What to Do Next
You must authorize the portal in order to use it. You can also customize your portal either before or after you authorize it for use.

Create a Sponsored-Guest Portal

You can provide a Sponsored-Guest portal to enable designated sponsors to grant access to guests.

You can create a new Sponsored-Guest portal, or you can edit or duplicate an existing one. You can delete any Sponsored-Guest portal, including the default portal provided by Cisco ISE.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the Guest Flow diagram. If you enable a page, such as the AUP page, it appears in the flow and the guest will experience it in the portal. If you disable it, it is removed from the flow and the next enabled page displays for the guest.

All these page settings enable you to display an Acceptable Use Policy (AUP) for a guest and require its acceptance:
• Login Page Settings
• Acceptable Use Policy (AUP) Page Settings
• BYOD Settings

Before You Begin
Ensure that you have the required certificates, external identity sources, and identity source sequences configured for use with this portal.

Procedure
Step 1 Choose Guest Access > Configure > Guest Portals > Create, Edit or Duplicate.
Step 2 If creating a new portal, in the Create Guest Portal dialog box, select Sponsored-Guest Portal as the portal type and click Continue.
Step 3 Provide a unique Portal Name and a Description for the portal. Ensure that the portal name that you use here is not used for any other end-user portals.
Step 4 Use the Language File drop-down menu to export and import language files to use with the portal.
Step 5 Update the default values for ports, Ethernet interfaces, certificate group tags, identity source sequences, and so on in Portal Settings, and define behavior that applies to the overall portal.
Step 6 Update the following settings, which apply to each of the specific pages:
• Login Page Settings—Specify guest credential and login guidelines. If you select the Allow guests to create their accounts option, users will be able to create their own guest accounts. If this option is not selected, sponsors will be required to create guest accounts.
• Acceptable Use Policy (AUP) Page Settings—Add a separate AUP page and define the acceptable use policy behavior for guests, including employees who use the credentialed Guest portals.
• Employee Change Password Settings—Require guests to change their password after the first time they log in.
• Guest Device Registration Settings—Select whether Cisco ISE automatically registers guest devices or displays a page where guests can manually register their devices.
• BYOD Settings—Let employees use their personal devices to access the network.
• Post-Login Banner Page Settings—Notify guests of additional information before they are granted network access.
• Guest Device Compliance Settings—Route guests to the Client Provisioning page and require them to first download the posture agent.
• VLAN DHCP Release Page Settings—Release the guest device IP address from the guest VLAN and renew it to access another VLAN on the network.
• Authentication Success Settings—Specify what guests should see once they are authenticated.
• Support Information Page Settings—Help guests provide information that the Help Desk can use to troubleshoot network access issues.
Step 7 Click Save. A system-generated URL displays as the Portal test URL, which you can use to access the portal and test it.

What to Do Next
Note: The test portal does not support RADIUS sessions, so you won't see the entire portal flow for all portals. BYOD and Client Provisioning are examples of portals that depend on RADIUS sessions. For example, a redirect to an external URL will not work.
You must authorize the portal in order to use it. You can also customize your portal either before or after you authorize it for use.

Create a Self-Registered Guest Portal

You can provide a Self-Registered Guest portal to enable guests to register themselves and create their own accounts so they can access the network. You can still require that these accounts be approved by a sponsor before access is granted.

You can create a new Self-Registered Guest portal, or you can edit or duplicate an existing one. You can delete any Self-Registered Guest portal, including the default portal provided by Cisco ISE.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the Guest Flow diagram. If you enable a page, such as the AUP page, it appears in the flow and the guest will experience it in the portal. If you disable it, it is removed from the flow and the next enabled page displays for the guest.

All these page settings enable you to display an Acceptable Use Policy (AUP) for a guest and require its acceptance:
• Login Page Settings
• Self-Registration Page Settings
• Self-Registration Success Page Settings
• Acceptable Use Policy (AUP) Page Settings
• BYOD Settings

Before You Begin
Ensure that you have configured the required certificates, external identity sources, and identity source sequences for this portal.

Procedure
Step 1 Choose Guest Access > Configure > Guest Portals > Create, Edit or Duplicate.
Step 2 If creating a new portal, in the Create Guest Portal dialog box, select Self-Registered Guest Portal as the portal type and click Continue.
Step 3 Provide a unique Portal Name and a Description for the portal. Ensure that the portal name that you use here is not used for any other end-user portals.
Step 4 Use the Language File drop-down menu to export and import language files to use with the portal.
Step 5 In Portal Settings, update the default values for ports, Ethernet interfaces, certificate group tags, identity source sequences, and other settings that define the behavior of this portal. For more information about Portal Settings fields, see Portal Settings for Credentialed Guest Portals, on page 772.
Step 6 Update the following settings, which apply to each of the specific pages:
• Login Page Settings—Specify guest credential and login guidelines. For more information, see Login Page Settings for Credentialed Guest Portals, on page 774.
• Self-Registration Page Settings—Specify the information self-registering guests will read and should enter on the Self-Registration form, in addition to the guest experience after they have submitted the form.
• Acceptable Use Policy (AUP) Page Settings—Add a separate AUP page and define the acceptable use policy behavior for guests, including employees who use the credentialed Guest portals. For more information, see Acceptable Use Policy (AUP) Page Settings for Credentialed Guest Portals, on page 780.
• Employee Change Password Settings—Require guests to change their password after the first time they log in.
• Guest Device Registration Settings—Select whether Cisco ISE automatically registers guest devices or displays a page where guests can manually register their devices.
• BYOD Settings—Let employees use their personal devices to access the network. For more information, see BYOD Settings for Credentialed Guest Portals, on page 782.
• Post-Login Banner Page Settings—Display additional information after the user successfully logs in, and before they are granted network access.
• Guest Device Compliance Settings—Redirect guests to the Client Provisioning page for posture assessment. For more information, see Guest Device Compliance Settings for Credentialed Guest Portals, on page 783.
• VLAN DHCP Release Page Settings—Release the guest device IP address from the guest VLAN and renew it to access another VLAN on the network. For more information, see BYOD Settings for Credentialed Guest Portals, on page 782.
• Authentication Success Settings—Specify where to direct guests after they are authenticated. If you redirect a Guest to an external URL after authentication, there may be a delay while the URL address is resolved and the session is redirected. For more information, see Authentication Success Settings for Guest Portals, on page 784.
• Support Information Page Settings—Help guests provide information that the Help Desk can use to troubleshoot network access issues.
Step 7 Click Save. A system-generated URL displays as the Portal test URL, which you can use to access the portal and test it.

What to Do Next
Note: The test portal does not support RADIUS sessions, so you won't see the entire portal flow for all portals. BYOD and Client Provisioning are examples of portals that depend on RADIUS sessions. For example, a redirect to an external URL will not work.
You must authorize the portal in order to use it. You can also customize your portal either before or after you authorize it for use.

Authorize Portals

When you authorize a portal, you are setting up the network authorization profiles and rules for network access.

Before You Begin
You must create a portal before you can authorize it.

Procedure
Step 1 Set up a special authorization profile for the portal.
Step 2 Create an authorization policy rule for the profile.

Create Authorization Profiles

Each portal requires that you set up a special authorization profile for it.

Before You Begin
If you do not plan to use a default portal, you must first create the portal so you can associate the portal name with the authorization profile.