Guest Implementation:Self Registration using Cisco ISE-2.2
This document explains the design plan for a guest wireless implementation using an automatic self-registration portal.
This guest SSID can be used by both guests and internal employees.
If the user is a guest, they create a self-registration account; if the user is an internal employee, he/she can enter their Active Directory username/password to log in.
Working:-
a) When a user connects to SSID GUEST, the user gets a login prompt:
1) If the user is an internal employee, they can sign in with their username and password.
2) If the user is a guest, they will create an account using the link provided on the same page.
All this traffic is sent to the Anchor WLC through the mobility tunnel.
b) On the Anchor WLC, the default gateway is pointed to the local firewall's DMZ interface.
c) All guest authentications are performed by the Cisco ISE server. Once the user is authenticated, they are given access to the internet.
d) Return traffic from the Anchor WLC is sent to the firewall; here we add access rules blocking all RFC 1918 (private) IP address ranges and allowing all remaining access.
Step 1:- Create an HTML self-registration portal which contains the following:
a) Login page
b) Self-registration page
c) Registration success page
d) Support information.
You can use the ISE 2.2 pre-defined image, or you can customize the HTML page.
Below are some samples created for the same.
a) Login Page:-
All the above fields are mandatory.
Email Address: this should be the guest's own email address, e.g. rajiv@gmail.com, rajiv@outlook.com.
Person Being Visited:- This is a very important field. Here the guest has to enter an employee's email address,
so that the approval/deny email is sent to this person.
I'm using the following JavaScript to make sure only email addresses ending with @rajivcompany.com work, and all other email addresses are blocked, as shown below.
<script>
// Runs shortly after page load so the ISE portal's jQuery Validate plugin has already registered the form.
setTimeout(function(){
  // Custom rule: the sponsor address must END with @rajivcompany.com (dot escaped, anchored, case-insensitive).
  // This is browser-side validation only; it guides the guest but cannot by itself be relied on as a security control.
  $.validator.addMethod("customemailvalidator", function(value, element) {
    return (/@rajivcompany\.com$/i).test(value);
  }, 'Invalid Email address format');
  // Attach the rule to the "Person Being Visited" field of the self-registration form.
  jQuery("[name='guestUser.fieldValues.ui_person_visited']").rules("add", {customemailvalidator: true});
}, 50);
</script>
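As an added example (not part of the original post), the following stand-alone JavaScript compares the posted unanchored pattern /@rajivcompany.com/ with a strict check that requires the sponsor domain to be the entire domain part of the address; the domain rajivcompany.com is the one used in the post, and the sample addresses are constructed.

```javascript
// Added example: why the sponsor-domain check should be anchored.
// The posted regex only requires the text to appear SOMEWHERE in the value,
// and its unescaped "." matches any character. Domain from the post; samples constructed.
const SPONSOR_DOMAIN = "rajivcompany.com";

// Original check, exactly as posted (kept for comparison).
function looseSponsorCheck(value) {
  return (/@rajivcompany.com/).test(value);
}

// Hardened check: exactly one "@", a non-empty local part, no whitespace,
// and the sponsor domain as the WHOLE domain part (case-insensitive).
function strictSponsorCheck(value) {
  if (typeof value !== "string") return false;
  const v = value.trim();
  if (/\s/.test(v)) return false;
  const at = v.indexOf("@");
  if (at <= 0 || at !== v.lastIndexOf("@")) return false;
  return v.slice(at + 1).toLowerCase() === SPONSOR_DOMAIN;
}

// Constructed addresses covering the legitimate and the problematic cases.
const SAMPLES = [
  "alice@rajivcompany.com",               // valid sponsor
  "Bob@RajivCompany.COM",                 // valid, but rejected by the case-sensitive original
  "mallory@rajivcompany.com.example.net", // other domain that merely contains the text
  "mallory@rajivcompanyXcom",             // unescaped "." matches the X
  "guest@gmail.com",                      // plainly external
  "x@rajivcompany.com@gmail.com"          // two "@" signs
];

// Side-by-side result of both checks for each address.
function compareChecks(values) {
  return values.map((v) => ({ value: v, loose: looseSponsorCheck(v), strict: strictSponsorCheck(v) }));
}

// Addresses the original check accepts but the strict one rejects.
function acceptedOnlyByLoose(values) {
  return values.filter((v) => looseSponsorCheck(v) && !strictSponsorCheck(v));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks(SAMPLES));
}
```

The strict function can be dropped into the page's addMethod callback in place of the regex test.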
Working:- when you enter a company email address belonging to the person responsible for approving/denying guest users.
Not working:-
Once the user clicks REGISTER, an automatic email is sent to the "Person Being Visited" so that they can approve or deny the guest user account.
ISE 2.2 uses the following template to send the automatic email containing the Approve/Deny links:
$ui_self_reg_email_approve_link_start$ Approve $ui_self_reg_email_approve_link_end$
$ui_self_reg_email_deny_link_start$ Deny $ui_self_reg_email_deny_link_end$
Please approve (or deny) this self-registering guest by clicking on the link above.
The guest provided the following information:
Username: $ui_user_name$
First Name: $ui_first_name$
Last Name: $ui_last_name$
Password: $ui_password$
Phone Number: $ui_phone_number$
Valid From: $ui_start_date_time$
Valid To: $ui_end_date_time$
Person being visited: $ui_person_visited$
--------------------------------------------------------------------------------------------------------------------
This is an automated message: please DO NOT reply directly to this email.
For support please contact the help desk sriramoju@outlook.com
Sample email:-
c) Guest Self-Registration Success Page:-
Once the guest user is approved, they will get an automatic email at the guest email address with their username and password, as shown below.
Firewall Configuration:-
a) Create a sub-interface and a separate VLAN for Guest on the firewall.
b) Create firewall rules such that they block RFC 1918 destinations and allow all other IP communication. The rules are evaluated in order, so the block rule must come before the permit rule:
Source: Guest subnets, Destination: RFC-1918, Protocol: IP ==> Action: Block
Source: Guest subnets, Destination: any, Protocol: IP ==> Action: Permit
WLC Configuration:-
1) Both Foreign and Anchor WLCs should have the same WLAN configuration; the interface configuration and DHCP server are configured on the Anchor WLC. There is a mobility tunnel between the Anchor and Foreign WLC.
2) Under the AAA configuration, configure the ISE servers and enable ISE NAC redirection under the WLAN settings.
3) Configure the pre-auth ACL (redirect ACL) on the Anchor WLC; this ACL is used to redirect the guest user to the ISE self-registration portal.
ACL:- Permit DNS, Permit ISE servers, Deny all other traffic.
Now all traffic is redirected from the AP to the Foreign WLC and on to the Anchor WLC.
If you have any queries, please feel free to comment below.
Hey, thanks for the documentation. I have two queries.
1. Where do I need to put this script?
2. After successful registration, where is the user stored?