Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Authentication of Guest users without certififcate

Hi Team,

 

   I have employess doing certificate based authentication to connect to the network. Hwever I have few users which donot have certificates at all and they want to have internet access only.

 

I want to understand what all  are my options here to make sure that guest users skip there authentication and get only internet vlan and connect.

 

Is it possible to have a rule in ISE stating skip the authentication and push only internet VLAN through AUthorization profile.?

 

Or of there is any other alternate or way available.

 

Minakshi

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Hi Minakshi, There are

Hi Minakshi, 

There are several different ways you can do this. The simplest and probably the easiest way to do this via the Guest Portal that is already included in ISE. If this is for wireless, you would:

1. Create a separate SSID and configure it for CWA (Central Web Authentication). You can set the portal to look to AD for let's say allow all "Domain Users" to authenticate

2. You can restrict the actual access either by ACLs configured on the WLC (WLCs do not support dACLs) or dynamic VLAN(s)

 

If this is for wired, the setup would be similar. You would:

1. Any sessions that fail 802.1x can be redirected to the guest portal. The gust portal can again be set to look to AD for authentications

2. Access can be restricted via DACLs (configured on ISE) or via dynamic VLAN(s)

 

Take a look at the following docs:

 http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_40_webauthentication_dg.pdf

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_41_guest_services.pdf

 

Hope this helps!

 

Thank you for rating helpful posts! 

 

Thank you for rating helpful posts!
Cisco Employee

For your question #1: Someone

For your question #1: Someone else can chime in here but I think this is only possible via the BYOD provisioning flow with dual SSIDs. You would have the first SSID where the end user would connect and get redirected to the web portal. After login, the machine would go through an on-boarding process during which a certificate would be installed and the supplicant would be configured to perform EAP-TLS. After that the client would connect to the corporate SSID via EAP-TSL

 

For your question #2: You do not need AD integration to perform EAP-TLS authentication. AD integration comes handy when you want to also check for an AD user or machine group and/or when you want to use GPO to auto-enroll machine/user certs. 

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
11 REPLIES
Cisco Employee

Hi Minakshi, There are

Hi Minakshi, 

There are several different ways you can do this. The simplest and probably the easiest way to do this via the Guest Portal that is already included in ISE. If this is for wireless, you would:

1. Create a separate SSID and configure it for CWA (Central Web Authentication). You can set the portal to look to AD for let's say allow all "Domain Users" to authenticate

2. You can restrict the actual access either by ACLs configured on the WLC (WLCs do not support dACLs) or dynamic VLAN(s)

 

If this is for wired, the setup would be similar. You would:

1. Any sessions that fail 802.1x can be redirected to the guest portal. The gust portal can again be set to look to AD for authentications

2. Access can be restricted via DACLs (configured on ISE) or via dynamic VLAN(s)

 

Take a look at the following docs:

 http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_40_webauthentication_dg.pdf

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_41_guest_services.pdf

 

Hope this helps!

 

Thank you for rating helpful posts! 

 

Thank you for rating helpful posts!
New Member

Thanks Neno!!  My next

Thanks Neno!!

 

 My next question is , I am doing EAP TLS authentication for wireless users, My customer wants that all the users should get customized java based web page, Before they authenticate using EAP-TLS.

 

Is it possible? I checked Central web authentication However, Not sure, if It takes customised java scripted web page

 

Minakshi

Cisco Employee

Just to make sure I

Just to make sure I understand the requirements correctly: The customer wants the users to authenticate through a web portal and then perform EAP-TLS authentication? If so may I ask why? :)

Thank you for rating helpful posts!
New Member

Hi Neno,   Yes, Kind of ,

Hi Neno,

 

  Yes, Kind of , They have a customized web page and they want users to see that customised web page first and then perform EAP-TLS.

 

- I also, want to know, Since customer wants to do eap tls authentication using online certificate store. Is this possible to have certificate based authentication for eap tls, without integrating it with AD.

 

Minakshi

Cisco Employee

For your question #1: Someone

For your question #1: Someone else can chime in here but I think this is only possible via the BYOD provisioning flow with dual SSIDs. You would have the first SSID where the end user would connect and get redirected to the web portal. After login, the machine would go through an on-boarding process during which a certificate would be installed and the supplicant would be configured to perform EAP-TLS. After that the client would connect to the corporate SSID via EAP-TSL

 

For your question #2: You do not need AD integration to perform EAP-TLS authentication. AD integration comes handy when you want to also check for an AD user or machine group and/or when you want to use GPO to auto-enroll machine/user certs. 

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
New Member

Hi Neno,   Thanks. So If  I

Hi Neno,

 

  Thanks. So If  I have understood it correctly, without AD integration the authentication will work. However I would like to know, How ISE validates the identity of the user basis on the CN value.

 

For ex: If I select CN attribute and configure Authentication profile as external Identity store, How will the ISE validate the identity of the user and authenticate?

 

Can you explain the traffic flow?

 

for exam:

User--Wlc--ISE-- Certificate profile---(How Certificate profile validates the identity)

 

Question 2: Is there any way we can integrate online third party certificate server with ISE? through which it can validate the identity.

 

 

Cheers!!

Minakshi

Cisco Employee

You remind me a lot of the

You remind me a lot of the days when I first was getting myself into ISE, 802.1x and certificates :) Back then I found the following link that greatly help me understand how EAP-TLS works. Some good examples are given as well:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

For your second question: There are several companies out there that provide managed PKI service. I have heard good things about the Symantec solution but have never tried it myself:

http://www.symantec.com/managed-pki-service

 

Thank you for rating helpful posts! 

Thank you for rating helpful posts!
New Member

Hey Neno,   I have worked in

Hey Neno,

 

  I have worked in TAC for 5 years!! in AAA/ACS. Below is just one of my articles that were published by Cisco :

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html

 I am x-tac engineer.

 

I would just like to know How ISE validates the identity of Username basis on CN.

I just wanted to know if there is any way we can integrate ISE with online certificate server, Coz I dont see any place in ISE where we can add URL or something for the external certificate server and define it under Identity store. 

 

 

 

Cisco Employee

Sorry Minakshi. I did not

Sorry Minakshi. I did not mean to offend you nor imply that you were not technically savvy. I already saw your Cisco e-mail address so I had no doubt about your skills. I just remembered the days when I was struggling with certificates and it made me smile because I hate it it :)

Give that link a try and see if it helps.

Thank you for rating helpful posts!
New Member

Hey Neno!!   No worries!!!

Hey Neno!!

 

  No worries!!! Could you kindly check if the ISE can integrate with online certificate server, Coz I really doubt if we can do this!!

 

Thanks a lot!!

Minakshi

Cisco Employee

It is possible. I know a

It is possible. I know a colleague of mine that have done it before with Symantec. I am sure there other providers out there as well. 

Thank you for rating helpful posts!
84
Views
0
Helpful
11
Replies
CreatePlease to create content