Cisco ISE: Guest Access (Lab)

Captions
All right guys, so now we will get into a bit of configuration and demo part, right? So the first one which we will tackle is basically the hotspot portal. Remember, in hotspot portal we are not gonna ask the user for any username and password, right? We are basically gonna give him access as soon as he connects, so we'll see how that is done. Topology remains the same: switch, and you have the ISE and domain controller, and this is my client PC, right? So let's get to it.

Let's go to ISE, Work Centers. Let me show you the guest access overview. So these are like very, you know, stepwise, detailed... you know, they have given you very standard steps on how to configure, so if you are stuck somewhere you can just go about doing this, you know, preparation, define, and then, you know, you can configure the whole stuff. But let me just directly go down to the settings to start with. That's just for your reference, right? You don't have to follow each and every step which is mentioned there.

Settings: so whatever settings you do here kind of will be applicable to all the portals, right? We'll probably be discussing like four portals, guest and sponsor and self service, self service with sponsor and so on, so these settings are kind of applicable to all of them. If you want to get rid of your guest endpoints, you know, on a daily basis, you can configure that here, or you can immediately do it as well just by clicking the Purge Now button.

Custom fields is basically, as and when we create new portals, right, we would basically need some extra fields, custom fields, so this is where you define. For example, I have defined something like person waiting, a string, and the name of the person and so on, right? So, sorry, person visiting: the person, like when you're visiting a branch or something, you would wanna... you'll be the client and basically there'll be some sponsor who will be, you know, letting you in, right? So this is a very simple example of that. I'll show you where we'll be
using such kind of stuff.

SMTP server you can set up just by clicking this. I'm not gonna do this because it's a lab, but you can set up an acceptable SMTP server and you can make ISE, you know, kind of like send emails using that SMTP server, you know, for all the passwords, you know, expiration, you know, details and all of that.

Locations and SSID is just the place where you put in your locations of the users, guest users coming into your network. SSID: so if you are not doing anything in wireless... but if you were doing in wireless then you would have to pick the SSID from your, where is that, WLAN, right, from your WLC you'll have to pick the SSID. This is basically, you can make this SSID available for sponsors to select when they create the guest account, so we are basically making the sponsor portal kind of like available only via this SSID, so you can do that setting here. Remember, we are not doing anything in wireless, we are doing everything in wired, though obviously it's very rare you will see anyone using guest for wireless, sorry, for wired. But since it's very difficult to... I don't think you can emulate wireless using EVE, so that's why I'm just showing everything using wired, right? But the process almost remains the same for wireless as well.

The username policy, the password policy: you can do changes here. You can basically tell what kind of passwords have to be generated, what are the characters it needs to have and so on. Cool, so that's mainly the settings.

That being said, we can quickly move on to... give me a second. So let's move on to the policy stuff now. So before we go down to the policy sets, let me show you the downloadable ACLs and the authorization profiles which I have created for this guy, for the hotspot, right? For downloadable ACLs, let's see. So you have an ACL called ISE only. So what this ACL does is, I think by now you know, right? So you basically have two authorization policies, right? The first authorization policy, you
know, is going to be mainly for redirecting the user traffic to the ISE portal, and after that, you know, the second authorization policy is basically to elevate the privileges, you know, once the user has put in the right password or accepted the policy and so on. So this is the first... this is the ACL which will be used in the first policy, where the user has just connected, or the client has just connected to the network, but we don't want to allow any kind of traffic from the client yet. So we are denying everything except, you know, your DNS (see, the domain is the DNS one), bootps is your DHCP, and then obviously traffic towards the ISE, right? Because all my DNS and all the services are basically there on that domain... sorry, my portal is on the ISE at the end of the day, so that's why we are allowing that as well, right? So that's mainly with respect to the... let me just click on OK.

Yeah, so that was one of the downloadable ACLs. The other one which I want to show you is the second downloadable ACL, which gets downloaded on the box once the user has put in, you know, the correct password and once we have, like, you know, authenticated the user, right? Or maybe the user has accepted the policy, the, you know, AUP policy, right? So this is the second downloadable ACL. I'll show you where these actually come into play. So these are the two ACLs. This is basically preventing any guest user from doing an ICMP ping to the domain controller, right, and it is allowing every other traffic, right? Pretty straightforward. I just put in a simple example here, because when a guest connects to your network you would want to give him or her only internet access; you don't want to give them access to any internal resources, so that's why I put in a deny statement here.

Now going back to our authorization profiles: your downloadable ACLs have no meaning if they are not assigned, or if they are not attached, to any authorization profiles, right? So that's where
we'll basically use this. So first one is the hotspot access. So this is the first authorization profile which will kick in, where, you know, look at here, we have used the dACL which I showed you earlier, the ISE only dACL. And the second one is the... because we are talking now about the hotspot, so you can see you got to select Hotspot here, and this is the ACL which is connected on the box. So this is the ACL which is configured on the box, right, on your switch, so the name should exactly match. I'll quickly show you, give me a second. Right, so here you can see this is the access list I was talking about, right? So from here you can clearly understand that this is the downloadable ACL... let me just put it once again.

Yeah, so what you see from here is that, we are trying... the permit lines over here basically are trying to match any kind of HTTP or HTTPS traffic, right? So when it finds any of such kind of traffic, you know, it is going to trigger that redirection URL. So always remember that the redirect ACL will not permit or deny any traffic; this is just there to kind of only match the, you know, traffic which has to be redirected. So here HTTP and HTTPS will be redirected, whereas the rest of all the traffic will be denied, right? So it has nothing to do with permitting and denying traffic as such, right? So that's the same ACL, and the name has to match, so that's why be careful here.

And the portal: this is basically the place where you kind of like put in the name of the hotspot portal which you created, right? I'll spend few minutes on this portal, I'll show you where to create this, but for now just remember that, you know, this is where you select your hotspot. You have many other options, you have CWA, which we will probably use later, but for now select Hotspot, select, you know, put in the redirect ACL so that the traffic, the HTTP traffic, will get redirected to the, you know, to the hotspot portal, and here you
basically have all the portals which you would have created; you just need to select the portal, right? So that being said, let me quickly also show you the policy sets, and then we could finally wrap it up by showing you the portal itself, how to create the portal, right? So that'll be pretty cool. OK, give me a second.

All right, so this is basically same from my previous video, right? This is a policy set called wired. You go inside that, you will basically find the authentication policy. The only interesting thing to remember here is... let me actually move my map up here. Right, so what you see here is wired MAB and wired dot1x, which you probably would have seen 100 times by now, but only thing which you need to remember here is in the options section, right? Because just understand this: the users who are coming into a network, right, the guest users, they really are not part of our organization, so they don't have dot1x credentials, their MAC addresses are not part of the, you know, area, they are not part of our internal identity source, so they are bound to fail, this authentication is bound to fail, right? So that is why always change this second option which is here, right? So if user is not found, what do you want ISE to do? You want ISE to continue, because, you know, they are bound to fail here, but we will capture that in the authorization policy. So this is one change which you have to do. Do it for both your dot1x and MAB, so that, you know, if a user is trying to connect to your network and if they are not part of your ID source, then this will get kicked in, and because it is continue now, this will come down over here to the authorization policy.

And on the authorization policy you can see I've done a couple of things here. So I've defined two authorization policies: one is hotspot access, other one is the guest access. So this is what I was telling: there are two authorization policies which kick in. The first one is this one. Why? Because you
know, you can see the conditions here, right? It's either wired MAB or wired dot1x, basically. Because of this it's going to come down here, and here on the authorization profile I've selected the profile which I created earlier, right, which I showed you: hotspot profile, hotspot, which had a downloadable ACL which is ISE only, and it also had the CWA redirection, right? Once this one succeeds, right, which means the user, you know, logs into that new, you know, ISE portal and probably accepts the policy, then the second authorization policy will kick in. And observe the condition here for the second policy: it basically tells that this should kick in only if the endpoint has now entered the guest endpoints, you know, identity group, right? So I'll show you where you'll basically see this. So when we set up the demo portal, right, when we set up the hotspot portal, we are basically telling the user, the user's, you know, MAC address, to be added to this particular endpoint identity group, right? So we are using that as a condition here and telling that, OK, if the user is now, or if the MAC address is now, part of this particular endpoint, then provide him an elevated access, right? So the guest access is basically that, you know, permit internet, right, which I showed you in the downloadable ACL or the profiles, right? So that gets kicked in. So that's pretty much straightforward, I would say, nothing very complicated in the policy sets.

Now let me show you the portals. So you go down to guest access, go down to portals, right? So here you can create your demo portals, right? So by default you'll actually have these guys, I believe you'll have these three default given to you. You can just take them and edit them, or you can just create something new by clicking on Create, right? In my case, because we are doing the video on, I mean we are doing the lab on hotspot portal, you'll have to select this and click on
Continue. I'm gonna cancel this because I've already created one here; I'm gonna just show you the configs under it. All right, so you give a name for your portal over here, and basic configurations, right? There are two things here: on the left hand side you basically do your technical configurations; on the right hand side, this is mainly for customizing your portal. If you don't want, or if you want to change how it looks like, you have an editor kind of a view here, right? So you can see here there is a view of how it is looking, there is a preview, right? So as and when you change, probably you can change the logo, you can change the banner, you can change the text which appears, you can change this policy and so on, so as and when you change stuff here it will reflect here. I'm not gonna do anything much here because it's just a lab; I'll keep the demo, the default one.

But under the portal behavior settings you can do some changes. Like, you know, you can go down to the portal settings: by default it will be running on the HTTPS port, the interface is here, you know, all of this. The endpoint group, right, this is what I was telling: if the first authorization policy succeeds, what happens is that MAC address gets added to the guest endpoints. You can create your own identity store and kind of change this as well if needed. Apart from that you have CoA enabled. CoA is important because, you know, it has to reauthenticate, right, or elevate the access if the first authorization policy is passed. So that's that.

Pretty much similar to that in a bunch of settings here. This AUP is basically the acceptable use policy, right? You want that policy to be mentioned on the, you know, registration portal, I mean on the hotspot portal, then you can include this. Similarly you can also include something like a support page, right? So I've included a support page where, you know, if the user is facing issues with connecting to a network, you can click on the support page and get some information
right. So all of that is pretty straightforward. There's nothing to save here, so let's close this. So that was mainly on the portal. So these are the only configurations which you'll have to do. Obviously you'll have to add your NAD device, which we have added, you know, the switch, one long time back, but apart from that you will have to just do configurations under your guest, you know, access here: probably check the settings, probably create your portals, and then go down to your policy, you know, elements, go down to your results, create your dACLs, create your authorization profiles, go to policy sets and configure authentication, authorization policies. Cool.

So let me refresh this and we should be good to configure, I mean good to test. The only problem is, since we are doing this in EVE, there might be some features which might not exactly work as expected, so, you know, but I'm pretty sure this will work properly if you are doing, you know, actual physical hardware, right? So anyway, so this is the switch. What we'll do is, first let's check if the switch port is up: show ip interface brief. Yep, looks like the Ethernet 1/0 is my port on which the client is connected; that looks up. Let's actually turn on debug radius just to see if the RADIUS is going through, right? So that's pretty good.

Now let's go and see. Right now if I do ipconfig I shouldn't have any IP address, because, you know, this is disabled, so let's enable this. When you enable that, it will try to authenticate, right? So there you go, the authentication request is going, I can see it. Let's observe this, what is happening here. So if I do show auth sessions, there you go, already the authentication, you know, session is up. If I do interface Ethernet 1/0 details, I'll see some cool stuff. You can see on the output of this command here the most important stuff: you have the URL redirect, right? The URL is mentioned here, and the redirect URL is basically nothing but the hotspot, you know, portal,
this is the hotspot portal, and you can see that the ACL redirect is also mentioned here, right? So that's why you need to exactly mention the same name on your configuration. So here now I can see, show access list probably, yeah, there you go, so you have the exact same name, and this is your ACL redirect. Apart from that there is also another ACL which is being pushed, which is the dynamic ACL, right? So this dynamic ACL is basically telling... you can see here is that the dynamic ACL should be... OK, so there's a lot of logs, give it a second. Yeah, there you go, this is my dynamic ACL, right? So dynamic ACL is basically permitting only access to the DHCP and DNS, and obviously to my ISE, but the rest everything it is denying, right? So that, you know, the user doesn't have any access until he's authenticated.

Now the problem here is, because this is, like I said, the images, all the virtual images, right, at least the ones which I'm using, they don't support things like IP device tracking and DHCP snooping and all of that, which is very much required for, you know, the dynamic ACLs to work properly. So that's why I'll have to do a little bit of manual work, which means I can't expect the browser to do the redirect for me; I'll have to just pick the URL from here and, you know, redirect it myself. So that's a bit of a hassle because I'm just testing this, right, so it doesn't matter, but in our actual environment, you know, this should work automatically.

So in my case I'm just going to plug in my... let's go and do this. So let's put in the URL here. Before that, while that is happening, we can also see if this guy has received an IP address. There you go, 172.16.32.3, it has received an IP address, which looks good. And there you go, I can see in the back end, you know, the URL is trying to load. OK, there you go, we have the acceptance page. So this is the policy, right? You can change all of this however you want; I just have kept everything as, you know,
common for now. I've also defined an access code in my portal, right? So I'll have to put in the access code, otherwise it will not work, so zero eight seven six, I guess. I mean, I'll tell you the use of this access code, right? Like let's say you are deploying this guest, you know, service for a cafe and you don't want random people, you know, walking on the road to access your internet, then you can probably put this access code, you know, inside your cafe where it is visible for people only when they enter, and then, you know, they can connect to the network only with this, right? So because if I put in something wrong, right, let me put something wrong, yeah, it will immediately tell that it's an invalid access code and I'll not be able to connect to the network, right? So that's one thing.

If I click on contact support, this is the other stuff which I was showing you there. You can again customize this, but I have kept everything basic. So look at this, it is telling me the MAC address, the IP address, the agent from where I'm trying to connect and so on, so I can use this information when I'm raising a ticket and stuff, right?

So for now let me go and put in the right code, 130876. Good, there you go, it got connected. Now let's do a bit of connecting to the internet, like Yahoo, so that should try to connect, give it a few seconds. Meanwhile let's also see, I should not be able to connect to, you know, because of that second dynamic ACL, right, the internet only, this particular device should now have access only to internet, right? And that's why I should not be able to connect to the domain controller. So if I do ping 172.16.32.40, there you go, see, I'm not able to ping here because that's my domain controller. Because of the dynamic ACL I'm not able to ping, right, whereas the internet is working fine.

So this was mainly what I wanted to show you with respect to the hotspot portal, right, the hotspot configuration and the hotspot guest service. OK,
OK, let me just show you the logs on the ISE as well. You can see what has happened here: the user first came in as hotspot, right? So the authentication was MAB and the authorization was hotspot access, right? The first authorization policy got kicked in, and after that, you know, after the user was redirected and after the user accepted the policy, a CoA, you know, a change of authorization, was sent, and then you can see the second authorization policy has kicked in, right? The guest access has kicked in, and you can also see that particular device was now put into, what, the guest endpoints identity group, right, which is in line with our second authorization policy. So the second authorization policy kicked in, and because of that, you know, finally the session was, you know, created, right? So that's mainly... I wanted to just show you that as well, to see how, you know, the multiple authorization policies are playing together here.

So let's move on to the second one, which is basically, what is the, self registration, right? So you might have seen in some cases, especially in airports, right, or in malls, you will have to create your own account, and then you probably get the credentials emailed to you or sent you an email, SMS, which you can then leverage to connect to internet, right? So that's basically called as self registration, right? So let's get to it, very simple, straightforward, right? So the guest access overview page, this is where I am. Let's quickly jump down to the portals. Now on the portals page you will basically find... yeah, so this is where we created our demo hotspot portal as well, right? So similarly, by clicking on Create, I have created one more portal. Let's get into that. That's basically the self registration portal which I have created. Looks like it's loading. All right, that looks good. This is something which I
probably missed telling out in the previous video. It's a very interesting, you know, workflow which tries to tell you the various, you know, web pages involved and, you know, how each of those web pages are kind of like working together, the loops and all of that, right? Pretty cool stuff. Anyway, so the customization part I'm not going to go into, because I've already showed you in the previous one, right, in the hotspot creation video. It's gonna be pretty much the same; you are free to play around with customization on this page. I think a bunch of things probably, because this is basically self registration, right, and so let me just take you through a bunch of stuff here, right?

So let's probably go down to the portal settings here. The portal will still run on the HTTPS port 8443. You can select different interfaces if you want. You can see the guest portal sequence; this is nothing but your identity store sequence. I could show you probably that, you can change that if you want, but probably not gonna help much because, like I said, in our case the endpoint users are generally not inside, right? Guests are not in our network, so they'll not be present in any of our identity sources, so it's very rarely used. Load probably... OK, so yeah, this is the place where you can like click on any of these and you can probably change the order in which the identity sources are basically consumed. OK.

Login page: over here in the login page you can put in stuff like the AUP policy, right? This is where you can request an access code as well, on top of username and password. I've disabled it, I really don't want that. You can put the AUP policy, right? You're basically telling, you know, the user will have to, when they are logging in, they'll have to accept the policy, right? A bunch of settings corresponding to that. Under the registration form settings you can define what is required, what is mandatory, right? The username, password, this
is basically, we are collecting information from our user, so that's there. And define the locations from where the users are basically going to be connected. The SMS, right: if you want to integrate some SMS providers, there are a bunch of them which are supported here, so you can integrate, so that, you know, the users will basically get SMS as well. Custom fields, right, the ones which we have defined in the previous video, we can leverage if you want. The success page is here. What else?

So guest device registration, where is that? OK, here, let's look at that. So this is the interesting piece here: automatically register, you know, guest devices, because it's self registration, right, and allow guests to register extra devices as well. So this is another interesting piece: if the guests want to kind of register maybe another device, right, let's say they have a printer, right, and they want to register that and give internet access. Because you can only follow the web authentication method only if the device has some kind of a console, right, or some kind of a web browser, because it's all browser based, right? You need to have a browser to at least load that authentication page. But if you're using a printer, how do you give internet connection to it? You will not be able to. So that's where you can use this option to kind of register it, you know, from another device, right? So that's very cool. Then obviously the support page, right, I've showed you in the previous one as well. You can enable this so that, you know, you can let your users collect some useful information before opening your support case.

Coming to the, this thing, though I don't have to show you probably, the results: yeah, there'll be slight change with respect to authorization profiles, right? Nothing else changes, the dACLs will remain the same, only the authorization profiles. I have created another authorization profile called as self registration access here, and the dACL will still remain the same, only
the web authentication part will change, right? So here I have changed from hotspot to CWA. Now the redirection ACL will remain the same, and obviously change this to the portal which you really want to kind of redirect to, right? You are redirecting it to the demo portal, so that's why you select that. Cool, so that's pretty cool.

Let's go to the policy sets, the last part. Again, not much changes over there. The first authorization policy will have to change; the second authorization policy will still remain the same. All of this also remains the same, right, from the previous video. The authentication still remains the same, it's the same logic: we are expecting dot1x and MAB to fail, but when it fails we are not dropping the request, rather we are continuing and we are, you know, handing over the session to this guy, right? So here you see the previous one which we had used, hotspot access, I have kind of like disabled it. I mean, I don't want that to be acted upon, right? I want the self registration, which is exactly similar to this; only the difference is I have selected the self registration profile which I showed you earlier instead of the hotspot access, right? That's pretty cool.

So now let's go and test it. So let's refresh this here, and that's good, so which means we are good here. Oh yeah, the debugs are there. Let's go and enable this guy, right? So we have enabled him, give me a second. All right, so I've enabled it, let's go and see what has happened here. Similar to the previous guy, show auth sessions: you can see the ACL is available now, and, you know, this is the dACL preventing the client from accessing anything else and allowing only the traffic towards the ISE, and this is the, you know, URL, which, you know, sadly I'll have to manually put, because I think it's an issue with all these virtual systems, virtual images especially, doesn't work as expected. Before I do that, let me also show you what has
happened here on my ISE. You can see the first authorization policy has kicked in, which is self registration access, right, and it is waiting for the user to kind of load this. Did I copy everything correctly? I hope so. Yep, that's good. So let's go down here, let's click on this. Now you should see this guy loading the page. Look at this page, it's slightly different when compared to the hotspot one. Here you have the username and password, but currently we don't know the username, password, right? So we have to create one, so let's click on Register. I don't know, I think I've registered with an account called harry before; let me create something called tom, right? So you can make any of these fields compulsory as well. You can select the location from where the user is connecting. I'm just gonna skip all of this and just gonna click on Register. Do not... let me know... OK, so I think I need more, right? So let's do tom 2020. That's a good thing, so you can put in such kind of checks as well, so that's good.

There you go, so the username and password has been created. I can probably quickly copy this to a notepad so that, you know, I don't forget this. There you go, and now let's click on Sign On, and when I do that I'll have to put in this username and I'll have to put in the password. All of this got automatically created, right? I did not have to do that. So there you go, I'll have to accept it and sign on. So when I do that, this is the place where it's asking me, do you want to add any additional devices, right, registered devices? If I want to register a printer or a scanner and so on. I don't want to do that, so I'm going to skip that, and there you go, so welcome, continue to connect to the network. When I click on Continue, I have access now. So let's try that Yahoo. There you go, Yahoo works. Give it a second... yeah, I can see it loading. And the same thing as previous, right, we should not be able to ping, boom, the domain controller, because we have put
another dACL over there, the second dACL. So it's 172.16, I think, 32.40, right? That shouldn't work. OK, so that's mainly it, guys. So that was related to your self registration portal, right? So we did hotspot portal, we did the self registration portal, and... OK, let's also check the logs. Let's look at the change in the logs, right, now that we have authenticated. You should see the second log come in. There you go, so we can see now guest access has come in, which is, the authorization profile has switched from here to the guest access, because of the CoA. You know, even on our device we should be able to see that, right? If I do something like show auth sessions, you'll no longer see the redirect URL, rather you will see the second, you know, ACL visible here. OK, so hope that was clear. That's mainly with respect to self registration portal.

All right guys, let's move on to the next variant of self-service. So this is basically self-service which has to be approved by a sponsor, right? So earlier, in self service, in the previous one, we created a username and password, we ourselves did it, and we used them to authenticate, you know, into the guest portal. But this time we will just register, and then it is up to the sponsor to kind of approve or reject it. So that's something which we'll check out.

So coming back to ISE, let's go down to the guest portals. So what I've done is I have created the demo self registration sponsor, right, a new one, and under this let's have a look at what's happening, right? Name for the portal, pretty straightforward. The rest of the configs remain same as the previous one, except there is a small change. I believe it should be under registration, maybe SMS provider... so this is all pretty much straightforward. I think it's maybe under self registration, let's check it here. Yeah, over here. OK, it's under your registration form settings: you can see you want Require guests to be approved, right?
so that's important, and you need to put in an email address as well, because, um, you know, the notification will basically be sent to the sponsor. But then, since we, we really, uh, don't have an SMTP server, put in some, uh, you know, random stuff, uh, so that's fine. But other than that, the configuration, there is nothing changed from the previous video, it's almost the same. I've added the AUP over here, um, but yeah, this is, this is much it, right. You just, and obviously you have the customization feature to play around. Uh, going back to the very next step, what we do after creating the portal, I think by now you know the format. So we got to go to the policy results, let's see if something has changed over there. So under the authorization, uh, sorry, not downloadable ACL, the authorization profiles, I have created a new profile called self registration access with the sponsor, right. Over here the dACL remains the same, only the change is under the, this thing, what is that, web authentication, web redirection, my bad. So under web redirection we will have to put the centralized, uh, CWA, right, we have to select CWA here, the ACL as we have done in the previous videos, and here you have to select the portal which you want to use. In our case we want to use this demo self register, uh, sponsor. And, uh, the policy sets basically undergoes the same change. Um, you know, we will, we will still not change anything with respect to the second authorization policy, that will remain the same. Only the change would be with respect to the first authorization policy. Let's go down there. So the first, I have disabled the previous two which I've used, uh, I've enabled the new one. Uh, the conditions remains the same, the only change is the results over here, have, you know, I've added the self registration access sponsor, right, so I've added a new one over here. So that being said, pretty much, um, we are set to test this as well. Let's go and do that. So let's refresh the stuff here, let's see where is our client. Our client is here, and let's see if
our... this is pretty good. Let's see, show auth sessions. Okay, there are no sessions currently, so let's go and enable this guy. So as I enable that guy, we should start seeing RADIUS flowing around here. Let's give it few seconds, you know, because it has to, as soon as you enable it, it has to go and get an IP address as well, right, so let's wait for that. I don't see the IP address yet. Let's see what's happening here, show auth sessions. Okay, I can see the downloadable ACL has come in, but the IP address, you know, the DHCP has not gone in yet, so we'll have to wait for the DHCP to happen. Let's wait for a few seconds. All right, looks like we have got the IP now, 172.16.32.3. So let's do the same process which we do, which we have done till now. Let's go and grab that, uh, you know, URL, right, the redirect URL, because, you know, because we really can't, uh, get this to work on this virtual, you know, system. I think it's an issue with the images, I guess. But anyway, so let's get the URL to work, and this is what you get, right. So looks almost similar to the previous, uh, self, you know, self registration portal. The only difference is, let's try to register now. So it's asking me for some stuff, that's, um, given name as what, Philip, probably Philip 20, and that'll be our user, Philip 20. That's putting the first name, probably the rest of the stuff. Probably will have to put in an email address as well, so it's a Philip 20 at, I don't know, xyz.com, right. So let's register this one. So it's gonna give me an alert saying that, you know, the SMTP server is not configured, so the email cannot be sent, but that's fine, we know that, right, we have an issue with our SMTP. But you see, this is what you get as soon as you register. So I'm gonna say I agree, and I'm gonna sign on now, but I really don't have the username password yet. So by, if you had configured, if I had configured email or SMS service, then I would have gotten, you know, the stuff. I mean, not yet, because, you know, the sponsor has not yet approved it, right. So let's go down and do that. So
for the sponsor to approve it, we'll have to go down to guest access, manage accounts, and over here let's click on the manage accounts page. There you go, the page is loading. All right, looks like it has loaded. This is what you see. You also can create your own accounts, but in my case I'm probably gonna go down to the pending account. So this is where, you know, as a sponsor, um, you know, there is, uh, there is a tab here which allows me to go and approve any of the pending requests. All right, so you can see this. Actually, let me click on this one and let's see, uh, the various stuff which is there under it, right. There you have, um, you know, the username, password and all of that. Let me just grab all of this and probably save it, because I would need this to then go and log into the other box, right. So let's go down here, let's probably save it here. Okay, so that's fine. Uh, now I have to approve this. So it's going to ask me for the sponsor's email ID. I'm just gonna put this. It's probably gonna give me an error, but that's fine, because I really don't have this SMTP server set up, right, so the emails would basically not go. That's fine, I guess. All right, so there you go, all the four users till now we have created is visible here. Philip is the latest one, so let's go and, uh, you know, probably log in using that. Let's go to fill, put in the username as Philip 20, the password is gonna be this one. So let's go and do that. Let's agree, let's say sign on, and I'm gonna skip the device registration. Let's click on continue, and there you go, it's success. So let's go and try to access Yahoo. Let's do the other check which we have been doing, let's see if we are able to do a ping to my domain controller, which shouldn't go because we have put that as a dynamic ACL, right, 16.32.40. There you go, so that is not working, we are not able to, uh, I mean, the ping is not going to the domain controller, as expected, and your internet access is available, right. So that was, uh, domain, that was basically self registration with, um, you know,
the approval of your sponsor, right. So that was it guys, hope you, that was useful.

Oh, let's move on to the last variation of guest access, which is the sponsored guest portal. The difference here is that, you know, there is, there will be someone like a sponsor, right. You would have seen in the previous video, the sponsor was approving the accounts which are created by the guest. But in this case, uh, the guest will not be able to create an account, rather, you know, the sponsor will have to proactively kind of create it, um, you know, earlier, and then, you know, provide it to the, uh, guest, right. So, uh, but then when you talk about sponsor, your questions would be, who is the sponsor, right, and what are his permissions, does he have his own portal? Yes, so we will basically go about configuring that in this video, right. So, uh, to start with, um, let's go back to, uh, what we have been doing. The first step would be to go to the portal components. So here you can see there is a new portal which I have created called demo sponsored. Pretty straightforward, I would say, like the other, uh, you know, portals which we have created, right. Uh, pretty, uh, you have the portal settings here and the login page, right. By now I think you guys would have got an understanding about how to do this. I think I put an AUP here as well, um, you know, on the login page. Um, apart from that, yeah, pretty straightforward, I mean, nothing fancy here. You, you are free to play around, add more stuff, you know, go through all the settings, you can customize it. We are not going to customize it in this one. Uh, let's roll down to our results here. Obviously the only difference would be, uh, till now like how we have done, the only difference would be going down to the, the downloadable ACLs, all of that remains same. I have just created another authorization profile called as sponsor, and, uh, even here the dACL will remain the same, only the difference would be with the, um, CWA, right. The, the only difference is the value of the sponsored portal would be, uh, different
from the, what we... from the one we have created before. Here it is demo sponsored, the one which I just now showed you, right. And coming down to the policy sets as well, the only difference you will see is that under the first authorization policy, right, basically I would have created a new authorization policy, right. Let's see that. All right, so here you can see under the authorization policy I have disabled the earlier, you know, authorization policies which I had created. I created a new one which is called sponsored, and I've added the sponsored profile here, right. But now, uh, because it is sponsored, we'll have to do one more extra step, which is playing around with the, let's go down to, um, let's go to the portals. So we'll have to create another portal, which is for our sponsor portal. So you can see on the left hand side, till now we have been playing with the guest portals, so we'll now create a sponsored portal. Before that we could probably create a sponsored group as well, right. So you can see there are already pre-populated groups. I have just created one extra group called demo all. I think the group number one, three and four, these are ones which automatically, you know, they come by default. So I've just duplicated one of them and I've created a new, uh, you know, group called demo all to be used. Uh, this is basically like a, um, has all the information around, uh, you know, the sponsored permissions, who are, um, you know, allowed to be sponsors and what are the permissions, how long, um, you know, what, what kind of accounts they can create, how many they can create and all of that, right. So that's pretty much here. We will basically be using the sponsor group inside the sponsored portal, which you'll create by clicking here, right. So here on the sponsored portal page you can see I have created a demo sponsor portal. This is the new one which I have created. You will get one by default, you can just take that and duplicate it and, you know, edit it as per your requirements, right. So here you can see,
pretty straightforward, this is also having a look and feel of your guest portal, but this is the sponsored portal. Um, you can do the customizations if you want. Uh, you can see the various stuff over here, right. You can, you can even add an FQDN name, like, you know, the fully qualified domain name, uh, something like sponsor dot, I don't know, example.com, and then you, you can directly reach to that, right, using, using that particular URL, right. And the only, uh, thing here is something different is you're using the port 8445 when compared to, you know, the other portals. The login settings, all of this looks pretty straightforward, nothing much of a difference here. So let me... you also have the link here to test your portal, you can bookmark this link and keep, right, in case needed. So in our case what do we do, we will, let's go and check what we have created, right. So I'm going to login with the user which is present in my Active Directory, which is going to be alice, cisco123, I guess. That's loading, right. So this is the portal where the sponsors will basically come and create accounts. So, uh, let's go and click on random. So I've already defined, uh, kind of like a prefix, right, uh, while doing the settings, so any usernames will have this prefix. Let me just create one account, probably a new account, right. So, uh, I can create up to maximum of 200 in one shot, so if you have like a bunch of people coming to your office, probably you can create such kind of accounts and, you know, probably print it out and give it to them, right. Uh, then let's select the timeline. Um, just because I'm not sure what my other VM, the timezone of that VM is, so I'm going to, to be on the safer side, just select the previous day here, so that, you know, they are valid for, let's say, five days. Okay, there you go, we created, okay, so that's the username, password, right, which we have created. So let's, uh, kind of like go and copy this and, into my other machine over here. All right, so I've copied it here. Let's click on done here. So it'll take
probably a couple of seconds to fully create it, right. So looks like our new account has been created. Let's go back and, uh, you know, enable the adapter now, right. So we should see our RADIUS fly around here. Let's wait for a few seconds until our client gets the DHCP. Let's do show auth sessions interface ethernet 1/0 details. Okay, I still don't see the DHCP, let's wait for a few seconds. All right, so looks like we have received the DHCP now, which means we are good to pick that URL like how we have been doing it till now, right. Let's, let's copy that, uh, redirection URL and let's pick this one. Like I said, uh, you know, you don't have to really do this in actual, you know, network with like proper devices. This is just a, you know, trick or a hack way to get it to work in your, at least the image which I have, if the automatic redirection doesn't seem to happen. Cool, so it's asking me for the username, so now it's the time to go and check if this username works, the one which was created by the sponsor and provided to us. Let's pick this one, let's click this, let's say sign on, and there you go, it says you now have connection, internet connection, right. Let's do a, let's go and check if you can connect to Yahoo or probably YouTube. Let's do Yahoo, right. There you go. So while that happens, let me also see if I have connectivity when I shouldn't have connectivity to domain controller, so that's 172.16.32.40. There you go, I don't seem to have it, which is in line with the, um, you know, dynamic ACL, sorry, with the downloadable ACL which we have put, right, as part of the second authorization policy.

Cool, so that basically concludes, uh, everything, you know, I know about the guest services, right, in ISE. I think I've kind of covered almost everything, right, all various types of guest service portals which you can kind of create. So just to recap, before that let me just look at the logs of RADIUS here. Uh, you can see, um, you know, the first, uh, attempt was seen here, right. This is when, um, you know, the wired MAB
authentication, when it went in, and the sponsor authorization profile was triggered, and then, you know, the user, uh, you know, went down to the, uh, you know, open the browser and we loaded the URL, right, which is the guest URL or the guest portal, and over there, you know, we provided the username and password which was provided to us by sponsor. And once that happened, you know, you can see the switch in the authorization profile, right, it has changed from sponsor to guest access, which is obviously elevated access, right. And meanwhile you can see the corresponding, uh, um, you know, user or corresponding, uh, client has actually been added to the guest endpoints as well over here, right. So, uh, uh, that's mainly it guys, uh, hope you like this set of videos, I believe mainly around guest services in ISE. To summarize, we looked into, uh, four various variants: the hotspot portal, the self registration, third one was the self registration but with the sponsor approved, and the last one was sponsor, you know, was the one who was basically creating the accounts and sharing it with the guest users, right. Thanks for watching guys, have a good one.
Info
Channel: BitsPlease
Views: 1,957
Keywords: cisco, ise, security, ccie, guest access, sponsor, hotspot
Id: sMokab2LA54
Length: 53min 0sec (3180 seconds)
Published: Tue Jul 28 2020