Cisco ISE: Wireless dot1x and Guest access

Captions
Hey folks, welcome back. This is Joelle, and in this video we will look at ISE and the wireless network. We have talked about ISE with wired networks in my ISE series, but I've been getting a bunch of comments where people are asking me if I can make a quick video on how you provision a wireless network, probably for a small office or a building, and then how you make your life easier integrating it with ISE, basically the whole wireless provisioning. I've actually already set up the lab, and the configuration, the policies, everything is up, so I'm going to take you through it in this video rather than configuring it, because configuring it would take a lot of time. I'll take you through the whole flow and we'll try to look at this.

That being said, what do we have in my lab? A very simple switch. I have a Cat9k switch; technically you can use any switch, even a Cat3k or any older switch. Just a disclaimer: I'm not doing this on EVE. You can technically do this on EVE as well, but I'm using physical gear here, I'm doing it in an actual lab. So I have a switch here, a Cat9k, and I have an access point, which is a 4800 access point. I'll write it here for reference: this is the 4800 access point which I'm using. The switch is connected to the AP over a trunk link, because we really need multiple VLANs here for different SSIDs. Let's quickly have a look at the configuration of these two links, because the switch is connected to the AP over a trunk link, and the switch is then connected to the data center, which is nothing but a UCS box, again using a trunk link. So let's quickly have a look at that config.
This is my switch. If I do show run interface gig 1/0/12, I think we should get it. Yeah, there you go, so that's my access point, and you can see my native VLAN is 2060, and this is basically what I'm using. I have 1030 as my VLAN for my corporate SSID. Like I said, I'm not going to go very much deeper into the wireless section, because that's a completely different discussion, just the stuff which is needed for our lab here. So VLAN 1030 is the corporate SSID, and 1070 is the guest SSID. Forget about 1090; 1090 is basically a quarantine VLAN which I'm playing around with, and 2060 is basically the native VLAN and also the management VLAN. The most important ones are these two, 1030 and 1070, which we are going to use. So that's the link which is connecting to the access point.

Let's also look at the other trunk port, which is the uplink to the data center. I'm just calling it the data center, but it's actually just my UCS gear. I think that's basically 1/0/24. Yeah, there it goes. So that's another simple trunk link, and these are all the various VLANs. Again, these are a bunch of extra VLANs which I'm playing around with for some other things in my lab; the ones which are going to concern you are 1030 and 1070, so those are enabled here, and obviously the management VLAN 2060 as well. Cool, so that's mainly the configuration on the switch, guys, nothing very complicated, because with respect to wireless there is nothing else which happens here. The switch basically gives power, because this access point is PoE based, so it gives power to your access point, and once the access point comes up, it will come up on this particular interface.
Depending on how ISE is configured, you either get VLAN 1030 or VLAN 1070; depending on the policy which has been configured on the WLC for that particular SSID, you either get 1030 or 1070. Once you get that particular VLAN, then obviously... okay, so maybe let's look at the SVI: show run interface vlan 1030. This is what happens once the client connects to the corporate SSID. This is the SVI to which it connects, or basically this is the VLAN in which that particular client is put, and the very next thing which has to happen is DHCP. There you go, that's the DHCP part: these are the DHCP servers to which it will connect and try to do the whole DORA process until it gets an IP, and then obviously you are inside the network. So that is basically your wireless WLAN or SSID, that's how it works. With the other one, 1070, which is the guest VLAN, there's a slight difference obviously, not with this section, this will still remain the same, but there is a slight difference with respect to how ISE is configured, so we'll look at that as well. I just wanted to quickly show you what's happening on the switch side so that you're not left in the dark; it's pretty straightforward on the switch side. Okay, so we are good on the switch.

So what has happened now? Our AP has been brought up. Maybe let me spend a couple of minutes on the AP as well, because if you are very new to wireless and not very sure how to proceed, I'll quickly give you an idea. For this lab obviously you want an AP and you want a WLC. The AP has to be physical hardware, because you can't virtualize APs, but the WLC can obviously be a virtual WLC, no issue there.
So let's first go and look at the version of the WLC which we are running. Before that, if I go back to my diagram, this is my data center, and I also have a jump host here, and using that jump host I'm able to connect to any of these VMs. So let's go to my jump host; it's here. Okay, give me one sec. That's my jump host, and this is my WLC. Again, installing the WLC and all of that is probably not part of this video; it's pretty easy to install, it's just a VM, you go onto your vCenter and deploy it, and obviously you've got to put some management IP address on your WLC. In my case it is 10.20.60.33. The thing to note here is the software version. You see the version of this WLC is 8.10.130.0, which means if I go back to my documentation... I've pulled out this documentation, the Cisco wireless solution software compatibility matrix; you can see the path here, it's basically a WLC and AP compatibility matrix. If you scroll down, these are all the latest APs and WLCs, which we are not using. If you haven't explored them, go check out Cisco's embedded WLCs; the latest ones are basically the 9800, based on IOS XE. But we are using the older WLC, which is the AireOS one, over here. Now, the version which I showed you earlier was 8.10.130.0.
This was the version, and the AP which we are using is the 4800 AP. If you see here, the matching for this particular AP and this particular version of WLC, the access point release should be this one, 15.3(3)JK3. So what you have to do is go to the Cisco software center, click on Software Download, search for 4800, and click on the lightweight AP software, which is 15.3(3)JK3. You just have to take this one, and using the console or a USB drive you should be able to upload this software onto the AP. Then clear any existing configuration: if the AP has any old configuration, reset it, do a factory reset, and when the AP comes up it will come up with this new lightweight access point software. That's the only thing; it's zero touch, you don't have to do any configuration as such on the AP, because as it comes up it'll do the DHCP query and everything is taken care of. I'll go through that process again, but I'm just quickly covering everything which is needed for the lab.

Cool, let's go back here. We talked about the switch, we talked about the access point, we talked about the compatibility matrix and stuff. Now let's look at our data center. Let's go one by one; let's go to the WLC again and look a little bit from the WLC side. Where is my WLC? It's over here. Like I was saying, I'm not going to take you through every single configuration on the WLC, because this is not a wireless video as such, but some basic things which you've got to know: obviously have a management IP for your WLC; if you want you can also put in a DNS name as well, not mandatory. Apart from that, this is a very quick view to understand how your APs are working.
You can see in my case I have the AX radios; the first one is mainly for your 5 GHz and the second one is mainly for your 2.4 GHz. You can see all my radios are working fine; I am using the dual band radio, so you can see total two and up is two. I'm just concerned with this. If you're using different APs, just make sure your radios are up, because without that obviously the SSIDs will not be visible.

That being said, what else? Let's go to the WLAN section. What is a WLAN? This is literally the place where you define your SSIDs. In my lab we are going to have two SSIDs: one is basically the corporate SSID and the other one is the guest SSID. So we're going to click on the corporate SSID here and we'll see some configurations. If you want to replicate the same thing, you can give any name to your SSID; I'm just naming it Mango Lab Corp. The very important thing is the interface, this one. Let's open one more tab here so that I can show you where you define that interface. For that you'll have to go down to Controller, then Interfaces. This is the place where you define the various VLANs; you can click on New, and this is where you define the VLANs for that SSID. In my case, like I said, two important interfaces have to be defined: one is your VLAN 1030, which is your corporate SSID, and the other one is the guest one, 1070. You define 1030 as the VLAN identifier, 1070 as the VLAN identifier for the guest, and the IP addresses as well. It looks like these interfaces are using DHCP; you can even define a static IP as well.
You can see this will match with what I showed you on the switch earlier. Let's go back to the switch: you can see it is 10.10.30.1 and 10.10.70.1, so that's the subnet. If you go back to this guy over here, you see 10.10.30.2 and 10.10.70.2, so that's the same subnet from which the corporate VLAN and the guest VLAN are sourced. So that's where you define the interfaces, and once you define the interfaces you come back to the WLAN settings and in the drop-down you select the interface. You are basically telling it: look, this particular wireless network is locally switched, which means the access point is literally dumb; it won't do any packet switching, all the packets are sent via a CAPWAP tunnel to your WLC, and the WLC is the guy who is going to switch it for you. So we are basically telling it: look, when you get a packet from the SSID Lab Corp, send it on VLAN 1030. That's what we are doing.

Security is very important. We are using WPA2, in fact the enterprise edition, not the personal edition. We are using enterprise because 802.1X is what we want to try; this is literally wireless 802.1X. So enterprise WPA2, nothing complicated apart from this, and enable 802.1X here obviously. Let's go to Layer 3: again there is nothing there. For the AAA servers you obviously need to set up your ISE; provide the ISE IP address. This is my ISE, 10.20.60.8, that's my ISE IP. So that's what you set up, and the port obviously for RADIUS. So for the authentication the WLC is acting as the NAD here. I think that was pretty clear: just like in your wired authentication your switch is acting as the NAD, in the case of wireless your WLC is acting as the NAD.
So all the authentication requests are proxied and sent to your ISE, and ISE is the place where we are actually doing the authentication. Cool, so we're done with that. There's nothing in QoS and Policies, and in Advanced as well I don't remember doing any settings, so all of this is pretty default. That was about one of the WLANs; the same thing goes for the other WLAN, which is the guest one. The only difference is you see here the VLAN is different, it is 1070. Also remember to broadcast the SSID in both cases, otherwise it wouldn't work. So that's mainly it. Apart from that, what should you know? That was about the WLAN section. In the Controller section there's nothing else which I can think of, pretty straightforward; I showed you the interfaces, which was the most important part, and the rest is all straightforward stuff.

Let's go to the Wireless section. This is where you can see your APs. This is my AP; it looks like my AP has been issued an IP address, because it is using DHCP. What we have done here is we are using option 43. Option 43 is a very interesting way, instead of statically defining the WLC IP on the AP: when the AP comes up, using option 43 we can tell the AP, look, this is your WLC. So that has been defined on the DHCP server side, and as a result the AP is able to come and register to the WLC and get an IP and everything. Again, like I said, this is very basic wireless stuff which I'm not going to double-click on much here.

Anything on the security side? Yeah, here we would probably have to think about the ACLs. Where are the ACLs? That's important. ACLs are very important, because like I said your WLC is the guy who is going to switch the traffic.
If you look at my topology here, all the traffic from these clients is basically going to be using CAPWAP; it is going to be proxied up to the WLC, and the WLC is the one which is then going to send the traffic to the required destination. So the access lists, access control, QoS, everything should be happening on the WLC. That's why you can see here we will need to put in some kind of access control, and that's why we have a bunch of ACLs. These ACLs are pretty straightforward: you have a permit-all-traffic one, which from the look of it is obviously for your corporate SSID, whereas there is a redirection ACL which I will touch upon again when we do the guest part, and then there's a guest ACL as well, which again we will talk about when we do the guest part. Apart from that, this is straightforward stuff: all your ACLs are basically defined here on the WLC side, and that's it. The Management section is not very relevant to our discussion, so that's about your WLC part.

Once we are done with the WLC, let's go back here. We are done with the WLC; let's now go to the ISE part, the most important guy. Where is my ISE? Let's go back here and come here. I believe I have my ISE here; yeah, there we go, so here's my ISE. On the ISE side the first thing you would do is go down to Administration > Network Devices. Let's see if the WLC has been added. Okay, there you go, we have the WLC. Let's click on this guy, and you can see the WLC is here, the IP address is here, the same IP which I showed you earlier, 10.20.60.33, and we have enabled RADIUS obviously, because, like I showed you over there in the AAA servers, the same secret should be mentioned over there as well, otherwise it won't work.
CoA is important; CoA is here, you can see the CoA, but you don't have to enable it, I think it's enabled by default, so that's good. TACACS+ is basically for authentication into the WLC, which is not very relevant, not mandatory, and SNMP is also not mandatory. The only mandatory configuration here is the RADIUS part, because we are using 802.1X. Cool, that's good.

For the next part, what we will do is check if our corporate SSID is working. We'll try to connect to it, see if it is working, and then trace the whole set of policies which are being used for that. So let's go back to our browser where I have my client. What we are doing is connecting to this blue client right now. So we'll go to the blue client, which is over here. Okay, so this is my client. Think of this guy as an employee of that corporate company, and he wants to connect to this particular network, the corporate network which we have set up. What will he do? He'll go to his Wi-Fi section, the wireless section. We're going to click here, and you can see both the SSIDs are visible. We have set up two SSIDs, one is your Mango Lab Corp and the other one is the guest one, and both are visible. So what is he going to do? He's obviously going to click on the corporate one. Before we actually click, let's also go to our ISE, open Operations, go to the Live Logs section and keep this ready, because it will be useful for us to see the logs. You see the last log which has come in is from Mango Bob. So let's see what is going to happen when this particular user connects to the network.
So let's come back here. I'm going to say connect, and obviously when I say connect it's going to ask for a username and password. Where is that? Yeah, there you go. In my case we are using domain users, which means I can say use my Windows user account. Why? Because this particular domain user has been defined on the Active Directory. This is my Active Directory; you have seen me deploy Active Directory in my previous lab as well. Actually, I've used Active Directory in so many places on my channel, so you can go and check anytime how to set up Active Directory, how to use it and all of that. But this is what we have done: this is our Active Directory domain, mango.local, and in that we have all the computers (this is mainly for your wired corporate network), and we have defined some users. You can see the user with which we are connecting right now is Eric. If you double-click on this guy you will see that he is a member of mango.local, so this is a domain user, one of the domain users of this particular network. We'll come back here and say yes, go and use Eric's credentials; we're going to click OK and say connect. Now it's trying to connect as the domain user, so let's wait a couple of seconds. Ah, that didn't work, or did it? Let's try once again. Okay, there we go, second time's the charm, it's connected. Pretty cool. Now let's see what has happened. Let's go and see if this guy got an IP address: go to the command prompt, ipconfig, there we go. It's got an IP address which is in the same subnet range which I showed you earlier, 10.10.30.150. 70 is your guest; for your corporate wireless VLAN it is 10.10.30.150.
So we are on the right track; we have received the correct IP. Next, let's investigate what has happened from the ISE side. There we go: you see a bunch of cool things. See, this was our first attempt, which did not go through, so that's why you see a red mark here, but it finally went through. Now if you scroll a little to the right-hand side we get a much better idea of what is happening. You can see it has profiled the endpoint as a Windows 10 machine, which is correct, but the important stuff is this: what is the authentication policy which it has used? You can see the authentication policy it has used is this one, Wired/Wireless EAP chaining, and we'll look at that in a minute. Let's scroll to the right and see if there is anything else we want to understand out of this. Nothing much; an authorization policy as well. You can see the authorization policy, it is PEAP wireless, that's the one.

So where do we find these guys? Let's go to Policy > Policy Sets. These are all the policies, again very similar to what we did on the wired side, nothing difficult, nothing different at all. The only difference is we have a few more policies here, that's it. So which policy matched? It was the first one, and why did this match? If you see here the conditions, this is actually a combined policy for both wired and wireless. Forget about the wired part for now, because we are really not doing wired; we could, but we are not doing it right now. For this particular client we are doing wireless, so this is going to match. Let's actually click on this small arrow mark on the right side so that we get more insight into this particular policy. You can always edit this; you probably know that by now from my previous ISE videos.
You can click on the pencil mark and change the authentication conditions, you can drag and drop, and add new ones as well. But currently we are telling it: look, if we are getting an authentication request from wireless 802.1X and from a particular SSID, which is Mango Lab Corp, then it is going to match this. I want to exit without saving, so click OK; I don't want to save anything. Good. So we are basically matching wireless 802.1X and the SSID, and as soon as it matches, click on this first arrow mark, which is the authentication policy. Let's click on that, and you see what is happening is it is checking if the user is actually part of an identity store. Here you can see we have used two identity stores: one is internal and the other is the Mango corporate one. In short, what we have done is we have integrated this ISE with our Mango AD. Let me show you that as well. Where do you do that? If you go to Identities, click on this in a new tab. Again, all of this I've already done in my wired section, so I'm not spending more time here, just showing you quickly. If you go to External Identity Sources, you can see there is something called Mango ID here, and there we go, it's operational. So we have connected our ISE node to the Active Directory which I showed you earlier in my other browser, and you can see it's operational. Because of that, this authentication is passing, because we have actually authenticated with a valid user, Eric, who is part of the company. Now once that authentication has succeeded, the authorization is going to kick in.
If you remember from the log (I probably closed that window), the log basically said that the authorization policy which matched was PEAP wireless. Why? Because obviously the authentication protocol which matched was PEAP, and the user was actually part of the Mango Active Directory, so that's why this particular authorization rule is going to match. So what is the authorization rule? It basically provides the authorization profile which is going to be attached to that particular user, or mainly to that session. We can dig deeper into what this is: this is Corporate Asset Wireless. Where do we find that? Let's go back to Policy Elements > Results, go to Authorization Profiles, and here you will find the one which is Corporate Asset Wireless. If you click on that, you can see the access type: it is permitting access. If you scroll down to the very bottom you get a clear view of what is happening: all the traffic is permitted, because this is a valid user of the corporate company. We can validate that as well. This guy has got access; if you go to his browser, there is a small link here to access an internal resource of this company, which is FTP. I can do an FTP, and there you go, I can access it. But I will not be able to do this when I authenticate using guest: if I connect to the guest SSID, the guest SSID has just internet access, and as a result the guest will not be able to do this. So that's the corporate SSID. Now let's switch our attention to the second one, which is the guest SSID.
All right, so for the guest, where do we go? Let's go back here. This is obviously the PC of an employee of the company, and that's why he was able to access the FTP. Let's go to another PC which I have here; again this is a VM with a wireless adapter connected to it, so we can test out the guest access as well using this. What we're going to do is the same process: connect to the SSID. Let's go back and quickly check if our ISE is all right. Let's go to ISE and keep this window open here; let me close this other stuff which is not really needed. You can see the last user who got authenticated was Eric. Let's keep this in mind, because now we're going to go back to the guest machine. This is the SSID of the guest, so I'm going to say connect, and let's see what's going to happen.

For the guest SSID (I'm not sure if you can see that), what we normally do is we don't use 802.1X, obviously, because whoever is visiting your campus, your company or enterprise, they are not part of your company, so they would not have accounts in your Active Directory. We can actually check that: let's go to my second window, go to your WLANs, and click on 2 here, because that's the guest one. If you go to Security you see it is Personal; we have not selected Enterprise here, it's Personal. When it is Personal we have to define a password, so that's what we have defined, the WPA password, and I know the password, so I'm going to use that password to connect to this guest SSID.
Let's use the password; sweet, looks good, and I'm going to say next. Yes, I'm connecting. There you go, it looks like it is trying to connect and it is trying to do some redirection. Ah, there it goes, I have got a guest access portal. Cool. But before proceeding let's do the same exercise: go to ISE. There is my ISE; see what has happened. I have received a new entry for this particular PC, and it looks like this is the MAC address of that particular PC. We can confirm that as well, just so that we know we are doing the right thing: let's go to ipconfig, ah, sorry, with the forward slash option. Okay, there you go. That should give me the MAC address, and you see the MAC address here starts with d0 and ends with 58, and that's exactly what we saw over there as well; it starts with d0, so that's the exact client which just came in. But what do we see here? We see something different. Let's scroll to the right-hand side and see the difference in the policy which kicked in. For the employee, the corporate user, this was the policy, but for our guest user this policy kicked in: the authentication policy is Wired MAB, and then it went to Default. The authorization policy, I mean the authorization, has not even happened yet; that's why nothing has changed here, it's still the same. And what has happened on the right-hand side of that screen? There you go, the authorization profile which has kicked in is this one, called Guest Redirect.

Okay, now let's explore all these guys. Let's go again to our Policy Sets, open this in a new tab; it's coming up, it's a bit slow. Okay, there we go. So the Wireless MAB, this was the authentication policy, the third row, which kicked in.
Let's try to understand what happened here. It was obviously Wireless MAB; the condition is correct, because this particular user is not part of the AD, so obviously nothing else matches above this. If you go back here, step number one will not match because it was not part of the SSID Mango Lab Corp; step number two will not match because it was not Wired MAB; the only thing which can match is Wireless MAB, and the SSID which it belongs to is the guest one. Let's click on that and look at the authentication policy, which is very interesting here. If you see the authentication policy, we are telling it: look for this particular MAC address in the internal store or in the Mango corporate store. But the funny thing is this MAC address will not be in either of those places. So what is going to happen? Are we going to drop this session, drop this user? No, we are not going to drop it. See here, we have a special option which is set: if user not found, continue. This is a very key point when you are doing guest access. We really need to make sure that we don't drop the request, or reject it rather; if the user is not present we are going to continue. If the authentication fails, obviously go for a drop, but in this case the user itself is not present, so we're going to say continue, using the continue drop-down.

After that, what authorization policy kicked in? Let's look at the authorization. There are two authorization policies here which have been added: one is called Default and the other is Guest Access. Currently, if you remember from that log (I think it is still here), the authorization policy which kicked in was Default, and as a result the redirect authorization profile was assigned.
assigned so let's go back here and check so the this is the default one right and the profile was guest redirect now let's look at what this guest redirect is let's again go back to probably results so the guest redirect is very important right because what we are trying to do is let's look at that acl to begin with right we are basically tracing back the whole journey to understand what is happening right so if you go to authorization profiles you will basically find uh you know authorization profile called guest redirect right and if you scroll to the complete bottom you get to see what this guy is trying to do or using this particular profile you can see here you're accepting the session right but at the same time you are you are sending or you are returning a acl right acl called as a web of redirect right and you're also redirecting the session to a particular url there you go right so this is a url and this is exactly the url which we just now got hit right you see this url right which we saw in the uh here so this one right this url sorry here right guest internet so this is a url which we just now hit right looks like it got timed out but that's okay um but that's the url which we got hit right so this is very this is exactly which we have discussed earlier as well in the guest uh of wired uh uh section as well what we do in guest access is we don't want to obviously give access to the user blindly we want to you know i mean there are different ways to do it again you can do it using a hotspot portal you can do it using a uh you know self uh registered you know internet access what we are doing here is more of a self registration plus you know the sponsor has to approve it kind of process right so what i mean by that is let's go back here so now the user has been redirected to this url right before that there is one more thing which i want to you know quickly comment of before we forget it right so let's go back here we were tracing that's where is my yeah 
so we were tracing this right we saw this acl right you might ask okay where is this acl defined right this acl is defined on the wlc so let's go back to the wlc and let's go to security and under acls i showed you this earlier i told you that we will come back to this when we talk about guest and there you go right acl about redirect let's look at this asia generally in this acl the section which is of very interest for you is the deny section right so let's observe the deny section here right the permit section is your permitting you know traffic to the dhcp so that you get some ip address right because the client has to talk to the dns php so all of that is permit but what is of interest to you is the deny section so there are four lines of deny section here right and you can see the deny section is basically denying any traffic to http right any http and https traffic you can see here in this four lines right so that's exactly what we are trying to do we are telling that look if you are if you are a guest you are connecting to my network right what we are doing is any traffic which comes to from your client we are going to match it using this acl right and generally what people do is people as soon as they connect to the internet right as soon as they connect to ssid they open a browser to try to browse something right so when they do that these lines match right in the redirect acl which is defined on the wx right so it will match this acl and the traffic will be redirected to all it will be redirected to that redirect url which was provided by ice right then your redirective which i just now showed you over here this one right it gets redirected over there right so that's very important so now what we'll do is let's retry this hope it's let's retry i hope this session is not okay so there we go so we have this but we really don't have a username password so what we'll do is we'll click on don't have username password so this is uh this is exactly what we did 
in the spa in the previous videos right in the guest access so we are going to create a user right so we create a user called i don't know maybe a new user let's call this guy as tommy right and maybe last name is something like p email address so i'm gonna say tommy at xyz.com doesn't matter right the email address i mean technically the email address matters because you know the username password is kind of emailed to you but then in my case i don't really have a exchange server for this user so i'm gonna just go with this that's fine there's a company name i'm gonna say just xyz doesn't really matter the person you are visiting so this is important right so remember we have already authenticated a user who is part of this company who is eric right so we are going to put his email id we are going to say eric at right eric at mango dot local so that's the email id of the employee of a company right so this is the sponsor right we have talked about this before uh you can go and check my previous guest access videos where we have talked in detail about what is the sponsor and all of that so we're going to put the email id of the sponsor and the reason for the visit i know maybe visiting a friend right can be anything right and then i'm gonna say register awesome so now looks like it has registered so what is going to happen is our eric will basically get an email so let's go to eric's email box right so there you go that's eric so let's click on eric and sign into eric's email box and uh don't update yeah and you see we have received an email right and it's a guest approval email right it's basically telling that look let's probably pull this a bit on the left it's basically telling that look there is a guest who wants to visit and he has put you as the sponsor would you want to approve it so i'm going to say yeah go ahead approve this my friend right so here for approving i'll obviously need my credentials i'm going to say eric and what is my credentials i know my 
credentials i'm not going to tell it to you but let's see if this works ah that didn't work let's try again yeah there we go that works uh and you can see tommy has been approved right now normally tommy would have received an email now with the whole his username and password but since we don't have an exchange server for him so what we'll do is we'll again login to the sponsored portal and we look at the password right so the sponsor yeah sorry or we could probably do that from probably from my jump post as well i think i already have the url saved over there so it's better to do it from there not here yet okay so let's go to sponsor right so i'm gonna again log in with my eric right yeah okay okay and the password is going to be save yeah there you go so uh and you can see here that is called something called as manage accounts right again how to set up the guest portal and all of that we have already covered right um but if you really want to need to just touch base on it we can quickly go through it so under the advantage under the sorry work centers you have a complete workflow for guest access here click on that and it clearly goes through everything you need to do to set up the guest access but the main thing which we are interested is the portal so if you go to the portals and components you can see uh the guest photo which has been set up here right so the mangoes have signed portal and the self-registered guest port right again this is very much clearly explained in my previous video i'm not going to again spend more time on this that's why i said the configuration of this session is too big so i did not want to do all of that on the video rather take you through it that way you know we can concentrate more on the theory and understanding the concept right coming back to the sponsored portal so i have logged in as eric and you can see the user has been basically seen here and there you go the password is available here right this is my username which is 
tommy xyz.com and the password is 969564 cool so let's go back and try that now right so let's try here we are on the guest machine so i'm gonna say tommy type that out okay tommy xyz.com and the password is i forgot was it 93 something let's check that again it was nine five six four okay let's do that again nine five nine five six and four okay i'm gonna say sign on ah there you go so looks like it has authenticated me i'm gonna say don't save scroll down let's accept this uh aop right it's like acceptable use policy which will say do this do that don't do that and all of that so i'm gonna say accept it and within few seconds we should be authenticated right so it is trying to authenticate you can see there is a small yellow mark which is still saying no internet but this should quickly in another few seconds there you go right it got connected now we have internet access we can check that out we can say you know google.com and we should be we should have internet access right let's wait for a second now there we go right so google came up but we will not have access to the internal network which is the ftp you know ftp server which is internal right that one will not have or we can just open it in a new tab as well there we go that will keep on buffering we will not have because this guy is not a actual you know employee of the company so he will basically have only the internet access and that's the that's the reason why we put it in a separate vlan right good so that's good final touch-up is let's go and look at the ice all right let's go to the eyes see there you go uh we had we had worked or we have worked our way till where till uh let's go to the left yeah we had worked our way till here i believe right till before tommy okay till here right till this line but now that tommy has come you can see what has happened right looks like we got a blue session here which means the session has been initiated everything looks green which means authentication has 
passed let's scroll to the right hand side to see what has happened the authentication policy still shows wired map which is correct and there you go the authorization policy earlier it was going for default now it is going for guest access right that's the difference and the authorization rule authorization now this thing the authorization profile has changed from guest redirect to guest access right we can quickly have a look at that so let's go to our policies maybe we can just go from here right so if we go to policy sets again we are interested in this wireless map so let's go here we we looked at the all of that stuff we had looked we had looked at the default earlier we looked at how the default authorization policy was getting kicked in but now what has happened is once the user you know was registered once the user registered and was approved by a sponsor right what happens is that users mac address will be added to a internal identity group called as guest endpoints right and when this rule matches you see we get the guest access authentication profile authorization profile right what is this guest endpoints we can go and quickly have a look we will go to identity groups right so that is already configured on the portal right so whenever the sponsor approves it right we did the very same process even in our wired access as well right you can double check that but to keep it short whenever the sponsor approves it that particular mac address will be added here see there we go d0 starting with the israeli ending with five eight so that mac address is added to the guest endpoints and now that that mac address is available here um you know the policy which is going to be hit is different right and as a result we are basically going to get the guest access and you know we can actually look at what guest access is right so this is guest access the authorization profile is guest access but what do you where do you see that we'll go to um policy elements let's 
click on authorization profiles here let's click on guest access there we go right this is the guest access let's scroll to the complete bottom you can see the acl now which is going to be applied is called as guest earlier it was asl redirect acl right it was the web auth redirection now it is the guest acl again this acl has to be compulsively defined on your wlc because all the switching of the traffic happens on the wlc right so we will go and check that as well here where is that so this is the acls let's go back to the acls there you go right so we have the gas station and the guest acl will obviously um you know deny uh deny any traffic to the internal network so that's why you see any traffic to the 10 network 170 to 16 and 190 to 198 right so these are the private networks traffic to any of these private networks is denied and traffic to the internet is allowed right so that's what you define over there right so that was the complete uh idea guys behind this video uh hope that was kind of a bit useful because people have been asking me you know can you do something a little bit on wireless and ice so i thought this would be a good example to show how you can spin up the whole you know you can deploy uh you know wireless ssids you can you know do the whole authentication using eyes in collaboration with your ad obviously and kind of bring this up so quickly right again feel free to try this out even on even g right it should technically work you will probably need uh to figure out the how to create this wireless clients right and also there are there are different i've seen people on the internet doing it right doing a bit of pci pass through and all of that but it might be a bit complicated to do it on eve technically possible yes a simplest way is if you have access to a physical gear right like this so it becomes much simpler to demonstrate and to check out the whole how wireless works with ice and uh you know how easy it is to build it right cool hope 
that was useful guys and thanks for watching have a good one bye
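The flow the video traces (Wireless MAB with "If user not found: CONTINUE", the Default rule handing out the redirect profile, sponsor approval adding the MAC to GuestEndpoints, and the two WLC ACLs) as an added Python model; this is not the video's or Cisco's code, and the policy names, ACL entries, MAC, IP and URL values are all constructed for illustration.

```python
"""Added example (not from the video): a toy model of the ISE guest flow the
transcript walks through. Policy names, ACL entries and the MAC, IP and URL
values are constructed; real WLC ACLs also carry direction and wildcard masks."""
import ipaddress

INTERNAL_ENDPOINTS = {"aa:aa:aa:aa:aa:01"}   # constructed corporate device
GUEST_ENDPOINTS = set()                     # ISE group GuestEndpoints, empty at start
REDIRECT_URL = "https://ise.example.test:8443/portal/guest"   # placeholder URL

# WLC ACLs as (action, protocol, dst network, dst port). In the web-auth redirect
# ACL a "deny" match means "redirect to the portal"; DNS/DHCP stay permitted.
WEB_AUTH_REDIRECT = [("permit", "udp", None, 53), ("permit", "udp", None, 67),
                     ("permit", "udp", None, 68), ("deny", "tcp", None, 80),
                     ("deny", "tcp", None, 443)]
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
GUEST = [("deny", "any", n, None) for n in PRIVATE] + [("permit", "any", None, None)]
ACLS = {"WEB-AUTH-REDIRECT": WEB_AUTH_REDIRECT, "GUEST": GUEST}

def authenticate(mac, user_not_found="CONTINUE"):
    """Wireless MAB lookup. ISE's 'If user not found' option decides what a MAC
    that is in neither the internal store nor AD gets: CONTINUE or REJECT."""
    return "PASS" if mac in INTERNAL_ENDPOINTS else user_not_found

def authorize(mac):
    """Authorization rules in order: GuestEndpoints -> GuestAccess, else Default."""
    if mac in GUEST_ENDPOINTS:
        return {"profile": "GuestAccess", "acl": "GUEST", "redirect": None}
    return {"profile": "GuestRedirect", "acl": "WEB-AUTH-REDIRECT",
            "redirect": REDIRECT_URL}

def session(mac, user_not_found="CONTINUE"):
    """Whole policy-set evaluation for one session; None means access rejected."""
    if authenticate(mac, user_not_found) == "REJECT":
        return None
    return authorize(mac)

def sponsor_approve(mac):
    """Sponsor approval adds the guest MAC to GuestEndpoints; ISE then sends a
    CoA so the client is re-authorized and lands on the GuestAccess rule."""
    GUEST_ENDPOINTS.add(mac)
    return session(mac)

def evaluate(acl_name, proto, dst_ip, dst_port=None):
    """First-match evaluation of a client packet against a WLC ACL."""
    for action, p, net, port in ACLS[acl_name]:
        if p != "any" and p != proto:
            continue
        if net and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(net):
            continue
        if port is not None and port != dst_port:
            continue
        if action == "deny" and acl_name == "WEB-AUTH-REDIRECT":
            return "redirect"
        return action
    return "deny"   # implicit deny at the end of every ACL
```

Running `session(mac, user_not_found="REJECT")` shows why the default setting would have rejected the guest before any portal redirect could happen.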
Info
Channel: BitsPlease
Views: 1,967
Keywords: cisco, ise, wireless, AP, wlc, dot1x, guest
Id: fmA7HeKKT10
Length: 49min 28sec (2968 seconds)
Published: Sat Apr 03 2021