Create Custom Guest Success Pages by Active Directory Group with Cisco Identity Services Engine 1.2

Secure Access How-To Guide Series
Date: December 18, 2014
Author(s): Imran Bashir, Jason Kunst & Hsing-Tsu Lai, Technical Marketing Engineers, Cisco Identity Services Engine
Cisco Systems © 2015

SECURE ACCESS HOW-TO GUIDES

Table of Contents
Introduction
Use Case
Problem
Solution
Caveats
Configuration Steps
  Create Endpoint Groups
  Create default and contractor portals
  Create Authentication Policy
  Create Authorization Profiles
  Create Authorization Policies
Summary

Introduction

This solution shows how to present a different customized success page to a guest depending on their AD group.

Use Case

In this scenario a company has Apple and Microsoft contractors visiting them and wants to provide a customized ISE web authentication success page for each type of contractor.

Further information:
• Contractors from two different companies connect to the network, for example Apple_Contractor and Microsoft_Contractor.
• These contractors connect to the network by logging into a Centralized Web Authentication (Guest Portal) using their Active Directory credentials.
• After the contractor logs into the Web Authentication (Guest) Portal, depending on the group they belong to:
  - Apple contractors should be presented with an Apple customized success page.
  - Microsoft contractors should be presented with a Microsoft customized success page.

Problem

In ISE, the success page is hardcoded to the Guest Portal; therefore it is not possible to display different success pages based on AD groups using only one configured portal in the login flow.

Solution

Leverage the Device Registration Webauth (DRW) flow to present customized success pages based on the AD credentials.

Caveats

• You will need to clear out the endpoint groups manually, as there is no way to purge them. ISE 1.3 has automatic purge per endpoint group capabilities.
• This solution will likely be broken after upgrading to 1.3, as the way portals flow and are built has changed significantly. If you are planning on upgrading, it is recommended to proof out how your system will work after being upgraded. ISE 1.3 has a different way to address this customization effort, which is not covered in this document.
• The general recommendation is to proof any new solution in a lab before putting it into production.

Configuration Steps

This configuration document assumes you have some experience in configuring ISE 1.2 Authentication and Authorization Policies with Guest Access. We will cover the screens and minimal steps required to make this happen.

Create Endpoint Groups

Create the necessary endpoint groups for each of your contractor (visitor) types.

Step 1 Create two Endpoint Identity Groups for the contractor endpoints. MAC addresses will be registered in them after redirection to the DRW portal.
Step 2 Navigate to Administration > Groups > Endpoint Identity Groups.
Step 3 Add the following endpoint groups:
• Apple_Contractor = Endpoint Identity Group for Apple contractors
• Microsoft_Contractor = Endpoint Identity Group for Microsoft contractors

Figure 1. Endpoint Identity Groups

Step 4 Create three customized Guest Portals:
• A custom portal for CWA login with a success page timer that will trigger the redirection.
• DRW portals (one for each contractor group) that will insert MAC addresses into the appropriate Endpoint Identity Groups.
Use this link, How To Customize ISE12 Web Portals, as a reference when creating your own custom portal pages.

Create default and contractor portals

First Portal = Default_Custom

Step 1 Navigate to Administration > Settings > Guest > Multi-Portal Configurations.

This is the default portal to which all endpoints connecting to the Open SSID (MAB) are redirected as a result of CWA. Its success page is set to redirect after 3 seconds to a URL that is blocked by your redirect ACL. An example of this code:

Step 2 Place the following HTML redirect code between the <HEAD> and </HEAD> tags of your HTML code.

<meta http-equiv="refresh" content="3; url=http://www.yahoo.com">

The above HTML redirect code will redirect your visitors to another web page once the delay expires. The 3 in content="3; ..." is the time in seconds before the redirection takes place. Do not set it lower than this value, as it is required to be longer than the COA time.

Step 3 Map the uploaded files that you will be using. At minimum you need a login, success and error page.

Figure 2. Login File

Second Portal = APPLE_DRW

Step 4 Create a portal for each of the contractor types. The steps are the same for each contractor type. This is a custom DRW portal. It puts the Apple contractor's device MAC address into the Endpoint Identity Group Apple_Contractor. This page should be customized with your message for the Apple contractor, for example: "Welcome Apple! Here is the Apple info". You can use the same how-to document you used before to create these pages; they are of the same type.

Step 5 Disable the AUP (uncheck the box for "Guest users should agree to an acceptable use policy").

Figure 3. Multi-Portal Configuration List > Apple_DRW

Step 6 Customize the Success and Error pages; both need to be customized and mapped.
Step 7 Map the uploaded files.

Figure 4. Multi-Portal Configuration List > Apple_DRW - Error Page

Use the same steps above to create another portal for the other contractor type:

Third Portal = MICROSOFT_DRW

Create Authentication Policy

Create an Authentication Policy to redirect as a result of MAC Authentication Bypass (MAB).

Step 1 Navigate to Policy > Authentication.
Step 2 Create a MAB rule to match.

Figure 5. MAB Rule

Step 3 Change the Guest Portal Sequence to include your Active Directory instance.
Step 4 Navigate to Administration > Identity Source Sequence > Guest_Portal_Sequence.
Step 5 Move your AD instance to the right.

Figure 6. Authentication Search List

Create Authorization Profiles

Step 1 Create Authorization Profiles for the three different portals.
Step 2 Navigate to Policy > Results > Authorization > Authorization Profiles.

Create the following three profiles: WLC-CWA, DRW_Apple, DRW_Microsoft.

WLC-CWA = Basic customized Guest portal redirection profile. This is the portal that the contractors will first see when accessing the network.
• Choose Centralized Web Auth for the Web Redirection.
• The ACL "WLC-ACL_ISE-RESTRICTED" is the ACL that is passed to the controller and will be your redirection ACL.
• Default_Custom is the portal you created.

Figure 7. Authorization Profile - WLC-CWA

DRW_Apple = DRW policy for Apple contractors. This is the portal that the Apple contractor will be redirected to after they authenticate against the CWA portal.
• Choose Device Registration Web Auth for the Web Redirection.
• The ACL "WLC-ACL_ISE-RESTRICTED" is the ACL that is passed to the controller and will be your redirection ACL.
• APPLE_DRW is the portal you created for DRW success for Apple contractors.

Figure 8. Authorization Profile - DRW_Apple

DRW_Microsoft = DRW policy for Microsoft contractors. This is the portal that the Microsoft contractor will be redirected to after they authenticate against the CWA portal.
• Choose Device Registration Web Auth for the Web Redirection.
• The ACL "WLC-ACL_ISE-RESTRICTED" is the ACL that is passed to the controller and will be your redirection ACL.
• MICROSOFT_DRW is the portal you created for DRW success for Microsoft contractors.

Figure 9. Authorization Profile - DRW_Microsoft

Create Authorization Policies

Finally, create Authorization Policies per the information and screenshot below.

Step 1 Navigate to Policy > Authorization. Although not required, it is recommended to enter the policies in the same order.

Figure 10. Authorization Policies

WLC DRW Apple = Authorization Policy for Device Registration WebAuth for Apple contractors. It checks the following:
• Device is connected through Wireless
• Device is still in Guest Flow since it authenticated earlier using the WLC CWA policy
• User belongs to the AD group = Apple
Result: take this MAC address and put it into the endpoint identity group = Apple_Contractor AND issue a COA_Session_Terminate.

WLC DRW Microsoft = Authorization Policy for Device Registration WebAuth for Microsoft contractors. It checks the following:
• Device is connected through Wireless
• Device is still in Guest Flow since it authenticated earlier using the WLC CWA policy
• User belongs to the AD group = Microsoft
Result: take this MAC address and put it into the endpoint identity group = Microsoft_Contractor AND issue a COA_Session_Terminate.

Guest_Access_DRW = Authorization Policy to grant access to employees based on the Endpoint Identity Groups. This could also be split into multiple policies if you wish to grant differentiated access to Apple_Contractor vs Microsoft_Contractor.
If Endpoint Identity Group is Apple_Contractor OR Microsoft_Contractor then PermitAccess.
Note: the MAC addresses were inserted into these Endpoint Identity Groups by the DRW policies defined earlier.

WLC CWA = Redirection to the Default_Custom portal for contractors to log in.

Summary

To summarize the user experience:
Step 1 Contractor connects to the open wireless network.
Step 2 Device is redirected to the Web Authentication Portal.
Step 3 Contractor logs in with their AD credentials.
Step 4 COA is sent to reauthorize the session while the success page is displayed.
Step 5 The success page will automatically try to get to yahoo.com and cause another redirection to the DRW portal depending on
Step 6 The DRW portal will automatically register the endpoint into the correct group and present a customized success page.
Step 7 COA takes place again and the device is authorized on the endpoint group.
Step 8 Future connections are directly permitted access (until the endpoint is cleared from the respective contractor endpoint group).

For more information check out our other How-to guides.
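The four authorization rules and the Summary flow above, modelled as an added first-match simulation that is not code from the Cisco guide or from ISE itself: rule, profile and endpoint-group names are the guide's, while the Request fields, the catch-all treatment of WLC CWA and the purge helper are assumptions of this model.

```python
# Added example, not code from the Cisco guide: a small simulation of the four
# authorization rules above, evaluated first-match in the order the guide
# recommends, with the endpoint-group "memory" that the Caveats say must be
# cleared by hand in ISE 1.2. Rule and group names are the guide's; the request
# fields, the WLC CWA catch-all and the purge helper are assumptions of this model.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# AD group -> Endpoint Identity Group written by the matching DRW rule
CONTRACTOR_GROUPS = {"Apple": "Apple_Contractor", "Microsoft": "Microsoft_Contractor"}


@dataclass
class Request:
    mac: str
    wireless: bool = True
    guest_flow: bool = False          # True only after a successful CWA login
    ad_group: Optional[str] = None    # AD group learned at the CWA portal


@dataclass
class IseState:
    endpoint_groups: Dict[str, str] = field(default_factory=dict)  # mac -> group


def authorize(req: Request, state: IseState) -> dict:
    """Walk the rules top-down; the first matching rule decides."""
    # WLC DRW Apple / WLC DRW Microsoft: register the MAC and terminate the session
    if req.wireless and req.guest_flow and req.ad_group in CONTRACTOR_GROUPS:
        state.endpoint_groups[req.mac] = CONTRACTOR_GROUPS[req.ad_group]
        return {"rule": f"WLC DRW {req.ad_group}", "profile": f"DRW_{req.ad_group}",
                "coa": "COA_Session_Terminate"}
    # Guest_Access_DRW: the MAC already sits in one of the contractor groups
    if state.endpoint_groups.get(req.mac) in CONTRACTOR_GROUPS.values():
        return {"rule": "Guest_Access_DRW", "profile": "PermitAccess"}
    # WLC CWA: everything else on the open SSID is redirected to Default_Custom
    return {"rule": "WLC CWA", "profile": "WLC-CWA", "portal": "Default_Custom"}


def contractor_session(mac: str, ad_group: str, state: IseState) -> List[dict]:
    """Decisions for Summary steps 1-2, 4-7 and 8 of one contractor's visit."""
    return [
        authorize(Request(mac), state),                                      # MAB -> CWA redirect
        authorize(Request(mac, guest_flow=True, ad_group=ad_group), state),  # after AD login
        authorize(Request(mac), state),                                      # next connection
    ]


def purge(mac: str, state: IseState) -> bool:
    """The manual clean-up the Caveats call for; True if the MAC was registered."""
    return state.endpoint_groups.pop(mac, None) is not None
```

Running contractor_session for an Apple contractor returns the WLC CWA redirect, then the DRW_Apple profile with its COA, then PermitAccess on the next connection; after purge the same MAC is redirected to the portal again.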