Cisco ISE Deployment Guide: Deploying ISE for Guest Network Access
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Deploying Cisco ISE for Guest Network Access
Jason Kunst, September 2018

Table of Contents

Introduction
    About Cisco Identity Services Engine (ISE)
    About This Guide
Define
    What is Guest Access?
    Guest Access with Hotspot Guest Portals
    Guest Access with Credentialed Guest Portals
    Licensing
Design
    ISE Deployment Model Considerations
    Survivability
    Configuration Best Practices for Cisco WLC
    Apple Captive Network Assistant (CNA)
    IP Address and VLAN Changes
    Caveats
    Wireless Deployment Models
Deploy
    Configuring the WLC for ISE Web Authentication
        Configure ISE as RADIUS Authentication Server on WLC
        Configure a Guest WLAN (SSID)
        Configure an ACL to Redirect Guest Devices to the ISE Guest Portal
    Configure a Catalyst Switch for Guest Access
    Configure ISE for Guest Access
        Add the Network Access Device to ISE
        Policy Set for Credentialed Guest Access
    The Guest "Remember Me" Feature
        Policy Configuration for the Guest "Remember Me" Feature
    Using an Authorization Profile to Redirect Guest Endpoints to ISE
    Access Control for Guest Traffic
    Configure the Minimum Settings for Self-Registered Guest Flow
    Configuring Guest Type Access Times, Location, and Time Zone
        Configuring From First Login
        Working with Locations and Time Zones
    Configure Settings for the Sponsored Guest Flow
        Guest Portal for the Sponsored Flow
        Working with Sponsor Accounts
        Using Sponsor Accounts from Active Directory
        Set Up the Active Directory Sponsor Group in All_Accounts
        Set Up ISE Sponsor Portal FQDN-Based Access
    Configure Basic Portal Customization
    Setting Up a Well-Known Certificate
        Create a Certificate-Signing Request and Submit It to a Certificate Authority
        Import Certificates to the Trusted Certificate Store
        Bind the CA-Signed Certificate to the Signing Request
Operate
    Validation of Flows
        Testing Web Portals
        Clearing Guest Endpoints
        Monitoring Guest Connections
    Troubleshooting Common Issues
    How Do I Get Support?

Introduction

About Cisco Identity Services Engine (ISE)

Figure 1: Cisco Identity Services Engine

Cisco ISE is a leading identity-based network access control and policy-enforcement system. It is a common policy engine for controlling endpoint access and network device administration in enterprises. ISE allows an administrator to centrally control access policies for wired, wireless, and VPN endpoints in a network. ISE builds context about endpoints, including users and groups (Who), device type (What), access time (When), access location (Where), access type (Wired/Wireless/VPN) (How), threats, and vulnerabilities.
By sharing this contextual data with technology partner integrations and by implementing Cisco TrustSec® policy for software-defined segmentation, ISE transforms a network from a conduit for data into a security enforcer that shortens the time to detect and the time to resolve network threats.

About This Guide

This guide describes the process and best practices for configuring ISE with a Cisco Wireless LAN Controller (WLC) or a Cisco switch to provide guest access. It is designed for an environment where the WLC and ISE have already been set up. Its purpose is to answer common setup and deployment questions and to describe the configurations on a Cisco WLC, a Cisco switch, and ISE. The guide does not cover more complex configurations, such as load balancing or foreign/anchor controllers.

Figure 2: ISE for Guest Implementation Flow (Define, Step 1; Design, Step 2; Deploy, Step 3; Operate, Step 4)

There are four major sections in this document. The Define section shows how to identify problem areas, plan the deployment, and weigh other considerations; the Design section shows how to design a guest access network; the Deploy section provides guidance on the various configurations and best practices; and the Operate section shows how to manage a guest network controlled by Cisco ISE.

What is Covered in This Guide?

This guide provides information about the following configurations:
• Basic portal settings in ISE 2.3.
• Authorization policies and rules for hotspot, self-registered, and sponsored Guest portals.
• Minimum settings required for a guest flow.
• Configuring a Cisco WLC running release 8.5 and later with any type of Guest portal in ISE.
• Configuring a Cisco switch, for example a Cisco Catalyst 3850 Series Switch, for guest access.

What is Not Covered in This Guide?

This guide does not cover the following topics:
• Tools required to configure multiple controllers and switches
• Deployment models and modes, such as:
    ▪ SDA/DNA
    ▪ VRF
    ▪ Other wireless systems, such as:
        o Mobility Express
        o CMX
        o Third-party network devices
        o Meraki
• Easy-setup wireless tools, such as:
    ▪ Wireless Easy Simplified Controller Setup
    ▪ ISE Secure Access Wizard
• Profiling
• Load balancing
• Other guest features and flows

Define

What is Guest Access?

When people outside your company attempt to use your company's network to reach the internet or the resources and services in your network, you can provide them with network access through Guest Access portals. Guests typically include authorized visitors, contractors, customers, and other temporary users who require access to your network. The two types of Guest Access portals covered by this guide are:
• Guest Access with Hotspot Guest Portals
• Guest Access with Credentialed Guest Portals

Guest Access with Hotspot Guest Portals

A Hotspot Guest Portal provides network access to guests without requiring usernames and passwords. This type of guest access eliminates the overhead of managing individual guest accounts. When guests connect to the network, they are redirected to the ISE Hotspot Guest Portal, where they must accept an Acceptable Use Policy (AUP) to gain access to the network and, from there, the internet.

Guest Access with Credentialed Guest Portals

A Credentialed Guest Portal requires guests to have a username and password to gain access. Using a self-registration portal, guests can create their own account credentials, which they then use to log in to the Guest portal. Credentials can also be created for a guest by a sponsor.
A sponsor can be an employee or a lobby ambassador. When guests connect to the network, they are redirected to a portal, where they log in with the credentials they created through self-registration or were given by a sponsor. After guests log in, they may be required to accept an AUP before they can access the network, depending on the portal. Access can also be set up using a Sponsored Guest Portal, which requires guests to use credentials created by a sponsor. For more information about Guest portals and features, refer to the "Cisco Guest Access" section in the Cisco Identity Services Engine Administrator Guide.

Licensing

ISE guest access requires a Base license for each guest endpoint. For more information about licensing, see the community page for ISE Licensing.

Design

ISE Deployment Model Considerations

A frequently asked question is how to safely deploy an ISE Guest portal in a DMZ. Multiple options exist, and it is the customer's prerogative to determine the best approach based on their requirements. The following are some general guidelines:

ISE PSN in the DMZ: You must allow communication between the DMZ PSN and the PAN and MnT nodes for database synchronization. In this design the DMZ PSN is used only for Guest portals. Use more than one PSN for redundancy. Sponsors connect to a PSN inside the network to create guest accounts.

ISE PSN with an interface in the DMZ: The internal ISE PSN has a separate interface in the DMZ dedicated to Guest portal traffic. On that interface, allow communication to the PSN only from the wireless controllers and from guest clients, and only for RADIUS and the Guest portal. This same PSN
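Either DMZ option above comes down to a firewall policy: the DMZ-facing PSN should accept RADIUS and CoA from the controllers, the guest portal from guest clients, and replication traffic with the PAN/MnT, and nothing else (no admin UI, SSH, or sponsor portal from the guest subnet). The following Python script is an added example written for this page; it is not Cisco's code and does not come from the guide. It models a first-match rule set as data and audits it against the flows the design requires and the flows it must forbid, which is a useful pre-change check before touching the real firewall. The addresses are constructed lab values, and the port numbers (RADIUS 1812/1813 UDP, CoA 1700 UDP, guest portal 8443 TCP, sponsor portal 8445 TCP, admin UI 443 TCP, PAN/PSN replication 1521 and 12001 TCP) are assumed ISE defaults that you should confirm against the ISE Ports Reference for your release.

```python
"""Audit a DMZ firewall policy for an ISE Policy Service Node (PSN).

Added example, not part of the Cisco guide. A first-match rule set is
modelled as plain data and checked so that the DMZ-facing PSN interface
accepts only the flows the guest design needs and rejects everything
else. All addresses are constructed lab values; all port numbers are
assumed ISE defaults (verify against the ISE Ports Reference).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lab addressing (assumptions, not from the guide).
PSN_DMZ = "203.0.113.10"        # PSN interface in the DMZ
PAN = "10.10.0.10"              # Primary Administration Node, inside
MNT = "10.10.0.11"              # Monitoring and Troubleshooting node, inside
WLC = "10.20.0.5"               # Wireless LAN Controller, inside
GUEST_NET = "192.168.100.0/24"  # Guest client VLAN
GUEST_HOST = "192.168.100.42"   # One guest client used in the checks


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    src: str       # address, network, or "any"
    dst: str       # address, network, or "any"
    proto: str     # "tcp", "udp", or "any"
    dports: tuple  # destination ports; empty tuple means any port

    def matches(self, f: Flow) -> bool:
        return (_in(f.src, self.src) and _in(f.dst, self.dst)
                and self.proto in ("any", f.proto)
                and (not self.dports or f.dport in self.dports))


def _in(addr: str, net: str) -> bool:
    """True if addr falls inside net; a bare host address is a /32."""
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def decide(rules, flow: Flow, default: str = "deny") -> str:
    """First-match evaluation with an implicit deny, like an IOS/ASA ACL."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


# Least-privilege policy for the DMZ PSN interface (assumed default ports).
DMZ_PSN_POLICY = [
    Rule("permit", WLC, PSN_DMZ, "udp", (1812, 1813)),    # RADIUS auth/acct
    Rule("permit", PSN_DMZ, WLC, "udp", (1700,)),         # CoA to the WLC
    Rule("permit", GUEST_NET, PSN_DMZ, "tcp", (8443,)),   # guest portal only
    Rule("permit", PSN_DMZ, PAN, "tcp", (1521, 12001)),   # replication/sync
    Rule("permit", PAN, PSN_DMZ, "tcp", (1521, 12001)),
    Rule("permit", PSN_DMZ, MNT, "tcp", (1521,)),         # logging to MnT
    # Everything else is dropped by the implicit deny in decide().
]

# A common mistake: a broad "permit guests to the PSN" rule on top.
PERMISSIVE_POLICY = [Rule("permit", GUEST_NET, PSN_DMZ, "tcp", ())] + DMZ_PSN_POLICY

REQUIRED = [
    Flow(WLC, PSN_DMZ, "udp", 1812), Flow(WLC, PSN_DMZ, "udp", 1813),
    Flow(PSN_DMZ, WLC, "udp", 1700), Flow(GUEST_HOST, PSN_DMZ, "tcp", 8443),
    Flow(PSN_DMZ, PAN, "tcp", 1521), Flow(PAN, PSN_DMZ, "tcp", 12001),
]
FORBIDDEN = [
    Flow(GUEST_HOST, PSN_DMZ, "tcp", 443),   # admin UI from a guest
    Flow(GUEST_HOST, PSN_DMZ, "tcp", 22),    # SSH from a guest
    Flow(GUEST_HOST, PSN_DMZ, "tcp", 8445),  # sponsor portal belongs inside
    Flow(GUEST_HOST, PAN, "tcp", 443),       # guest reaching the PAN
    Flow(GUEST_HOST, PSN_DMZ, "udp", 1812),  # guest spoofing RADIUS
]


def audit(rules, required, forbidden) -> list:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for f in required:
        if decide(rules, f) != "permit":
            findings.append(f"required flow blocked: {f}")
    for f in forbidden:
        if decide(rules, f) == "permit":
            findings.append(f"forbidden flow allowed: {f}")
    return findings


if __name__ == "__main__":
    for name, policy in (("least-privilege", DMZ_PSN_POLICY),
                         ("permissive", PERMISSIVE_POLICY)):
        result = audit(policy, REQUIRED, FORBIDDEN)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  " + line)
```

Run it as a script to see the least-privilege policy pass and the permissive variant fail on the admin UI, SSH, and sponsor-portal flows. Extend REQUIRED and FORBIDDEN with your own addressing and with any extra guest-flow ports you enable, then keep the script in change control so that every firewall edit for the DMZ PSN is checked against the same expectations.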