Jason Kunst
Cisco Employee

 

Introduction

This document describes the configuration required on the ISE application to send SMS messages over HTTP and HTTPS through Clickatell SMS gateways.

 

Problem Statement

  1. It is only possible to send SMS messages to ISE guest users using email or the HTTP GET method. The HTTP GET method introduces a security concern: the SMS text message is included as part of the HTTP request URL and can easily be intercepted by a man in the middle.
  2. The more secure mechanisms (compared with the HTTP GET option above) for transmitting SMS messages via HTTP and HTTPS using ISE configuration are not functional.
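
Added example (not from the original document or from Cisco): a small Python check that audits SMS gateway settings for the two exposures described above, cleartext transport and message text carried in the request URL. The sms-gateway.example host and the use of the $message$ placeholder as the marker for the SMS text are assumptions; the api.clickatell.com URLs are the sample URLs from this page.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: the gateway configuration marks the SMS text with this placeholder.
MESSAGE_PLACEHOLDER = "$message$"


def audit_sms_gateway(url, body=""):
    """Return a sorted list of findings for one SMS gateway configuration."""
    findings = set()
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        # Over plain HTTP both the URL and the body are readable on the wire.
        findings.add("cleartext-transport")
    in_url = False
    # The query string is part of the request line, so even with HTTPS it ends
    # up in the gateway's access logs and in any TLS-terminating proxy's logs.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if MESSAGE_PLACEHOLDER in value:
            findings.add("message-in-url:" + key)
            in_url = True
    if not in_url and MESSAGE_PLACEHOLDER not in body:
        findings.add("no-message-placeholder")
    return sorted(findings)


# Constructed sample configurations: name -> (gateway URL, POST data).
SAMPLE_CONFIGS = {
    "get-http": ("http://sms-gateway.example/send?api_id=1234567&text=$message$", ""),
    "get-https": ("https://sms-gateway.example/send?api_id=1234567&text=$message$", ""),
    "post-http": ("http://api.clickatell.com/rest/message"
                  "?from=15556661212&x-version=1&mo=1&api_id=1234567", "$message$"),
    "post-https": ("https://api.clickatell.com/rest/message"
                   "?from=15556661212&x-version=1&mo=1&api_id=1234567", "$message$"),
}


def audit_all(configs):
    """Audit every configuration and return {name: findings}."""
    return {name: audit_sms_gateway(url, body) for name, (url, body) in configs.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONFIGS).items():
        print(name, "->", findings or "no findings")
```
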

 

Solution

  1. The Clickatell gateway does not support the HTTP/HTTPS POST method for including the SMS message in the message body. As a solution, the Clickatell REST API is now used to send the SMS message as the body of the HTTP POST request.
  2. The implementation within ISE for transmitting SMS messages using HTTPS has now been fixed.

These fixes are available in the following ISE releases and patches:

1.4 patch 8, 2.0 patch 3, 2.1 and above

  

ISE Configurations for Sending SMS Messages

 

Send SMS Using HTTP Or HTTPS POST Method

 

sms1.png 

 

Sample URLs:

HTTPS:

https://api.clickatell.com/rest/message?from=15556661212&x-version=1&mo=1&api_id=1234567

 

Replace 1234567 with your API ID.

Replace 15556661212 with your From number.

 

Upload the Clickatell certificates (obtained from their website, https://www.clickatell.com, via the browser lock icon) to the ISE certificate trust store.

 

HTTP:

http://api.clickatell.com/rest/message?from=15556661212&x-version=1&mo=1&api_id=1234567

 

 

Note:

  1. The ISE admin has to log in to the Clickatell SMS portal and set up a REST API; the ID of that API has to be used when sending SMS messages over HTTP/S requests.
  2. The values of mo=1 and x-version=1
  3. The “From” phone number is provided by the Clickatell two-way SMS account (this type of account, with a From number, is mandatory in the US region by law). Even in regions such as India, a From number must be used with one-way SMS (it can be obtained from the Clickatell SMS portal or by working with the Clickatell helpdesk). Using a “From” number incurs additional cost compared to sending a one-way SMS, but it is the recommended approach from a security and message credibility standpoint.
  4. The “From” phone number can be entered on an ISE portal page either in the format (country-code)(phone number), e.g. 15556661212, or in the E.164 format, +15556661212.

                      

Send SMS Using HTTPS GET Method

The ISE application already supports sending SMS messages to the Clickatell SMS gateway using the HTTP GET method. The configuration below is for the HTTPS GET method, where everything else remains the same as for HTTP GET except:

  1. the Clickatell certificate has to be imported into the ISE certificate trust-store
  2. the URL starts with HTTPS 

While importing the certificates:

  1. Ensure that the serial number of the Thawte Primary Root CA present by default in the ISE trusted store matches the serial number of the Thawte Primary Root CA in api.clickatell.com’s chain.
  2. Thawte Primary Root CA issued certificates to both Thawte SSL CA – G2 and Thawte SSL CA – G3 (G2 for api.clickatell.com and G3 for Clickatell.com). If G3 is imported, things fail because trust in the certificate chain breaks. It is mandatory to import the G2 certificate.
  3. Finally, Clickatell uses a wildcard certificate (for all its services) rather than a regular certificate. Import the *.clickatell.com certificate into the trusted chain of certificates as well.
  4. https://api.clickatell.com/rest/message?X-Version=1&from=91xxxxxxxxxx&api_id=1234567&mo=1 points to Thawte – G2.

 

sms2.png sms3.png

 

 

 

 

Sample testing using poster

 

sms8.png

 

  1. URL: https://api.clickatell.com/rest/message
  2. Content Type: application/json
  3. HTTP Custom Headers:

       Authorization : <<Clickatell authorization key>>

       x-version : 1

  4. Body of the Message:

 

{"text":"My message from Harish testing GUEST", "to":["15605365635"],  "from" : "17752874976", "mo":"1", "api_id" : "3591672" }

 

 

Comments
Rahul Govindan
VIP Alumni

Tested out Twilio and worked with ISE 2.1 p3. Trick is to not add anything in the Post Data section except the $message$. "To" field is automagically added by ISE to POST request before sending.

Jacob Snyder
Level 5

Hmm, just tested in 2.1 P2 and no dice.  Anyone know of a way to debug the SMS component to see what's failing?

Jason Kunst
Cisco Employee

Rahul is working to clarify the document for Twilio; otherwise contact TAC.

Rahul Govindan
VIP Alumni

Jacob, I just created a doc with the working settings in my lab. Cisco ISE Guest self-registration using Twilio SMS service. Could you check this and see if all your settings match?

Jacob Snyder
Level 5

It's working... I was debugging with a proxy and forgot to turn it off.
