BYOD using HotSpot Portal

xovercable
Level 1

I have a customer with a unique requirement for BYOD.  Customer wants to limit the number of SSID they have to use. In this particular case customer wants only two SSIDs for the network.  Corporate and Guest.  For guest they want it to be an open SSID (HotSpot).  However, when an employee connects to the Guest SSID, they want a small link at the bottom of the Guest HotSpot page, something like "Employees Click Here".   When Employees click that link it will take them to the Central Web Authentication and then go through the entire BYOD process.


 

Employee—>GUEST SSID—>Link to CWA on the Guest HotSpot Page——>BYOD Process

Guest——>Guest SSID——>AUP——>Guest Access


 

I tried adding the Self Registration Portal Web on to the HotSpot portal page for employees to click.  It does take the employee to the page, however after the employee logs in, it gives an error stating that your device is not authorized for BYOD.   Is this a supported scenario?

I can get it to work using two SSIDs provided I use a Self Registration Portal. However, the customer does not want guests to self-register. They only want it to be a HotSpot.



Timothy Abbott
Cisco Employee

Rajesh,

Not sure if that is a supported flow. Jason may have more insight or comments, but there is another method the customer could try. Instead of using the Guest SSID to onboard employee devices, why not use the Corporate SSID? If the device connects and ISE detects the device hasn't been registered, ISE can force the endpoint through the BYOD/NSP flow.

Regards,

-Tim

jim.thomas
Level 1

I would suggest doing what Tim mentioned. If you try to do this the way you mentioned, you will have a problem passing the sessionID data to the other link for employees and really not worth the hassle of even trying.

Tim & Jim,

Thanks a lot for the response.

The users are very non-technical people (hospital) and they want onboarding to be as easy as possible. If I want them to connect to CORPORATE SSID, then the supplicant has to be enabled for MSCHAPV2.  Many of the supplicants may not be properly configured for MSCHAP and this results in tickets.  We are trying to cut down the amount of user involvement without compromising the security.  We are also trying to avoid creating another SSID for onboarding.

For now the option seems like a self-registered guest portal with a separate SSID. The ideal situation would have been an option on the GUEST HotSpot with a link for employees to click that forwards to the CWA along with the sessionID.

Thanks

Rajesh

I would definitely not do a 3rd SSID. When a client (Apple, Windows, Android) connects to a secure wireless network, it will default to PEAP authentication. There should be no configuration required or helpdesk calls for that, unless you are not broadcasting the secure SSID. Once authenticated, they will go through that BYOD flow and the identity cert and supplicant settings will be provisioned. Where in this process are they failing?

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674

vibobrov
Cisco Employee
Cisco Employee

This is possible with some JavaScript code.

You would create two internal users, hotspot (group hotspot) and byod (group byod).

Create a standard sponsored guest portal where you point authentication sequence at internal users. The code has to be customized to hide the username and only present the hotspot password field. The hidden username field is pre-coded with the hotspot username from the internal directory.

A custom button is placed on the page which sets the username to byod and the password to some hardcoded value.

We then create two additional portals. One for hotspot without any codes, just to register the MAC address. And another Client Provisioning Portal (Under Administration Menu).

In AuthZ policy, we have the following rules:

If group=hotspot then redirect to hotspot portal

If group=byod then redirect to client provisioning portal

Else redirect to sponsored guest portal

I have one customer who is using this successfully and can share code if you're interested in implementing this, just need to review it for customer data.

Thanks

Correct.

Although not exactly the same, my idea was the following:

  1. Embed a hotspot button to use for quick Guest Access. Put messaging telling employees to log in to the portal for BYOD and guests to click the button.
  2. Create a guest type of hotspot_guest
  3. Create an internal guest account (under admin - identities) and use this guest type
  4. When a user logs in with this account, the device will be registered for a day and then purged; when they log in with an employee account, they will be directed to do onboarding
  5. In the guest portal, make sure the option for allow self-provisioning (BYOD) is not checked, as we will be directing them to the portal another way
  6. Setup an authorization rule for:
    1. if wireless_mab then redirect to guest portal
    2. if wireless_mab and guest endpoint then permit access
    3. if wireless_mab and employee then redirect to the NSP (BYOD portal)

This is still under draft but you get the major points.

ISE Guest Web Auth Portal with Get Quick Access (Hotspot) button

Thank You Jason.   I am going to give this one a try as well.  Will update on which method worked best for customer.  The video certainly helped understand the flow.

Rajesh

Have to post a correction to my solution.

The static BYOD internal account needs a guest portal that points to a sequence with the external ID source such as AD. That portal needs to have the checkbox enabled to allow employees to do BYOD onboarding.

The corrected AuthZ rules:

If group=hotspot then redirect to hotspot portal

If group=byod then redirect to byod guest portal

Else redirect to sponsored guest portal
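Jason's numbered authorization rules and Viktor's corrected group-based rules both depend on ISE evaluating the authorization policy top-down, first match wins. The Python model below is an added example, not code from either post or from ISE; the Session attributes and the GuestEndpoints group name are assumed stand-ins for the real session conditions. It evaluates both rule sets and shows that with Jason's rules in the order he listed them, the catch-all wireless_mab redirect matches before the more specific "guest endpoint" and "employee" rules, so those two must sit above it.

```python
# Added example (not from the thread): a first-match evaluator for the two
# ISE authorization rule sets proposed above, to show why rule order matters.
from dataclasses import dataclass
from typing import Callable


@dataclass
class Session:
    """Constructed RADIUS session attributes that ISE would match on."""
    wireless_mab: bool          # Wireless_MAB compound condition matched
    endpoint_group: str = ""    # e.g. "GuestEndpoints" once the MAC is registered
    identity_group: str = ""    # group of the identity that logged in at the portal


# A rule is (name, condition, result); ISE evaluates top-down, first match wins.
Rule = tuple[str, Callable[[Session], bool], str]


def evaluate(rules: list[Rule], session: Session) -> tuple[str, str]:
    """Return (matched rule name, result) for the first rule whose condition holds."""
    for name, cond, result in rules:
        if cond(session):
            return name, result
    return "default", "DenyAccess"


# Jason's three rules in the order he listed them.
JASON_AS_LISTED: list[Rule] = [
    ("wireless_mab", lambda s: s.wireless_mab, "redirect to guest portal"),
    ("guest endpoint", lambda s: s.wireless_mab and s.endpoint_group == "GuestEndpoints", "permit"),
    ("employee", lambda s: s.wireless_mab and s.identity_group == "employee", "redirect to NSP"),
]
# The same rules with the specific conditions placed above the catch-all redirect.
JASON_SPECIFIC_FIRST: list[Rule] = JASON_AS_LISTED[1:] + JASON_AS_LISTED[:1]

# Viktor's corrected group-based rules (already ordered specific-to-general).
VIKTOR_CORRECTED: list[Rule] = [
    ("group=hotspot", lambda s: s.identity_group == "hotspot", "redirect to hotspot portal"),
    ("group=byod", lambda s: s.identity_group == "byod", "redirect to byod guest portal"),
    ("else", lambda s: True, "redirect to sponsored guest portal"),
]


def registered_guest_outcome(rules: list[Rule]) -> str:
    """What a guest whose MAC is already in GuestEndpoints gets on the next MAB."""
    return evaluate(rules, Session(wireless_mab=True, endpoint_group="GuestEndpoints"))[1]


if __name__ == "__main__":
    print("as listed   :", registered_guest_outcome(JASON_AS_LISTED))       # redirect loop
    print("specific 1st:", registered_guest_outcome(JASON_SPECIFIC_FIRST))  # permit
    print("byod user   :", evaluate(VIKTOR_CORRECTED, Session(True, identity_group="byod")))
```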

Hi Viktor,

Thank you very much for sharing this.  Would you mind sharing the code.  I am certainly interested in taking this approach.

Rajesh

If Viktor can make a write-up on the community separately to share his approach, similar to what I listed, then I will be sure to share and post it as a link as well for others to have.

Hi

@Jason Kunst and @vibobrov - did Viktor's write-up make it to the Community Page?

 

I found this old thread today after I got a customer request for exactly this requirement. But I have not started trying to lab it up. I wanted to see first whether this is still the best way to do this using ISE 2.4.

 

regards

Arne
