Visibility into, and control over, guest access to our network are vital, especially on the wireless network. We need a clear plan for how we want guests to log in, what information we want to collect from them, how we audit them over time, what resources we want to provide them and what level of security we want to enforce on them.
Cisco ISE (Identity Services Engine) provides multiple ways for guests to connect to a wired or wireless network, for example:
- Using a hotspot portal to connect to an open or password-protected wireless LAN
- Using a self-registered guest portal to generate their own temporary username/password
- Getting approval from a sponsor to access the guest network
In this case we will look at sponsor-approved access to a wireless network hosted by Meraki access points. We will use email for communication between sponsor and guest; SMS could also be used, but that will be a separate blog. We will also apply some additional restrictions: internet-only access and a maximum of 1 Mbps bandwidth.
The overall flow is as follows. The guest connects to the wireless network for the first time; since this is an open SSID the guest associates, gets an IP address and is redirected to a guest portal, where the guest can either use existing credentials or request new credentials by providing the information the sponsor asks for.
ISE sends this information by email to an administrator, also known as the sponsor. The sponsor approves the guest through their own sponsor portal on ISE, which triggers an email back to the guest with a username/password. The guest can now use this username/password to connect to the wireless guest network. In the background the guest device's MAC address is also populated in the ISE database, so when the guest logs in a second time they don't have to go through the same process again.
The sponsor can define how long the guest can use the network; they can also define a standard purge timeline after which the guest has to go through the approval process again.
Configure an open SSID on the Meraki dashboard; in this case we are using COG_GUEST.
Define an access policy for guests that limits access to the internet only with a 1 Mbps maximum bandwidth. In the example below I am denying RFC 1918 (private IP) destinations except ISE and DNS (DHCP is permitted by default) and limiting bandwidth to 1 Mbps.
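The guest access policy above only works if the ISE and DNS exceptions sit above the RFC 1918 deny, since such rule lists are evaluated top-down, first match wins. The following added example (not from the post or from Meraki) models that policy in Python and includes a check for allow rules that a broader deny placed earlier would shadow; the DNS server address 192.168.200.10 is assumed, the ISE address is the one from the post.

```python
"""Model of the guest group policy from this post: permit ISE and DNS,
deny the rest of RFC 1918, permit everything else. Illustrative only."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ISE_IP = "192.168.200.75"   # ISE address used in the post
DNS_IP = "192.168.200.10"   # assumed guest DNS server (not from the post)
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    dst: ipaddress.IPv4Network       # destination network
    port: Optional[int] = None       # None means any destination port


# Order matters: first match wins, so the exceptions sit above the deny.
GUEST_RULES: List[Rule] = [
    Rule("allow", ipaddress.ip_network(f"{ISE_IP}/32")),
    Rule("allow", ipaddress.ip_network(f"{DNS_IP}/32"), 53),
    *[Rule("deny", ipaddress.ip_network(n)) for n in RFC1918],
    Rule("allow", ipaddress.ip_network("0.0.0.0/0")),
]


def evaluate(rules: List[Rule], dst_ip: str, port: int) -> str:
    """Return the action of the first rule matching the destination/port."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if dst in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"  # implicit deny when nothing matches


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of allow rules that an earlier any-port deny fully covers,
    i.e. rules that can never match because of ordering."""
    shadowed = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        for earlier in rules[:i]:
            if (earlier.action == "deny" and earlier.port is None
                    and r.dst.subnet_of(earlier.dst)):
                shadowed.append(i)
                break
    return shadowed
```

Running `shadowed_rules` against a policy where the deny rules were entered first flags the ISE and DNS exceptions, which is exactly the misconfiguration that leaves guests unable to reach the portal.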
Create an authorization profile on ISE. Note that the Airespace ACL name on ISE is the same as the group policy name on Meraki: ISE itself does not enforce the authorization; rather, it returns the group policy name as part of the authorization result and the Meraki AP enforces the policy locally.
Unlike with Cisco equipment, the “REDIRECT-ACL” has no significance here, as Meraki will redirect any HTTP or HTTPS traffic automatically; the ACL value is typically “NULL”, and I have entered “REDIRECT_ACL” just to show that it does not matter. Static host mapping is optional; it is needed when the guest does not have access to a DNS server that can resolve the ISE FQDN, for example when you use a public DNS for guests. “SponsorApprovedGuestPortal” is defined on ISE (shown later).
The ISE IP 192.168.200.75 is defined under the walled garden on Meraki; by doing so, Meraki allows access to ISE so that clients can reach the portal page on ISE.
Edit the guest portal and sponsor portal as needed.
Customize the portal settings. In this case I have customized the portal theme, logo, banner image and banner title as an example; below you can see the mobile and desktop views.
Create the ISE policy for guests.
Assuming the Meraki APs are added to ISE as network access devices, let's look at the actual ISE policy.
After a successful login the guest device's MAC address is stored in the datastore “SponsorApprovedGuest”.
The user connects to the open guest SSID (COG_GUEST), opens a web page and is redirected to the sponsored guest portal. Since the guest does not have an account, the guest clicks on “Don't have an account”.
The user is redirected to the next page and asked to enter personal information. Here I have used a random guest user named “Ho Ha”; note that I am giving my personal email address so that I can check the credentials received after sponsor approval.
The user account is created and an email is sent to the sponsor for approval.
An email is sent to the sponsor. The ISE server FQDN needs to be added to the email server's outgoing list for this to work properly.
The sponsor now logs in to the sponsor portal and approves the guest request.
The guest receives an email at the registered address with login credentials.
The guest/contractor can use these credentials to log in.
Verify in the logs on ISE.
The MAC address of the guest/contractor is already populated in the datastore.
The next time the user logs in, ISE just looks at the datastore, matches the MAC address and permits internet access as per the authorization policy.
Bandwidth test, as per the authorization policy.
I hope you enjoyed reading it as much as I enjoyed writing it.