Cisco ISE Guest Lab Guide


Developers and Lab Proctors
This lab was created by Policy and Access Technical Marketing, Security Business Group, Cisco.

Lab Overview
This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine
(ISE) in a Guest environment. This lab will show you how to set up and configure Guest Access
Management with ISE. Cisco ISE Guest gives sponsors/employees/lobby ambassadors the ability
to create a guest account and send it to a guest. Guests can also create their own accounts, and
guests can additionally be required to get approval from a sponsor or the person they are
visiting. There are three built-in types of guest portals: Hotspot, Self-Registered, and Sponsored.
We will be working with the first two use cases (hotspot and self-registered) in this lab. The
self-registered portal is essentially the same as sponsored (without the setting to allow self-registration).
Lab participants should be able to complete the lab within the allotted time of 3 hours.

Lab Exercises
This lab guide includes the following exercises:

Lab Exercise 1: Configure Authorization Profiles for Guest Hotspot and Self Registration
Lab Exercise 2: Configure Authentication and Authorization Policies for Guest
Lab Exercise 3: Configure Hotspot with basic customization
Lab Exercise 4: Test the Hotspot Portal
Lab Exercise 5: Configure Settings for Self-Registered with Sponsor Approval
Lab Exercise 6: Test Self Registration Portal with Approval Flow
Lab Exercise 7: Configure Settings for Sponsored Access
Lab Exercise 8: Test Sponsored Guest Flow
Lab Exercise 9: Work with Guest reporting

ISE_21_Guest_Lab_Guide_2016-07-28

Product Overview: ISE


Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform that gathers real-time
information from the network, users, and devices. ISE then uses this information to make proactive
governance decisions by enforcing policy across the network infrastructure using built-in,
standards-based controls. Cisco ISE offers:
Security: Secures your network by providing real-time visibility into and control over the users and
devices on your network.
Compliance: Enables effective corporate governance by creating consistent policy across an
infrastructure.
Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive
tasks and streamlining service delivery.
Enablement: Allows IT to support a range of new business initiatives, such as bring your own device
(BYOD), through policy-enabled services.

Lab Topology

Lab IP and VLANs


Internal IP Addresses

Device | Name/Hostname | IP Address
Access Switch (3650) | 3k-access.demo.local | 10.1.100.1
Wireless LAN Controller (virtual) | wlc.demo.local | 10.1.100.61
Wireless Access Point (varied) | ap.demo.local | 10.1.90.x/24 (DHCP)
ISE Appliance | ise-1.demo.local | 10.1.100.21
AD (AD/CS/DNS/DHCP) | ad.demo.local | 10.1.100.10
Mail | mail.demo.local | 10.1.100.40
NTP | ntp.demo.local | 128.107.212.175
Tools | tools.demo.local | 128.107.210.137
LOB-web | lob-web.demo.local | 10.1.129.12
 | portal.demo.local, updates.demo.local | 10.1.129.8
 | business.demo.local | 10.1.129.9
 | it.demo.local | 10.1.129.10
 | records.demo.local | 10.1.129.11
Admin (Management) Client | admin.demo.local | 10.1.100.6
(also FTP Server) | ftp.demo.local |

Internal VLANs and IP Subnets

VLAN | VLAN Name | IP Subnet | Description
10 | ACCESS | 10.1.10.0/24 | Authenticated users or access network using ACLs
20 | MACHINE | 10.1.20.0/24 | Microsoft machine-authenticated devices (L3 segmentation)
(29) | | 10.1.29.0/24 | Interconnect subnet between ASA and Access switch
30 | QUARANTINE | 10.1.30.0/24 | Unauthenticated or non-compliant devices (L3 segmentation)
40 | VOICE | 10.1.40.0/24 | Voice VLAN
50 | GUEST | 10.1.50.0/24 | Network for authenticated and compliant guest users
90 | AP | 10.1.90.0/24 | Wireless AP VLAN
98 | ISE.LOCAL | 10.1.98.0/24 | AD domain ise.local
99 | LAB.LOCAL | 10.1.99.0/24 | AD domains lab.local and sam.lab.local
100 | Management | 10.1.100.0/24 | Network services (AAA, AD, DNS, DHCP, etc.)
129 | WEB | 10.1.129.0/24 | Line-of-business Web servers

Accounts and Passwords


Access To | Account (username/password)
Access Switch (3650) | admin / ISEisC00L
Wireless LAN Controller (virtual) | admin / ISEisC00L
ISE Appliances | admin / ISEisC00L
AD (CS/DNS/DHCP/DHCP) | admin / ISEisC00L
Web Servers | admin / ISEisC00L
Admin (Management) Client | admin / ISEisC00L

Connecting to Lab Devices


Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for
access to all the other lab components.
Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.

Connect to a POD
Step 1

Launch the Remote Desktop application on your system.

a. In the LabOps student portal, click on the Topology tab.
b. Click on the Admin PC, and then click on the RDP Client option that appears.
c. Clicking on this option should launch your RDP client and connect you to the Admin PC.
Login as admin / ISEisC00L

Note: All lab configurations can be performed from the Admin client PC.

Connect to ESX Server Virtual Machines


During the lab exercises, you may need to access and manage the computers running as virtual
machines.
Step 1

From the Admin client PC, click the [ ESXi-core ] icon on the desktop

Step 2

Click OK when the VMware vSphere Client starts.

Step 3

You have the ability to power on, power off, or open the console (view) these VMs. To do so,
place the mouse cursor over the VM name in the left-hand pane and right-click to select one of
these options:
a. To access the VM console, select Open Console from the drop-down.

b. To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console
menu:

Step 4

For this lab ensure that the following VMs are up and running:
p##_ad
p##_admin
p##_ise-1-base
p##_lob-web
p##_mail
p##_vWLC

(likely invisible)

## refers to the pod number that you are assigned to. E.g., For POD 2, p##_ad would be
p02_ad.

Connect to Lab Device Command-Line Terminal


Step 1

To access the lab switches and ISE servers using SSH:


a. From the Admin client PC, locate the PuTTY shortcut on the taskbar. Click on the PuTTY
shortcut and it shows a list of devices and ISE servers.
b. Select the device that you'd like to log into and double click on it.
c. If prompted, click Yes to cache the server host key and to continue login.
d. Login using the credentials listed in the Accounts and Passwords table.

Pre-Lab Setup Instructions


Basic Connectivity Test
Step 1

From the admin PC desktop, launch Firefox and browse to http://tools.demo.local/ping/guest.txt.

Step 2

Control-A to select all lines in the web page above and then Control-C to copy them.

Step 3

Launch PingInfoView by double-clicking its shortcut on the desktop.
Control-V to paste the copied text into the box for [ Addresses list to ping: ], and
click [ OK ].

Step 4

Verify that ping succeeds for all devices tested and then [ File > Exit ] the program or close the
window when completed.

Controlling iPad via VNC Client


Below are some tips for controlling the iPad UI via VNC client, which will be useful for the entire lab:

Home: (On PC/Mac with 2/3-button mouse) Right click once with a mouse. (On Mac with track
pad) Touch with two fingers on the Track Pad if Secondary Click is configured.

Mouse: Mouse pointer mimics touching the iPad screen with one finger.

Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.

Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your
local keyboard for input.

Note: The tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want to
input text into, and click on it.
Note: When interacting with the iPad VNC session, a US keyboard is preferred.
Note: A US keyboard is needed for the RDP session too, unless you have additional language packs installed to provide keyboard
mappings. This is only for the RDP sessions.

Lightweight Access Point (LAP) Associated to Wireless LAN Controller (WLC)
This lab uses an LAP which needs to be joined to and associated with the WLC in the pod. Due to a lab
automation limitation, this might not have happened correctly, so we need to verify and remedy it
manually.
Step 1

From the Admin PC, launch Firefox to go to https://wlc.demo.local and login as admin /
ISEisC00L

Step 2

In the MONITOR summary page, the Controller Summary section has a field Up Time showing
how long WLC has been up.

Step 3

If Up Time is more than 15 minutes, check the next section, Access Point Summary, to see if
zero or NO access points are associated.
If Up Time is shorter and there is NO access point, please wait longer before taking the next
action.

Step 4

If NO access point is associated, then reboot the WLC by navigating to COMMANDS > Reboot
and choosing [ Reboot without Save ]. Click OK when prompted.

Step 5

An LAP should associate with the WLC shortly after the WLC has rebooted. If there is still no LAP after
the WLC has rebooted and been up for more than 15 minutes, please report it to the lab proctor or open
a ticket with LabOps support.

Basic ISE Configuration


Step 1

Access the ISE administrative web interface.


a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar:
https://ise-1.demo.local/

Note: Accept/Confirm any browser certificate warnings if present.

Login with username admin and password ISEisC00L

Step 2

Access the ISE Active Directory configuration page by navigating to Administration > Identity
Management > External Identity Sources and select Active Directory from the left-hand
pane.

Step 3

Join ise-1 to demo.local (in a single-domain forest)
a. Click the hyperlink demoAD under the Join Point Name column.
b. Tick the checkbox next to ISE node ise-1.demo.local and then click Join.
c. In the Join Domain pop-up window, fill in
* AD User Name: admin
* Password: ISEisC00L
d. Click OK to start the join operation.
e. A window Join Operation Status will pop up. Wait until the node status turns
Completed, and then click Close.
f. The Connection tab shall show ad.demo.local as the domain controller and
Default-First-Site-Name as the site.
g. Click on the Groups tab to view the pre-defined groups.

Note: If the join fails due to clock skew, use PuTTY SSH to the ise-1 admin CLI and issue show ntp and show clock to check if the NTP
service is working. The NTP service may be corrected by a reboot of ise-1 or a reset of the VM.

Lab Exercise 1: Configure Authorization Profiles for Guest Hotspot and Self Registration
Exercise Description
In this exercise you will set up the authorization profiles required for the hotspot and
self-registration portals.

Exercise Objective
In this exercise, your goal is to complete the following task:

Configure Authorization Profiles for Hotspot & Self-Registration policies

Step 1

Go to the ISE administrative web portal and login if needed

Step 2

Go to Administration > Device Portal Management > Settings, set the Retry URL to
http://www.cisco.com and click Save. If a guest session times out, this configured URL will be
used instead of 1.1.1.1, which is the default.

Step 3

Configure Authorization Profiles for Hotspot Redirect

a. Navigate to Policy > Policy Elements > Results
b. Expand Authorization
c. Click Authorization Profiles

Step 4

Configure Authorization Profile for Hotspot Redirect

a. Click Add

* Name: HotSpot Redirect
Description: Redirect unknown/guest devices to ISE for hotspot
* Access Type: ACCESS_ACCEPT
Common Tasks:
Web Redirection (CWA ): Hot Spot
ACL: ACL-WEBAUTH-REDIRECT   Value: Hotspot Guest Portal (default)
Note: The ACL is case-sensitive and should match exactly as defined in WLC.

b. Click Submit

Step 4

Update Authorization Profile for Guest Redirect

a. Click Add

* Name: Guest Redirect
Description: Demo Profile used to redirect users to the CWA portal.
* Access Type: ACCESS_ACCEPT
Common Tasks:
Web Redirection (CWA ): Centralized Web Auth
ACL: ACL-WEBAUTH-REDIRECT   Value: Self-Registered Guest Portal (default)
Note: The ACL is case-sensitive and should match exactly as defined in WLC.

b. Click Save
Step 1

Configure Authorization Profile for Guest Wireless Access

a. Click Add

* Name: Guest Permit
Description: Demo Profile to grant Internet Access for Guests
* Access Type: ACCESS_ACCEPT
Common Tasks:
Airespace ACL Name: GUEST_ACL
Note: The ACL is case-sensitive and should match exactly as defined in WLC.

b. Click Submit
Note: You should have 3 Authorization profiles after completing this task: HotSpot Redirect, Guest Redirect and Guest Permit.
Authorization profiles for the basic portal setup have been completed. Let's now work with the Policy Rules.

End of Exercise: You have successfully completed this exercise.

Lab Exercise 2: Configure Authentication and Authorization Policies for Guest
Exercise Description
In this exercise you will set up the authentication and authorization profiles and policies to work
with the hotspot and self-registration portals.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Configure Authentication Rules for Wireless_MAB

Configure Authorization Rules for Hotspot and Self Register Portal

Step 1

On the ISE GUI, go to Policy > Policy Elements > Results > Authentication > Allowed
Protocols. Click Add to create a new Allowed Protocol called HostLookup.
a. Define the HostLookup as shown below

b. Select only [ Process Host Lookup ], uncheck all the remaining, and click on Submit.
Step 2

Go to Policy > Authentication and ensure that the authentication policy is configured as below:
a. Modify the rule MAB.
b. Under Allowed Protocols select HostLookup
c. Select Identity Source Internal Endpoints
d. Select Continue for If user not found
e. Click Done
Step 3

The updated policy should look like below:

MAB: If Wired_MAB OR Wireless_MAB, allow protocols HostLookup and use Internal Endpoints (Reject / Continue / Drop)

Info for saving time: The following table and screenshot show how we are setting up the authorization policy for HotSpot and Guest
Access. If you would like to attempt this without following the steps, then please do, or continue on with the steps below the
screenshot. Remember that after you enter your first rule above Default you can use Duplicate above instead to save time. Don't forget
to click Save, and then continue with the next lab exercise.

Step 4

Go to Policy > Authorization to add four Authorization Policy rules, as shown below, with the Rule
Names Guest Internet Access, Guest Redirect, Hotspot Internet Access and Hotspot Redirect.
Also, disable the Basic_Authenticated_Access rule.
S | Rule Name | Identity Groups | Other Conditions | Permissions
...
 | Basic_Authenticated_Access | Any | Network_Access_Authentication_Passed | PermitAccess
 | Guest Internet Access | Any | NormalizedRadius:SSID ENDS_WITH guest AND NetworkAccess:UseCase EQUALS Guest Flow | Guest Permit
 | Guest Redirect | Any | NormalizedRadius:SSID ENDS_WITH guest | Guest Redirect
 | Hotspot Internet Access | GuestEndpoints | NormalizedRadius:SSID ENDS_WITH hotspot | Guest Permit
 | Hotspot Redirect | Any | NormalizedRadius:SSID ENDS_WITH hotspot | HotSpot Redirect
 | Default | Any | | DenyAccess

Step 5

Configure Authorization Policy for Hotspot Redirection


a. Click the arrow to the right of Edit of the Default Rule and insert a new rule above
b. Enter Rule Name as Hotspot Redirect
c. Click the + next to Condition
d. Choose Condition > Create New Condition
e. Select attribute NormalizedRadius:SSID Ends With hotspot
f. Under Permissions click + > Select an item > Standard > Hotspot Redirect
g. Click Done
Step 4

Configure Authorization Policy for Hotspot Internet Access


a. Click the arrow to the right of Edit of Hotspot Redirect and duplicate above, then change the
values to the following

Info for saving time: Remember to use Duplicate above and then change what is needed instead of inserting new fresh policies

Rule Name: Hotspot Internet Access
Identity Group: Endpoint Identity Group > GuestEndpoints
Conditions: Create New Condition > Select Attribute NormalizedRadius:SSID Ends With hotspot
Permissions: Guest Wireless Internet

b. Click Done
Step 5

Configure Authorization Policy for Guest Redirect

a. Click the arrow to the right of Edit of HotSpotInternetAccess and duplicate above

Rule Name: Guest Redirect
Identity Group: Any
Conditions: Create New Condition > Select Attribute NormalizedRadius:SSID Ends With guest
Permissions: Standard > Cisco_WebAuth

b. Click Done
Step 6

Configure Authorization Policy for Guest Permit

a. Click the arrow to the right of Edit of GuestRedirect and duplicate above

Rule Name: Guest Internet Access
Identity Group: Any
Conditions: Create New Condition > Select Attribute NormalizedRadius:SSID Ends With guest;
add another attribute/value NetworkAccess:UseCase EQUALS Guest Flow
Permissions: Standard > Guest Wireless Internet

b. Click Done
Don't forget to click Submit.
Hotspot and Guest Authentication/Authorization setup has been completed. Let's now look at the Default Hotspot Portal.
The default settings are a good start. We will also go over some of the cool extras to go along with it.
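
The rule table from Step 4 of this exercise only behaves as intended when it is evaluated top-down with the first matching rule winning, which is assumed here. The following Python model is an added example (not part of the lab guide and not ISE code) that runs constructed sessions through that table, then shows what a swapped rule order or a re-enabled Basic_Authenticated_Access rule would do. The Session fields, the SSIDs 02-hotspot and 02-guest, and the auth_passed flag are assumptions made for the illustration.

```python
# Added example: first-match model of the lab's authorization rule table.
# Rule names, conditions and permissions are copied from the lab table; the
# evaluator, the Session fields and the sample sessions are constructed.
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Session:
    ssid: str                        # NormalizedRadius:SSID
    endpoint_group: str = "Unknown"  # endpoint identity group of the MAC
    use_case: str = "Host Lookup"    # NetworkAccess:UseCase
    auth_passed: bool = False        # assumed input for Network_Access_Authentication_Passed


@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: str              # "Any" or one endpoint identity group
    condition: Callable[[Session], bool]
    permission: str
    enabled: bool = True

    def matches(self, s: Session) -> bool:
        group_ok = self.identity_group in ("Any", s.endpoint_group)
        return self.enabled and group_ok and self.condition(s)


LAB_POLICY: List[Rule] = [
    Rule("Basic_Authenticated_Access", "Any",
         lambda s: s.auth_passed, "PermitAccess", enabled=False),
    Rule("Guest Internet Access", "Any",
         lambda s: s.ssid.endswith("guest") and s.use_case == "Guest Flow",
         "Guest Permit"),
    Rule("Guest Redirect", "Any",
         lambda s: s.ssid.endswith("guest"), "Guest Redirect"),
    Rule("Hotspot Internet Access", "GuestEndpoints",
         lambda s: s.ssid.endswith("hotspot"), "Guest Permit"),
    Rule("Hotspot Redirect", "Any",
         lambda s: s.ssid.endswith("hotspot"), "HotSpot Redirect"),
    Rule("Default", "Any", lambda s: True, "DenyAccess"),
]


def authorize(policy: List[Rule], s: Session) -> Tuple[str, str]:
    """Return (rule name, permission) of the first enabled rule that matches."""
    for rule in policy:
        if rule.matches(s):
            return rule.name, rule.permission
    raise ValueError("policy has no catch-all rule")


def never_matched(policy: List[Rule], sessions: List[Session]) -> List[str]:
    """Enabled rules that none of the given sessions reaches (shadowed rules)."""
    hit = {authorize(policy, s)[0] for s in sessions}
    return [r.name for r in policy if r.enabled and r.name not in hit]


def swap(policy: List[Rule], a: str, b: str) -> List[Rule]:
    """Copy of the policy with rules a and b exchanging positions."""
    names = [r.name for r in policy]
    i, j = names.index(a), names.index(b)
    out = list(policy)
    out[i], out[j] = out[j], out[i]
    return out


def with_enabled(policy: List[Rule], name: str) -> List[Rule]:
    """Copy of the policy with the named rule switched on."""
    return [replace(r, enabled=True) if r.name == name else r for r in policy]


# Constructed sessions, one per stage of the two guest flows.
NEW_HOTSPOT = Session("02-hotspot")                        # first MAB, MAC unknown
REGISTERED_HOTSPOT = Session("02-hotspot", "GuestEndpoints",
                             auth_passed=True)             # after AUP acceptance
NEW_GUEST = Session("02-guest")                            # before portal login
LOGGED_IN_GUEST = Session("02-guest", use_case="Guest Flow",
                          auth_passed=True)                # after portal login
OTHER_SSID = Session("02-corp")                            # not a guest SSID
SAMPLES = [NEW_HOTSPOT, REGISTERED_HOTSPOT, NEW_GUEST, LOGGED_IN_GUEST, OTHER_SSID]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.ssid:11} {s.endpoint_group:15} -> {authorize(LAB_POLICY, s)}")
    misordered = swap(LAB_POLICY, "Hotspot Internet Access", "Hotspot Redirect")
    print("shadowed when misordered:", never_matched(misordered, SAMPLES))
    open_policy = with_enabled(LAB_POLICY, "Basic_Authenticated_Access")
    print("Basic rule enabled:", authorize(open_policy, REGISTERED_HOTSPOT))
```

In this model, placing Hotspot Redirect above Hotspot Internet Access keeps a registered endpoint in the redirect state, and enabling Basic_Authenticated_Access hands a known endpoint PermitAccess instead of the ACL-restricted Guest Permit profile.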

End of Exercise: You have successfully completed this exercise.

Lab Exercise 3: Configure Hotspot with basic customization
Exercise Description
In this exercise you will configure the minimal settings, plus a few minor customizations, to set up
the hotspot portal. There are many options, features and functions for setting up and customizing
Guest to play with later on your own.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Configure Hotspot Settings

Work with basic customization

Step 1 Click Work Centers > Guest Access > Configure > Guest Portals

Notice how the default portals indicate they have been configured in an authorization policy.
It also explains what each of the portals is used for. This makes it easier to set up and
troubleshoot.

Step 2 Click on the Hotspot Guest Portal (default) and click Edit

Let's highlight some of the new settings that make hotspot operational. Note this is also known as DRW
(Device Registration Web Auth) and it is meant for simple registration of a device MAC address with a
splash page, optional AUP and other options.
Step 3 Navigate to the section under Portal Settings that shows the Endpoint Identity Groups and
Purging.

Step 4 Look at the following settings, Guest Endpoint and Purging, and leave these at their defaults.

GuestEndpoints:
This Hotspot configuration by default will automatically take the MAC address from the MAB (MAC
authentication bypass) and place it into the GuestEndpoints group. Remember that in our authorization policy
we based GuestInternet Access off GuestEndpoints as an identifier. This group could be changed so
that you have different Endpoint groups for different portals or types of access. It's also available in the
self-registered and sponsor portal types. Don't change this group.
Purging:
Follow the link Administration > Identity Management > Settings > Endpoint to open a new tab to the ISE
Endpoint Purge policy rules. The rule GuestEndPointsPurgeRule will remove the guest device after 30
days. The purge runs once a day.
Step 5 Go back to the tab for Hotspot. Click on the little arrow next to Portal Settings to collapse this
section.
Step 6 Under the Acceptable Use Policy (AUP) Page Settings notice Include an AUP is already
enabled.
Step 7 Check the box to enter an access code of iseiscool. An access code is used to protect the open
SSID from those outside of your business getting Internet access. This can also be
configured for self-registration and sponsor approval flows.

Step 8 Notice the flow chart on the right side of the screen updates in real time: if you change/add/remove a
component you see the changes immediately. Try toggling the checkbox Include An AUP off
and on and notice the difference.
To send the user to a welcome page upon a successful login, configure the success page to go to a static
URL.
Step 9 Scroll down to the section Authentication Success Settings
Step 10 Enter URL: http://www.cisco.com

Step 11 Scroll to the top of the page and click Save

Step 12 Click on the Page Customization section at the top of the page

ISE gives you basic customization built right into the product. It also makes it easier to see
what changes you are making in real time. We won't go into detail on all of these, but to start,
notice that at the top of the page you can change things like the logos, banner and main text
elements. You can also choose from some built-in color themes.

Step 13 Let's start by messing with the portal theme. Click on the pull-down and pick the High Contrast
Theme. Notice how the Preview window in the bottom right of the screen shows the changes.
Step 14 Now click on the Tweaks button to see how you can change the colors a little more. Feel free
to play around a little; click on the Page Background Color. When done, click OK. Tweaking
the button color requires advanced customization using CSS and themes (e.g. jQuery Theme Roller, not
covered in this class). Now that you have played around with the tweaks, go back to the Portal
Theme and change it back to the Default Blue Theme.
Step 15 Let's upload a logo and a banner
Step 16 On the workstation, using Firefox and in a new tab, click on the bookmark for tools/guest.
Step 17 Click on the link for iseiscool-images.zip

Step 18 Check Save File and click OK; the file will be saved to C:\Users\admin\Downloads

Step 19 Click on the download arrow in the upper right of Firefox, right-click on the downloaded file
and select Open containing folder to open the location it downloaded to

Step 20 Right click on the package and choose the option to Extract All
Step 21 Use the default location C:\Users\admin\Downloads\iseiscool-images
Step 22 Click Next and OK to close the window, then close all tabs and explorer windows for the download
process
Step 23 Go back to the ISE tab in Firefox
Step 24 Upload the banner and logo for mobile (iseiscool_logo_hotspot.png & iseiscool-banner.png) from
the location C:\Users\admin\Downloads\iseiscool-images

Note: Use the same logo for both mobile and desktop

Step 25 Remove the text for Banner title as it is part of the logo (you may need to click in another place on
the page for the mobile preview to refresh)

Step 26 Below this main section where you can tweak the overall look and feel, you can also go into each
of the pages. Depending on your portal settings and portal type you will see different options on
the left-hand side of the page. You can also tweak the text in the different areas on the page.

Step 27 After some basic customization is done, check out the desktop preview (same as the portal test
URL at the top of the page) by clicking on the option in the bottom right of the mini preview.
Note: You can test the full flow without using a real client.

Step 28 Close the desktop preview

Step 29 Click Save at the top of the page

You have now completed setup of the Hotspot Portal. Next step is to try it out.

End of Exercise: You have successfully completed this exercise.

Lab Exercise 4: Test the Hotspot Portal


Exercise Description
In this Exercise you will work with the hotspot portal you configured

Exercise Objective
In this exercise, your goal is to complete the following task(s):

Test the hotspot Portal

Step 1

Enable SSIDs hotspot and guest in WLC

a. Login to the WLC web portal @ https://wlc.demo.local as admin / ISEisC00L
b. Menu WLANs
c. Select WLAN ID 2 ##-hotspot, Enable Selected from the drop-down next to Go, and hit Go.

Step 2

From the workstation double click on the icon VNC-to-iPad on the desktop and press any key
to continue. The VNC will launch and show the iPad screen.

Step 3

If not already on the home screen, right click on the screen

Step 4

Go to Settings > Wi-Fi

Step 5

If Wi-Fi is disabled then turn it on and skip past the clean up steps

Here are the steps to start with new session (clean-up)


a. On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if
present.
Note: You might not see the Profiles menu option when no profile is installed on the iPad.

b. Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies
and Data.
c. Forget any networks the device is automatically connecting to
d. Disable the Wi-Fi
e. On the Windows workstation, navigate to Admin > Identity Management > Identities >
Endpoints and delete the iPad. You can delete anything in the list as there should only be
your iPad connected
f. Launch Firefox, go to wlc, and login.
g. On the wlc click on Monitor then Clients on the left side bar
h. Find your wireless session (there should only be one), click on the MAC address and then
click Remove in the upper right of the window
i. Go back to the iPad and enable the Wi-Fi
Step 6

On the iPad from the list of wireless networks find the one that shows ##-hotspot, click to
connect to it.

Step 7

Once you're connected to the hotspot (shown in the upper left of the iPad screen), right click on
the iPad screen to show the home screen and then launch Safari.

Step 8

Using Safari, enter a site to visit, cisco.com; you will be redirected to the hotspot portal

Step 9

Enter the passcode iseiscool and click Accept

Step 10

You are redirected to www.cisco.com page. This was configured in Step 10 of Lab Exercise 3.

Step 11

Enter cisco.com

Step 12

Navigate to Operations > RADIUS > Live Logs and look at the events that came through.

a. When the iPad first comes in via MAB from the hotspot SSID, it is redirected to the hotspot portal
b. After AUP acceptance, the device is authorized by the GuestEndpoints group on a separate
line.
Step 13 Clean up the iPad connection before continuing on with self-registration
a. Close the browser tab on the iPad
b. Right click to go to the home screen
c. Forget the hotspot network on the iPad, and make sure it's not connecting to another network;
if it is, also forget that network.
d. Turn Wi-Fi off
e. Navigate to Context Visibility > Endpoints > Endpoint Classification and delete the
iPad. You can delete anything in the list as there should only be your iPad connected

HOTSPOT COMPLETE! You have now completed setup and testing of the Hotspot Portal.
Next let's look into Self-Registration with Sponsor Approval

End of Exercise: You have successfully completed this exercise.

Lab Exercise 5: Configure Settings for Self-Registration with sponsor approval flow
Exercise Description
In this Exercise you will configure the minimum settings to exercise the self-registered flow with
sponsor approval

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Configure Guest Settings
Configure Sponsor Groups
Configure Self Registration Portal

Step 1 Set up Guest settings to work for Self Registration

a. Navigate to Work Centers > Guest Access > Settings
b. Click Guest Email Settings
c. Click on the link to configure SMTP server mail.demo.local
d. Close the external page
e. Verify Enable email notifications to guests
f. Verify sponsor@demo.local as the Default From email address
g. Verify selecting Send notifications from sponsor's email address (if sponsored)
h. Click Save
i. Click Guest Locations and SSIDs

Important Info: This setting is needed because the default location is San Jose, while the workstation is using UTC as its time zone, so we need to
add a location of UTC for it to create an account with a valid start time. This is instead of having to choose from a LONG list of
time zones as in prior ISE releases.

j. Enter a Location Name as UTC and Time zone as UTC
k. Click Add
l. Click Save

Note: If you see a UI WAP Error please refresh the page or log off and back in.

Step 2 Setup AD sponsor group in All_Accounts

a. Navigate to Work Centers > Guest Access > Configure > Sponsor Groups
b. Click on ALL_ACCOUNTS > Edit
c. Click the Members button and move Domain Users over to the Selected User Groups

d. Click OK
Step 3 Configure Guest Locations for this sponsor

a. Under Select the locations that guests will be visiting, choose UTC
Critical Info: It is important to set up the location where your user(s) are located; otherwise, when the account is created it will
use San Jose by default, while the browser of the sponsor (workstation) is set to use UTC time. The account won't be active until
many hours later, since it was created using SJC time. When setting up Guest, it is critical to create the locations your sponsors
will be using for visiting guests. Our admin machine is in UTC time, so the guest accounts need to be created per UTC time in order
for the account to be active.
If you have trouble viewing this, try setting it using Internet Explorer, or log out and then log back in.

Step 4 Allow the Sponsor to send SMS (text messages) for notifying guests of their credentials

a. Scroll down to the section that says Sponsor Can
b. Check the box that says Send SMS notifications with guests' credentials
Step 5 Now scroll to the top of the page and click Save
Step 6 Click Close
Step 7 Configure Self Registration Portal
Step 8 Click on Guest Portals > Self-Registered Guest Portal (default)
Step 9 Click Edit
Step 10 Expand Self-Registration Page Settings

Step 11 Under Guests can choose from these locations to set their time zone, pick UTC.

Critical Note: This was discussed earlier, in Step 3.

Take a quick note of the SMS Service Provider information.
Note: We are using a global provider to cover any mobile number, since the lab participants could be from anywhere in the world. We
are using Clickatell as the provider, and their account covers many countries and service providers:
https://www.clickatell.com/pricing-and-coverage/standard-coverage/
As with the locations, if you only have one choice it won't be displayed. There are other built-in providers; these are examples of
free providers in the U.S., and you can configure other providers if needed. Free providers would be listed for a guest to choose
from so that the site being visited doesn't have to pay for the texting. A global default would be used as a paid service to choose
in case the guest's provider is not in the list. There are also new options to use SMTP and HTTP API SMS providers, which open up
ISE to work with many more providers. ISE 1.2 was restricted to SMTP-based providers and was severely limited in its customization,
so it could only work with a select few. Read more in the admin guide.

Step 12 Check the box to the right of Person being visited so that the field is required when doing self-registration. This will
require a guest to enter the email address of the employee they are visiting.
Info only: There is currently no way in ISE to verify the email or name of the person being visited. This could be done with
advanced customization by integrating with an external LDAP for the lookups.

Step 13 Check the box to Require self-registered guests to be approved

a. Email approval request to: person being visited

Info only: If choosing sponsor email addresses listed below, it could be the email of a sponsor or a group of sponsors.

Step 14 After registration submission, direct guest to: Login page with instructions about how to obtain login credentials

Step 15 Check that both Email and SMS are checked under Send credential notification upon approval using:
Important Info: This could also be the email of a sponsor or a group of sponsors. System behavior for email and SMS notifications:
There is currently no way to let a guest choose between email and SMS for notification. If you check both, then both will be
required. If you check Email, the guest will be required to enter an email address and only email notification will work (even if
the user enters their phone number). The same holds true if you check SMS: the guest must enter a phone number, and email
notification won't work even if they entered an email address. For this demo we are showcasing both.

Step 16 Scroll to the top of the page and click Save


Step 17 Now access Portal Page Customization
Step 18 Click on Self-Registration

Step 19 Scroll to the section: Login page message

Change the text from:
An email or an SMS message has been sent to you containing your sign on credentials.
To:
After the person you are visiting approves your account, you will be notified by email or text the credentials needed to login

Step 20 Click Save and Close.

You have now completed the setup of self-registration with sponsor approval.

End of Exercise: You have successfully completed this exercise.
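The time-zone mismatch described in the Critical Info under Step 3 (and referenced again in Step 11), worked through as an added example that is not part of the original lab guide. It assumes, as that note describes, that the sponsor's wall-clock start time is interpreted in the time zone of the selected guest location; the fixed PDT offset, account names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets for the guest locations. Assumption: the lab date is in
# July 2016, when San Jose observes PDT (UTC-7).
LOCATION_TZ = {
    "San Jose": timezone(timedelta(hours=-7), "PDT"),
    "UTC": timezone.utc,
}


def validity_window(wall_start, duration, location):
    """Return (start, end) in UTC for a naive wall-clock start time that is
    interpreted in the time zone of the selected guest location."""
    start = wall_start.replace(tzinfo=LOCATION_TZ[location])
    end = start + duration
    return start.astimezone(timezone.utc), end.astimezone(timezone.utc)


def activation_delay(now_utc, wall_start, location):
    """Time until the account becomes usable (zero if it already is)."""
    start_utc, _ = validity_window(wall_start, timedelta(0), location)
    return max(start_utc - now_utc, timedelta(0))


def is_active(now_utc, wall_start, duration, location):
    """True when now_utc falls inside the account's validity window."""
    start_utc, end_utc = validity_window(wall_start, duration, location)
    return start_utc <= now_utc < end_utc


def audit(accounts, now_utc):
    """Return {username: delay} for accounts that are not active yet."""
    late = {}
    for acct in accounts:
        delay = activation_delay(now_utc, acct["wall_start"], acct["location"])
        if delay > timedelta(0):
            late[acct["username"]] = delay
    return late


# Constructed sample: the sponsor workstation clock shows 09:00 (UTC) and the
# sponsor asks for an account that starts "now" and lasts 8 hours.
NOW_UTC = datetime(2016, 7, 28, 9, 0, tzinfo=timezone.utc)
WALL_START = datetime(2016, 7, 28, 9, 0)  # naive: as typed by the sponsor
ACCOUNTS = [
    {"username": "guest-default-location", "wall_start": WALL_START,
     "location": "San Jose"},
    {"username": "guest-utc-location", "wall_start": WALL_START,
     "location": "UTC"},
]

if __name__ == "__main__":
    for user, delay in audit(ACCOUNTS, NOW_UTC).items():
        print(f"{user}: not active for another {delay}")
```
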


Lab Exercise 6: Test the self-registration with approval flow
Exercise Description
In this exercise you will test the steps needed to do self-registration with sponsor approval.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Access the guest portal
Create an account
Sponsor approves the account
Guest receives notifications
Guest accesses the portal and gets access

Step 1 Enable SSID guest in WLC
a. Log in to the WLC web portal at https://wlc.demo.local as admin / ISEisC00L
b. Menu WLANs
c. Select WLAN ID 2 ##-hotspot, choose Disable Selected from the drop-down next to Go, and hit Go.
d. Select WLAN ID 3 ##-guest, choose Enable Selected from the drop-down next to Go, and hit Go.
Step 2 From the workstation, double-click the VNC-to-iPad icon on the desktop and press any key to continue. The iPad screen
will launch.

Step 3 If not already on the home screen, right-click on the screen

Step 4 Go to Settings > Wi-Fi

Step 5 If Wi-Fi is disabled then turn it on and skip past the clean-up steps below
Here are the steps to start with a new session on the iPad (clean-up):
a. On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if present.

Note: You might not see the Profiles menu option when no profile is installed on the iPad.

b. Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
c. Forget any networks the device is automatically connecting to
d. Disable the Wi-Fi
e. On the Windows workstation, navigate to Admin > Identity Management > Identities > Endpoints and delete the iPad. You can
delete anything in the list, as there should only be your iPad connected.
f. Launch Firefox, go to the WLC, and log in.
g. On the WLC click on Monitor, then Clients on the left side bar
h. Find your wireless session (there should only be one), click on the MAC address and then click Remove in the upper right
of the window
i. Go back to the iPad and enable the Wi-Fi

Step 6 On the iPad, from the list of wireless networks find the one that shows ##-guest and click to connect.



Step 7 Once you're connected (shown in the upper left of the iPad screen), right-click on the iPad screen to show the home
screen and then launch Safari.

Step 8 Using Safari, enter a site to visit, such as cisco.com. You will be redirected to the guest portal.

Step 9 Click on Don't have an account

Step 10 Create a guest account using the following info (at a minimum these are basic to show the flow):

Attribute | Value | Description
Username | iseiscool | This could be anything the user chooses.
Email address* | guest@demo.local | To receive email notification of credentials once account is approved, this must be entered as it is.
Phone number* | 12025550133 | Enter your phone number with country code, e.g. US is 1. If you don't want to receive a text then enter a bogus number, 12025550133
Location* | UTC | The time zone used to express the from and to times of the guest account validity.
Person being visited (email)* | sponsor@demo.local | This is a new field that works in the approval flow to allow an employee to receive an email where they can go and approve their visiting guest.

Click Register

Defect Note: A message will be shown notifying you that you will be sent the credentials via email and text. There is currently
a bug where the message instead says you have been sent credentials while you're still waiting for credentials.



Step 11 You are redirected to the login page with instructions on how to connect. This message, as customized, says that once
approved you will be sent the credentials.

Step 12 Approve the account.

Step 13 From the admin PC's Firefox, click the bookmark mail.

Step 14 Log in to SquirrelMail using sponsor/ISEisC00L

Info only: The email says there is a guest approval request. This can be customized (changing logo, text, color, font with HTML).
You can also add a message that will link directly to the sponsor portal for easy access to the person approving the request.

Note: Due to CSCuz51077 in ISE 2.1 FCS, the email format will show incorrectly.

Step 15 Sign out of the webmail client; you will need to log in later as another user.

Step 16 In the absence of a hyperlink to the sponsor portal, in the Firefox browser click on the sponsor shortcut to
sponsor.demo.local

Step 17 Log in to the sponsor portal as sponsor/ISEisC00L

Step 18 Navigate to Pending accounts

Step 19 Select the user and click Approve

Step 20 Enter the email address of the sponsor here as sponsor@demo.local

Info only: This is the only way to set the sponsor's email address in the system. This email is used to receive a copy of
the requests when notifying a user of their credentials. It will be saved the first time it's entered. The employee (person
visiting) would enter their email address here.



Step 21 Get your credentials and log in

Step 22 Open up a web browser to mail.demo.local and log in as guest/ISEisC00L

Step 23 Click on the email or SMS and take down the username and password

Step 24 Return to the iPad VNC Safari screen

Step 25 Log in with the credentials iseiscool/xxxxx

Step 26 Click through the AUP and success screens

Step 27 On the final page type in your original URL again

Step 28 Navigate to Operations > RADIUS > Live Logs and look at the sessions that came through.

a. When you first come in, MAB with the SSID of guest is redirected to the self-registration portal
b. After login you are authorized on Guest Flow to Permit Access
Warning: If you see the message Maximum Devices Reached, then please follow the steps below to clean up the iPad connection.
This was caused because the endpoint is already in the store after BYOD and you didn't delete it after you ran through the hotspot.

Step 29 Now clean up your endpoint and connection

a. Close the tab on the browser
b. Right-click on the screen
c. Go to Settings > Wi-Fi
d. Forget the guest network
e. Disable Wi-Fi
f. Navigate to Context Visibility > Endpoints > Endpoint Classification and delete the iPad. You can delete anything in the
list, as there should only be your iPad connected.
g. Remove the wireless session from the controller: Monitor > Clients

Note: If you ran through the cleanup after getting the Maximum device limit reached message, then you can do the following to try it again.
1. Enable Wi-Fi
2. Open Safari and try to get to cnn.com
3. Enter the necessary credentials to log in again

You have now completed the test of self-registration with sponsor approval flow.

End of Exercise: You have successfully completed this exercise.


Lab Exercise 7: Configure Settings for Sponsored Access
Exercise Description
In this exercise you will go through the steps needed to set up a portal to manage accounts as a
Sponsor for Guests and a portal for these guests to access the network.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Configure additional Guest Settings
Setup Sponsored Guest Portal
Work with guest types
Update Sponsor Group settings
Configure the default sponsor portal

Configure additional Guest Settings

Step 1 Using Firefox, log in to ISE at https://ise-1.demo.local/admin/ (or use the bookmark) with username admin and
password ISEisC00L

Step 2 Navigate to Work Centers > Guest Access > Settings > Custom Fields
Step 3 Set up some custom fields for your contractors that Sponsors can use when creating an account:

Enter the following information per the table, clicking Add after each entry:
Custom Field Name | Data type | Tip text
Badge No. | Number | Enter Badge Number
Manager | String | Enter Manager

Don't forget to click Save.

Step 4 Set up a Guest SSID variable, used for information purposes when notifying guests of what network they should be
connecting to

Click on Guest Locations and SSIDs

Under Guest SSIDs add in ##-guest where ## is your pod #.
Example: pod2 would be entered as 02-guest

Don't forget to click Save.


Setup Sponsored Guest Portal

Step 5 Navigate to Work Centers > Guest Access > Configure > Guest Portals
Step 6 Edit the Sponsored Guest portal (default)
Step 7 Under Portal Settings

Employees using this portal as guests inherit login options from: We will use the default, Contractor

Step 8 Collapse all setting areas until you get to Post-Login Banner page
Step 9 Under Post-login banner page settings, uncheck Include a Post-Login Banner page.

Notice how the flow chart changed on the right

Note: This will remove one of the pages that the user is required to click through. It could be used to post coupons,
advertisements, announcements, etc., so that there is a screen available before redirecting to an Original URL or static
page; otherwise this can be done on the success page.
Step 10 Click Save at the top of the page
Note: There really isn't much to a Sponsored Guest portal; that's it, with a tweak to make the flow shorter. You can
customize this portal just like any other Guest Portal, with the same customization and branding.

Work with Guest Types

Step 11 Navigate to Work Centers > Guest Access > Configure > Guest Types
Note: Guest Types are used with the credentialed guest portals such as Self-Registration and Sponsored. Under
self-registration with sponsor approval we used the default Contractor type, which allows access for 90 days by
default. For Self-Registration without approval a nice default is the Daily guest type, as it only has 1-day access.
For sponsored we will look at the Contractor type options.

Step 12 Select Contractor and then Edit

Step 13 Select Custom Fields

Choose the upper left checkbox to select them all


Click OK
Set all of these to be required. We will use them later when creating an account and see how they are reported.

Step 14 Navigate to the Login Options section and look at some of these settings:

Max simultaneous logins - This is a configurable option for each guest type.

Store device information in endpoint identity group - For hotspot this is configured in the portal settings; for
credentialed portals it's set per Guest Type. This can also be used to separate your endpoint group purge policies:
hotspot might require acceptance of the AUP daily, self-registered users could be required to log in once a week, and
sponsored guests (like contractors) might only need to log in and accept an AUP every month.

Allow Guests to bypass the Guest Portal - Prior to 1.3 this was known as ActivatedGuest. When using this option the
guest is not required to be redirected to a login or AUP portal, and it can be used with more secure options (802.1X
and VPN access).

Step 15 Lastly, let's look at Sponsor Groups. This is basic but a new way of working with groups: if you are a sponsor
and part of any of these groups, then you can use this Guest Type.

Step 16 At the top of the Contractor Guest Type page, click Save and Close

Setup the default Sponsor Portal

Step 17 Navigate to Sponsor Portals > Sponsor Portal (default) and click Edit



Note: Up until this point you have been working with the Guest Portals. The Sponsor Portals are configurable the
same way. Settings and Customization are the same and allow for a consistent experience. Here, to save
time and since you already went through basic customization, we will set up only what is needed (and a few
nice options) to make this flow work.

Step 18 Under portal settings, let's look at a few options

Each portal can have its own certificate. The certificate is tied to a specific combination of Allowed interface and
HTTPS port; the product documentation has a paragraph explaining this and some examples of combinations.

SSIDs available to sponsors: This gives the sponsor the ability to choose from a list of guest networks a user would
connect to. This field is used in notifications to those guests when notified via email/SMS/print. You will see this
used later on. Choose the SSID you configured before; e.g., 02-guest

Step 19 Click Save at the top of the page

Step 20 Now access Portal Page Customization

Step 21 Collapse Portal Access

Step 22 Under Create Accounts, click on Create Account for Known Guest


Click on settings above the preview pane

Uncheck the following options:
o Company
o Person Being Visited
o Reason for Visit

Note: The custom fields are already associated with this guest type. Please do not select them again here.

Step 23 Collapse Create Accounts

Step 24 Under Notify Guests, click on Email Notification

Modify the template to include the SSID variable
In the email introduction text editor insert text on the second line:
Welcome to the ISE training lab, the wireless network you will connect to is:
$ui_ssid$
Click on insert variable Guest - SSID

Note: The variable icon X could be blocked by the preview pane if your browser screen is not wide enough.
Step 25 Click on SMS notification

Put in the following message: Please connect to the network: $ui_ssid$

Step 26 At the top of the page, click Save

You have now completed setup of the Sponsored Guest Flow.

End of Exercise: You have successfully completed this exercise.



Lab Exercise 8: Test Sponsored Guest Flow
Exercise Description
In this exercise you will go through the Sponsored Guest Flow, first as an administrator creating
an account and then as a guest using those credentials to access the network.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Preview the Managed Accounts option
Create a Known Guest Account using the Sponsor Portal
Receive customized notifications via email and SMS

Preview the Managed Accounts Option

Step 1 Navigate to Work Centers > Guest Access > Manage Accounts
Step 2 At the top of the page click on Managed Accounts

The Managed Accounts option is a quick, easy way to see all the accounts and perform sponsor actions. The admin
account is auto-authenticated and not part of any sponsor group. It has permissions to do everything and see
everything, except that if the guest changes their password the admin won't be able to see it (just like any other
sponsor). If the sponsor portal session terminates for any reason, the admin will have to go back to the admin UI to
get back in, or log in with a valid sponsor account. Their admin credentials will not get them back in unless the
account is part of a sponsor group. This was just a preview, and we will be using the sponsor portal to do our work.

Create a Known Account using the Sponsor Portal

Step 3 Click on the Firefox bookmark to access the sponsor portal; here you are using the FQDN to access this portal

Step 4 Log in as sponsor / ISEisC00L

Step 5 Create a Known Account using the info from the table below

Attribute | Value | Description
First Name & Last Name | Your first and last name | Please enter your first and last name
Email address | guest@demo.local | Mandatory: To receive email notification of credentials, guest@demo.local
Phone number | 12025550133 | Mandatory: Enter your phone number with country code, e.g. US is 1. If you don't want to receive a text then enter a bogus number, 12025550133
Badge # | A badge number like: 123 | Mandatory: This is to show using custom fields, will be also showcased later using Guest Reporting
Manager | Enter a manager name: Mickey Mouse | Mandatory: This is to show using custom fields, will be also showcased later using Guest Reporting
Group tag | EBC | Mandatory: This is for a sponsor to group guest accounts for a specific function. Let's say the EBC (Executive Briefing Center) at Cisco tags with EBC, this way they can later sort on EBC Guests for reporting purposes
Location | UTC |

Step 6 Click Create

Step 7 At the bottom of the Account Information screen, click notify

Step 8 Select both SMS and Email options (optionally you can copy yourself as the sponsor using the Copy Me checkbox)

Step 9 Enter the email address of the sponsor, sponsor@demo.local
Note: This is the only way a sponsor can add or change their email address to receive notifications for sponsor
approval or to be copied on a guest's credentials when being created.

Step 10 Click OK to send the notifications



Step 11 After the account is created and the user notified, you can search on the group tag. Type EBC in the search window.

Receive customized notifications via email and SMS

Step 12 Check out the notifications you received
a. SMS receipt: If you put in your cell phone number you should see a text with all the info (including the SSID to
connect to)
b. Email receipt:
i. In Firefox open a new browser tab and click on the mail bookmark
ii. Log in as guest / ISEisC00L
iii. Notice the customized text also shown here for the SSID variable

Note: Due to CSCuz51077 in ISE 2.1 FCS, the email format will show incorrectly.
Note: We won't be logging into the portal you created, as you are familiar with how this works after using the Self
Registration Portal Flow. The only difference with this flow is that you're using credentials created by a
Sponsor. This lab was to show you the needed pieces to get this particular flow configured and working.

You have now completed the test of the Sponsored Guest Flow.

End of Exercise: You have successfully completed this exercise.


Lab Exercise 9: Work with Guest Reporting
Exercise Description
In this exercise you will go through the new Guest Reports available. ISE 1.3 introduces fixes and
new reports to cover all the needed options for guest reporting, including custom fields and guest
activity reporting.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Familiarize yourself with ISE Guest reports.

Step 1 Navigate to Operations > Reports

Step 2 Expand ISE Reports > Guest

There are several options for reports. Click through each of them to understand what they are used for,
and run the report to see the results if you like:

AUP Acceptance Status - shows you information on what devices and/or users accepted AUPs
on what portals; this is an AUP for all guest portals (including Sponsor)

Sponsor Login and Audit - shows sponsor activity such as logins and anything they added or
modified for guest accounts

Step 3 Click on Sponsor Login and Audit

Let's modify the columns seen so that we can work with the Optional Data field:
Step 4 Set up per the screenshot below:
a. Uncheck MAC & IP Address, Operation
b. Check Optional Data
c. Once complete, click Close
d. Now click on the optional data and see it expanded in a larger box



e. Next try setting up a filter on this information:
i. Click Filters
ii. Select Optional Data
iii. Click OK
iv. Type in Mickey Mouse to find all guests (contractors) with that hiring manager.
v. Click Run

f. I messed with the account a few times so there are multiple entries shown in my example:

My Devices Login and Audit - for BYOD devices, shows user activity in the My Devices portal

Master Guest Report - The Master Guest report combines data from various Guest Access
reports into a single view, enabling you to export data from different reporting sources. This
report collects all guest activity and provides details about the web sites that guest users visit.
In this setup we don't track what sites the user is going to; however, here is a sample. There
are requirements for the firewall to send syslog information to the ISE M&T node for inclusion in
this report; please refer to the product documentation for more information.


Guest Accounting - The Guest Accounting report is a subset of the RADIUS Accounting
report. All users assigned to Guest identity groups appear in this report.

End of Exercise: You have successfully completed this exercise.

End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
