Professional Documents
Culture Documents
Lab Overview
This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine
(ISE) in a Guest environment. This lab will show you how to setup and configure Guest Access
Management with ISE. Cisco ISE Guest gives sponsors/employees/lobby ambassadors the ability
to create a guest account and send it to a guest. Guests can also create their own accounts and
the additional ability can be required for guests to get approval by a sponsor or person they are
visiting. There are three built-in types of guest portals: Hotspot, Self-Registered, and Sponsored.
We will be working with the first two use cases (hotspot and self-registered) in this lab. The selfregistered portal is essentially the same as sponsored (without the setting to allow self reg)
Lab participants should be able to complete the lab within the allotted time of 3 hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 1: Configure Authorization Profiles for Guest Hotspot and Self Registration
Lab Exercise 2: Configure Authentication and Authorization Policies for Guest
Lab Exercise 3: Configure Hotspot with basic customization
Lab Exercise 4: Test the Hotspot Portal
Lab Exercise 5: Configure Settings for Self-Registered with Sponsor Approval
Lab Exercise 6: Test Self Registration Portal with Approval Flow
Lab Exercise 7: Configure Settings for Sponsored Access
Lab Exercise 8: Test Sponsored Guest Flow
Lab Exercise 9: Work with Guest reporting
ISE_21_Guest_Lab_Guide_2016-07-28
Page 1 of 38
Lab Topology
ISE_21_Guest_Lab_Guide_2016-07-28
Page 2 of 38
Name/Hostname
IP Address
3k-access.demo.local
10.1.100.1
wlc.demo.local
10.1.100.61
ap.demo.local
10.1.90.x/24 (DHCP)
ISE Appliance
ise-1.demo.local
10.1.100.21
AD (AD/CS/DNS/DHCP)
ad.demo.local
10.1.100.10
mail.demo.local
10.1.100.40
NTP
ntp.demo.local
128.107.212.175
Tools
tools.demo.local
128.107.210.137
LOB-web
lob-web.demo.local
10.1.129.12
portal.demo.local, updates.demo.local
10.1.129.8
business.demo.local
10.1.129.9
it.demo.local
10.1.129.10
records.demo.local
10.1.129.11
admin.demo.local
10.1.100.6
ftp.demo.local
VLAN Name
IP Subnet
Description
10
ACCESS
10.1.10.0/24
20
MACHINE
10.1.20.0/24
10.1.29.0/24
(29)
30
QUARANTINE
10.1.30.0/24
40
VOICE
10.1.40.0/24
Voice VLAN
50
GUEST
10.1.50.0/24
90
AP
10.1.90.0/24
Wireless AP VLAN
98
ISE.LOCAL
10.1.98.0/24
AD domain ise.local
99
LAB.LOCAL
10.1.99.0/24
100
Management
10.1.100.0/24
129
WEB
10.1.129.0/24
ISE_21_Guest_Lab_Guide_2016-07-28
Page 3 of 38
Account (username/password)
admin / ISEisC00L
admin / ISEisC00L
ISE Appliances
admin / ISEisC00L
AD (CS/DNS/DHCP/DHCP)
admin / ISEisC00L
Web Servers
admin / ISEisC00L
admin / ISEisC00L
To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for
access to all the other lab components
Admin PC access is through RDP, therefore you must have an RDP client installed on your computer
Connect to a POD
Step 1
Clicking on this option should launch your RDP client and connect you to the Admin PC.
Login as admin / ISEisC00L
Note: All lab configurations can be performed from the Admin client PC.
From the Admin client PC, click the [ ESXi-core ] icon on the desktop
Step 2
Step 3
ISE_21_Guest_Lab_Guide_2016-07-28
Page 4 of 38
Step 4
For this lab ensure that the following VMs are up and running:
p##_ad
p##_admin
p##_ise-1-base
p##_lob-web
p##_mail
p##_vWLC
(likely invisible)
## refers to the pod number that you are assigned to. E.g., For POD 2, p##_ad would be
p02_ad.
b. Select the device that youd like to log into and double click on it.
c.
If prompted, click Yes to cache the server host key and to continue login.
d. Login using the credentials listed in the Accounts and Passwords table.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 5 of 38
Step 2
Control-A to select all lines in the web page above and then Control-C to copy them.
Step 3
Step 4
Verify that ping succeeds for all devices tested and then [ File Exit ] the program or close the
window when completed.
Home: (On PC/Mac with 2/3-button mouse) Right click once with a mouse. (On Mac with track
pad) Touch with two fingers on the Track Pad If Secondary Click is configured.
Mouse: Mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold Left mouse button and move the mouse pointer to scroll
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your
local keyboard for input.
Note: The tab key is not available on the iPads virtual keyboard so you will have to move the pointer to the text field you want to
input text, and click on it.
Note: When interacting with the iPad VNC session, US keyboard is preferred.
Note: US keyboard is needed for the RDP session too unless you have additional language packs installed to provide keyboard
mappings. This is only for the RDP sessions.
From the Admin PC, launch Firefox to go to https://wlc.demo.local and login as admin /
ISEisC00L
Step 2
In the MONITOR summary page, the Controller Summary section has a field Up Time showing
how long WLC has been up.
Step 3
If Up Time is more than 15 minutes, check the next section Access Point Summary to see if
zero or NO access point associated.
If Up Time is shorter and NO access point,
please wait longer before taking the next
action.
Step 4
ISE_21_Guest_Lab_Guide_2016-07-28
Page 6 of 38
An LAP should associate with WLC shortly after the WLC rebooted. If still no LAP after WLC
rebooted and up for more than 15 minutes, please report it to the lab proctor or open a ticket
with LabOps support.
Step 3
Access ISE Active Directory configuration page by navigating to Administration > Identity
Management > External Identity Sources and select Active Directory from the left-hand
pane.
Join ise-1 to demo.local (in a single-domain forest)
a. Click the hyperlink demoAD under the Joint Point Name column.
b. Tick the checkbox next to ISE node ise-1.demo.local and then click Join.
c.
The Connection tab shall show ad.demo.local as the domain controller and Default-FirstSite-Name as the site.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 7 of 38
Lab Exercise 1: Configure Authorization Profiles for Guest Hotspot and Self Registration
Exercise Objective
In this exercise, your goal is to complete the following task:
Step 1
Step 2
Go to Administration > Device Portal Management > Settings and set the Retry URL to
http://www.cisco.com and click Save. If guest sessions times out, this configured URL will be
used instead of 1.1.1.1, which is the default.
Step 3
Step 4
b. Click Submit
ISE_21_Guest_Lab_Guide_2016-07-28
Page 8 of 38
Lab Exercise 1: Configure Authorization Profiles for Guest Hotspot and Self Registration
Step 4
b. Click Save
Step 1
a. Click Add
* Name Guest Permit
Description Demo Profile to grant Internet Access for Guests
* Access Type ACCESS_ACCEPT
Common Tasks
Airespace ACL Name GUEST_ACL
Note: The ACL is case-sensitive and should match exactly as defined in WLC.
b. Click Submit
Note: You should have 3 Authorization profiles after completing this task: HotSpot Redirect, Guest Redirect and Guest Permit.
Authorization profiles for the basic portal setup has been completed. Lets now work with the Policy Rules
ISE_21_Guest_Lab_Guide_2016-07-28
Page 9 of 38
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Step 1
b. Select only [ Process Host Lookup ], uncheck all the remaining, and click on Submit.
Step 2
Go to Policy > Authentication and ensure that the authentication policy is configured as below:
a. Modify the rule MAB.
b. Under Allowed Protocols Select HostLookup
c.
MAB
Reject
If Wired_MAB OR Wireless_MAB Allow protocols HostLookup and use Internal Endpoints Continue
Drop
ISE_21_Guest_Lab_Guide_2016-07-28
Page 10 of 38
Step 4
Go to Policy > Authorization to add four Authorization Policy rules as shown below the Rule
Name Guest Internet Access, Guest Redirect, Hotspot Internet Access and Hotspot Redirect.
Also, disable the Basic_Authenticated_Access rule.
S
Rule Name
Identity Groups
Other Conditions
Permissions
...
Basic_Authenticated_Access
PermitAccess
Guest Permit
Guest Redirect
Any
GuestEndpoints
Guest Permit
Hotspot Redirect
Any
HotSpot Redirect
Default
Any
DenyAccess
Step 5
Any
Network_Access_Authentication_Passed
Guest Redirect
ISE_21_Guest_Lab_Guide_2016-07-28
Page 11 of 38
f.
g. Click Done
Step 4
Info for saving time: Remember to use Duplicate above and then change what is needed instead of inserting new fresh policies
Rule Name
Identity Group
Conditions
Permissions
b. Click Done
Step 5
Guest Redirect
Any
Create New Condition Select Attribute
NormalizedRadius SSID Ends with guest
Standard Cisco_WebAuth
b. Click Done
Step 6
Any
Create New Condition Select Attribute
NormalizedRadius SSID Ends with guest
Conditions
Permissions
b. Click Done
Dont Forget to Click Submit
Hotspot and Guest Authentication/Authorization Setup has been completed. Lets now look at the Default Hotspot Portal.
The default settings are a good start. We will also go over some of the cool extras to go along with it.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 12 of 38
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Step 2 Click on the Hotspot Guest Portal (default) and click Edit
Lets highlight some of the new settings that make hotspot operational. Note this is also known as DRW
(Device Registration Web Auth) and it is meant for simple registration of a device MAC address with a
splash page, optional AUP and other options.
Step 3 Navigate to the section under Portal Settings that shows the Endpoint Identity Groups and
Purging.
Step 4 Look at the following settings, Guest Endpoint and Purging, leave these default.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 13 of 38
section.
Step 6 Under the Acceptable Use Policy (AUP) Page Settings notice Include an AUP is already
enabled.
Step 7 Check the box to enter an access code of iseiscool An access code is used to protect the open
SSID from those outside of your business from getting Internet access. This can also be
configured for self registration and sponsor approval flows
Step 8 Notice on the right side of the screen the flow chart in real-time, if you change/add/remove a
component you see the changes immediately. Try toggling the checkbox Include An AUP off
and on and notice the difference
To send the user to a welcome page upon a success login, configure the success page to go to a static
URL
Step 9 Scroll down to the section Authentication Success Settings
Step 10 Enter URL: http://www.cisco.com
ISE_21_Guest_Lab_Guide_2016-07-28
Page 14 of 38
ISE gives you basic customization built right into the product. It also makes it easier to see
what changes you are making in real-time. We wont go into detail of all of these but to start
you notice at the top of the page you can change things like the logos, banner and main text
elements. You can also choose from some built in color themes.
Step 13 Lets start by messing with the portal theme. Click on the pull down and pick the High Contrast
Theme. Notice how the Preview window in the bottom right of the screen shows the changes.
Step 14 Now click on the Tweaks button to see how you change the
iseiscool-images.zip
Step 18 Check Save File and Click OK the file will be saved to C:\Users\admin\Downloads
ISE_21_Guest_Lab_Guide_2016-07-28
Page 15 of 38
Step 20 Right click on the package and choose the option to Extract All
Step 21 Use the default location C:\Users\admin\Downloads\iseiscool-images
Step 22 Click Next and OK to close window, close all tabs and explorer windows for the download
process
Step 23 Go back to ISE tab in Firefox
Step 24 Upload the banner and logo for mobile (iseiscool_logo_hotspot.png & iseiscool-banner.png) from
Step 25 Remove the text for Banner title as it Is part of the logo (you may need to click in another place on
Step 26 Below this main section where you can tweak the overall look and feel, you can also go into each
of the pages. Depending on your portal settings and portal type you will see different options on
the left hand side of the page. You can also tweak the text in the different areas on the page.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 16 of 38
URL at the top of the page) by clicking on the option in the bottom right of the mini preview.
Note:
You have now completed setup of the Hotspot Portal. Next step is to try it out.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 17 of 38
Exercise Objective
In this exercise, your goal is to complete the following task(s):
Step 1
Step 2
Select WLAN ID 2 ##-hotspot, Enable Selected from the drop-down next to Go, and hit Go.
From the workstation double click on the icon VNC-to-iPad on the desktop and press any key
to continue. The VNC will launch and show the iPad screen.
Step 3
Step 4
Go to settings Wi-Fi
Step 5
If Wi-Fi is disabled then turn it on and skip past the clean up steps
b. Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies
and Data.
c. Forget any networks the device is automatically connecting to
d. Disable the Wi-Fi
e. On the Windows workstation, navigate to Admin Identity Management Identities
Endpoints and delete the iPad, you can delete anything in the list as there should only be
your iPad connected
f. Launch Firefox, go to wlc, and login.
g. On the wlc click on Monitor then Clients on the left side bar
h. Find your wireless session (there should only be one), click on the MAC address and then
click Remove in the upper right of the window
i. Go back to the iPad and enable the Wi-Fi
Step 6
On the iPad from the list of wireless networks find the one that shows ##-hotspot, click to
connect to it.
Step 7
Once youre connected to the hotspot (shows in the upper left of the iPad screen). Right click on
the iPad screen to show the home screen and then launch Safari.
Step 8
Using safari enter a site to visit, cisco.com, you will be redirected to the hotspot portal
ISE_21_Guest_Lab_Guide_2016-07-28
Page 18 of 38
Step 10
You are redirected to www.cisco.com page. This was configured in Step 10 of Lab Exercise 3.
Step 11
Enter cisco.com
Step 12
Navigate to Operation RADIUS Live Logs and look at the events that came through.
a. When first come in MAB from hotspot SSID, the iPad redirects to hotspot
b. After AUP acceptance, the device is authorized by GuestEndpoints Group on a separate
line.
Step 13 Cleanup the iPad connection before continuing on with self-registration
a. Close the browser tab on the iPad
b. Right click to go to home screen
c. Forget the hotspot network on the iPad, make sure its not connecting to another network,
if it is also forget such network.
d. Turn Wi-Fi off
e. Navigate to Context Visibility Endpoints Endpoint Classification and delete the
iPad, you can delete anything in the list as there should only be your iPad connected
HOTSPOT COMPLETE! You have now completed setup and testing of the Hotspot Portal.
Next lets look into Self-Registration with Sponsor Approval
ISE_21_Guest_Lab_Guide_2016-07-28
Page 19 of 38
Lab Exercise 5: Configure Settings for Self-Registration with sponsor approval flow
Lab Exercise 5: Configure Settings for SelfRegistration with sponsor approval flow
Exercise Description
In this Exercise you will configure the minimum settings to exercise the self-registered flow with
sponsor approval
Exercise Objective
In this exercise, your goal is to complete the following tasks:
a.
b.
c.
d.
e.
f.
g.
h.
i.
Important Info: This setting is needed as the default comes as San Jose, the workstation is using time zone as UTC so we need to
add in a location of UTC for it to create an account with a valid start time. This is instead of having to choose from a LONG list of
time zones as in prior ISE releases
j.
k.
l.
Note:
If you see a UI WAP Error please refresh the page or logoff and back in.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 20 of 38
Lab Exercise 5: Configure Settings for Self-Registration with sponsor approval flow
d. Click OK
Step 3 Configure Guest Locations for this sponsor
a. Under Select the locations that guests will be visiting Choose UTC
Critical Info: It is important to setup the location where your user(s) are located, otherwise when the account is created it will be
using San Jose by default but the browser of the sponsor (workstation) is set to use UTC time. The account wont be active until
many hours later since it was created using SJC time. This is critical when setting up guest to create the locations your sponsors
will be using for visiting guests. Our admin machine is in UTC time so the guest accounts needs to be created per UTC time in order
for the account to be active
If you have trouble viewing this try setting it using Internet Explorer or log-out and then log back in.
Step 4 Allow the Sponsor to send SMS (text messages) for notifying guest of their credentials
ISE_21_Guest_Lab_Guide_2016-07-28
Page 21 of 38
Lab Exercise 5: Configure Settings for Self-Registration with sponsor approval flow
Step 11 Under Guests can choose from these locations to set their time zone: Pick UTC time.
Step 12 Check the box to the right of Person being visited so that the field is required when doing self-
registration. This will require a guest to enter an email address of employee they are visiting.
Info only: There is currently no way in ISE to verify the person being visited email or name. This could be done with advanced
customization by integrating with an external LDAP for the lookups.
Info only: If choosing sponsor email addresses listed below, it could be the email of a sponsor or a group of sponsors
ISE_21_Guest_Lab_Guide_2016-07-28
Page 22 of 38
Lab Exercise 5: Configure Settings for Self-Registration with sponsor approval flow
Step 14 After registration submission, direct guest to - Login page with instructions about how to
Step 15 Check both Email and SMS notifications are checked under Send credential notification upon
approval using:
Important Info: This could also be the email of a sponsor or a group of sponsors. System behavior for email and SMS notifications:
There is no way to currently give a guest the ability to choose email or SMS as an option to choose for notification. If you check both
then they will both be required. If you choose Email then the guest will be required to enter an email address and only email
notification will work (even though the user enters their phone number). The same will hold true if you check SMS, they must enter a
phone number and email notification wont work even though they entered an email. For this demo we are showcasing both.
You have now completed setup of Self-registration with sponsor approval setup
ISE_21_Guest_Lab_Guide_2016-07-28
Page 23 of 38
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Step 1
Select WLAN ID 2 ##-hotspot, Disable Selected from the drop-down next to Go, and hit
Go.
d. Select WLAN ID 3 ##-guest, Enable Selected from the drop-down next to Go, and hit
Go.
Step 2
From the workstation double click on the icon VNC-to-iPad on the desktop and press any key
to continue. The IPad screen will launch
Step 3
Step 4
Go to Settings Wi-Fi
Step 5
If Wi-Fi is disabled then turn it on and skip past the clean-up steps below
Here are the steps to start with new session on iPad (clean-up)
a. On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if
present.
Note: You might not see the Profiles menu option, when no profile installed on the iPad.
b. Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear
Cookies and Data.
c. Forget any networks the device is automatically connecting to
d. Disable the Wi-Fi
e. On the Windows workstation, navigate to Admin Identity Management Identities
Endpoints and delete the iPad, you can delete anything in the list as there should only be
your iPad connected
f. Launch Firefox, go to wlc, and login.
g. On the wlc click on Monitor then Clients on the left side bar
h. Find your wireless session (there should only be one), click on the MAC address and
then click Remove in the upper right of the window
i. Go back to the iPad and enable the Wi-Fi
Step 6
On the iPad from the list of wireless networks find the one that shows ##-guest, click to
connect.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 24 of 38
Once youre connected (shows in the upper left of the iPad screen). Right click on the iPad
screen to show the home screen and then launch Safari.
Step 8
Step 9
Step 10
Attribute
Username
Value
iseiscool
Description
This could be anything the user chooses.
To receive email notification of credentials once
account is approved, this must be entered as it is.
Email address*
guest@demo.local
Phone number*
12025550133
Location*
UTC
Person being
visited(email)*
Click Register
ISE_21_Guest_Lab_Guide_2016-07-28
Page 25 of 38
You are redirected to the login page with instructions on how to connect. This message as
customized says once approved you will be sent the credentials.
Step 12
Step 13
Step 14
Info only: The email says there is a guest approval request. This can be customized (changing logo, text, color, font with HTML).
You can also add a message that will link directly to the sponsor portal for easy access to the person approving the request.
Note:
Due to CSCuz51077 in ISE 2.1 FCS, the email format will show incorrectly.
Step 15
Sign-out of the webmail client, you will need to later login as another user.
Step 16
In absence of a hyperlink to the sponsor portal, on the Firefox browser, click on the sponsor
shortcut to sponsor.demo.local
Step 17
Step 18
Navigate to Pending
accounts
Step 19
Step 20
Info only: This is the only way to set the sponsors email
address in the system. This email is used to receive a copy of
the requests when notifying a user of their credentials. It will be
saved the first time its entered. The employee (person visiting)
would enter their email address here.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 26 of 38
Step 22
Step 23
Click on the email or SMS and take down the username and password
Step 24
Step 25
Step 26
Step 27
Step 28
Navigate to Operation RADIUS Live Logs and look at the sessions that came through.
a. When you first come in MAB with SSID of guest is redirected to self registration portal
b. After login you are authorized on Guest Flow to Permit Access
Warning: If you see a message, Maximum Devices Reached, then please follow the steps below to clean up the iPad connection,
this was caused because the endpoint is already in the store after BYOD and you didnt delete it after you ran through the hotspot.
Step 29
Note: If you ran through the cleanup after getting the Maximum device limit reached then you can do the following to try it again.
1. Enable WIFI
2. Open Safari and try to get to cnn.com
3. Enter the necessary credentials to login again
You have now completed setup of Self-registration with sponsor approval flow
ISE_21_Guest_Lab_Guide_2016-07-28
Page 27 of 38
Exercise Objective
In this exercise, your goal is to complete the following tasks:
creating an account:
Enter the following information per table clicking Add after each entry:
Custom Field Name Data type Tip text
Badge No.
Number
Enter Badge Number
Manager
String
Enter Manager
Step 4 Setup a Guest SSID variable used for information purposes when notifying guests on what
ISE_21_Guest_Lab_Guide_2016-07-28
Page 28 of 38
Employees using this portal as guests inherit login options from: We will use the default,
Contractor
Step 8 Collapse all setting areas under you get to Post-Login Banner page
Step 9 Under Post-login banner page settings uncheck Include a Post-Login Banner page.
Note: This will remove one of the pages that the user is required to click
through, it could be used to post coupons, advertisements,
announcements, etc so that there is a screen available before
redirecting to an Original URL or static page, otherwise this can be
done on the success page
Step 10 Click Save at the top of the page
Note: There really isnt much to a Sponsored Guest portal, thats it, with a tweak to make the flow shorter. You can
customize this portal just like any other Guest Portal with same customization and branding.
Guest Types are used with the credentialed guest portals such as Self-Registration and Sponsored. Under
self-registration with sponsor approval we used the default Contractor type that allows access for 90 days by
default. For Self-Registration without approval a nice default is Daily guest type as it only has 1-day access.
For sponsored we will look at the Contractor type options.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 29 of 38
Click OK
Set all of these to be required, we will use them later when creating an account and
see how they are reported
Step 14 Navigate to Login Options section and look at some of these settings:
Max simultaneous logins This is a configurable option for each guest type.
configured in the portal settings, for credentialed portals its set per GuestType, this
can also be used to separate your endpoint group purge policies, hotspot might
require acceptance of the AUP daily, self registered users could be required to login
1x a week, and sponsored guests (like contractors) might only need to login and
accept an AUP every month.
Allow Guests to bypass the Guest Portal Prior to 1.3 this was known as
ActivatedGuest, when using this option the guest is not required to be redirect to a
login or AUP portal and can be used with more secure options (802.1X and VPN
access)
Step 15 Lastly lets look at Sponsor Groups. This is basic but a new way of working with groups, if
you are a sponsor and part of any of these groups then you can use this Guest Type
Step 16 At the top of the Contractor Guest Type Page, click Save and Close
ISE_21_Guest_Lab_Guide_2016-07-28
Page 30 of 38
Up until this point you have been working with the Guest Portals. The Sponsor Portals are configurable the
same way. Settings and Customization are the same and allow for a consistent experience. Here to save
time and since you already went through basic customization we will setup only what is needed (and a few
nice options) to make this flow work
Each portal can have its own certificate, the certificate is tied to specific combination of
Allowed interface and https port, product documentation has a paragraph explain this
and some examples on combinations.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 31 of 38
Note:
Company
Person Being Visited
Reason for Visit
THE CUSTOM FIELDS ALREADY ASSOCIATED WITH THIS GUEST TYPE . P LEASE
DO NOT SELECT AGAIN HERE .
Note:
variable
In the email introduction text editor insert text on the second line:
Welcome to the ISE training lab, the wireless network you will connect to is:
$ui_ssid$
Click on insert variable Guest - SSID
THE VARIABLE ICON X COULD BE BLOCKED BY THE PREVIEW PANE IF YOUR BROWSER SCREEN IS NOT WIDE ENOUGH .
Step 25 Click on SMS notification
Page 32 of 38
Exercise Objective
In this exercise, your goal is to complete the following tasks:
T HE MANAGED ACCOUNT OPTION IS A QUICK EASY WAY TO SEE ALL THE ACCOUNTS AND PERFORM
SPONSOR ACTIONS . T HE ADMIN ACCOUNT IS AUTO- AUTHENTICATED AND NOT PART OF ANY
SPONSOR GROUP . IT HAS PERMISSIONS TO DO EVERYTHING AND SEE EVERYTHING , ACCEPT IF THE
GUEST CHANGES THEIR PASSWORD THEY WON T BE ABLE TO SEE IT ( JUST LIKE ANY OTHER
SPONSOR ). IF THE SPONSOR PORTAL SESSION TERMINATES FOR ANY REASON , THE ADMIN WILL
HAVE TO GO BACK TO THE ADMIN UI TO GET BACK IN OR LOGIN WITH A VALID SPONSOR ACCOUNT.
T HEIR ADMIN CREDS WILL NOT GET THEM BACK IN UNLESS IT IS PART OF A SPONSOR GROUP. T HIS
WAS JUST A PREVIEW AND WE WILL BE USING THE SPONSOR PORTAL TO DO OUR WORK .
Attribute
First Name &
Last Name
Value
Your first and last
name
ISE_21_Guest_Lab_Guide_2016-07-28
Description
Please enter your first and last name
Page 33 of 38
Phone number
Value
guest@demo.local
12025550133
Description
Mandatory: To receive email notification of
credentials, guest@demo.local
Badge #
Manager
Group tag
EBC
Location
UTC
click notify
sponsor@demo.local
Note:
ISE_21_Guest_Lab_Guide_2016-07-28
Page 34 of 38
SMS receipt: If you put in your cell phone number you should see a text with all the info
(including the SSID to connect to)
b.
Email receipt:
i. In Firefox open a new
browser tab and click on the
mail bookmark
ii. Login as guest / ISEisC00L
iii. Notice the customized test
also shown here for the SSID
variable
Note:
Note:
Due to CSCuz51077 in ISE 2.1 FCS, the email format will show incorrectly.
We wont be logging into the portal you created, as you are familiar with how this works after using the Self
Registration Portal Flow. The only difference with this flow is that youre using credentials created by a
Sponsor. This lab was to show you the needed pieces to get this particular flow configured and working.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 35 of 38
Exercise Objective
In this exercise, your goal is to complete the following tasks:
There are several options for reports, click through each of them to understand what they are used for
and run the report to see the results if you like:
AUP Acceptance Status shows you information on what devices and/or users accepted AUPs
on what portals, this is an AUP for all guest portals (including Sponsor)
Sponsor Login and Audit shows sponsor activity such as logins and anything the added or
modified for guest accounts
Lets modify the columns seen so that we can work with the Optional
Data Field:
Step 4 Setup per the screenshot below:
a.
b.
c.
d.
Now click on the optional data and see it expanded in a larger box
ISE_21_Guest_Lab_Guide_2016-07-28
Page 36 of 38
f.
I messed with the account a few times so there are multiple entries shown in my
example:
My Devices Login and Audit for BYOD devices shows user activity in the My Devices
portal
Master Guest Report - The Master Guest report combines data from various Guest Access
reports into a single view enabling you to export data from different reporting sources. This
report collects all guest activity and provides details about the web sites that guest users visit.
In this setup we dont track what sites the user is going to however here is a sample. There
are requirements for the firewall to send syslog information to ISE M&T node for inclusion in
this report, please refer to the product documentation for more information.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 37 of 38
Guest Accounting - The Guest Accounting report is a subset of the RADIUS Accounting
report. All users assigned to Guest identity groups appear in this report
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.
ISE_21_Guest_Lab_Guide_2016-07-28
Page 38 of 38