Cisco ISE Part 9: Guest and web authentication

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.

The blogpost Agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, part 9: Guest and web authentication

Webauthentication can be used for guest access. It can also being used for a last resort for authentication of normal users if the 802.1x supplicant is not working. Access to this portal can be done by a remediation VLAN with limited access to resources. The portal is using HTTP and HTTPS,  because of limited access, the NAD (or WLC) will intercept the HTTP request and redirects it to the web portal.

There are two portals: Guest user portal is a portal the guest is using for logging in. The Sponsor portal is a portal being used by company employees for creating and managing guest accounts. The guest portal is customizable in available options for guest users.

To manage the RADIUS requests, the portal is installed on all required policy nodes. The configuration of the portal (and users) are replicated to all nodes. So, there is a central deployment.

You can configure multiple authorization sources in one rule. So, you can use one SSID for all used: internal production use, BYOD, Guest, etc. This is a nice feature of Cisco ISE.


Click Administration – Guest management – Settings, click the arrow and click Multi-portal configurations.

Edit the DefaultGuestPortal to your needs:

  • Password policies
  • Need of posture client
  • self service
  • device registration
  • DHCP settings
  • Policies
  • etc



Click Policy – Policy elements – Results – Authorization – Authorization Profiles and create a new profile with “web authentication” checked.

The mentioned ACL is not available in ISE, this ACL should be available in the switch. Choose “manual” as redirect option.


To configure web authentication as a fallback. Click Policy – Authentications and edit the needed rule. Select “Continue” in all three options:


Create a new rule for no matches in the identity groups, use webauth as authorization. Click Policy – Authorization and edit the needed rule. Select the guest portal as authorization option:


You can edit the DACL for company users after authorization.

Click Policy – Policy Elements – Results. Selecht Authorizations – Downloadable ACLS > Dot1x_Valid_Domain_User. Add a permit to the ISE policy node IP(s).

Make sure that the client can access the webauth portal before authentication (by a preauth ACL).

Enable CoA on the switch:

Switch(config)# aaa server radius dynamic-author
Switch(config-locsvr-da-radius)# client sever-key mykey
Switch(config)# ip http server
Switch(config)# ip http secure-server
Switch(config)# radius-server vsa send authentication
Switch(config)# radius-server vsa send accounting

Guest portal configuration

First, create a sponsor group. Click Administration – Identity management – groups, click Add and enter a name.

Next, configure the SMTP settings under administration – System – Settings. Select SMTP and enter the smtp server.

Click Administration – Guest management – Settings and click General – ports. Check and/or change the port numbers.

Create a user group in active directory for sponsor users. Add this group in ISE: click Administration – identity management – external identity sources. Select Active directory and click Groups. Add the sponsor group.

Click Administration – Guest management – Sponsor group policy. Change the identity groups field to Any. In the other conditions field, click the plus sign and select Create new Condition. In the expression field, select your domain. In the most right field, select the active directory sponsor group.

Do not forget to apply the correct authentication sequence to the sponsor portal. Click Administration – Guest management – Settings. Selecht Sponsor – Authentication source

In the WLC configure a ACL with only access to the ISE node and DNS lookups to your DNS server. Make sure you use the same ACL name as you use in the “Authorization profile”. In the WLC, click: Wireless – All AP’s, click a AP, click Flexconnect, External Webauthentication ACL.

Click Add under Webpolicies, to add the ACL.


Repeat these steps for every AP.

The authentication Rule looks like:


Authorization rules look like:


This is the basic configuration. All other settings are customizable.

Happy testing!

Next week the last part, part 10 of this blog post series: Profiling and posture