ISE – GuestPolicy | Hotspot | Profiling

Guest Policy (using default portal settings)

1.     Guest Access>Configure>Guest Portals>Sponsor Guest Portal (Default)

2.     Uncheck the box for Allow Guests to create their own accounts, so that only sponsor-created accounts are allowed.

3.     Uncheck Allow Employees to use personal devices on the network since a BYOD policy is already built.

4.     Navigate to Guest Access>Configure>Sponsor Groups:

5.     Edit the ALL_ACCOUNTS (Default) group.

6.     Click on Members and remove the ALL_ACCOUNTS default and add the following AD group: Users (or whatever AD group can be a sponsor user)

7.     Guest Access>Configure>Sponsor Portals and edit the default sponsor portal. Change the FQDN to be (an A record for the sponsor hostname pointing to the ISE server IP is needed).

8.     Policy>Policy Elements>Results>Authorization>Authorization Profiles page. Create the following two authorization profiles (one for the redirect, one for guest access):

- Check VLAN and enter VLAN ID 70
- Check the box for Web Redirection, choose Centralized Web Auth, and type in ACL_WEBAUTH_REDIRECT for the ACL value, and choose Guest Portal from the drop-down

- Check DACL Name and choose GUEST from the drop-down
- Check VLAN and enter VLAN ID 70
- Check the box next to Airespace ACL Name and type in GUEST

11.  Policy>Policy Sets and create a new policy set above all others

12.  Name it Guest Wireless and give it the following top-level conditions:
DEVICE:Device Type EQUALS All Device Types#Wireless Controller
Radius:Called-Station-ID ENDS WITH GuestSSID

13.  In the Authentication Policy of this policy set, create the following rule:

14.  Name: MAB
If: Wireless_MAB <- this is a pre-created condition in ISE
Allowed Protocols: Default Network Access
Use: Internal Endpoints <- under If user not found, choose Continue from the drop-down

15.  On the Default Rule of the Authentication Policy, use All_User_ID_Stores as the identity source sequence.

16.  Under the Authorization Policy, create the following rules:

17.  Name: Guest Access
If: GuestEndpoints <- predefined ISE endpoint identity group
Condition(s): <blank>

18.  Name: Guest Redirect
If: Any
Condition(s): Wireless_MAB <- predefined ISE condition

19.  Leave the Default rule at the end set to DenyAccess.

20.  For Guest Access at the Wired Level, modify the existing WiredDot1x policy set

21.  Add two rules in the Authorization policy at the very end before the Default rule.

22.  Name: Guest Access
If: GuestEndpoints
Condition(s): <none>

23.  Name: CWA Redirect
If: <any>
Condition(s): Wired_MAB OR Wired_802.1x

24.  Always keep these two rules at the bottom of the Authorization rule set, directly above the Default rule, so they act as the “catch-all”.

ISE Configuration – Hotspot

1.     Guest Access>Configure>Guest Portals and modify the Hotspot Guest (Default) portal

2.     Go to AUP settings and check Require an access code if needed.

3.     Policy>Policy Elements>Results>Authorization>Authorization Profiles and create the following profile

- Check the VLAN box and type in VLAN ID 70
- Check the box for Web Redirection, change it to HotSpot from the drop-down, type in ACL_WEBAUTH_REDIRECT for the ACL, and choose HotSpot Guest Portal from the drop-down

5.     Policy>Policy Sets and create a new policy set

6.     Name it Hotspot Wireless with the following top-level conditions:
DEVICE:Device Type EQUALS All Device Types#Wireless Controller
Radius:Called-Station-ID ENDS WITH HotspotSSID

7.     Under the Authentication Policy, add the following rule:

8.     Name: MAB
If: Wireless_MAB
Allowed Protocols: Default Network Access
Use: Internal Endpoints (Also set if user not found to Continue in the drop-down)

9.     For the Default Rule, set the identity source sequence to All_User_ID_Stores

10.  Under the Authorization Policy, create the following policy rules:

11.  Name: Hotspot Access
If: GuestEndpoints
Condition(s): <None>

12.  For the Default catch-all rule, change the following:
If no matches, then: HOTSPOT-REDIRECT


ISE Configuration – Profiling

1.     If a new security policy is needed for a device like an access point or printer, navigate to Policy>Policy Elements>Authorization>Downloadable ACLs and click Add

2.     Name: AP-ONLY
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host “wlc ip”
deny ip any any
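To see what the AP-ONLY DACL above actually allows an access point to do, here is an added example (not from these notes) that parses those four ACEs and evaluates constructed sample flows with first-match semantics. WLC_IP is a placeholder for the “wlc ip” the notes leave unspecified, and the sample addresses are made up.

```python
from ipaddress import ip_address

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}  # Cisco ACL port keywords used here
WLC_IP = "192.0.2.10"  # placeholder for the "wlc ip" in the notes (TEST-NET-1 address)

# The AP-ONLY DACL as written in the notes, with the WLC placeholder filled in.
AP_ONLY_DACL = [
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq domain",
    f"permit ip any host {WLC_IP}",
    "deny ip any any",
]

def _parse_endpoint(tokens):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq <port>'."""
    if tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        addr, tokens = "any", tokens[1:]
    port = None
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])
        tokens = tokens[2:]
    return (addr, port), tokens

def parse_ace(line):
    """Split one ACE into (action, protocol, (src, sport), (dst, dport))."""
    action, proto, *rest = line.split()
    src, rest = _parse_endpoint(rest)
    dst, rest = _parse_endpoint(rest)
    return action, proto, src, dst

def _endpoint_matches(spec, addr, port):
    want_addr, want_port = spec
    if want_addr != "any" and ip_address(want_addr) != ip_address(addr):
        return False
    return want_port is None or want_port == port

def evaluate(dacl, proto, src, sport, dst, dport):
    """First matching ACE decides; anything unmatched hits the implicit deny."""
    for line in dacl:
        action, ace_proto, ace_src, ace_dst = parse_ace(line)
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if _endpoint_matches(ace_src, src, sport) and _endpoint_matches(ace_dst, dst, dport):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample flows leaving an access point's switch port.
    print(evaluate(AP_ONLY_DACL, "udp", "0.0.0.0", 68, "255.255.255.255", 67))  # permit (DHCP)
    print(evaluate(AP_ONLY_DACL, "udp", "10.0.100.5", 5246, WLC_IP, 5246))      # permit (CAPWAP to the WLC)
    print(evaluate(AP_ONLY_DACL, "udp", "10.0.100.5", 123, "10.0.0.1", 123))    # deny (NTP to any other host)
```

The last flow shows the trade-off of this DACL: anything the AP needs beyond DHCP, DNS and the WLC itself must be added as an explicit permit above the final deny.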

3.     Policy>Policy Elements>Authorization>Authorization Profiles and click Add

4.     Name: AP-ONLY
- Check DACL Name and choose AP-ONLY from the drop-down
- Check VLAN and type in VLAN ID 100

5.     Policy>Policy Sets and edit existing WiredDot1x

6.     Add the following rule on top of the other rules in the Authorization Policy:

7.     Name: CiscoAP
If: <any>
Condition(s): Endpoints:LogicalProfile EQUALS “profiled device”

8.     Name: CiscoIPPhones
If: Cisco-IP-Phone
Condition(s): blank
Then: Cisco_IP_Phones
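The profiling rules above sit at the top of the WiredDot1x Authorization Policy while the Guest Access and CWA Redirect rules from the Guest Policy section sit at the bottom. This added example (not from these notes) models that policy as a first-match list to show why the order matters: a registered guest must hit Guest Access before the redirect rule, or it is sent back to the portal on every re-authentication. GUEST_PROFILE and CWA_REDIRECT_PROFILE are placeholders, since the notes do not name those two authorization profiles.

```python
from dataclasses import dataclass

# Placeholders: the notes do not record the names of the guest and redirect profiles.
GUEST_PROFILE = "GUEST-PROFILE-PLACEHOLDER"
CWA_REDIRECT_PROFILE = "CWA-REDIRECT-PLACEHOLDER"

@dataclass
class Session:
    """Constructed view of the attributes ISE evaluates for one endpoint session."""
    logical_profile: str = ""   # Endpoints:LogicalProfile
    identity_group: str = ""    # endpoint identity group, e.g. GuestEndpoints, Cisco-IP-Phone
    wired_mab: bool = False     # Wired_MAB compound condition matched
    wired_dot1x: bool = False   # Wired_802.1x compound condition matched

# (rule name, condition, authorization profile) in top-down evaluation order.
WIRED_DOT1X_AUTHZ = [
    ("CiscoAP", lambda s: s.logical_profile == "profiled device", "AP-ONLY"),
    ("CiscoIPPhones", lambda s: s.identity_group == "Cisco-IP-Phone", "Cisco_IP_Phones"),
    # the policy set's existing 802.1X rules would sit here
    ("Guest Access", lambda s: s.identity_group == "GuestEndpoints", GUEST_PROFILE),
    ("CWA Redirect", lambda s: s.wired_mab or s.wired_dot1x, CWA_REDIRECT_PROFILE),
]

def authorize(session, rules=WIRED_DOT1X_AUTHZ):
    """Return (rule name, profile) of the first matching rule; the Default rule is DenyAccess."""
    for name, condition, profile in rules:
        if condition(session):
            return name, profile
    return "Default", "DenyAccess"

def swapped_guest_rules():
    """The misordering the notes warn against: CWA Redirect placed above Guest Access."""
    rules = list(WIRED_DOT1X_AUTHZ)
    rules[-2], rules[-1] = rules[-1], rules[-2]
    return rules

if __name__ == "__main__":
    registered_guest = Session(identity_group="GuestEndpoints", wired_mab=True)
    print(authorize(Session(logical_profile="profiled device", wired_mab=True)))  # ('CiscoAP', 'AP-ONLY')
    print(authorize(Session(wired_mab=True)))   # ('CWA Redirect', ...): unknown MAC is sent to the portal
    print(authorize(registered_guest))          # ('Guest Access', ...): registered guest gets access
    print(authorize(registered_guest, swapped_guest_rules()))  # ('CWA Redirect', ...): stuck in redirect
```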

AMP with ISE Integration

1.     Administration>Threat Centric NAC

2.     Click Add to add a new vendor instance. On this page, you are asked to select a vendor and give it a name. Choose AMP:THREAT and name it AMP. Click Save

3.     Click Ready to configure next to the new instance.

4.     Click Next.

5.     Use the drop-down to choose which AMP cloud this ISE instance should reach out to. Choose the US Cloud and click Next.

6.     Click on the link to take you to the AMP cloud.

7.     In the AMP Cloud, click Allow and you will be taken back to ISE.

8.     Back on ISE click Finished

9.     Back at the Vendor Instance page, check the box next to the instance and click Edit to see the types of events ISE will receive reports for.

10.  Navigate to Operations>Adaptive Network Control>Policy List

11.  Add three new policies:

a.     Name: QUARANTINE, Action: QUARANTINE

b.     Name: SHUTDOWN, Action: SHUTDOWN

c.     Name: PORT-BOUNCE, Action: PORT_BOUNCE

12.  Policy>Policy Sets>Global Exceptions and create the policy rules as such:

If Session:ANCPolicy EQUALS QUARANTINE, then Quarantine (or whatever your authorization profile for limited access is)