Cisco Identity Services Engine (ISE) helps businesses control and monitor network access. It also allows companies to set up specific Wi-Fi rules for temporary users such as visitors or contractors.
How does this application work?
When a visitor signs in using Visitors, they will be automatically created as a visitor in Cisco ISE as well. If the visitor provided an email address and/or phone number, they will receive an email and/or SMS that shares instructions on how to access your company’s guest Wi-Fi network.
PREREQUISITES
If your Cisco ISE instance is behind a firewall, you’ll need to whitelist two IP addresses for both inbound and outbound traffic:
54.84.138.60 (Envoy production)
54.84.66.109 (development & troubleshooting)
The following ports must be whitelisted for inbound and outbound communication:
9060
443 (if you plan to use HTTPS) - HTTPS requires an SSL certificate installed on ISE
You will need to NAT your ISE Policy Administration Node (PAN) on port 9060 so that the Envoy system at the two IP addresses above can reach it. Limit the NAT and firewall rules to those two source addresses; the ERS API should not be reachable from arbitrary internet hosts.
ERS Admin or Super Admin credentials are required to use the ERS API.
Enabling the Envoy + Cisco ISE application
ISE Configuration
Step 1: Setting up a sponsor
To provision Wi-Fi using Cisco ISE, every user must have a sponsor. In this step, you’ll create a new sponsor that will be the sponsor for every visitor that signs in with Envoy.
Open your ISE instance and log in with an admin account.
Go to Administration > Identity management > Identities.
Select Users from the sidebar, and click “Add.”
In the Name field, choose a name for your sponsor. You can use any name, but we recommend choosing something like Envoy_Sponsor. Under Status, choose “Enabled.” Under Password Type, choose “Internal users.”
Then, create a password.
Make a note of this password, since you’ll need it later. Under User Groups, choose your preferred user group. We recommend choosing ALL_ACCOUNTS unless you have already configured a special user group for Envoy visitors.
Step 2: Setting up a guest type
The Cisco ISE guest type will determine the level of access that users will have. In this step, you’ll create a guest type for visitors that sign in with Envoy.
With Cisco ISE, go to Work Centers > Guest Access > Portals and Components.
Select Guest Types from the sidebar, and click “Create.”
In the Guest type name field, choose a name for your guest type. You can use any name, but we recommend using something like Envoy_Visitor.
Under Maximum Access Time, find "Account duration starts" and select “From first login.”
Under Login Options, the system administrator can allow this guest type to bypass the Guest portal (if applicable). If that option is enabled, guest accounts created with this guest type are enabled automatically and their state displays as Active, even if the guest has not yet logged in to a Cisco ISE web portal.
If that option is not enabled, the accounts stay in the Created state and are not enabled until the guest actually logs in to a web portal.
Directly below, under Maximum account duration, select the number of days you’d like to allow Wi-Fi access to your visitors.
Please note, the number of days designated here must be less than the number of days set in your general Password Lifetime.
You can find Password Lifetime settings under Administration > Identity Management > Settings.
In the sidebar, choose User Authentication Settings.
Check your password lifetime under Password Lifetime.
Under Account Expiration Notification, do not select email or SMS. Leave these boxes unchecked.
Do not configure notifications within Cisco ISE, because all notifications are sent through Envoy.
Under Sponsor Groups, select the user group you assigned to the sponsor you created above.
We recommended using ALL_ACCOUNTS, but you may have configured a special user group for Envoy visitors.
Ensure the sponsor group that your sponsor is in (likely ALL_ACCOUNTS) has the ability to create accounts that include the Guest Type you created.
To do so, go to Work Centers > Guest Access > Portals and Components.
From the sidebar, choose Sponsor Groups and choose your sponsor group.
Find “This sponsor group can create accounts using these guest types,” and ensure the guest type you just created (Envoy_Visitor in this example) is in the list.
Ensure the “Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)” box is checked.
Note: Do not give the sponsor user admin privileges to the ERS API. It is not needed, and in fact it will cause errors if you do so.
Step 3: Find your Portal ID
Within Cisco ISE, go to Work Centers > Guest Access.
Select Sponsor Portals from the sidebar, then choose the portal you plan to use.
You can use the default portal (called “Sponsor Portal (default)”) or your own preferred portal.
Find Portal Test URL.
Right-click on the text and choose “Copy link address.” This will copy the URL.
Paste this URL into a note on your computer. You’ll need it later.
Step 4: Find your location name
Within Cisco ISE, go to Work Centers > Guest Access > Settings.
Select Guest Locations and SSID from the sidebar.
Choose any location, and make a note of the exact spelling and capitalization of the location name. You’ll need this later.
Step 5: Whitelist IP addresses (if applicable)
If your Cisco ISE instance is behind a firewall, you’ll need to whitelist the two Envoy IP addresses listed under Prerequisites. If not, please skip to Step 6.
54.84.138.60 (Envoy production)
54.84.66.109 (development & troubleshooting)
You will need to NAT your ISE Policy Administration Node on port 9060 to allow communication from the Envoy system at these two IP addresses only.
Step 6: Enable the ERS API service (ISE 2.2 and later)
In order to access Cisco ISE’s API, you’ll need to enable the ERS API service. The ERS APIs are disabled by default for security reasons, so you must enable them explicitly.
Log in to your ISE PAN.
Navigate to Administration > System > Settings and select ERS Settings from the left panel.
Enable the ERS APIs by selecting “Enable ERS for Read/Write.”
Select the “Enable ERS for Read for All Other Nodes” radio button if there are any secondary nodes in your deployment.
ERS requests of all types (including writes) are valid only against the primary Cisco ISE node.
Secondary nodes accept read requests (GET) only.
Select “Save” to save your changes.
You may use the default admin account to view the ISE ERS Software Development Kit (SDK) at https://ise.domain.com:9060/ers/sdk (replace ise.domain.com with the hostname of your PAN).
Envoy Configuration
Go to Apps > All Apps.
Find Cisco ISE under the "Wi-Fi" category and click “Configure.”
Step 1: Sponsor API Access
Reference the notes you took earlier to fill in the fields on the Configure Server step. Enter the location name you noted in Step 4 above.
Note: It must match the exact spelling and capitalization shown in Cisco ISE. Enter your ISE IP address or domain name and your ISE port (9060, as listed under Prerequisites).
Also, this app requires that the address be publicly reachable, not a private IP; the firewall rules from the Prerequisites limit that exposure to Envoy’s two addresses.
Under "Sponsor" enter your sponsor name and password created in Step 1 above.
Click Next Step
Step 2: ERS API Access
Enter your ERS API Access credentials (ISE 2.2 and later).
Step 3: Guest Type
Under "Guest Type", select or enter your Guest Type, depending on the ISE version deployed. This is the guest type you created in Step 2 above.
Enter your Guest Type credential duration in days. If you are using ISE 2.2 or greater, Envoy inherits the default duration configured under the Guest Type.
Note: If your ISE version is 2.1 or lower, you will need to manually enter your guest type name from your ISE instance (it must match exactly) in the second field listed, and then in the third field you can input your desired duration for that guest type.
Enter a comma-separated list of visitor names, emails, or other keywords that you want to block from receiving credentials.
Example keywords: “Friends & Family, Delivery, Shipping Dock Visitor”
Step 4: Messaging
Optional: Enter a custom message and logo.
FAQ
If credential creation fails after you have successfully completed setup within Envoy, confirm the following ISE settings: set the maximum account duration to at least 1 day, and ensure that “Account duration starts” is set to “From first login.”
Guest user emails cannot contain special characters such as "+" (for example, a plus-addressed email like user+tag@example.com). The "+" in the email will cause a failure in the Cisco ISE Guest REST API. Please contact Cisco ISE support, as this is a known bug.
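The following is an added example, written for this page and not code from Envoy or Cisco, that shows what an integration has to get right before calling the ISE ERS guest-user endpoint: it pulls the portal ID out of the Portal Test URL (Step 3), runs the checks this page spells out (duration of at least 1 day and less than Password Lifetime, the "+" in email limitation from the FAQ, and the blocked keyword list from Envoy Step 3), builds the guest-user body with the exact location name (Step 4), and constructs the HTTP Basic request to port 9060. Everything here is an assumption to verify against your own /ers/sdk page: the "portal" query parameter in the test URL, the GuestUser field names, and that guest-user calls authenticate as the sponsor from Step 1 (whose sponsor group has Guest REST API access) while configuration resources such as /ers/config/guesttype use the ERS Admin credentials. The hostnames, UUID and visitor below are constructed sample input; nothing in the block touches the network.

```python
"""Preflight checks and ERS request construction for an ISE guest account.

Added example for this page (not Envoy's or Cisco's code). Assumptions to
confirm against your own ISE SDK page (https://<pan>:9060/ers/sdk):
  * the Portal Test URL carries the portal UUID in a 'portal' query parameter;
  * the GuestUser resource accepts the field names used in build_guest_payload;
  * /ers/config/guestuser authenticates (HTTP Basic) as the sponsor user, not
    as an ERS Admin; configuration resources use the ERS Admin credentials.
"""
import base64
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse
from urllib.request import Request

ERS_PORT = 9060  # ERS listens on the PAN here (see Prerequisites)


def portal_id_from_test_url(test_url: str) -> str:
    """Pull the portal UUID out of the Portal Test URL copied in Step 3."""
    values = parse_qs(urlparse(test_url).query).get("portal")
    if not values:
        raise ValueError(f"no 'portal' parameter in Portal Test URL: {test_url!r}")
    return values[0]


def preflight(visitor: dict, valid_days: int, password_lifetime_days: int,
              blocked_keywords: str) -> list:
    """Return the reasons (possibly none) not to create this guest account.

    Duration must be at least 1 day (FAQ) and less than Password Lifetime
    (Step 2); a '+' in the email breaks the Guest REST API (FAQ); a match on
    the comma-separated blocked keyword list (Envoy Step 3) means no
    credentials are issued for this visitor.
    """
    problems = []
    if valid_days < 1:
        problems.append("maximum account duration must be at least 1 day")
    if valid_days >= password_lifetime_days:
        problems.append("account duration must be less than Password Lifetime")
    if "+" in visitor.get("email", ""):
        problems.append("guest email contains '+', which the Guest REST API rejects")
    haystack = " ".join(str(v) for v in visitor.values()).lower()
    for raw in blocked_keywords.split(","):
        keyword = raw.strip().lower()
        if keyword and keyword in haystack:
            problems.append(f"blocked keyword {raw.strip()!r} matched; no credentials issued")
    return problems


def build_guest_payload(visitor: dict, guest_type: str, portal_id: str,
                        location: str, valid_days: int, sponsor: str) -> dict:
    """Build the ERS GuestUser body (field names assumed, see module docstring).

    'location' must match the Guest Locations entry exactly, including
    capitalization (Step 4), so it is passed through untouched on purpose.
    """
    user_name = re.sub(r"[^a-z0-9]", "", (visitor["first"] + visitor["last"]).lower())
    return {
        "GuestUser": {
            "guestType": guest_type,
            "sponsorUserName": sponsor,
            "portalId": portal_id,
            "guestInfo": {
                "userName": user_name,
                "firstName": visitor["first"],
                "lastName": visitor["last"],
                "emailAddress": visitor.get("email", ""),
                "phoneNumber": visitor.get("phone", ""),
            },
            "guestAccessInfo": {"validDays": valid_days, "location": location},
        }
    }


def ers_request(host: str, path: str, username: str, password: str,
                payload: Optional[dict] = None) -> Request:
    """Build (but do not send) an ERS request with HTTP Basic auth over HTTPS.

    Pass the sponsor credentials (Step 1) for /ers/config/guestuser and the
    ERS Admin credentials (Prerequisites) for resources such as
    /ers/config/guesttype; giving the sponsor ERS Admin rights is what the
    page's "causes errors" note warns about.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    body = None if payload is None else json.dumps(payload).encode()
    return Request(
        f"https://{host}:{ERS_PORT}{path}",
        data=body,
        method="POST" if body is not None else "GET",
        headers={"Authorization": f"Basic {token}",
                 "Accept": "application/json",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample input (hostname, UUID and visitor are made up).
    visitor = {"first": "Ada", "last": "Lovelace", "email": "ada@example.com",
               "phone": "+15555550100", "purpose": "Meeting"}
    problems = preflight(visitor, valid_days=1, password_lifetime_days=60,
                         blocked_keywords="Friends & Family, Delivery, Shipping Dock Visitor")
    portal = portal_id_from_test_url("https://ise.example.com:8443/sponsorportal/"
                                     "PortalSetup.action?portal=3b1b6e10-2d1c-11e9-aaaa-005056871234")
    req = ers_request("ise.example.com", "/ers/config/guestuser", "Envoy_Sponsor", "sponsor-pw",
                      build_guest_payload(visitor, "Envoy_Visitor", portal, "San Francisco", 1, "Envoy_Sponsor"))
    print(problems or "preflight ok", req.get_method(), req.full_url)
```

If preflight returns anything, do not send the request; every entry corresponds to a failure mode this page documents, and sending anyway only produces an opaque error from ISE. Send the request with urllib or requests once the field names have been checked against your SDK page, and keep the sponsor and ERS Admin credentials in separate secrets so the two cannot be swapped.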