Language Disclaimer: I am a non-native English speaker. Please excuse my vocabulary and grammar.

Starting with version 1.3, the Cisco Identity Services Engine (ISE) has a completely new guest access configuration, which is really great.

Sometimes I like it when a new installation offers some default or pre-configuration. But often I try to delete these defaults once I have understood their meaning. Unfortunately, it is sometimes not very easy to clean up some parts of it if you do it in the wrong order. And some elements you will never be able to delete.

This blog post explains how to clean up the Cisco ISE Guest Access default configuration, as far as possible, and additionally, if you like, how to optimize it a little bit. As far as I know, this works for all versions from 1.3 up to and including 2.0.

Technical Disclaimer: These configuration changes are intended for a fresh installation, i.e. for setups where guest access is not yet configured or used. If you have already enabled guest access, BE CAREFUL. YOU DO THIS AT YOUR OWN RISK.

To make it clear: do not do this in a production environment. Do this first in your lab, and only on a freshly and cleanly installed Cisco ISE!

Administration > Identity Management > Groups > Endpoint Identity Groups. You will find a group named GuestEndpoints; several default configurations point to this group. I personally create one guest endpoint identity group per guest type. We need to prepare one endpoint group for the guest type we configure in a later step: create a new group called GEG_Dummy (Guest Endpoint Group - Dummy).

Guest Access > Settings > Guest Locations and SSIDs. If your ISE deployment is not located in San Jose, you may have to create a new location, because the guest user account lifetime depends on the timezone of its location. In my case I add the location Germany with the timezone Europe/Berlin. You may have to add your own timezone with an appropriate name. At this point it is not yet possible to delete the location San Jose.

Guest Access > Configure > Guest Types. Create a new guest type named Guest_Dummy with a maximum access time of 1 minute, whose endpoint identity group points to GEG_Dummy. All default sponsor groups have to be allowed to create this guest type. Do not allow any other sponsor group in your later configuration to create guests of this guest type. Unfortunately, a sponsor group must have access to at least one guest type. Since we cannot delete the default sponsor groups, this is the best option I have found.

Guest Access > Configure > Sponsor Groups.

  • Edit all default sponsor groups: ALL_ACCOUNTS (default), GROUP_ACCOUNTS (default), OWN_ACCOUNTS (default).
  • Disable these sponsor groups. Within each of these default sponsor groups, change the following parameters:
    • This sponsor group can create accounts using these guest types: Guest_Dummy. Remove Contractor (default), Daily (default), Weekly (default).
    • Select the locations that guests will be visiting: optionally, remove San Jose and add Germany (or the location you configured for your timezone).

Policy / Policy Set > Authorization.

  • You will find a rule named Wi-Fi_Guest_Access. Note that this rule is disabled by default. You have to delete it anyway, because it uses the pre-configured default guest types. If you do not delete this rule and try to delete the default guest types, the corresponding user identity groups GuestType_{Daily|Weekly|Contractor} (default) will not be deleted, and you will never be able to delete them afterwards.

  • There is another rule named Wi-Fi_Redirect_to_Guest_Login. This rule is also disabled by default. You have to delete it too, because it uses the authorization profile Cisco_WebAuth, which performs a CWA (central web authentication) redirect to one of the pre-configured guest portals.


Policy > Policy Elements > Results > Authorization > Authorization Profiles. You will find a profile named Cisco_WebAuth, in which a CWA to one of the guest portals is configured. Delete this profile.

Guest Access > Configure > Guest Portals. None of the three pre-configured guest portals should be used by an authorization policy anymore. You can now delete all three default portals. After that you do not have any guest portals at all.

Guest Access > Configure > Guest Types. If you like, double-check all default guest types: edit them and make sure that no sponsor group is able to create any of these guest types. Once that is done, you can delete all default guest types. Only the guest type Guest_Dummy should remain.

Guest Access > Configure > Sponsor Portals. You will find one sponsor portal named Sponsor Portal (default). You are not able to delete it, so I prefer to rename it and use it as my first sponsor portal. Since you have to define an FQDN within the sponsor portal, you may rename it to SP_FQDN (e.g. SP_sponsor.iseisebaby.com).

Guest Access > Settings > Guest Locations and SSIDs. Finally, you are now able to delete the location San Jose, if you do not need it. There is a bug in earlier versions which prevents you from deleting the location San Jose. I do not remember when this issue was fixed, and I do not have access to this bug ID (CSCup80462).

At this point you are finished cleaning up the guest access default configuration.

Now you can configure your guest access from scratch, as you like. Create at least one usable guest type and at least one guest portal. When you then configure a sponsor group, just take one of the default sponsor groups, rename it and adapt it to your requirements. Once you have at least three sponsor groups with one or more real guest types enabled, you are finally able to delete the guest type Guest_Dummy and also the endpoint group GEG_Dummy.

Remark: Instead of creating Guest_Dummy and GEG_Dummy, you can directly create a usable guest type (Guest_max_7_Days) and endpoint group (GEG_max_7_Days). This may be a little more convenient.
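The whole point of the order above is that an object cannot be removed while something still references it. To check a deletion order before clicking through the GUI, here is an added offline model (example code written for this post, not Cisco's and not the ISE API): each object is a name plus the names it references, a referenced object is refused for deletion while a referrer exists, and a sponsor group must keep at least one guest type. The portal name and the exact refusal rules are assumptions modelled on what the post describes.

```python
# Constructed model of the default guest configuration: object -> objects it references.
# A referenced object cannot be deleted while a referrer exists. Portal name is a placeholder.
DEFAULT_STATE = {
    "Location:San Jose": set(),
    "EndpointGroup:GuestEndpoints": set(),
    "Portal:GuestPortal (placeholder)": set(),
    "Profile:Cisco_WebAuth": {"Portal:GuestPortal (placeholder)"},
    "AuthZ:Wi-Fi_Redirect_to_Guest_Login": {"Profile:Cisco_WebAuth"},
}
DEFAULT_GUEST_TYPES = ["GuestType:Contractor", "GuestType:Daily", "GuestType:Weekly"]
SPONSOR_GROUPS = ["SponsorGroup:ALL_ACCOUNTS", "SponsorGroup:GROUP_ACCOUNTS", "SponsorGroup:OWN_ACCOUNTS"]
DEFAULT_STATE.update({gt: {"EndpointGroup:GuestEndpoints"} for gt in DEFAULT_GUEST_TYPES})
DEFAULT_STATE["AuthZ:Wi-Fi_Guest_Access"] = set(DEFAULT_GUEST_TYPES)
DEFAULT_STATE.update({sg: set(DEFAULT_GUEST_TYPES) | {"Location:San Jose"} for sg in SPONSOR_GROUPS})

def can_delete(state, name):
    """Return 'ok', or the reason the deletion is refused (it would orphan a referrer)."""
    holders = sorted(r for r, deps in state.items() if name in deps)
    return "still referenced by " + ", ".join(holders) if holders else "ok"

def set_refs(state, name, deps):
    """Model creating or editing an object, e.g. re-pointing a sponsor group at Guest_Dummy."""
    if name.startswith("SponsorGroup:") and not any(d.startswith("GuestType:") for d in deps):
        return "a sponsor group must keep at least one guest type"
    state[name] = set(deps)
    return "ok"

def run_plan(state, plan):
    """Apply ('set', name, deps) / ('delete', name) steps on a copy; stop at the first refusal."""
    state, results = {k: set(v) for k, v in state.items()}, []
    for step in plan:
        if step[0] == "delete":
            verdict = can_delete(state, step[1])
            if verdict == "ok":
                del state[step[1]]
        else:
            verdict = set_refs(state, step[1], step[2])
        results.append((step[0], step[1], verdict))
        if verdict != "ok":
            break
    return results, state

# The post's clean-up in the order it prescribes: dummies, sponsor groups, rules, profile, portal, guest types, location.
POST_ORDER = (
    [("set", "EndpointGroup:GEG_Dummy", set()), ("set", "Location:Germany", set()),
     ("set", "GuestType:Guest_Dummy", {"EndpointGroup:GEG_Dummy"})]
    + [("set", sg, {"GuestType:Guest_Dummy", "Location:Germany"}) for sg in SPONSOR_GROUPS]
    + [("delete", r) for r in ("AuthZ:Wi-Fi_Guest_Access", "AuthZ:Wi-Fi_Redirect_to_Guest_Login",
                               "Profile:Cisco_WebAuth", "Portal:GuestPortal (placeholder)")]
    + [("delete", gt) for gt in DEFAULT_GUEST_TYPES] + [("delete", "Location:San Jose")])
```

Running `run_plan(DEFAULT_STATE, POST_ORDER)` returns "ok" for every step, while deleting a default guest type first is refused with the list of rules and sponsor groups that still use it.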

Good luck and have fun with Cisco ISE Guest Access.

Sven