Cisco ISE Guest Portals with Ruckus SmartZone

Ruckus SmartZone 7.0 and later support a new RADIUS VSA (Vendor Specific Attribute) for dynamic URL redirection. This means that Cisco ISE can integrate with SmartZone Controllers just like Cisco WLCs and Meraki APs. 

The ISE built-in RuckusWireless NAD profile must be duplicated and modified to use Ruckus-External-Url VSA for the $URL variable. ISE will dynamically insert the PSN FQDN and portal port number during authorization. Ruckus also supports pushing an ACL name via RADIUS from the standard RADIUS Filter-ID attribute. SmartZone also now supports CoA for URL redirection once the client successfully logs into the ISE portal.

Ruckus-EXTERNAL-URL VSA


Filter-ID ACL

Once the NAD profile is modified and applied to the NAD definition for a Ruckus Controller, the ISE guest rules can be built out just like you normally would for any Cisco NAD. 

On the Ruckus SZ side, the ACL must be configured to allow DHCP, DNS, and access to the ISE nodes. An open/OWE SSID with MAC filtering should be configured with no captive portal, web-auth, or WISPr options. RADIUS responses will provide the portal URL. 

Map the ACL to a Firewall Profile and map the Firewall Profile to the WLAN. Create a User Traffic Profile Mapping and type the Group Attribute Value (GAV) to match exactly the filter-id attribute being sent from ISE in the authorization profile.


Comments

Post a Comment

Popular posts from this blog

Fix Cisco ISE Messaging Service

Cisco Identity Services Engine 2.6 introduced the concept of the ISE Messaging Service as an encrypted, lightweight protocol to replace syslog communication between the ISE nodes for logging purposes.  The ISE Messaging Services runs over TCP/8671.  In 2.6 Patch 2 and later, the Cisco ISE Messaging Service is enabled by default.   The overall implementation of the ISE Messaging Service has been buggy (but has gotten much better in recent versions) in both new ISE builds and upgrades.  One solution is simply to disable the ISE Messaging Service within Administration > System > Logging.  But then the ISE logging traffic isn't encrypted and the legacy syslog delivery method is not as efficient as the ISE Messaging Service so we will focus the rest of this article on how to identity and fix the ISE Messaging Service. Problem Identification Usually problems with the ISE Messaging Service involve a blank Live Logs page.  You know authentication is...
Read more

ClearPass MPSK per Device Type with Profiling

Image
Multiple Pre-Shared Key or MPSK helps solve for IOT or other endpoint device types that are not 802.1X capable.  The Aruba ClearPass default implementation of MPSK (the configuration created by the wizard) requires manually registering, enrolling, and managing individual PSK keys per endpoint using the ClearPass Guest dashboard.  While the most secure approach, excluding any sort of API based automation, this can obviously be a nightmare to manage and support due to the sheer number of PSKs.  This approach instead delivers a unique PSK per device type (printer, thermostat, etc.) so that each flavor of endpoint would have its own PSK.  If one PSK was compromised, then only those endpoints would need to be manually re-configured.  PSK rotation would also be limited to only those specific device types allowing rotation to take place slowly over several weeks rather than all devices at the same time on the SSID with a traditional single PSK; lessoning the burde...
Read more

Cisco Designated VIP 2024

I'm pleased  to announce that I have been recognized as a Cisco Community Designated VIP for 2024 for my assistance in the Cisco Secure Network Access Control community focusing on Identity Services Engine.  Be sure to check out all of the   Cisco Community Designated VIPs .
Read more