Cisco SISE 300-715 Practice Test Questions and Answers, Cisco SISE 300-715 Exam Dumps - PrepAway
Web Auth and Guest Services
1. Introducing Web Access with Cisco ISE
The Cisco Identity Services Engine supports Web authentication, or WebAuth, to provide secure guest web access utilising the Cisco ISE Guest and Web Authentication services. This can be configured for both wired and wireless network access. WebAuth is used to grant access to the guest network via HTTP or HTTPS. Users are automatically redirected to an authentication web page, where they must provide credentials to gain access. The IEEE 802.1X protocol is the most secure form of access and is recommended. However, web authentication can be used as a last resort in case the 802.1X supplicant is not available on the client. This could be because it's not installed, not working properly, or misconfigured.
Another possibility is that the guest user is not defined in the proper identity database. Regardless of the reason for using WebAuth, there are three options available: Central Web Authentication, Local Web Authentication, and Device Registration Web Authentication. Let's examine these three in more detail. First, Central Web Authentication, or CWA, is the recommended WebAuth solution, which utilises a centralised Cisco ISE web portal and references the installed RADIUS server for authentication of the users. CWA is supported on both wired and wireless network access devices, or NADs.
When users attempt to connect to the network, the NAD, which can be a switch or wireless LAN controller, redirects the HTTP traffic to the Cisco ISE portal. Once a user successfully logs into the guest portal, Cisco ISE returns a change of authorization (CoA) back to the NAD. Be aware that if you have multiple browser tabs open, Cisco ISE will redirect each one, causing authentication issues. To get around this, only one tab should be open on the browser. When a login attempt is made, a stable connection must also be maintained between the NAD and the Cisco ISE server for CWA to succeed. Next, with Local Web Authentication, or LWA, the authentication web page is actually hosted locally by the NAD, which could be either the switch or wireless LAN controller. This means the authentication is performed closer to the user by utilising a local or external database.
However, with LWA, the Web portal must be configured on every NAD, which can be a difficult task. Plus, there is no centralised audit trail available. Also, change of authorization, or CoA, is not available, which means there's no posture assessment and no policy enforcement based on profiling services. Finally, with Device Registration Web Authentication, or DRW, a hotspot guest portal is used to allow guest service connectivity to a private network without entering a username or password. Based on the portal configuration and settings, guests are granted access to the network if certain conditions are met. Cisco ISE is required and provides a default guest identity group called GuestEndpoints, which enables the ability to track the guest devices cohesively. Sometimes guests may be required to log in with an access code, and typically this code is locally provided to the guests who are physically present on the company's premises.
2. Introducing Web Access with Cisco ISE 2
Let's explore Central Web Authentication, or CWA, in more detail. If you're going to use WebAuth, CWA is the preferred method because the web portal is hosted centrally on the Cisco ISE server.
This makes it much easier to maintain the same level of functionality for all of the NADs in the network, which includes both switches and wireless LAN controllers. It's a far superior solution to Local WebAuth scenarios, in which web portals must be configured on each and every NAD. With CWA, it's easy to provide visitors with a centralised guest portal if they need to access the Internet using the organization's network. Cisco ISE offers a wide range of different portals. For example, a hotspot guest portal could be used when network access is granted without requiring any credentials. Usually, an acceptable use policy, or AUP, must be accepted before network access is granted.
A sponsored guest portal could be used for network access to be granted by a sponsor, who creates accounts for the users and provides the guest with the login credentials. Let's review a step-by-step example of the Central Web Authentication process, where a guest wants to use the company's network to access the Internet. A client connects to the NAD, and it does not have an IEEE 802.1X supplicant. The NAD will initiate a MAC Authentication Bypass, or MAB, request for the endpoint and send it to the Cisco ISE server. The policy service node, or PSN, on Cisco ISE processes the request but does not find the client. As a result, an appropriate authorization rule is configured with a restricted network profile. Cisco ISE then sends an Access-Accept message back to the NAD and includes a URL redirection to the CWA service running on the PSN.
The client then initiates an HTTP request to a website on the Internet using a browser. The NAD responds with an HTTP redirect message back to the client. This redirection forwards the client's browser session to the PSN guest portal login page on Cisco ISE. The guest service prompts the client to authenticate with a username and password. When the client responds, the PSN on Cisco ISE authenticates the user against the configured identity stores. If the authentication is successful, Cisco ISE sends the authorization profile that is associated with the authenticated user in the form of a change of authorization, or CoA. The NAD applies the received authorization settings and returns a CoA acknowledgment to the PSN on Cisco ISE. The client now has access to the network and is free to browse the Internet.
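The exchange just described can be traced end to end with a small model. This is an added example, not code from the course or from Cisco: the class names, profile names, portal URL, MAC address and credentials are all constructed, and the model covers only the message order (MAB, Access-Accept with redirect, HTTP redirect, portal login, CoA, CoA acknowledgment).

```python
# Added illustration: a minimal model of the CWA exchange described above.
# Every name and value here (MAC, URL, profiles, credentials) is constructed.
from dataclasses import dataclass, field

PORTAL = "https://psn.example.test:8443/portal"  # constructed PSN portal URL


@dataclass
class PSN:
    """Policy Service Node: answers MAB requests and hosts the guest portal."""
    identity_store: dict                      # username -> password
    known_endpoints: set = field(default_factory=set)

    def mab_request(self, mac):
        if mac in self.known_endpoints:
            return {"code": "Access-Accept", "profile": "GUEST_INTERNET"}
        # Unknown endpoint: restricted profile plus a redirect to the portal.
        return {"code": "Access-Accept", "profile": "CWA_REDIRECT",
                "url_redirect": f"{PORTAL}?mac={mac}"}

    def portal_login(self, nad, mac, user, password):
        if self.identity_store.get(user) != password:
            return "login-failed"             # no CoA, session stays restricted
        self.known_endpoints.add(mac)
        # Successful login: push the new authorization to the NAD as a CoA.
        return nad.receive_coa(mac, {"profile": "GUEST_INTERNET"})


@dataclass
class NAD:
    """Switch or WLC: enforces whatever authorization the PSN returned."""
    psn: PSN
    sessions: dict = field(default_factory=dict)

    def connect(self, mac):
        # No 802.1X supplicant answered, so the NAD falls back to MAB.
        self.sessions[mac] = self.psn.mab_request(mac)
        return self.sessions[mac]

    def http_get(self, mac, url):
        authz = self.sessions[mac]
        if "url_redirect" in authz:           # restricted: redirect the browser
            return (302, authz["url_redirect"])
        return (200, url)                     # authorized: traffic passes

    def receive_coa(self, mac, authz):
        self.sessions[mac] = authz            # apply the new settings
        return "CoA-ACK"


def run_cwa(user, password):
    """Return [initial profile, first HTTP status, login result, second HTTP status]."""
    psn = PSN(identity_store={"guest1": "Xk7pQ2mR"})
    nad = NAD(psn)
    mac = "00:11:22:33:44:55"
    trace = [nad.connect(mac)["profile"]]
    trace.append(nad.http_get(mac, "http://example.test/")[0])
    trace.append(psn.portal_login(nad, mac, user, password))
    trace.append(nad.http_get(mac, "http://example.test/")[0])
    return trace
```

A failed portal login leaves the restricted profile in place, so the second HTTP request is redirected again; only the CoA changes what the NAD enforces.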
3. Lab Demo Configure Guest Settings
We'll start with the Work Centers menu, where we can quickly access major configuration areas. We're focused on guest access and settings. That takes us to our first settings area, the Guest Account Purge Policy.
These are the default settings that we're seeing here. The accounts within the ISE internal database that are expired are purged from the database after 15 days. These guest accounts would be both the MAC address-based ones that are created for hotspot guest access as well as self-registered and sponsored user accounts. One thing to consider here would be the time reference. If you recall, our ISE installation is operating in the UTC time zone, and if we're trying to have this activity occur in concert with other activities, we may want to consider the local time reference. And if we set it to 9:00 a.m., that would be 1:00 a.m. Pacific time. Notice that this purge policy also governs inactive Active Directory user accounts as they are applied within the portal access, and unused guest accounts that were never activated to begin with. The next settings area is for custom fields for guest services.
We will have self-registered and sponsored users create guest accounts, and within those areas where we're asking for information, we can include some custom-built fields within the portals themselves. We can configure those fields to be required or not. In this case, we'll provide a little sample field here. Notice we can modify the string type so it will conform to a particular format. And now that we're building a portal, we can select this field to be actually added to that portal and/or make it required if needed.
The next thing we'll look at is the guest email. In response to a self-registered account or a sponsored user account, we'll send those user credentials to the described email address. That's how they'll receive their credentials. An alternative would be through SMS messaging. In the case of the sent email, we'll want this to be coming from a valid sender with respect to email. It could be a "do not reply" type address, as we see an example here, or something that's more valid with respect to a user, or perhaps a distribution list that you'd like to be responsible for that. In this case, we can achieve some consistency in terms of the received email for self-registered users and sponsor-created accounts.
And then within that sponsor group, we can make determinations about whether or not we want that sponsor to be able to modify this address and include their own. Notice that we also have a quick link to be able to configure an SMTP server. If we're going to send an email, we need to tell ISE where to forward the email, and have that email sent from there. So we'll take advantage of the link and replace it with a valid email FQDN in our environment. So we've moved into the administration area. We'll go back to settings, and next we'll modify the guest username policy. We can see that we can specify a minimum username length for self-created, self-registered guest accounts and that we can base criteria on first and last name or email address. We can also modify character sets. These are the defaults that we're seeing here on ISE. These custom character sets remove possibly ambiguous characters. You'll notice that the uppercase O and the numeric zero are removed from the character sets.
For our lab purposes, we'll change these settings to make it easier to create accounts by increasing the minimum alphabetic to four and the minimum numeric to zero. Next up is the guest password policy. And again, in a similar fashion, we can create a minimum password length, modify character sets, and set the minimum number of characters for automatically generated accounts. The automatically generated accounts are typically something that a sponsor would be doing, creating batches of multiple user accounts concurrently. And these would be automatically generated with these variations.
Set this to a minimum of four for uppercase and a minimum of one for numeric. Then finally, a note about password expiration. This would be generic password expiration. We can further modify actual account expiry based on guest types, which we'll set up in a future session. Okay, in a quick fashion, we modified some general settings for guest services. Some will have an impact on portal operations, others will modify and affect self-created user accounts, and still others will affect accounts that are generated automatically. And we also specified how we want email forwarding to work for guest user account information.
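To show how a password policy of this shape behaves, the following added example (not ISE code, and not from the course) generates and checks guest passwords against custom character sets and per-class minimums. The minimum of four uppercase and one numeric comes from the lab; the minimum length, the lowercase minimum and the exact character sets are assumptions made for the illustration.

```python
# Added illustration: guest password generation and checking under a policy with
# custom character sets. Length and character sets are assumed, not ISE defaults.
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class GuestPasswordPolicy:
    min_length: int = 8                                       # assumed
    lower: str = string.ascii_lowercase
    upper: str = string.ascii_uppercase.replace("O", "")      # ambiguous 'O' removed
    digits: str = string.digits.replace("0", "")              # ambiguous '0' removed
    min_lower: int = 0                                        # assumed
    min_upper: int = 4                                        # value set in the lab
    min_digits: int = 1                                       # value set in the lab

    def _classes(self):
        return (("lowercase", self.lower, self.min_lower),
                ("uppercase", self.upper, self.min_upper),
                ("numeric", self.digits, self.min_digits))

    def generate(self):
        """Build a password that meets every minimum, then shuffle it."""
        rng = secrets.SystemRandom()                          # CSPRNG-backed
        chars = [rng.choice(charset)
                 for _, charset, minimum in self._classes()
                 for _ in range(minimum)]
        pool = self.lower + self.upper + self.digits
        while len(chars) < self.min_length:
            chars.append(rng.choice(pool))
        rng.shuffle(chars)                                    # hide the class order
        return "".join(chars)

    def violations(self, password):
        """Return a list of reasons the password breaks the policy (empty if none)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        outside = sorted(set(password) - set(self.lower + self.upper + self.digits))
        if outside:
            problems.append("outside policy sets: " + "".join(outside))
        for name, charset, minimum in self._classes():
            if sum(c in charset for c in password) < minimum:
                problems.append(f"fewer than {minimum} {name}")
        return problems
```

Because the ambiguous characters are removed from the sets themselves, a password containing `O` or `0` is rejected as outside the policy rather than counted toward a minimum.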
4. Lab Demo Configure Guest Location
Again, we'll utilise the Work Centers menu, and this is one of the guest access settings, where we can see the guest locations and SSIDs that we can create. The guest location is the primary determinant of the guest's time zone. This will be extremely helpful in a broader deployment. As guest accounts are created by self-registered users, the time zone is automatically defined for them; they usually don't select it. Sponsors, depending on the access that a particular sponsor group has, are allowed to select from one or more of these time zones after we create them. We'll have a label for the selectable time zone, and then the name of the time zone itself; the list here helps us apply the correct names for these time zones. And we'll throw a few in here for variety.
And then we'll also add an SSID for the sponsor user to be able to assign to a guest account as the guest accounts are created. Again, SSIDs will be primarily focused on guest access services, but a different SSID name may be required depending on the location. The SSID that is placed in here must be accurate in terms of case and values as represented within the environment itself.
So let's validate against our wireless LAN controller. We've got the WLANs tab already opened here, and we can see the SSIDs as they're being set out. We'll go ahead and just copy this value while we're here. And now the SSID, as sent to and provided for a guest user account, will have an accurate representation, and a sponsor can select this SSID if we allow them to within their sponsor group and we assign them the privileges to be able to assign SSIDs. Then we'll save this set of settings. And again, we can always add to locations and/or SSIDs for future access for self-registered and/or sponsor-created user accounts.
5. Lab Demo Configure Guest Access with Hotspot Portal 1
Okay, we'll start out with our Work Centers menu system. Look at the overview for guest access. Again, this is a great place to get started. We'll walk through the basic steps for preparation, much of which we've done in previous sessions, and in this case, we're down to the point of actually needing to define the portal itself. We'll take advantage of that link. Notice we're under "Portals and Components" within the Guest Access menu system, and we see the default portals that have been provided by Cisco. The portals represent the web portals themselves, as well as an effective representation of the flow in terms of what users will encounter first, second, and so on.
In this case, we will be creating a new portal, and we're given the possibility of selecting one of the three types. For this, we'll select Hotspot Guest Portal, and we have some minimum requirements for the portal name itself. And then, as we review the portal building itself, notice there are two sections we're operating with in this session, Portal Flow and Behavior. Let's review some of the portal settings as deployed in a broader distributed ISE deployment. The portal itself is being represented by a PSN node, and that policy service node will have a variety of interfaces on it. We can select other interfaces that have been provisioned, and it also supports interface bonding. And then we're also selecting the individual ID certificate that we want to have this portal represent itself with.
And again, this group tag was added in an earlier session where we added an identity cert for ISE itself as part of the deployment and then provided this group tag to uniquely identify the cert among any others that may be in place. Notice that guest accounts, as they're created with this Hotspot portal, will be added to this Endpoint Identity group. We could select others if they were created. This is appropriate for endpoints or MAC addresses that will be added to this endpoint identity store as long as they supply the correct hotspot code. Notice we can modify CoA types, and we can also modify browser locale. Many languages are supported. We're simply specifying English as the fallback. Moving on to our next drawer, we have acceptable use page settings here. We want to require our guest users to provide a hotspot code. And notice we can modify options that require scrolling before acceptance if we wish.
We'll leave that at its default. Notice some of the other settings that we can provide in a post-access banner. We can also force a VLAN DHCP release so that as users are reauthenticated, they're requesting a new IP DHCP lease. In this case, yes, we do want to provide an authentication success page. We will craft the verbiage that's on this success page in the next session, and then we can also include a support information page and craft that and determine what components we want to provide within that success information page. It will automatically be listed for a guest user. They can see these values before they contact the help desk or support person to identify and help with problems. And we can change the language with respect to what's actually on that support page as well.
Notice we have a very simple flow representing what we've provided within the drawers. We've provided support information as kind of a tangent to the flow. We are requiring users to accept an AUP and enter a hotspot code in order to receive a success page, and we will save that portal. At this point, we get a notification that all the portals that may be utilising port 8443 are now going to be using a new ID certificate. There is no particular conflict with the TCP port value itself outside of the presentation of the ID certificate that will be represented upon access at this point. So we're modifying that 8443 port. Now it's going to be utilising this brand new ID certificate. There it is, our pop-up.
Okay, in review, we've just done the first part of creating our Hotspot portal. We've changed the portal's behaviour and flow settings, as well as which interface we want to use on our PSN to represent it. This provides some architectural capabilities. The only thing that would be a requirement is that the Gigabit Ethernet 0 interface listed here needs to be the interface that you use to communicate with the rest of the ISE deployment. Be aware that, for the PAN and MnT in particular, Gigabit Ethernet 0 is required for this. So if we want our web page to be represented on a separate interface, we could create a little bit of isolation, say with a guest network, and then do that by selecting an alternate interface. We also modified the ID certificate that will be utilised for port 8443. We can create a separate portal, a separate port number, and utilise a separate ID certificate where we want a unique ID certificate to represent a unique portal. That can easily be done.
The only requirement is that each ID certificate be tied to a unique HTTP port value. As Hotspot users authenticate by providing the hotspot code, the MAC addresses will be automatically added to GuestEndpoints. And based on some default timers for Hotspot access, which would be approximately 24 hours of access, we could add a separate identity group for this, and we could do that based on per-portal type access as well. A change of authorization will occur after they provide the hotspot code. Then they'll be provided with a new authorization profile, allowing them to gain access to the Internet. The initial authorization profile will redirect them to this portal so we can have them accept the AUP and provide the hotspot code.