Cisco ISE Guest Access Packet Flow

Guest-access authorization with ISE happens in two stages. The initial flow is a MAC authentication Bypass (MAB), where ISE authorizes the endpoint for URL redirect to itself. This results in the web traffic from the guest user’s device to be redirected to the ISE Guest portal. Note that at this stage, the network device (switch or WLC) and ISE will track the endpoint’s network connection with a common session ID. When a guest user logs in with

guest credentials, the guest user ID is merged with the existing MAB session. This part of the process is termed as Guest Flow, where an existing MAB session gets guest user context appended to it.

The Remember Me feature works by using the endpoint group to track users. Currently, there are caveats, with ISE granting access based on the endpoint group. This is because there is no user logging into the Guest portal. Instead, access is based on MAB, using the MAC address. It’s not secure.

The Remember me feature works as follow

1. User connects to the Guest network.

2. Device is redirected to the ISE guest login window.

3. User logs in.

4. Device MAC address is registered in Guest Endpoints group.

5. Device goes away and returns for new session.

6. Device is granted access based on its MAC address membership in the Guest Endpoints group.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s