Cisco ISE and Location-based Web Authentication Portals

The default portal is typically adequate for customers who need a single portal for all web-authenticated users, regardless of location. However, some customers may need a custom web portal with unique pages and language tailored to user location. Since the initial login page appears before user identity validation, ISE must use additional details from the authentication and authorization phases to determine the user's location.

Location can be associated with various RADIUS attributes communicated to ISE when a user connects to the network. One approach to defining location is by matching the network access device (NAD) to which a user connects, such as the Device IP-Address or the NAS-IP-Address. Look at the following examples:

It's also possible to match specific wired switch ports using the NAS-Port-Id attribute. While this may be necessary in some cases, the most common method to define network location is by grouping multiple network devices into Network Device Groups (NDGs) based on their location. See the following figure for a sample of Network Device Groups based on location:

The following figure illustrates an example condition that matches NDG Location. You can use EQUALS or CONTAINS operators to match a specific child location.

In mobile environments, numerous wireless access points often connect to a single, centrally-located controller. In this setup, the network access device is typically the wireless controller. However, since the controller's location may not offer precise information about where a user is connecting, it might be necessary to determine location based on the specific access point or wireless LAN (WLAN) to which the user is connected. The following figure displays example policy rules demonstrating how to match either a specific WLAN (SSID) or Access Point:

An alternative to matching the SSID name is to use the Airespace-Wlan-Id attribute. This attribute corresponds to the specific ID assigned to the WLAN on the WLC. However, one drawback of this approach is that the WLAN ID may vary across different controllers if not explicitly mapped to be consistent across them.

In order to match specific conditions based on the AP's MAC address (as shown in the figure above), the WLC must be configured to include the AP's MAC address in the Called-Station-ID attribute of the RADIUS request. On the WLC, you can configure the format of this attribute under the Security > RADIUS > Authentication section of the web administration interface as shown below:

The specific attribute values available depend on the controller software version. For example, the "AP MAC Address:SSID" format was first introduced in AireOS-based WLCs in version 7.2.

For wireless manageability and to help scale ISE authorization policy rules, it is recommended to group multiple APs and WLANs into groups and configure policies based on these groupings. Example groupings include AP Groups, Flex Groups, and AP Location.


Example Configuration #1: Location-Based Web Portals using NDGs

Since the ultimate objective is to provide a unique web portal based on location, it's essential to develop custom web portals for each location. For example, in the following scenario, I want to create a Sponsor Guest Portal with "Japanese" language support and then assign it to a specific Authorization Profile:

After configuring Authorization Profiles, map each one to device locations under separate Authorization Policy rules. Each site should have a rule that redirects users to a location-based web portal.

When a guest attempts to access the network from a location in Japan, they are presented with a web portal welcoming them to the Asia Pacific Japan Division.


Example Configuration #2: Location-Based Web Portals using AP Location

Set the Location attribute for the wireless access points:

Set the Called-Station-ID attribute for the WLC to AP Location:

This is a global configuration setting, so be sure the value is compatible with other operations that may be impacted by a change in the Called-Station-ID attribute.

Create Authorization Profiles that return unique custom portals based on location. Then, create Authorization Policy rules that match on use case (WLAN = Employee or Guest) and on location (Called-Station-ID set to the AP Location attribute).

The "AP Location" option was first introduced in AireOS-based WLCs in version 7.4.
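To make the decision logic of both example configurations concrete, here is an added Python sketch of how an Authorization Policy resolves location and picks a portal; it is not part of the article or of ISE itself, and all NAD IPs, NDG hierarchies, SSIDs, WLAN IDs and portal names are constructed sample data.

```python
import re

# Constructed sample data standing in for ISE configuration (not from the article).
NDG_LOCATION_BY_NAD = {                      # NAS-IP-Address -> NDG Location hierarchy
    "10.1.1.1": "All Locations#APJ#Japan#Tokyo",
    "10.2.1.1": "All Locations#EMEA#Germany",
}
WLAN_ID_TO_USE_CASE = {1: "Employee", 2: "Guest"}   # Airespace-Wlan-Id -> use case (per WLC)
SSID_TO_USE_CASE = {"Corp": "Employee", "Guest": "Guest"}
# Authorization Policy rules, evaluated top-down, first match wins (as in ISE).
# (use case, operator, location value, portal returned by the Authorization Profile)
PORTAL_RULES = [
    ("Guest", "CONTAINS", "Japan", "Sponsored Guest Portal - APJ Japan (ja)"),
    ("Guest", "EQUALS", "All Locations#EMEA#Germany", "Sponsored Guest Portal - EMEA Germany"),
    ("Guest", "CONTAINS", "Branch-Osaka", "Sponsored Guest Portal - APJ Japan (ja)"),
]
DEFAULT_PORTAL = "Default Guest Portal"
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def parse_called_station_id(value, wlc_format):
    """Interpret Called-Station-Id according to the WLC's global format setting.
    Returns (ap_mac, ssid, ap_location); fields the format does not carry are None."""
    if wlc_format == "AP MAC Address:SSID":
        mac, sep, ssid = value[:17], value[17:18], value[18:]
        if not MAC_RE.match(mac) or sep != ":" or not ssid:
            raise ValueError("Called-Station-Id %r is not in AP MAC Address:SSID form" % value)
        return mac.lower(), ssid, None
    if wlc_format == "AP Location":
        return None, None, value
    raise ValueError("unsupported Called-Station-Id format %r" % wlc_format)

def location_matches(hierarchy, operator, wanted):
    """ISE-style NDG match: EQUALS compares the full path, CONTAINS matches a child node."""
    if operator == "EQUALS":
        return hierarchy == wanted
    return wanted in hierarchy.split("#")

def select_portal(radius, wlc_format):
    """Pick the portal an ISE Authorization Policy would return for one access request."""
    ap_mac, ssid, ap_location = parse_called_station_id(radius["Called-Station-Id"], wlc_format)
    # Use case: prefer the SSID when the format carries it; fall back to Airespace-Wlan-Id,
    # which is only reliable if WLAN IDs are kept consistent across controllers.
    use_case = SSID_TO_USE_CASE.get(ssid) or WLAN_ID_TO_USE_CASE.get(radius.get("Airespace-Wlan-Id"))
    # Location candidates: NDG of the NAD (Example #1) and AP Location (Example #2).
    nad_location = NDG_LOCATION_BY_NAD.get(radius.get("NAS-IP-Address"))
    locations = [loc for loc in (nad_location, ap_location) if loc]
    for rule_use_case, operator, wanted, portal in PORTAL_RULES:
        if rule_use_case == use_case and any(location_matches(loc, operator, wanted) for loc in locations):
            return portal
    return DEFAULT_PORTAL
```

Note that with the "AP Location" format the SSID is no longer in Called-Station-Id, so the use case has to come from another attribute such as Airespace-Wlan-Id.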


More articles by Reza Alikhani