Cisco ISE integration
Cisco Identity Services Engine (ISE) helps businesses control and monitor network access. It also allows companies to set up specific Wi-Fi rules for temporary users such as visitors or contractors.
How does this integration work?
When a visitor signs in using Visitors, they will be automatically created as a visitor in Cisco ISE as well. If the visitor provided an email address and/or phone number, they will receive an email and/or SMS that shares instructions on how to access your company’s guest Wi-Fi network.
Enabling the Envoy + Cisco ISE integration
Step 1: Setting up a sponsor
To provision Wi-Fi using Cisco ISE, every user must have a sponsor. In this step, you’ll create a new sponsor that will be the sponsor for every visitor that signs in with Envoy.
- Open your ISE instance and log in with an admin account.
- Go to Administration > Identity management > Identities.
- Select Users from the sidebar, and click “Add.”
- In the Name field, choose a name for your sponsor. You can use any name, but we recommend choosing something like Envoy_Sponsor.
- Under Status, choose “Enabled.”
- Under Password Type, choose “Internal users.” Then, create a password. Make a note of this password, since you’ll need it later.
- Under User Groups, choose your preferred user group. We recommend choosing ALL_ACCOUNTS unless you have already configured a special user group for Envoy visitors.
Step 2: Setting up a guest type
The Cisco ISE guest type will determine the level of access that users will have. In this step, you’ll create a guest type for visitors that sign in with Envoy.
- With Cisco ISE, go to Work Centers > Guest Access > Portals and Components.
- Select Guest Types from the sidebar, and click “Create.”
- In the Guest type name field, choose a name for your guest type. You can use any name, but we recommend using something like Envoy_Visitor.
- Under Maximum Access Time, find Account duration starts and select “From first login.”
- Login Options - The system administrator can allow guest types to bypass the Guest portal (if applicable). In this case, the guest accounts created using this guest type are enabled automatically, and their states display as Active, even if the guests have not yet logged into a Cisco ISE web portal. If this option is not configured, the accounts are not enabled until the guests actually log into a web portal and their initial states display as Created.
- Directly below, under Maximum account duration, select the number of days you’d like to allow Wi-Fi access to your visitors.
- Please note, the number of days designated here must be less than the number of days set in your general Password Lifetime. You can find Password Lifetime settings under Admin > Identity Management > Settings. In the sidebar, choose User Authentication Settings. Check your password lifetime under Password Lifetime.
- Under Account Expiration Notification, do not select email or SMS. Leave these boxes un-checked. Do not configure notifications within Cisco ISE, because all notifications are sent through Envoy.
- Under Sponsor Groups, select the user group you assigned to the sponsor you created above. We recommended using ALL_ACCOUNTS, but you may have configured a special user group for Envoy visitors.
- Ensure the sponsor group that your sponsor is in (likely ALL_ACCOUNTS) has ability to create accounts that include the Guest Type you created.
- To do so, go to Work Centers > Guest Access > Portals and Components. From the sidebar, choose Sponsor Groups and choose your sponsor group.
- Find “This sponsor group can create accounts using these guest types,” and ensure the guest type you just created (here, you’ll see Envoy_Visitor is in this list.)
- Ensure “Access CISCO ISE guest accounts using the programmatic interface (Guest REST API)” box is checked
Step 3: Find your Portal ID
- Within Cisco ISE, go to Work Centers > Guest Access.
- Select Sponsor Portals from the sidebar, then choose the portal you plan to use. You can use the default [called (Sponsor Portal (default)] or your own preferred portal.
- Find Portal Test URL. Right click on the text and choose “Copy link address.” This will copy the URL.
- Paste this URL into a note on your computer. You’ll need it later.
Step 4: Find your location name
- Within Cisco ISE, go to Work Centers > Guest Access > Settings.
- Select Guest Locations and SSID from the sidebar.
- Choose any location, and make a note of the exact spelling and capitalization of the location name. You’ll need this later.
Step 5: Whitelist IP addresses (if applicable)
If your Cisco ISE instance is behind a firewall, you’ll need to whitelist two IP addresses. If not, please skip to step 6.
220.127.116.11 (Envoy production)
18.104.22.168 (development & troubleshooting)
You will need to NAT your ISE Policy administration node on port 9060 to allow communication from the Envoy system at IP addresses.
Step 6: Enable ERS API service
In order to access Cisco ISE’s API, you’ll need to enable ERS API service. The ERS APIs are disabled by default for security so you must enable it.
- In Cisco ISE, login to your ISE PAN.
- Navigate to Administration > System > Settings and select ERS Settings from the left panel.
- Enable the ERS APIs by selecting Enable ERS for Read/Write.
- Select “Save” to save your changes.
- You may use the default admin account to view the ISE ERS Software Development Kit (SDK) at https://ise.domain.com:9060/ers/sdk
Step 7: Enable Cisco ISE integration in Envoy
- Go to Integrations > All integrations.
- Find Cisco ISE and click “Configure.”
- Reference the the notes you took earlier to fill in the fields on the Configure Server step.
- Enter your location name you noted in Step 4 above.
- Note: It must match exact spelling and capitalization shown in Cisco ISE.
- Enter your ISE IP or domain and your ISE port.
- Enter your location name you noted in Step 4 above.
- Enter your sponsor and guest type details in the Configure Sponsor step.
- Enter the sponsor name and password you created in Step 1 above.
- Enter your Guest Type you created in Step 2 above.
- Enter a comma separated list of visitor names, emails, or other keywords that you want to block from receiving credentials.
- Example keywords: “Friends & Family, Delivery, Shipping Dock Visitor”
- Optional: Enter a custom message and logo.