How to Integrate With Cisco ISE
Written by Reg Gray
Updated over a week ago

Settings on the Cisco side

  1. In Cisco ISE, you will need to enable the “ERS API service” setting.

    1. In Cisco ISE, log in to your ISE PAN

    2. Go to Administration > System > Settings > ERS Settings

    3. Turn on ERS API by enabling ERS for Read/Write

    4. For some ISE versions, you may need to select Disable CSRF For ERS Request (compatible with ERS clients older than ISE 2.3)

    5. Save your changes

    6. You will now be able to use the local endpoint https://<ISE IP address>:9060/ers/

  2. Create a Sponsor
    A sponsor is the user's proxy that does the provisioning of the new visitors

    1. In ISE, go to Administration > Identity Management > Identities.

    2. Select “Users” and click “Add”

      1. Give the sponsor a name (Something like “VisitorManagementSponsor”)

      2. Set Status to Enabled

      3. Set Password Type to “Internal Users”. Create a password (you will need this later in step 6)

      4. Assign User Groups. Best practice is “ALL_ACCOUNTS” unless you have a specific reason not to.

  3. Create a Guest Type
    The Guest Type will determine the permissions the visitor will have.

    1. Go to Work Centers > Guest Access > Portals and Components.

    2. Select “Guest Types” and click “Create”

      1. Name the Visitor type to whatever you wish (Something like “VisitorManagementVisitor”)

      2. Set the field “Account duration starts” to “From First Login”

      3. Set the “Maximum account Duration” to however long you want (recommended 1 day)

      4. Set the “Sponsor Groups” to the same group that you assigned to the sponsor in step 2. (Recommended “ALL_ACCOUNTS”)

    3. Go back to Work Centers > Guest Access > Portals and Components and select “Sponsor Groups” and select the group you are using. Make sure this group can create accounts using the Guest Type we just created.


    4. Make sure to enable “Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)”.




4. Copy the Portal ID

  1. Go to Work Centers > Guest Access

  2. Select “Sponsor Portals” and choose the “Sponsor Portal (default)” unless you have a specific reason to use a custom portal.

  3. Right click on “Portal Test URL” and select “Copy Link Address” or click on the link to open the sponsor portal.
    Paste this link somewhere safe to reference later.

  4. In the URL will be the Portal Identifier number. It is an alphanumeric string at the end. For example, in a URL of https://{sponsor URL}/sponsorportal/PortalSetup.action?portal=23k4jq52-34k4-3lkj-534lkj540012 the Portal ID would be “23k4jq52-34k4-3lkj-534lkj540012”. Paste this Portal ID string


5. Copy location name

  1. Go to Work Centers > Guest Access > Settings

  2. Select “Guest Locations and SSID”

  3. Choose your location, copy its name, and paste it in the same place you pasted the Portal ID.

6. Prep Authorization token

  1. Take the Sponsor Username and Password, format them as “username:password” (ex: rcanby:123abc)

  2. Encode in Base64 (https://www.base64decode.org/)

  3. Copy the encoded result and paste it into the same place as the Portal ID and location name




Setting up GuestConnect to hit Cisco ISE

  1. Push visitor data into Cisco ISE

    1. In the Experience Editor, add a Guest Connect action. Set as “Device” based instead of “Server”.

    2. Add input tokens for email, first name, last name, company, phone number. Map their respective values.

    3. Configure HTTP action, set to POST

    4. Enter URL “https://<ISE IP address>:9060/ers/config/guestuser/”

    5. Set Headers:

{
"Accept" : "application/vnd.com.cisco.ise.identity.guestuser.2.0+xml",
"Authorization": "Basic <Base64-encoded Authorization Token from Step 6 above>",
"Content-Type" : "application/xml"
}

    6. Set Body type to XML and fill with:

identity.ers.ise.cisco.com">

Location that was copied in Step 5 above

1

Company Token

Email Token

true

First Name Token

Last Name Token

Phone Number Token

Use a unique identifier (email or phone tokens would work)/userName>

Guest Type from Step 3 above

Portal ID from Step 4 above

  2. Pull the password back from the created Cisco visitor

    1. After the first GuestConnect action, add another one. Set as “Device” action

    2. Configure HTTP action, set to GET

    3. Enter URL “https://<ISE IP address>:9060/ers/config/guestuser/name/”

    4. Set Headers:

{
"Accept" : "application/vnd.com.cisco.ise.identity.guestuser.2.0+xml",
"Authorization": "Basic <Base64-encoded Authorization Token from Step 6 above>",
"Content-Type" : "application/xml"
}

    5. Add Output token:

      1. Parse LOCATION OF PASSWORD

  3. Use a third Guest Connect action to tokenize the WiFi password

    1. Add a third device-based Guest Connect action, create input token

    2. Map output from second action into input of third action

    3. Use the token in third action wherever you wish to use the WiFi password
      See badge example for printing the password

      To learn more about the badge editor, check out THIS article.
