Day 126 – Cisco ISE Mastery Training: Cloud‑Based Guest Management Portal

Introduction

Imagine you’re at a large enterprise headquarters, or a university campus during orientation week. Thousands of visitors, contractors, or students are trying to get Wi-Fi access. Some are there for a single day, others for a semester. Marketing wants the login portal branded to the organization’s style, HR wants automated sponsor approval, IT security wants tight control of what VLAN/ACL a guest falls into, and the CIO asks, “Can we centralize the portal in the cloud so we don’t have to rebuild it on every ISE node?”

This is where Cisco ISE’s Cloud-Based Guest Management Portal becomes a game-changer.
Instead of serving static, limited HTML pages from ISE’s internal portal engine, you can host the entire guest experience in the cloud — AWS, Azure, GCP, or even your own Kubernetes cluster — and use ISE purely as the enforcement point. The portal in the cloud handles UX, branding, analytics, multi-language flows, SAML/OAuth integrations, and even custom logic. Meanwhile, ISE does what it does best: RADIUS, policy, CoA, VLAN assignment, redirect ACLs, and sponsor workflows.

This approach unlocks scalability, faster iteration, security, and global reach. You can run one portal for every branch worldwide, update branding instantly, and still maintain strict NAC enforcement on-prem via ISE.

In this article we build and validate this workflow step by step: ISE ERS API setup, redirect policies on the WLC and switches, and validation with GUI and CLI tools. You will see exactly how to wire the cloud app to ISE, and how to prove it works with logs, CoA events, and API calls.

By the end, you won’t just know how to deploy a Cloud Guest Portal — you’ll be able to teach it, troubleshoot it, and scale it.


Problem Statement

Real networks face these guest problems:

  • Multiple campuses / events require a single branded portal that’s identical worldwide, but ISE-hosted portals are harder to scale/iterate.
  • Event reservation systems or third-party visitor management (check-in kiosks) need to create guest accounts programmatically.
  • Rapid UI iteration (A/B testing, analytics, SSO) demands cloud hosting and modern CDNs.
  • Security/segmentation requires network enforcement (VLAN/ACL/CoA) that remains with on-prem policy engine (ISE).

Goal: Host the UX in cloud, but keep authorization, sponsor workflows, RADIUS & CoA with ISE. The cloud portal must securely call ISE ERS APIs to create/approve guest accounts, then ISE must apply authorization profiles to open the session.


Solution Overview (high-level mapping)

  1. End-user connects to the guest SSID (open SSID with MAC filtering, i.e. MAB). The WLC sends a RADIUS Access-Request to ISE. For an unknown MAC the MAB lookup fails, but the authentication rule is set to CONTINUE, so the authorization policy still runs and returns an Access-Accept carrying a URL redirect (Centralized Web Auth) plus the name of a redirect ACL. The WLC intercepts the client's HTTP(S) traffic and sends it to the portal URL. (Cisco)
  2. The cloud portal presents the UI, then calls the ISE ERS Guest API (POST /ers/config/guestuser) to create the guest, and the approve operation if a sponsor step is automated. ERS uses HTTP Basic auth over TLS on port 9060 (also on 443 in recent releases) and must be enabled under Administration > System > Settings > API Settings; writes are served by the primary PAN, other nodes are read-only. The calling account must hold the ERS Admin role and be a sponsor, and every guest payload must carry the portalId of a sponsor portal. (Cisco, Cisco DevNet)
  3. Creating the account does not change the client's session. Something must make the session re-authorize: either the guest logs in with the new credentials on an ISE guest portal (ISE then issues the CoA itself), or your back end tags the endpoint (for example POST /ers/config/endpoint into a GuestEndpoints group) and triggers a re-auth through the MnT REST API (/admin/API/mnt/CoA/Reauth/...), since ERS has no CoA call. On re-auth the policy set matches the tagged endpoint and ISE returns the full-access authorization profile (VLAN/ACL). Note that a plain external URL carries none of the session identifiers ISE appends to its own portal links, and the guest network's NAT hides the client's private IP, so decide up front how the portal learns the client's MAC. (Cisco)

Sample Lab Topology

Topology summary (lab/PoC)

  • Virtualization: VMware ESXi cluster or EVE-NG host.
  • ISE cluster: PAN (1 VM) + PSNs (1-2 VMs) in same L2/L3 lab network. ISE GUI on ise-pan.lab.local (management IP 10.10.10.10) and PSN portal IPs 10.10.10.11/12.
  • WLC: Catalyst 9800 virtual (or physical) with management IP 10.10.20.10.
  • Core/Access switches: Catalyst 9300 (for dot1x / MAB wired guest tests).
  • APs: lab APs or virtual APs on WLC.
  • Endpoints: laptop, phone (client).
  • Cloud portal: AWS EC2 (Ubuntu) + NGINX + Flask or NodeJS app behind ALB, public FQDN guest.lab.example.com -> NAT/firewall -> route to ISE ERS via secure path (prefer VPN or private connectivity).
  • Optional: Site-to-Site VPN between on-prem firewall and cloud VPC for ERS traffic, or open only ISE ERS port 9060 (HTTPS) from cloud app to ISE public IP (less preferred).

IP plan (example)

  • ISE PAN: 10.10.10.10 (DNS: ise-pan.lab.local), ERS read/write target
  • ISE PSN: 10.10.10.11 (portal interface, RADIUS, CoA)
  • WLC: 10.10.20.10
  • Switch VLANs: Guest VLAN 110 (172.16.110.0/24), Corp VLAN 10 (10.0.10.0/24)
  • Cloud portal (public): 52.10.10.100 (keep it static: the WLC redirect ACL must exempt it by address), FQDN guest.lab.example.com → TLS cert from public CA.
  • ERS calls: cloud → 10.10.10.10:9060 (the PAN; other nodes only serve ERS reads), over VPN or tightly scoped firewall rules

Diagram

Notes: For a lab use EVE-NG: create ISE VMs (ova), add a 9800 WLC VM, add Catalyst switch images; host cloud portal as additional VM reachable via NAT or host-only network (emulate VPN).


Step-by-Step GUI Configuration Guide

Phase A — ISE pre-reqs & hardening

A.1 — Apply system certs & DNS

  1. Create and upload system certificate (public CA or internal with public FQDN mapping for sponsor/portal).
    • GUI: Administration > System > Certificates > System Certificates > Add
    • [ISE System Certificates]
  2. Create DNS records pointing guest.lab.example.com → public IP (or internal mapping for lab).
    • Validate: nslookup guest.lab.example.com from cloud VM.

A.2 — SMTP & SMS gateway (for guest receipts)

  1. GUI: Administration > System > Settings > SMTP Server — configure SMTP server.
    • Test: Send test email from GUI. [ SMTP Test]
  2. GUI: Administration > System > Settings > SMS Gateway for SMS via email-to-SMS provider.
    • Validate: Send test SMS from Sponsor portal.

A.3 — Enable ERS and create ERS admin

  1. GUI: Administration > System > Settings > API Settings → enable ERS (Read/Write) on the primary PAN (ERS listens on TCP 9060, and on 443 in recent releases). Note whether "Use CSRF Check for Enhanced Security" is on: it is a per-deployment setting that your cloud code must match by fetching and replaying the token. (Cisco)
    • [API Settings — Enable ERS]
  2. GUI: Administration > System > Admin Access > Administrators > Admin Users > Add → create ers_admin and put it in the ERS Admin group (ERS Operator for read-only callers). For guest-user calls the same internal account must also belong to a sponsor group, because guests are always created on behalf of a sponsor.
    • Validate: From the cloud app or Postman, GET https://ise-pan.lab.local:9060/ers/sdk with the ERS credentials; a 200 with the SDK page means ERS is enabled and reachable, a 401 means the account is wrong or lacks the ERS role. (Cisco, Cisco DevNet)

A.4 — Add WLC and switches as Network Devices

  1. GUI: Administration > Network Resources > Network Devices > Add → add WLC (IP 10.10.20.10) and switches (10.10.30.0/24) with correct RADIUS shared secret.
    • [Add Network Device]
    • Validate: On ISE Operations > RADIUS > Live Logs you should see the WLC RADIUS requests once you test connecting a client.

Phase B — Configure Guest Services & Portals in ISE

B.1 — Create Guest Type & Sponsor Group

  1. GUI: Work Centers > Guest Access > Configure > Portals & Components > Guest Type > Add → create Visitor_Web_Guest with desired validity, login options (Self-registered or Sponsored). [Guest Type]
  2. GUI: Work Centers > Guest Access > Configure > Portals & Components > Sponsor Groups → create HR_Sponsors, map an AD group (or create internal sponsor users). [Sponsor Group]
    • Validate: Try logging in as sponsor to Sponsor portal: https://<ise-psn-ip>:8443/sponsorportal (or the FQDN). See Sponsor Guide for details.

B.2 — Create Portal (External cloud portal pattern)
There are two patterns:

  • A) Use ISE portal pages hosted on ISE and redirect to them (standard).
  • B) Use an external cloud portal — recommended here.

To configure ISE to redirect to an external URL:

  1. Create the standard Guest Portal (self-registered) so ISE has a PortalID (works as a template). GUI: Work Centers > Guest Access > Portals & Components > Guest Portals > Add (Self-Registered) → configure pages, Guest Type mapping. [Create Self-Registered Portal]
  2. Create an Authorization Profile that includes Web Redirection → choose Centralized Web Auth or provide an explicit portal option pointing to the Guest Portal object you defined. (This maps redirect behavior to the portal resource). (Cisco)
    • GUI: Policy > Policy Elements > Results > Authorization > Authorization Profiles > Add → set Common Tasks > Web Redirection -> Centralized Web Auth and select the portal. [Authorization Profile Web Redirection]
  3. To send clients straight to your cloud FQDN instead of an ISE-hosted page, set the redirect in the Authorization Profile's Advanced Attributes Settings with two cisco-av-pair values: url-redirect-acl=REDIRECT (the ACL name on the WLC) and url-redirect=https://guest.lab.example.com/ (the cloud portal). ISE has no way to register an external site as a Portal object, so the ISE guest portal from step 1 stays useful only if the guest's final credential login still happens on ISE. Many shops do exactly that: host the pages externally and keep the ISE portal for the login step that triggers the CoA. (Cisco)

Validation (quick)

  • Test portal URL in GUI: Work Centers > Guest Access > Portals & Components > Guest Portals → click Test Portal URL. Should open page or show redirect. [Test Portal URL]

Phase C — Configure Policy Set for Guest redirect (ISE GUI)

  1. GUI: Policy > Policy Sets → add a policy set Guest_CWA_SSID. Condition: Wireless_MAB (built-in compound condition) AND Radius:Called-Station-ID ENDS_WITH :Guest_SSID (the 9800 reports the SSID inside Called-Station-ID).
  2. Authentication Policy: rule for MAB using Internal Endpoints with "If User not found" = CONTINUE, so unknown MACs still reach the authorization policy instead of being rejected. [Authentication Policy Set] (Cisco)
  3. Authorization Policy, top to bottom: (a) if the endpoint's Identity Group is GuestEndpoints (or the built-in Guest_Flow condition, when the login happens on an ISE portal) then Authorization Profile = Guest_PermitAccess with the guest VLAN/ACL; (b) otherwise Authorization Profile = Guest_Redirect_Profile (the web-redirection profile from B.2). The order matters: the redirect rule must be the fall-through, not the first match. [Authorization Policy]
  4. Save and apply.

Validation: Operations > Live Logs → connect a device to Guest_SSID; check Live Logs: you should see an Access-Accept with Redirect URL and the guest portal target.


Phase D — WLC (Catalyst 9800) configuration to support CWA (example GUI + CLI)

  1. GUI: Configuration > Security > AAA > RADIUS > Servers → add ISE server(s) with shared secret, enable CoA support (for CoA/Change of Authorization). (Cisco) [WLC RADIUS Server]
  2. Create WLAN (Guest_SSID) and set Security → Layer2/3: MAC Filtering or open + web auth. If you use CWA: configure AAA method list for web auth. (Cisco) [WLAN Security]
  3. Create the Redirect ACL on the WLC: Configuration > Security > ACL → named extended ACL REDIRECT. On the 9800 the semantics are inverted relative to a filtering ACL: deny means "let through untouched", permit means "intercept and redirect". So deny DNS, DHCP, the ISE PSN and the cloud portal's own address (otherwise the redirected request is itself redirected, a loop), and permit tcp 80 (plus 443 if you want HTTPS intercepted). See the Deliverables section and the 9800 CWA doc for the full ACL. (Cisco) [Redirect ACL]
  4. Link ACL name to ISE Authorization Profile in ISE (ACL name must match). [ISE Authorization Profile (ACL Name)]

WLC CLI validation examples

# show wlan summary
# show wireless client mac-address <mac> detail   (9800: client state, redirect URL, applied ACL)
# show aaa servers
# show ip access-lists REDIRECT

(Use the WLC diagnostic pages to see redirected clients.)


Phase E — Cloud portal (high-level deploy + ERS calls)

E.1 — Harden connectivity

  • Preferred: Site-to-site VPN between the cloud VPC and the on-prem firewall so ERS (TCP 9060 on the PAN) is never exposed to the internet. If a VPN is not possible, allow only the cloud portal's egress IP to reach the PAN on 9060. ERS authenticates with HTTP Basic credentials only (there is no client-certificate option), so the account is as sensitive as an admin password: pin ISE's server certificate or CA in the client, keep the credentials in a secret store, and log every call. (Cisco)

E.2 — ERS API example (curl) — create a guest

Important: every guest is created on behalf of a sponsor, so the Basic-auth account must be an internal user in the ERS Admin (or ERS Operator) group that is also a member of a sponsor group, and the payload must carry the portalId of a sponsor portal. If "CSRF check" is enabled in API Settings, fetch a token first and replay it on each write. See the DevNet Guest User API. (Cisco DevNet)

Sample curl (JSON). The POST goes to the primary PAN (other nodes serve ERS read-only), portalId is the id of a sponsor portal (GET /ers/config/portal lists portals with their ids), and ISE's certificate is verified with --cacert rather than ignored with -k.

# 1. Reachability check, and fetch a CSRF token if "CSRF check" is enabled in API Settings
#    (the token comes back in the X-CSRF-Token response header; ISE sends none when the check is off)
curl --cacert ise-ca.pem -u ers_admin:ERS_PASS \
  -H "Accept: application/json" \
  -H "X-CSRF-TOKEN: fetch" \
  -D headers.txt -o /dev/null \
  "https://ise-pan.lab.local:9060/ers/config/guestuser"
CSRF=$(awk 'tolower($1)=="x-csrf-token:" {print $2}' headers.txt | tr -d '\r')

# 2. Create the guest (drop the X-CSRF-TOKEN header if CSRF check is off)
curl --cacert ise-ca.pem -u ers_admin:ERS_PASS \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-CSRF-TOKEN: $CSRF" \
  -D - -o /dev/null \
  -X POST https://ise-pan.lab.local:9060/ers/config/guestuser \
  -d '{
    "GuestUser": {
      "name":"visitor_jdoe",
      "guestType":"Visitor_Web_Guest",
      "portalId":"<sponsor-portal-id>",
      "guestInfo": {
        "firstName":"John",
        "lastName":"Doe",
        "emailAddress":"jdoe@example.com",
        "userName":"jdoe.visit",
        "password":"Passw0rd!",
        "enabled":true
      },
      "guestAccessInfo": {
        "validDays":1,
        "ssid":"Guest_SSID",
        "location":"HeadOffice"
      }
    }
  }'
  • On success ISE returns 201 Created with an empty body; the new guest's id is the last path element of the Location response header. Use that id for the approve, sms, email and resetpassword operations. (See DevNet Guest User API for operations.) (Cisco DevNet)

E.3 — Cloud portal flow (sequence)

  1. User clicks Accept / fills form in browser on guest.lab.example.com.
  2. The cloud portal back end calls POST /ers/config/guestuser on the PAN, then PUT /ers/config/guestuser/approve/{id} if the sponsor step is automated. See the DevNet API for the approve and sms/email operations. (Cisco DevNet)
  3. The cloud portal shows the credentials to the guest or has ISE deliver them by email/SMS. The portal may also call PUT /ers/config/guestuser/resetpassword/{id} to get a generated password to display. (Cisco DevNet)
  4. The session still carries the redirect authorization at this point; the account alone changes nothing. Either send the guest to the ISE guest portal to log in (ISE sends the CoA), or tag the endpoint via POST /ers/config/endpoint into an identity group your policy set grants access to and trigger a re-auth with the MnT REST API (/admin/API/mnt/CoA/Reauth/{psn}/{mac}/{reauth-type}); ERS itself exposes no CoA call. Confirm the CoA in Operations > Live Logs before declaring the flow done.

Sample minimal back-end snippet (Python + requests)

# Minimal back-end handler body (pip install requests). Secrets come from the environment / secret store, never from code.
import os
import requests
from requests.auth import HTTPBasicAuth
ERS_URL = "https://ise-pan.lab.local:9060/ers/config/guestuser"        # primary PAN, not a PSN
auth = HTTPBasicAuth(os.environ["ERS_USER"], os.environ["ERS_PASS"])
headers = {"Content-Type": "application/json", "Accept": "application/json"}   # add X-CSRF-TOKEN here if CSRF check is on
payload = {"GuestUser": {"name": "visitor_jdoe", "guestType": "Visitor_Web_Guest",
                         "portalId": os.environ["SPONSOR_PORTAL_ID"],
                         "guestInfo": {"firstName": "John", "lastName": "Doe", "emailAddress": "jdoe@example.com",
                                       "userName": "jdoe.visit", "enabled": True},
                         "guestAccessInfo": {"validDays": 1, "ssid": "Guest_SSID", "location": "HeadOffice"}}}
r = requests.post(ERS_URL, json=payload, auth=auth, headers=headers,
                  verify="/etc/ssl/certs/ise-ca.pem", timeout=10)        # verify ISE's cert; never verify=False
r.raise_for_status()                                                    # expect 201 Created
guest_id = r.headers["Location"].rsplit("/", 1)[-1]                     # body is empty; the id is in Location

Production: keep the ERS credentials in a secret store, restrict at the firewall which source IPs can reach the PAN (ERS has no client-certificate option), handle the CSRF token per your API Settings, and never disable certificate verification. (Cisco, Cisco DevNet)
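The full back-end sequence from E.2 and E.3 (token fetch, guest creation, endpoint tagging, CoA trigger) as an added example; it is not code from the article, from Cisco, or from DevNet. It talks to ISE through a small transport interface so the same client can run against a real PAN (UrllibTransport with a CA bundle) or against a constructed stand-in (FakeIse) for offline testing. The FakeIse replies, the transport interface, and the sponsor-portal and endpoint-group ids used in demo() are assumptions; the ERS behaviour it relies on is the documented one: HTTP Basic auth, JSON media types, "X-CSRF-TOKEN: fetch" on a GET when CSRF check is enabled, and 201 Created with the new object's URL in the Location header.

```python
# Added example, not the article's code: an ERS guest-creation client with the
# checks a cloud portal back end needs. Assumed, not from the page: the transport
# interface, the FakeIse replies, and the sponsor-portal / endpoint-group ids in
# demo(). ERS behaviour relied on: HTTP Basic auth, JSON media types, "X-CSRF-TOKEN:
# fetch" on a GET when CSRF check is enabled, 201 Created with the new URL in Location.
import base64, json, re, ssl, urllib.request

GUEST_RES, ENDPOINT_RES = "/ers/config/guestuser", "/ers/config/endpoint"

def build_guest_payload(username, first, last, email, guest_type, portal_id,
                        valid_days=1, location="HeadOffice", ssid="Guest_SSID", password=None):
    """GuestUser body. portalId (a sponsor portal) is mandatory; omitting it is the
    usual cause of a 400 from ERS. Without a password ISE generates one."""
    if not portal_id:
        raise ValueError("portalId (sponsor portal id) is required")
    info = {"firstName": first, "lastName": last, "emailAddress": email,
            "userName": username, "enabled": True}
    if password:
        info["password"] = password
    return {"GuestUser": {"name": username, "guestType": guest_type, "portalId": portal_id,
                          "guestInfo": info,
                          "guestAccessInfo": {"validDays": int(valid_days),
                                              "location": location, "ssid": ssid}}}

def id_from_location(header):
    """ERS create returns an empty body; the new object's id ends the Location URL."""
    m = re.search(r"/([0-9a-fA-F-]+)$", header or "")
    if not m:
        raise ValueError("unexpected Location header: %r" % header)
    return m.group(1)

def coa_reauth_url(mnt_host, psn_hostname, mac, reauth_type=0):
    """ERS has no CoA call; the MnT REST API does (reauth_type 0=default, 1=last, 2=rerun)."""
    return "https://%s/admin/API/mnt/CoA/Reauth/%s/%s/%d" % (
        mnt_host, psn_hostname, mac.upper().replace("-", ":"), reauth_type)

class UrllibTransport:
    """Real HTTPS transport; verifies ISE's certificate against a CA bundle (never -k)."""
    def __init__(self, ca_bundle):
        self.ctx = ssl.create_default_context(cafile=ca_bundle)

    def send(self, method, url, headers, body=None):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=10) as r:
            return r.status, dict(r.headers), r.read()

class ErsClient:
    def __init__(self, pan_host, user, password, transport):
        self.base = "https://%s:9060" % pan_host      # writes must go to the primary PAN
        self.t = transport
        cred = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        self.h = {"Authorization": "Basic " + cred, "Accept": "application/json",
                  "Content-Type": "application/json"}

    def fetch_csrf(self):
        # Reachability check plus token fetch; returns None when CSRF check is off.
        st, rh, _ = self.t.send("GET", self.base + GUEST_RES, dict(self.h, **{"X-CSRF-TOKEN": "fetch"}))
        if st != 200:
            raise RuntimeError("ERS not reachable or not enabled on the PAN: HTTP %d" % st)
        tok = {k.lower(): v for k, v in rh.items()}.get("x-csrf-token")
        if tok:
            self.h["X-CSRF-TOKEN"] = tok
        return tok

    def create(self, resource, payload):
        st, rh, raw = self.t.send("POST", self.base + resource, self.h, json.dumps(payload).encode())
        if st == 401:
            raise PermissionError("401: ERS off, bad creds, or account not ERS Admin + sponsor")
        if st != 201:
            raise RuntimeError("HTTP %d: %s" % (st, raw[:200]))
        return id_from_location({k.lower(): v for k, v in rh.items()}.get("location"))

    def register_endpoint(self, mac, group_id):
        # Tag the client MAC (e.g. GuestEndpoints) so the policy set grants access on re-auth.
        return self.create(ENDPOINT_RES, {"ERSEndPoint": {
            "mac": mac, "groupId": group_id, "staticGroupAssignment": True}})

class FakeIse:
    """Constructed stand-in for ISE so this example runs offline."""
    GUID = "2f3e1a4b-7c8d-4e9f-a0b1-c2d3e4f5a6b7"

    def send(self, method, url, headers, body=None):
        if method == "GET":
            return 200, {"X-CSRF-Token": "tok42"}, b""
        if headers.get("X-CSRF-TOKEN") != "tok42":
            return 403, {}, b"CSRF token invalid"
        if url.endswith(GUEST_RES) and "portalId" not in json.loads(body)["GuestUser"]:
            return 400, {}, b"portalId is required"
        return 201, {"Location": url + "/" + self.GUID}, b""

def demo():
    """Full sequence: token, guest, endpoint tag, and the CoA URL the back end then calls."""
    c = ErsClient("ise-pan.lab.local", "ers_admin", "ERS_PASS", FakeIse())
    c.fetch_csrf()
    gid = c.create(GUEST_RES, build_guest_payload("jdoe.visit", "John", "Doe", "jdoe@example.com",
                                                  "Visitor_Web_Guest", portal_id="assumed-sponsor-portal-id"))
    eid = c.register_endpoint("AA:BB:CC:DD:EE:01", "assumed-guestendpoints-group-id")
    return gid, eid, coa_reauth_url("ise-mnt.lab.local", "ise-psn1", "aa-bb-cc-dd-ee-01")
```

Against a real deployment, swap FakeIse() for UrllibTransport("ise-ca.pem") and read the ERS credentials from a secret store. The MnT CoA URL is returned rather than called because that request goes to the MnT node with its own admin credentials; keep that account separate from the ERS one so a leaked portal credential cannot disconnect arbitrary sessions.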


Phase F — Validation & Troubleshooting (GUI + CLI checks)

ISE GUI checks

  • Operations > Live Logs — track Access-Request/Accept events and portal redirect attributes. (Look for redirect URL and Cisco:WebAuth type). (Cisco)
  • Work Centers > Guest Access > Monitor — view guest sessions and status; check sponsor approvals.

WLC / AP checks

  • CLI: show wireless client mac-address <mac> detail → confirm the client state (Webauth Pending before login, Run after the CoA), the redirect URL and the redirect ACL name; or use the GUI Clients view. (Cisco)

Switch checks (wired MAB)

  • CLI: show authentication sessions interface GigabitEthernet1/0/2 details — confirm MAB session status (Authorized / domain / username). (Cisco)

API checks

  • Use Postman to exercise /ers/config/guestuser and confirm 201. Use GET /ers/config/guestuser/name/{name} to fetch created guest. (Cisco DevNet)

Common troubleshooting tips

  • If redirect not seen: verify WLC redirect ACL matches ISE Authorization Profile’s ACL name. (Cisco)
  • If ERS returns 401: ensure ERS is enabled, ERS admin exists and port 9060 is reachable. (Cisco, Cisco DevNet)
  • If sponsor emails/SMS fail: check SMTP/SMS gateway config in ISE. (Cisco)

Expert Level Use Cases (step-by-step mapping + validation)

Use Case 1 — High-volume event venue (stadium)

  • Goal: Hundreds of guests register quickly; branding + sponsor kiosks used.
  • Approach: Cloud portal scales (ALB + autoscale). Use ERS batch API to create guest accounts from bulk CSV (DevNet supports bulk create). Use CoA to flip sessions to guest VLAN. Validate with load test: simulate 1k ERS POSTs and measure ISE PSN CPU, Live Logs. (Cisco DevNet)

Use Case 2 — Multi-tenant building (separate sponsorship / billing)

  • Goal: Each tenant gets their own branded portal and reporting.
  • Approach: The cloud portal supports multiple tenancy layers (tenant fragment in payload). In ISE, create Guest Types per tenant and Sponsor Groups mapped to AD groups. Use custom fields in ERS payload (guest.customFields) to tag tenant and use reporting filters. Validate: query GET /ers/config/guestuser/?filter=.... (Cisco DevNet, Cisco)

Use Case 3 — Contractor & short-lived accounts (time-limited VLAN)

  • Goal: Contractors get 8-hour access with automatic expiry.
  • Approach: Cloud portal sets guestAccessInfo.validDays or toDate via ERS create call. ISE purge policy removes expired accounts automatically or use scheduled purge. Validate: Check Work Centers > Guest Access > Monitor for status; ensure VLAN reversion via CoA after expiry. (Cisco DevNet, Cisco)

Use Case 4 — Visitor + BYOD onboarding combined

  • Goal: Guest device optionally registers for future BYOD onboarding.
  • Approach: Enable Guest Device Registration in portal settings so when guest logs in, device is registered as an endpoint (ISE internal endpoint DB) and can be migrated to BYOD flows. Validate: Work Centers > Guest Access > Portals & Components > Guest Device Registration Settings. (Cisco)

Use Case 5 — Secure kiosk interop (SSO with 3rd party)

  • Goal: Kiosk authenticates via SAML to corporate IdP, then portal creates guest in ISE.
  • Approach: Cloud portal performs SAML with IdP, then ERS call to create guest. Validate: SAML logs + ISE guest entries.

Deliverables

ISE ERS guest create (curl)

(Already shown in Phase E; use that.)

WLC redirect ACL example (text)

ip access-list extended REDIRECT
 remark 9800 redirect ACL: deny = pass through untouched, permit = intercept and redirect
 deny udp any any eq domain
 deny udp any eq domain any
 deny udp any any eq bootps
 deny udp any any eq bootpc
 deny ip any host 10.10.10.11
 deny ip any host 52.10.10.100
 permit tcp any any eq www
 permit tcp any any eq 443

(10.10.10.11 is the ISE PSN; 52.10.10.100 is the cloud portal, which must be exempted by address or the redirected request is itself redirected. Adjust addresses, and give the portal a fixed public IP since the ACL cannot match an FQDN. Drop the 443 line if you do not want HTTPS intercepted; intercepting it produces certificate warnings on the client. See the Catalyst 9800 CWA doc for recommended ACL placement.) (Cisco)
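A checker for the redirect ACL above, as an added example that is not from the article or from Cisco. It implements the 9800 semantics (deny = pass through, permit = intercept and redirect) over a simplified ACE grammar, then replays a handful of constructed guest flows to catch the mistakes this section warns about: DHCP, DNS or ISE traffic being intercepted, HTTP not being intercepted, and the cloud portal's own address being redirected (the loop). The sample flows, the guest address 172.16.110.50 and the ACE grammar (only "any", "host", wildcard masks and "eq" ports) are assumptions; the addresses come from the IP plan.

```python
# Added example, not the article's code: a checker for Catalyst 9800 redirect-ACL
# semantics, where deny means "pass through untouched" and permit means "intercept
# and redirect". It parses the ACL and replays constructed guest flows to catch the
# usual mistakes: DHCP, DNS or ISE traffic being intercepted, HTTP not being
# intercepted, and the cloud portal's own address being redirected (a loop).
# The simplified ACE grammar and the sample flows are assumptions, not from the page.
import ipaddress
from collections import namedtuple

PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80, "https": 443}
Ace = namedtuple("Ace", "action proto src sport dst dport")
Flow = namedtuple("Flow", "name proto src sport dst dport")

REDIRECT_ACL = """
ip access-list extended REDIRECT
 remark deny = pass through, permit = redirect
 deny udp any any eq domain
 deny udp any eq domain any
 deny udp any any eq bootps
 deny udp any any eq bootpc
 deny ip any host 10.10.10.11
 deny ip any host 52.10.10.100
 permit tcp any any eq www
 permit tcp any any eq 443
"""

def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1]))))
    return ipaddress.ip_network((tok[i], mask), strict=False), i + 2

def _port(tok, i):
    """Optional 'eq <name|number>'; only eq is supported in this checker."""
    if i < len(tok) and tok[i] == "eq":
        return int(PORTS.get(tok[i + 1], tok[i + 1])), i + 2
    return None, i

def parse_acl(text):
    """Extended named ACL body; remarks, the header line and sequence numbers are skipped."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():
            tok = tok[1:]
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport))
    return aces

def action_for(aces, flow):
    """First matching ACE wins; the implicit deny at the end means 'no redirect'."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for a in aces:
        if a.proto not in ("ip", flow.proto) or src not in a.src or dst not in a.dst:
            continue
        if a.sport not in (None, flow.sport) or a.dport not in (None, flow.dport):
            continue
        return a.action
    return "deny"

def check_redirect_acl(acl_text, guest_ip, ise_ips, portal_ip):
    """Return a list of problems; an empty list means the ACL behaves as CWA needs."""
    aces = parse_acl(acl_text)
    must_pass = [Flow("dns", "udp", guest_ip, 51000, "172.16.110.1", 53),
                 Flow("dhcp", "udp", guest_ip, 68, "255.255.255.255", 67),
                 Flow("portal-https", "tcp", guest_ip, 51001, portal_ip, 443)]
    must_pass += [Flow("ise-" + ip, "tcp", guest_ip, 51002, ip, 8443) for ip in ise_ips]
    must_redirect = [Flow("any-http", "tcp", guest_ip, 51003, "93.184.216.34", 80)]
    problems = []
    for f in must_pass:
        if action_for(aces, f) == "permit":
            loop = " (redirect loop)" if f.name == "portal-https" else ""
            problems.append("%s would be intercepted%s" % (f.name, loop))
    for f in must_redirect:
        if action_for(aces, f) != "permit":
            problems.append("%s would not be redirected" % f.name)
    return problems

if __name__ == "__main__":
    print(check_redirect_acl(REDIRECT_ACL, "172.16.110.50", ["10.10.10.11"], "52.10.10.100"))
```

Paste the ACL from `show ip access-lists REDIRECT` into REDIRECT_ACL and run it before a change window; removing the portal's deny line, or writing DHCP as permit, shows up as a named problem instead of as a guest who never sees the portal.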


FAQs

1. Why move the Guest Portal to the cloud when ISE already has a built-in guest portal?

  • ISE’s native portals are functional but limited in customization and scale.
  • Cloud hosting enables enterprise branding, analytics (Google Analytics, Hotjar), SSO integration, and centralized management across geographies.
  • It decouples the UX layer from the policy engine, letting you iterate faster.

2. Which ISE components remain on-prem when using a cloud portal?

  • On-prem (ISE PSN): RADIUS authentication, authorization policies, redirect decisions, CoA/VLAN enforcement, Sponsor Groups, Guest DB.
  • Cloud portal: Web UI/UX, REST calls to ISE ERS, branding, integrations (HR, visitor mgmt).

3. How does the redirect to a cloud portal actually happen?

  • User connects → WLC/switch sends RADIUS request → ISE responds with Access-Accept + Redirect URL + ACL.
  • The endpoint is intercepted and sent to https://guest.company.com (cloud portal).
  • The cloud portal calls the ISE ERS API to create/approve the guest; the session then re-authorizes either through a guest login on the ISE portal (ISE sends the CoA) or through a CoA your back end triggers via the MnT REST API after tagging the endpoint in ISE.

4. Do I need to expose ISE to the internet for ERS API calls from the cloud?

  • Best practice: No. Use a site-to-site VPN or ExpressRoute/DirectConnect to let the cloud portal reach ISE’s PSN over TCP/9060 securely.
  • If unavoidable, restrict via firewall to only your cloud portal IPs, use HTTPS/TLS certs, and dedicated ERS service accounts.

5. What authentication methods are supported for guest users with a cloud portal?

  • Self-registration (cloud portal form → ERS create guest)
  • Sponsored access (cloud portal calls ERS, sponsor approves via ISE Sponsor Portal)
  • Social login / SSO (portal does OAuth/SAML with Google, Microsoft, etc. → then uses ERS to create an ISE guest account in the background).

6. How do we validate the redirect and authorization from the CLI?

  • On WLC (9800):
    • show wireless client mac-address <mac> detail → check client state, redirect URL and ACL applied.
    • show aaa servers → confirm RADIUS status.
  • On switch (wired):
    • show authentication sessions interface g1/0/x details → look for Redirect URL and session state.
  • On ISE:
    • Operations > Live Logs → confirm Access-Accept with WebAuth attributes.

7. What are common pitfalls in cloud guest deployments?

  • Redirect ACL misconfiguration (clients can’t reach DNS or cloud FQDN).
  • ERS API not enabled (default off in ISE).
  • Certificates mismatch (client doesn’t trust cloud portal cert).
  • CoA not enabled on WLC/switch → guest never transitions to “Authorized.”
  • Sponsor approval delays if SMTP/SMS not tested.

8. How do I handle guest account expiry and auto-purging?

  • In the ERS API payload, set guestAccessInfo.validDays or explicit expiry.
  • ISE has a built-in purge policy (Work Centers > Guest Access > Settings > Guest Account Purge Policy).
  • Expired accounts are removed automatically, or can be bulk deleted via ERS API.

9. Can one cloud portal serve multiple ISE clusters worldwide?

  • Yes — as long as the portal knows which ISE PSN/cluster to talk to.
  • Common design: Cloud portal looks up guest’s location/site, then calls the nearest ISE PSN (through VPN tunnels).
  • You can also deploy regional portals (multi-tenant setup).

10. How do I troubleshoot ERS API calls when they fail?

  • 401 Unauthorized: wrong ERS credentials, ERS disabled, or the account lacks the ERS Admin role (or, for guest calls, a sponsor group).
  • 403 Forbidden: typically CSRF check is enabled and the write was sent without a valid X-CSRF-TOKEN.
  • 404 Not Found: wrong resource path (it is /ers/config/guestuser) or a wrong id; also what you get from a node where ERS is not enabled.
  • 400 Bad Request: the payload fails schema validation (missing portalId, unknown guestType, bad date format); the JSON error body names the field. A 500 is rarer and points at the server side.
  • Use Postman with Basic Auth to test manually, and always read the response body: ERS returns a JSON error with a message.
  • On ISE, raise the ers component to DEBUG under Operations > Troubleshoot > Debug Wizard > Debug Log Configuration, then pull the logs with Download Logs.

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

[NEW COURSE ALERT] CISCO ISE (Identity Service Engine) by Sagar Dhawan
CCIE Security v6.1 Training – Ticket#1 Discussed
CCIE Security v6.1 – MAC Authentication Bypass (MAB) in Cisco ISE
CCNP to CCIE SECURITY v6.1 – New Online Batch

Closing Notes (key takeaways)

  • The pattern “cloud portal + ISE policy engine” gives the best of both worlds: modern UX & scale in the cloud and enterprise grade policy + enforcement on-prem.
  • Always secure ERS (use VPN or narrow firewall rules), use dedicated ERS admin accounts, and enable CSRF token handling if ISE requires it. (Cisco, Cisco DevNet)
  • Validate every step using ISE Live Logs, WLC client logs, and switch show authentication sessions for wired. Test sponsor workflows using the sponsor portal UI before automating with ERS. (Cisco)

Fast-Track to Cisco ISE Mastery Pro

For deeper Cisco ISE Mastery, subscribe to Network Journey on YouTube and join the instructor-led classes. I run a focused 4-month instructor-led CCIE/ISE track — the course funnel and outline are at: https://course.networkjourney.com/ccie-security/.

Enroll to get lab topologies, step-by-step video walkthroughs, and the POC scripts used in this masterclass.

Enroll Now & Future‑Proof Your Career
Emailinfo@networkjourney.com
WhatsApp / Call: +91 97395 21088