
Wi-Fi by passport? How to implement it technically
On July 31, the Government of the Russian Federation approved Resolution No. 758 “On Amending Certain Acts of the Government of the Russian Federation in Connection with the Adoption of the Federal Law ‘On Amending the Federal Law “On Information, Information Technologies and the Protection of Information” and Certain Legislative Acts of the Russian Federation on Streamlining the Exchange of Information Using Information and Telecommunication Networks’”, which experts and journalists very quickly dubbed “the law on Wi-Fi by passport”. We will not interpret this regulatory act from a legal point of view, trying to find out whether it applies only to collective access points such as those at the Russian Post or has a wider application. Let lawyers do that. I would rather look at its technical feasibility.
As it turned out, there is nothing new under the sun, and the idea of checking users before connecting them to a resource arises quite often in real life. For example, if you visit the Cisco office and want to access the Internet, you will be given guest access, for which you must enter, on a special Web page, the login and password received at the reception or from the person you came to meet (who, in turn, arranges this access on a special guest portal). We encounter a similar service in hotels or cafes when we want to use paid or free access to the World Wide Web. In general, one can offer a large number of examples of guest Internet access that requires the user to provide some details. So if you think about it and discard emotions,
Any of these scenarios can be implemented using the Cisco Identity Services Engine (ISE), a centralized access control system for wired and wireless, external and internal access. Cisco ISE includes a guest access subsystem (Guest Access) that streamlines and automates the guest connection process, which consists of 4 stages:
- provision of guest access and privilege checking
- guest notification of creating a guest account
- setting up the work of the guest portal and persons entitled to provide guest access
- reporting.
I will illustrate these steps with some screenshots that best show what guest access with Cisco ISE looks like. Our first step is to determine how guest access is granted. A guest account can be created by a so-called sponsor, by the guest themselves, or access can be organized without creating an account at all. In a corporate environment the first method is usually used; in public places, the second or third. Government Decree No. 758 speaks only of the second method of connection.

Our next step is to specify the information that we want to receive from the user. In addition to the first and last name, we can request additional information, for example an e-mail address or a mobile phone number to which the account login and password are sent. Resolution No. 758 also requires the provision of information about an identity document, which can likewise be implemented in Cisco ISE.

For each account, you can specify various time limits (for example, the number of login attempts and the account lifetime) and membership in a group, which can impose additional restrictions on access to various external or internal (for example, printer) resources. All settings made are visualized in a clear block diagram.

If necessary, you can always check the created accounts and their status. For example, the status “AWAITING INITIAL LOGIN” can denote both a newly created account and an account whose user requested guest access but never used it.

After creating the account, the user should receive a username and password (if we enabled login/password access rather than access without registration). This can be done in different ways. The details can be printed and brought to the guest along with the menu.

You can send them by e-mail (although the guest must already have access to it):

Or, as the Ministry of Communications suggested, you can send the access details via SMS.

Next, the user performs the login procedure by entering the received username and password on a Web page in the browser. This page can look different. For example, by default, the guest access page looks like this:

But this default option is plain and satisfies few people. Using the Cisco ISE Template Builder, you can create your own guest portals (in different languages, including Russian, with your own styling, your logo, optimization for mobile devices, etc.).

Very interesting is the possibility of requiring agreement with the rules for providing guest access (the so-called acceptable use policy, AUP). Disagreement with it (you can include, for example, consent to the transfer and other forms of processing of personal data by the owner of the wireless access point and certain third parties) may result in the denial of access to free Wi-Fi.

The requirement of Government Decree No. 758 to store information on guests’ access to the Internet can also be met. Cisco ISE can visualize both high-level statistics of guest access:

and detailed information about the resources visited. It is also possible to register and store the identifiers of the devices used for guest access.

The story of how to implement Government Decree No. 758 of July 31, 2014 could end here, if not for one “but”. The question “How to check the authenticity of the information about an identity document?” remains unanswered. I must say right away that there is no such question in the Resolution itself. It requires only that such information be provided, not that it be verified. However, I admit that such a question may still arise. Can it be implemented using Cisco ISE? Yes, it can.
We implemented a similar task in Turkey for one of the largest Turkish banks, which faced the task of providing customers with secure access to certain banking resources with the mandatory provision and verification of passport data. By the way, in Russia there is also a requirement of the Bank of Russia to verify the validity of bank customers’ passport data against the Federal Migration Service (FMS). Can Cisco ISE solve this problem? Not on its own. Unfortunately, Cisco developers do not know how the FMS or the traffic police work, through whose databases some officials and deputies propose checking the authenticity of the identity document of a guest who wishes to access the Internet via free or paid Wi-Fi. However, Cisco ISE has a special ISE REST API for interfacing with external systems. It was with the help of this API that one of our partners developed middleware which received the access details (name, passport number, date of birth, mobile phone number) and sent them to the Turkish state database for verification. In the case of a positive response, the same middleware created a guest account in ISE and then sent an SMS with the access details to the bank client. After the set timeout, the same software deleted the temporary account. Considering the existence of automated passport validation services in Russia, I do not see any great difficulty in “tying” them to Cisco ISE.
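As an added illustration (not the partner's middleware and not Cisco's code), here is the orchestration that paragraph describes: a registry check gates account creation, credentials are generated and sent by SMS, and the account is deleted once its lifetime expires. The registry lookup, the ISE account calls and the SMS sender are injected placeholder callables, an assumption standing in for the real ISE REST API and the state database.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class GuestRequest:
    name: str
    passport_no: str
    birth_date: str   # ISO date string
    phone: str


@dataclass
class GuestAccount:
    username: str
    password: str
    phone: str
    expires_at: datetime


class GuestMiddleware:
    """Verify identity data, then create a time-limited guest account and notify the guest.

    verify(req) -> bool, create_account(acct), delete_account(username) and
    send_sms(phone, text) are injected by the caller (hypothetical adapters)."""

    def __init__(self, verify, create_account, delete_account, send_sms,
                 lifetime=timedelta(hours=8)):
        self.verify, self.create_account = verify, create_account
        self.delete_account, self.send_sms = delete_account, send_sms
        self.lifetime = lifetime
        self.active = {}          # username -> GuestAccount

    def _credentials(self):
        # Unpredictable username and a 12-character random password
        alphabet = string.ascii_letters + string.digits
        return ("guest-" + secrets.token_hex(3),
                "".join(secrets.choice(alphabet) for _ in range(12)))

    def request_access(self, req, now=None):
        now = now or datetime.utcnow()
        if not self.verify(req):
            return None           # denied: no account created, nothing sent
        user, pwd = self._credentials()
        acct = GuestAccount(user, pwd, req.phone, now + self.lifetime)
        self.create_account(acct)
        self.active[user] = acct
        self.send_sms(req.phone, f"Wi-Fi login: {user} password: {pwd}")
        return acct

    def expire_accounts(self, now=None):
        # Periodic cleanup: delete every account whose lifetime has elapsed
        now = now or datetime.utcnow()
        expired = [u for u, a in self.active.items() if a.expires_at <= now]
        for u in expired:
            self.delete_account(u)
            del self.active[u]
        return expired
```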
Summarizing, I want to note that the need for guest access has recently been arising quite regularly, and with the help of the Cisco ISE access control system even the most unconventional scenarios of such a connection can be implemented.