topic Re: ISE -WLC Guest Implementation in Network Access Control

ISE -WLC Guest Implementation

rajcisco — Tue, 23 Oct 2018 13:16:45 GMT

Hello All,

I am trying to implement guest network using ISE 2.2 & WLC (aireos), with flexconnect (central auth and local switch). I am using separate interface in ISE-PSN for guest, but using the same management interface in WLC where other enterprise traffic is terminated due to present architecture (all branch offices uses local switch, there is no central switching). I see ISE can provide initial ACL (redirect guest to psn for Authentication) and second ACL once authenticated (to access only Internet)

But Is there anything else to consider in security perspective, as i am using the WLC management interface of the controller for the Guest?

Note: Routing guest to internet using vrf/vlan over firewall to local internet link

Thanks for your time.

Re: ISE -WLC Guest Implementation

paul — Tue, 23 Oct 2018 13:53:18 GMT

This is a common setup, i.e. FlexConnect guests to a local VRF at the remote site and send them out to the Internet. The only issue you have to tackle is getting the guests back to the PSNs for the guest portal. I usually bring them in over the Internet. Use a second interface on the PSNs and put it in a DMZ and open up 8443 access from the Internet or put up dedicate guest PSNs in the DMZ. I like dedicated guests PSNs then I don't have a dual legged box sitting in the DMZ.

Re: ISE -WLC Guest Implementation

rajcisco — Tue, 23 Oct 2018 16:06:33 GMT

Thank you Paul for the reply

Actually my design flow is like something like below,

Guest-->SSID (AP)-->WLC-->PSN (first ACL)--->WLC--->Guest (Redirect Page) --> Passcode entered-->WLC --->PSN--->Authenticated (Second ACL)--WLC-->Guest-->local firewall--> Internet

First ACL - to provide only access to PSN

Second ACL- to provide only access to Internet

I am using PSN with two leg, but not in DMZ, second leg in separate guest vrf. WLC mgmt will communicate to PSN i/f(in guest vrf)over firewall just for control traffic

Re: ISE -WLC Guest Implementation

paul — Tue, 23 Oct 2018 16:26:25 GMT

So are you running the SSID in FlexConnect or not? If so then the WLC is not involved in anything except passing the RADIUS authentication. The traffic flow you need to make work is :

Guest->AP->PSN.

Re: ISE -WLC Guest Implementation

rajcisco — Tue, 23 Oct 2018 19:56:53 GMT

Yes I am running Flexconnect in SSID, using WLC is only to redirect RADIUS traffic to PSN and apply ACL to Flex Connect group based on ISE policy.

Sorry i didnt mention it, setup is working fine, back to my question, is there any security measures should be considered using same mgmt i/f in WLC for Enterprise and Guest RADIUS traffic

Re: ISE -WLC Guest Implementation

paul — Tue, 23 Oct 2018 20:00:25 GMT

None that I can think of. This is a common setup. There is no avenue for guests to actually use that channel to do anything. I have never separate authentication traffic from the WLC to ISE. Actually user traffic, yes, but not authentication traffic.

Re: ISE -WLC Guest Implementation

rajcisco — Tue, 23 Oct 2018 21:39:52 GMT

Thank you Paul for your time and information