topic ISE - Restricting Employee assets from accessing Guest SSID in Network Access Control

ISE - Restricting Employee assets from accessing Guest SSID

nadeekha — Mon, 18 Jul 2016 02:31:03 GMT

Hi Experts,

My customer wants to know the following:

They currently have a Guest Wifi with an SSID in their environment for their guest users and access is separately anchored off at the DMZ.Guest access is purely WLC based and no NAC solution is in place for it.

Now we are in the process of setting up ISE Wireless /Wired 802.1x solution for the employee assets. The question is that with ISE deployed will we be able to restrict the employees from hoping on to the Guest network SSID from their laptops?

They dont want employees to be able to get on the Guest Wifi period.

Thy have no plans to have Guest Access a part of the ISE design.

Re: ISE - Restricting Employee assets from accessing Guest SSID

Jason Kunst — Mon, 18 Jul 2016 16:28:04 GMT

ISE has no visbility into the wireless guest network as its not managing it. That limits the options available. Might be best to reach out to wireless/prime team to validate some of these options.

Also see a similar thread Block Employee MAC's on guest SSID?

if you have a simple guest splash page from the controller then maybe the controller can query prime for mac addresses seen on internal network?

if they are requiring them to do LWA to the WLC guest portal then don't allow employees to create accounts

•Anyconnect Network Access Module (windows only), restrict their window machines from connecting to unsanctioned WLANs?

•Enterprise Connection Enforcement How-to guide Admin Guide

If integrating with ISE

•Only allow sponsors to create accounts for visitors

•restrict access to 1 device per credential

•Register Corp machines into special endpoint group

•If MAB and Corp ID Group then deny access or redirect to restricted message portal

•Profiling to differentiate access (requires plus license)

Use profiling to differentiate corp devices. You can use Windows GPO to write identifiable string in to the browser user agent or DHCP client ID field that ISE can use to differentiate the corp devices. (Need Plus License) once you have the endpoint group created and populated, you simply need to redirect to a different portal to notify the user is not allowed on the guest network.

•WPA2 Guest network (no open network, no portal)

•Corporate Devices using cert auth

•Guests use sponsored credentials with allow guest type to bypass portal

Re: ISE - Restricting Employee assets from accessing Guest SSID

vibobrov — Thu, 21 Jul 2016 01:55:05 GMT

There were a couple of other options discussed here: Re: Limiting corporate users from guest wireless SSID's - specific use case

Re: ISE - Restricting Employee assets from accessing Guest SSID

Oliver Laue — Thu, 21 Jul 2016 09:54:30 GMT

For Active Directory managed Clients you can enroll a GPO to deny Wireless Access to specific SSIDs.

How to use Group Policy to black/white list wireless networks in Vista & Windows 7