https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168190#M1074878 <P>Of course this is possible and it is also a good practice.&nbsp; How are you currently classifying your company devices using dot1x and or MAB?</P> <P>If you have dot1x and MAB setup correctly, you only need to configure a catch all rule that sends a dACL that only allows internet access to the switch port</P> Fri, 16 Oct 2020 11:33:35 GMT Marius Gunnerud 2020-10-16T11:33:35Z https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168189#M1074877 <P>Hello all,</P><P>Im having a huge struggle to deploy the cenario i want in ISE.</P><P>&nbsp;</P><P>So i have dot1x and MAB working fine, the problem is when i want someone from outside the company plugs the cable (even if they don't belong to AD and not having the MAC associated with ISE) have access only to internet.</P><P>I'm not able to do this in ISE. Is it possible?</P><P>&nbsp;</P><P>PC(outside company) -----&gt; PLUGS CABLE -------&gt; ISE ------&gt; Give him VLAN (example 20) only internet access -----&gt; Happy PC</P><P>Is it possible?</P> Fri, 16 Oct 2020 11:31:06 GMT https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168189#M1074877 Kalimoz 2020-10-16T11:31:06Z https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168190#M1074878 <P>Of course this is possible and it is also a good practice.&nbsp; How are you currently classifying your company devices using dot1x and or MAB?</P> <P>If you have dot1x and MAB setup correctly, you only need to configure a catch all rule that sends a dACL that only allows internet access to the switch port</P> Fri, 16 Oct 2020 11:33:35 GMT https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168190#M1074878 Marius Gunnerud 2020-10-16T11:33:35Z https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168210#M1074883 <P>Hello Marius,</P><P>&nbsp;</P><P>Thank you for the reply.</P><P>The condition i have for the dot1x is based on Location and Equipment, this is the same for MAB</P><P>&nbsp;</P><P>For dot1x Pcs company need to validate de certificafe and user based on AD</P><P>For MAB is only based on MAC imported to the list (Like Printers / Cameras etc) each one with their respective profile.</P><P>&nbsp;</P><P>So what i can interper in what you say is like create an Authorization policy based on Location or Devices and use like VLAN 20 and dACL on it?</P> Fri, 16 Oct 2020 12:06:25 GMT https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168210#M1074883 Kalimoz 2020-10-16T12:06:25Z https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168211#M1074884 <P>Yes, or if you have an unused VLAN, remediation VLAN for example that only has access to internet, you could push the devices into that VLAN.&nbsp; If you do not have a remediation VLAN then a dACL will do the trick.&nbsp; I find that many do not have a VLAN for unauthorized devices already configured which is why I recommended the dACL approach.&nbsp;</P> Fri, 16 Oct 2020 12:10:43 GMT https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168211#M1074884 Marius Gunnerud 2020-10-16T12:10:43Z https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168233#M1074888 <P>Thank you Marius,</P><P>Will try that approach <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P> Fri, 16 Oct 2020 12:34:00 GMT https://community.cisco.com/t5/network-security/ise-deploy-internet-access-wired-guest/m-p/4168233#M1074888 Kalimoz 2020-10-16T12:34:00Z