topic Re: Keeping Generic accounts from connecting to Guest network in Wireless

Keeping Generic accounts from connecting to Guest network

CGidcumb1002 — Tue, 10 Aug 2021 16:21:03 GMT

Is there an easy way from keeping generic accounts from connecting to our Guest network? Right now if a user has an AD account, they connect their personal devices to the Guest network and it authenticates against AD. The problem is that the generic accounts also reside in AD and anyone who knows the passwords for these generic accounts can use them to access the guest network. So I guess the question is, is there a way to exclude certain AD accounts in Cisco ISE from being able to connect to an SSID?

Re: Keeping Generic accounts from connecting to Guest network

Arshad Safrulla — Thu, 12 Aug 2021 13:07:42 GMT

Easily guessable Generic Account passwords?????? This itself is a big problem.

Regarding your question this has to be done on ISE, you need to edit the Authentication and Authorization policies to allow only the preferred group from AD. WLC cannot influence the Authentication here, I would recommend you open a discussion on ISE community.

Re: Keeping Generic accounts from connecting to Guest network

CGidcumb1002 — Thu, 12 Aug 2021 13:59:17 GMT

Ok, thanks for the info. We are new to ISE and was trying to setup some new policies that we haven't had in place and working through the flows. I didn't know if ISE had the ability to restrict individual usernames or not.