Cisco Employee

Guest portals on ISE in PCI zone

Team,

I have a customer that has PCI restrictions around hosting ISE guest portals in their PCI Zone. What are the best ways to address this? I would love to hear real-world experiences.

Ideas I have are 1) Separate PSN in a non-PCI zone for guest portals 2) Fully separate ISE deployment for guest wireless.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Guest portals on ISE in PCI zone

Normally I'd expect to see PCI vs non-PCI zones segmented by firewall(s) and ISE hosted in a non-PCI zone. In any case, the guest portal should not be hosted on an ISE that is deployed in a PCI zone.

The customer I support also needs to comply with PCI regulation. They have ISE hosted in the DC in a non-PCI zone. For guest zones, they have a dedicated PSN server in the DMZ. All guest/IoT SSIDs from various locations are anchored to WLCs in the DMZ and they are put in a VLAN that gets only Internet access.

I don't see a necessity for a completely separate ISE deployment only for the guest network unless the customer has reasons to do so. There are other customers that have a separate guest ISE deployment.
