Guest Self-registration to 802.1x/PEAP protected WLAN

I'm trying to figure out if a particular guest workflow is possible and how to achieve it.

What we want is for guests to be able to self-register and have their accounts approved by a sponsor. The guest accounts should be ISE Internal users. The Guest WLAN should be an 802.1x/PEAP WLAN where guest users use their previously created Internal Credentials to authenticate and have their L2 session encrypted. The Internal Guest user accounts should have a limited lifetime, etc., in the same manner as a Web Guest Portal user.

I'm thinking the only way to do this is with 2 WLANs: an open 'registration' WLAN that guests associate to in order to get to the self-registration portal, as well as the actual Guest Service WLAN. Once registered, they'd have to disconnect and re-associate to the Guest Service WLAN with their PEAP credentials for Internet access.

Can someone give me some direction on if this is possible and how to achieve it?

Accepted Solutions
Cisco Employee

Re: Guest Self-registration to 802.1x/PEAP protected WLAN

Yes that sounds good.

Some other options:
http://cs.co/ise-guest check for the kiosk option. Set up a machine for portal access.
Create your own portal accessible to the internet for pre-registration – accessible outside via a DMZ PSN.

Under your guest type you will need to allow users to bypass the portal, to allow them to use the guest accounts outside of a guest portal flow:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01110.html

Keep in mind that user creds will be cached, and if they expire the user's supplicant will keep trying to connect to the network until it is forgotten. This will cause erroneous login failures.
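
One way to triage the login failures described at the end of the reply above, as an added example that is not part of the original thread and is not Cisco code: it separates repeated failures from endpoints still retrying an expired guest account from failures that expiry does not explain. The record layout, account names and MAC addresses are constructed; the export format of ISE failure records and guest expiry times is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed guest account expiry times (assumed export, not a real ISE format).
GUEST_EXPIRY = {
    "jdoe": datetime(2024, 5, 1, 18, 0),
    "asmith": datetime(2024, 5, 3, 18, 0),
}

# Constructed failed-authentication records: (timestamp, username, endpoint MAC).
FAILED_AUTHS = [
    ("2024-05-02 08:00:05", "jdoe", "aa:bb:cc:00:00:01"),
    ("2024-05-02 08:00:35", "jdoe", "AA:BB:CC:00:00:01"),
    ("2024-05-02 08:01:05", "jdoe", "AA:BB:CC:00:00:01"),
    ("2024-05-02 09:10:00", "asmith", "AA:BB:CC:00:00:02"),  # account still valid
    ("2024-05-02 09:15:00", "admin", "AA:BB:CC:00:00:03"),   # not a guest account
]

def _after_expiry(ts, user, expiry):
    """True when the failure happened after this guest account expired."""
    expires = expiry.get(user)
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return expires is not None and when > expires

def stale_supplicants(failures, expiry, min_attempts=3):
    """Return {(username, MAC): attempts} for endpoints that keep retrying
    a guest account after it expired (cached credentials, profile not forgotten)."""
    counts = defaultdict(int)
    for ts, user, mac in failures:
        if _after_expiry(ts, user, expiry):
            counts[(user, mac.upper())] += 1  # normalise MAC case before grouping
    return {key: n for key, n in counts.items() if n >= min_attempts}

def unexplained_failures(failures, expiry):
    """Failures that account expiry does not explain; these need normal triage."""
    return [f for f in failures if not _after_expiry(f[0], f[1], expiry)]

if __name__ == "__main__":
    for (user, mac), n in stale_supplicants(FAILED_AUTHS, GUEST_EXPIRY).items():
        print(f"{mac}: {n} retries for expired guest '{user}' (forget the network profile)")
    for ts, user, mac in unexplained_failures(FAILED_AUTHS, GUEST_EXPIRY):
        print(f"{ts} {mac} {user}: not explained by expiry, triage normally")
```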