Is it Possible to have a Single SSID for Guests, Contractors, Vendors and BYOD?

Aaron Woland
Cisco Employee

I received this question in email.  Answering here for public consumption, etc.

-----  Original Question -----

I have a customer looking to implement a Base ISE solution with an opportunity to grow to Advanced ISE.

One of their requirements is Single Sign-on SSID.

We’re in the middle of a POC, and one of the questions that came up today is that the partner stated that if the customer wants to use Single Sign-on SSID they will lose the benefit of a captive portal page for guest BYOD.

The ideal scenario is:

Corporate employees connect and are pushed to VLAN 57 and move through the provisioning process with corporate-owned devices.

Guests, contractors, vendors, or employee personal devices connect and are pushed to VLAN 21 and then connect to a captive portal page with the terms and conditions.

Do we support a captive portal with Single Sign-on SSID?

------   Answer   -----

This is one of those cases where different technologies and use cases seem to be getting mixed up in translation.

1.  Single Sign-on SSID: this term in and of itself seems to be a mixture of terminology/technology. I assume we are talking about Single-SSID Onboarding. This is the process of using a secured WLAN (e.g. WPA/WPA2) that prompts an employee for authentication credentials (e.g. using 802.1X authentication) and automatically runs the user through the Native Supplicant Provisioning (aka onboarding) process, leveraging the credentials that were used to authenticate to the secure WLAN. When it is all said and done, the endpoint is going to authenticate to the network automatically from now on using the certificate that ISE issued it and EAP-TLS.

Note: this is a secured WLAN, meaning you must already have credentials or you cannot associate to the wireless access point. It's a fundamental principle of wireless networks that a WLAN can either be open or secured with a keying technology (e.g. WPA). A single WLAN (SSID) cannot be both open and encrypted at the same time; it's not possible at all with 802.11 (wireless), even though wired networks provide more flexibility.

Note: even with closed/WPA2-protected WLANs, you can always redirect to a portal and get another set of credentials. There is no restriction there. In fact, we have an entire solution that uses EAP-TLS for the first auth and Centralized Web Auth (CWA) for the second auth to provide a dual-auth scenario for customers. So there are no technical limitations in ISE to prevent this, but it still doesn't meet your use case of guests/contractors.

2.  Guests and contractors would not typically have credentials already to enter into the network manager/supplicant. I.e.: when you connect to the corporate network at work, it prompts for credentials to use in the 802.1X authentication and uses WPA2 for encryption. There is no way to join that network without inputting credentials (see #1 above). So: how would a guest or contractor use the 802.1X secure network? They would need to have their credentials already given to them on printed paper, by SMS, by email, etc., and then use those credentials when prompted for a username/password. They cannot join the WPA2-protected SSID without credentials and be redirected to a web page for authentication, because the wireless would never even allow them to associate.

This is why most guest/contractor type access is handled with open SSIDs, ones that don't require credentials before associating over the radio. Instead you connect to the open network and are redirected to the WebAuth portal for your credentials, which authorize you for that guest networking experience, or even to request credentials right from that WebAuth portal, etc.

Note: now with WLC version 8.3, we can even use WPA2/Pre-Shared Key type networks instead of just open. But you would still need to provide a pre-shared key/passphrase before association to the wireless AP. Both the open and the pre-shared key type WLANs would allow the centralized portal for authentication.

-- Short Answer --

This is not an ISE limitation; you are asking to do something that standard 802.11 wireless networks cannot do: be both open and closed at the same time.


Ping Zhou
Level 8

So I see, we just simply can't do MAB over 802.11 wireless LAN. ah~~

I disagree with the above answer!

Cisco could have created a simple portal page with three buttons when connecting to an open SSID such as guest, for example: 1. Accept, 2. Decline and 3. Employee. If you clicked Accept it would allow guest access, and if you clicked Employee it would take you to the BYOD page for authentication and registration of your device.

I have experience building Cisco ISE and Aruba ClearPass; both work differently. With Cisco you have to have a Guest open SSID, a BYOD SSID, and an Employee SSID. With ClearPass, on the other hand, you only set up two SSIDs: Guest and Employee.

Cheers...

With ISE you can have one SSID if you like.

You can set portal settings to have a guest type for employees and register their endpoints under another group.

There are many ways to skin the ISE cat, so let us know the flow you would like and we will come up with a solution.

For example, authorization rules:

If guest flow and employee, then redirect to BYOD portal.

If guest endpoint, then guest permit.

If MAB, then redirect to guest portal.

There are also customizations under the guest and web auth page to have a button for guest hotspot and otherwise login.

https://communities.cisco.com/docs/DOC-64018?mobileredirect=true#jive_content_id_Special_Flows
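As an added illustration (not code from the reply above, and not ISE's own policy engine), the following Python snippet models the three authorization rules just listed as a first-match rule set and walks one client through the open-SSID flow. The attribute names (`auth_method`, `guest_flow`, `identity_groups`, `ad_groups`), the group names `Employees` and `GuestEndpoints`, and the result labels are assumptions chosen for illustration, not ISE's real dictionary names. The point it makes explicit is ordering: on an open SSID every session arrives via MAB, so the MAB rule has to sit last, otherwise it matches first and an employee never reaches the BYOD portal.

```python
# Added example, not from the thread or from ISE: a first-match model of the
# open-SSID authorization rules. Attribute names, group names and result
# labels are constructed for illustration; they are not ISE dictionary names.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the policy engine sees for one wireless session (constructed)."""
    auth_method: str                            # "MAB" on an open SSID (no supplicant), "DOT1X" on a secured one
    guest_flow: bool = False                    # True once the user has logged in at the web-auth portal
    identity_groups: frozenset = frozenset()    # endpoint identity groups the MAC has been registered into
    ad_groups: frozenset = frozenset()          # user groups learned from the portal login


# Ordered rules, first match wins: (name, condition, result).
OPEN_SSID_POLICY = [
    # Employee who authenticated at the guest portal: send them on to BYOD onboarding.
    ("employee-onboard",
     lambda s: s.guest_flow and "Employees" in s.ad_groups,
     "REDIRECT:BYOD_PORTAL"),
    # MAC already registered as a guest endpoint: plain guest internet.
    ("guest-endpoint",
     lambda s: "GuestEndpoints" in s.identity_groups,
     "PERMIT:GUEST_INTERNET"),
    # Anything else arriving over MAB, i.e. every new client on the open SSID:
    # redirect to the guest/web-auth portal. Must be last or it shadows the rest.
    ("mab-redirect",
     lambda s: s.auth_method == "MAB",
     "REDIRECT:GUEST_PORTAL"),
]


def authorize(session, policy=OPEN_SSID_POLICY):
    """Return (rule name, result) for the first rule whose condition matches."""
    for name, condition, result in policy:
        if condition(session):
            return name, result
    return "default", "DENY"


def walk_open_ssid(user_is_employee):
    """Stages of one client on the open SSID: first association, then the
    re-authorization after portal login. Returns the results in order.
    A guest login also registers the MAC into the guest endpoint group
    (stand-in for ISE's endpoint registration); an employee login does not."""
    first = Session(auth_method="MAB")
    if user_is_employee:
        after_login = Session(auth_method="MAB", guest_flow=True,
                              ad_groups=frozenset({"Employees"}))
    else:
        after_login = Session(auth_method="MAB", guest_flow=True,
                              identity_groups=frozenset({"GuestEndpoints"}))
    return [authorize(first)[1], authorize(after_login)[1]]


def misordered_employee_result():
    """Same employee session, but with the MAB rule evaluated first."""
    session = Session(auth_method="MAB", guest_flow=True,
                      ad_groups=frozenset({"Employees"}))
    return authorize(session, policy=list(reversed(OPEN_SSID_POLICY)))


if __name__ == "__main__":
    print("guest   :", walk_open_ssid(user_is_employee=False))
    print("employee:", walk_open_ssid(user_is_employee=True))
    print("employee with MAB rule first:", misordered_employee_result())
```

The guest path relies on the MAC being registered into the guest endpoint group after a successful portal login, which the `identity_groups` attribute stands in for here; without that registration the third rule would fire again after the CoA and the client would loop back to the portal.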

Thank you for the comments. I understand your point; the question is whether you can consolidate SSIDs and have one open SSID for guest and BYOD registration and one for BYOD/employee secured access.

Most organizations drop their guest traffic in a DMZ zone, and ISE cannot switch VLANs in an anchor and foreign wireless controller environment. On the other hand, if you configure a single SSID for the BYOD flow, Android devices present the user with an authentication dialog that is impossible for an end user to complete: the user has to choose the certificate, the type of authentication, etc. For a dual-SSID BYOD flow you can have an open SSID and secure access, which is not possible using the guest open SSID. So you have to have an open Guest SSID, an open BYOD-Onboarding SSID, and a secured BYOD/Employee access SSID.

It all depends on what you want to do and how you want to accomplish it.

Here you’re mixing many options and saying ISE is a problem where it’s not. Also, I'm not sure exactly what you’re trying to accomplish here, since you might be using the term BYOD for just providing internet access or doing

On an open SSID we can be flexible depending on how you want your flows.

ISE can change VLANs, but on an open SSID there is no supplicant to handle the IP change. You may want to set a low DHCP timer in the originating VLAN.

You can also provide different flow ACLs:

If guest, then permit internet.

If BYOD employee and Android, allow internet and redirect on internal to go through the BYOD flow.

I would recommend you also look at the BYOD how-to; this shows an example of how separation is done.

You can create a guest flow for this on the open SSID with integrated BYOD registration, including NSP, which can also publish certificates to the client and configure the supplicant for the user. But then you are facing the problem that the guest Wi-Fi profile still exists on the device and has to be manually deleted by the user. The current problems are the mixture of devices, and with Android it's getting worse due to the segmentation of the vendors. An NSP flow on a Samsung Android might work but not on an LG, and on the Samsung only if the device is not older than 2 years, because the OS isn't getting any updates.

The scenario you are describing could be achieved with 2 SSIDs:

1 open Guest/BYOD Provisioning SSID:

  • Guest user: internet access
  • Employee: choose between internet access only or BYOD registration and provisioning

1 corporate secured SSID:

  • BYOD device: limited corp access
  • MDM device: mobile corp access
  • Corporate-owned and managed device: full corp access

But as jakunst wrote, there are multiple options to achieve this task with ISE, based on the customer's requirements.
