Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5296
Views
1
Helpful
3
Replies

ISE - Restricting Employee assets from accessing Guest SSID

Go to solution
nadeekha
Level 1
Level 1

‎07-17-2016 07:31 PM

Hi Experts,

My customer wants to know the following:

They currently have a Guest Wifi with an SSID in their environment for their guest users and access is separately anchored off at the DMZ.Guest access is purely WLC based and no NAC solution is in place for it.

Now we are in the process of setting up ISE Wireless /Wired 802.1x solution for the employee assets. The question is that with ISE deployed will we be able to restrict the employees from hoping on to the Guest network  SSID from their laptops?

They dont want employees to be able to get on the Guest Wifi period.

Thy have no plans to have Guest Access a part of the ISE design.

1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎07-18-2016 09:28 AM

ISE has no visbility into the wireless guest network as its not managing it. That limits the options available. Might be best to reach out to wireless/prime team to validate some of these options.


Also see a similar thread Block Employee MAC's on guest SSID?


if you have a simple guest splash page from the controller then maybe the controller can query prime for mac addresses seen on internal network?


if they are requiring them to do LWA to the WLC guest portal then don't allow employees to create accounts

Anyconnect Network Access Module (windows only), restrict their window machines from connecting to unsanctioned WLANs?

Enterprise Connection Enforcement How-to guide Admin Guide


If integrating with ISE

Only allow sponsors to create accounts for visitors

restrict access to 1 device per credential

Register Corp machines into special endpoint group

If MAB and Corp ID Group then deny access or redirect to restricted message portal

Profiling to differentiate access (requires plus license)

Use profiling to differentiate corp devices. You can use Windows GPO to write identifiable string in to the browser user agent or DHCP client ID field that ISE can use to differentiate the corp devices. (Need Plus License) once you have the endpoint group created and populated, you simply need to redirect to a different portal to notify the user is not allowed on the guest network.

WPA2 Guest network (no open network, no portal)

Corporate Devices using cert auth

Guests use sponsored credentials with allow guest type to bypass portal

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎07-18-2016 09:28 AM

ISE has no visbility into the wireless guest network as its not managing it. That limits the options available. Might be best to reach out to wireless/prime team to validate some of these options.


Also see a similar thread Block Employee MAC's on guest SSID?


if you have a simple guest splash page from the controller then maybe the controller can query prime for mac addresses seen on internal network?


if they are requiring them to do LWA to the WLC guest portal then don't allow employees to create accounts

Anyconnect Network Access Module (windows only), restrict their window machines from connecting to unsanctioned WLANs?

Enterprise Connection Enforcement How-to guide Admin Guide


If integrating with ISE

Only allow sponsors to create accounts for visitors

restrict access to 1 device per credential

Register Corp machines into special endpoint group

If MAB and Corp ID Group then deny access or redirect to restricted message portal

Profiling to differentiate access (requires plus license)

Use profiling to differentiate corp devices. You can use Windows GPO to write identifiable string in to the browser user agent or DHCP client ID field that ISE can use to differentiate the corp devices. (Need Plus License) once you have the endpoint group created and populated, you simply need to redirect to a different portal to notify the user is not allowed on the guest network.

WPA2 Guest network (no open network, no portal)

Corporate Devices using cert auth

Guests use sponsored credentials with allow guest type to bypass portal

0 Helpful

Go to solution
vibobrov
Cisco Employee
Cisco Employee

‎07-20-2016 06:55 PM

There were a couple of other options discussed here: Re: Limiting corporate users from guest wireless SSID's - specific use case

0 Helpful

Go to solution
Oliver Laue
Level 4
Level 4
In response to vibobrov

‎07-21-2016 02:54 AM

For Active Directory managed Clients you can enroll a GPO to deny Wireless Access to specific SSIDs.

How to use Group Policy to black/white list wireless networks in Vista & Windows 7

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents