01-10-2019 05:57 PM - edited 03-11-2019 01:53 AM
Hey,
we have Cisco ISE 2.2, we have some critical devices in the network and we have profiled them. Everything is working fine. As is the default behaviour for authentication on ISE, if the end device cannot pass authentication then it goes to the Guest VLAN, and in the Guest VLAN the endpoint can go on the internet. But this is common for all unauthenticated end devices.
But I want to configure it in a slightly different way for the critical devices. If the critical devices fail to authenticate then they go to the Guest VLAN, that's okay, but the critical devices should not go on the internet. How can I block only a few unauthenticated devices from getting internet access from the Guest VLAN?
Thanks in Advance!
01-10-2019 06:01 PM
01-10-2019 06:04 PM
I have already profiled them and it is working fine. But I do not know how I can block them from getting internet access from the guest VLAN once authentication fails for those endpoints.
01-10-2019 06:10 PM
I think this becomes a L3 issue and no longer authentication. If you had TrustSec then it might be trivial because you could assign an SGT to this class of user and enforce a separate ACL on the Firewall.
Perhaps the pragmatic approach is to put this class of user on a separate VLAN? At least then you have an IP source address range which you can use in your firewall/ACL rule set to block internet. It would be the only identifier of this class of user that you have.
A third technique could be to force users through a proxy and catch them there via another round of authentication. But that is another world of pain that I assume you want to avoid.
 
					
				
		
01-11-2019 09:09 AM
@Arne Bier why wouldn't a different ACL on the MAC endpoint group work? Agree SGT is the way to go, but if it's only a small number of users it might not be worth the effort. VLAN change is crappy but there are already port macros.
01-11-2019 12:51 PM
Ah yes, of course. You're right @Jason Kunst, a dynamic NAS ACL would take care of it. The client would have a default gateway, but the NAS ACL (e.g. WLC ACL) acts as an L2 firewall and you could allow only RFC1918 subnets. That would effectively block internet.
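The dACL Arne Bier describes, written out as Cisco IOS extended-ACL content of the kind ISE pushes in a downloadable ACL, as an added example that is not from any of the posters: only RFC1918 destinations are permitted and everything else (the public internet) is dropped. The ACL name and the DHCP line are my assumptions; the source is `any` because the switch substitutes the authenticated client's address.

```cisco
remark CRITICAL-DEVICES-NO-INTERNET (example dACL, name is an assumption)
remark DHCP first: broadcast/relay traffic does not fall inside the RFC1918 lines below
permit udp any eq bootpc any eq bootps
remark Permit everything to RFC1918 private address space (internal services only)
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
remark Anything not matched above is a public destination and is dropped
deny ip any any
```

A dACL only reaches the switch inside a RADIUS Access-Accept, so the critical devices need an ISE authorization rule that matches their profiled endpoint identity group and returns this ACL, rather than being left to the port's locally configured auth-fail VLAN after an Access-Reject.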