10-21-2016 08:25 AM
Hi experts!
Here's the scenario: In Cisco ISE, normally when we configure guest access the client connects to an open SSID, right? ... and when they open a browser they are redirected to a captive portal asking for credentials. After that, they can navigate, but no encryption that I’m aware of. Can we provide a similar experience but encrypting the traffic? How would the flow be in this case? I was thinking about a mix between corporate access and guest access.
And since encryption is an L2 thing, from my point of view it wouldn't be possible to have an open SSID to authenticate users using a captive portal and encrypt traffic after that. So, in a nutshell, my customer wants to know if we can provide with ISE a solution similar to wireless guest access with a captive portal but including encryption of the traffic.
Thanks in advance,
.:|:.:|:. Flavio Costa
CISCO Virtual Systems Engineer - Security
Sao Paulo, Brazil
10-21-2016 08:34 AM
You cannot encrypt on an open network.
You would have to set up a WPA-PSK or WPA2 network and then redirect to the guest portal that way.
Recently WLC code has added WPA-PSK support for CoA in 8.3 code; this way they can put in the PSK and redirect to ISE CWA that way.
List of options:
• WPA-PSK with CWA* (WLC 8.3+)
• WPA-PSK with LWA* (WLC <8.3)
    • shared key + portal login
    • CWA not supported
    • Point to single PSN (HA requires LoadBalancer)
• WPA2 with CWA*
    • shared user/pass + portal login (regular guest accounts)
• WPA2 without portal*
    • sponsored credentials (guest type requires - Allow guest to bypass the Guest portal)
10-21-2016 08:31 AM
This sounds like the Dual-SSID BYOD flow. You can initially connect to the open SSID; however, once on-boarded (with cert or user/pass), the device can be moved to the secure SSID.