Cisco ISE - Can Wireless Guest Access be encrypted??

Flavio Costa
Cisco Employee

Hi experts!

Here's the scenario: In Cisco ISE, normally when we configure guest access the client connects to an open SSID, right? ... and when they open a browser they are redirected to a captive portal asking for credentials. After that, they can navigate, but there is no encryption that I'm aware of. Can we provide a similar experience but encrypt the traffic? How would the flow be in this case? I was thinking about a mix between corporate access and guest access.

And since encryption is an L2 thing, from my point of view it wouldn't be possible to have an open SSID to authenticate users using a captive portal and encrypt traffic after that. So, in a nutshell, my customer wants to know if we can provide with ISE a solution similar to wireless guest access with a captive portal but including encryption of the traffic.

Thanks in advance,

.:|:.:|:.  Flavio Costa

CISCO Virtual Systems Engineer - Security

Sao Paulo, Brazil

flavicor@cisco.com


2 Replies

howon
Cisco Employee

This sounds like the Dual-SSID BYOD flow. You can initially connect to the open SSID; however, once on-boarded (with a cert or user/pass), the device can be moved to the secure SSID.

Jason Kunst
Cisco Employee (Accepted Solution)

You cannot encrypt on an open network.

You would have to set up a WPA-PSK or WPA2 network and then redirect to the guest portal that way.

Recently, WLC code added WPA-PSK support for CoA in 8.3 code; this way they can put in the PSK and be redirected to ISE CWA.

List of options:

- WPA-PSK with CWA* (WLC 8.3+)
- WPA-PSK with LWA* (WLC <8.3)
  - shared key + portal login
  - CWA not supported
  - point to single PSN (HA requires load balancer)
- WPA2 with CWA*
  - shared user/pass + portal login (regular guest accounts)
- WPA2 without portal*
  - sponsored credentials (guest type requires "Allow guest to bypass the Guest portal")
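As an added example (not part of Jason's reply or of any Cisco document), here is how the first option above, "WPA-PSK with CWA (WLC 8.3+)", maps onto the AireOS WLC CLI: the WLAN is WPA2-PSK on the air, MAC filtering sends a MAB request to ISE, and the NAC/RADIUS and AAA-override settings let ISE return the CWA redirect and later push the CoA. Everything here is assumed: WLAN ID 2, SSID Guest-PSK, ISE already defined as RADIUS authentication and accounting server index 1, and a placeholder PSK. The redirect ACL that the ISE authorization profile names must also exist on the WLC and is not shown. Lines beginning with "!" are annotations, not WLC commands.

```text
! Create the WLAN (profile name and SSID both Guest-PSK; assumed values)
config wlan create 2 Guest-PSK Guest-PSK

! Layer 2: WPA2 with AES, PSK key management only (no 802.1X)
config wlan security wpa enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm 802.1x disable 2
config wlan security wpa akm psk enable 2
config wlan security wpa akm psk set-key ascii REPLACE-WITH-GUEST-PSK 2

! MAC filtering turns the association into a MAB request towards ISE,
! which is what the CWA authorization policy matches on
config wlan mac-filtering enable 2
config wlan radius_server auth add 2 1
config wlan radius_server acct add 2 1

! Let ISE return the redirect URL / ACL and send CoA after portal login
config wlan nac radius enable 2
config wlan aaa-override enable 2

config wlan enable 2
```

On the ISE side the authorization policy for this SSID returns a CWA redirect (portal plus redirect ACL) for an unknown MAC, the guest logs in on the portal, and ISE issues a CoA so the session is re-authorized with full access. Compared with an open SSID, the PSK protects the air link from anyone who does not hold the key; it does not separate guests from each other, since they all share the same key.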