01-06-2015 12:42 AM - edited 03-10-2019 10:19 PM
hi,
I have configured ISE and redirection is working fine but I am having a challenge separating guest traffic from corporate traffic.
I have attached a summary of my scenario.
01-06-2015 07:41 PM
Hi there, please see my comments below:
Here are my questions
• Can I restrict guests from accessing my corporate network via an access-list?
Yes, however, the WLCs do not support DACLs (Downloadable ACLs). As a result, you will have to configure the ACL locally on the WLC and then you can reference that ACL in the "Authorization Profile" in ISE
• Do I need to change the native vlan
You will need to elaborate more on this question as it is not clear in what context you are asking the question. However, just to note, the native VLAN must match on both sides of a trunk.
• Or what can I do to make this scenario work in such a way that the internal wlan is authenticated by the AD and the guest vlan is authenticated by ISE and restrict guests from accessing internal network
I am not sure why your redirection is not working. You can try leaving the guests on the same VLAN as the rest of your machines/users but then restrict access via ACL. In addition, you can override the VLAN after the authorization happens in ISE. You would do this again in the "Authorization Profile" that you return in ISE.
I hope this helps!
Thank you for rating helpful posts!
01-07-2015 07:36 AM
hi Neno,
Thank you for your help. Redirection is working fine but my challenge is to prevent guests from accessing the corporate network. I have attached screenshots. Is there any way I can modify that ACL to accomplish this or do I have to change the VLAN of my Guest WLAN (I have tried but I lose redirection)?
01-07-2015 07:16 PM
So, you would not want to modify the redirect-ACL. Leave that one alone and let it take care of redirection. What you need to do is:
1. Create a new ACL on the WLC and call it something like "Internet-Only" that has the following rules:
- Permit guests network to your DNS servers
- Permit DNS servers to your guest
- Permit guest network to ISE PSN nodes
- Permit ISE PSN nodes to your guest network
- Deny guest network to all private/RFC 1918 networks
- Deny guest network to any public (if any) subnets/IP address used on the "inside" of your network
- Permit any to any
2. Create a new "Authorization Profile" in ISE and call it something like "Authenticated_Guests"
3. Reference the previously created WLC ACL in the above created "Authorization Profile" by clicking the "Airespace ACL Name" checkbox and then copying and pasting the ACL name directly from the WLC
4. Attach that "Authorization Profile" in your Authorization policy rule for the authenticated guests.
Let me know if that makes sense
Thank you for rating helpful posts!
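As an added illustration of the "Internet-Only" ACL described in the post above (this is example code, not from the thread, Cisco, or the WLC itself), the following Python script models the rule list with the same first-match semantics the WLC applies and checks two things a practitioner would want to confirm before pasting the ACL into the controller: that guest hosts can still reach DNS and the ISE PSN while being denied the RFC 1918 space, and that no permit rule is shadowed by an earlier deny. All subnets and addresses are constructed assumptions for the example; substitute your own guest, DNS and PSN addressing.

```python
# Added example: first-match model of the "Internet-Only" WLC ACL from the post above.
# All addresses are constructed sample values, not the poster's network (assumptions).
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Rule = Tuple[str, Net, Net, str]  # (action, source, destination, description)

# Constructed addressing (assumptions for this example only)
GUEST_NET = ipaddress.ip_network("10.200.0.0/16")         # guest WLAN subnet
DNS_SERVER = ipaddress.ip_network("10.10.10.53/32")        # DNS server guests must reach
ISE_PSN = ipaddress.ip_network("10.10.20.10/32")           # ISE Policy Service Node (portal)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INSIDE_PUBLIC = [ipaddress.ip_network("203.0.113.0/24")]   # placeholder for public space used inside
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_internet_only_acl(denies_first: bool = False) -> List[Rule]:
    """Rules in the order the post gives them: permits, then denies, then permit any.
    denies_first=True builds the misordered variant to show why order matters."""
    permits: List[Rule] = [
        ("permit", GUEST_NET, DNS_SERVER, "guest -> DNS"),
        ("permit", DNS_SERVER, GUEST_NET, "DNS -> guest"),
        ("permit", GUEST_NET, ISE_PSN, "guest -> ISE PSN"),
        ("permit", ISE_PSN, GUEST_NET, "ISE PSN -> guest"),
    ]
    denies: List[Rule] = [("deny", GUEST_NET, n, f"guest -> {n} (private)") for n in RFC1918]
    denies += [("deny", GUEST_NET, n, f"guest -> {n} (inside public)") for n in INSIDE_PUBLIC]
    tail: List[Rule] = [("permit", ANY, ANY, "any -> any (Internet)")]
    return denies + permits + tail if denies_first else permits + denies + tail


def evaluate(acl: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """First matching rule wins, as on the WLC; a flow matching no rule is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, desc in acl:
        if s in src_net and d in dst_net:
            return action, desc
    return "deny", "implicit deny (no rule matched)"


def shadowed_permits(acl: List[Rule]) -> List[str]:
    """Permit rules that can never match because an earlier deny fully covers them."""
    shadowed = []
    for i, (action, src_net, dst_net, desc) in enumerate(acl):
        if action != "permit":
            continue
        for e_action, e_src, e_dst, _ in acl[:i]:
            if e_action == "deny" and src_net.subnet_of(e_src) and dst_net.subnet_of(e_dst):
                shadowed.append(desc)
                break
    return shadowed


if __name__ == "__main__":
    acl = build_internet_only_acl()
    for src, dst in [("10.200.5.5", "10.10.10.53"),   # guest -> DNS: permit
                     ("10.200.5.5", "192.168.1.20"),  # guest -> corporate host: deny
                     ("10.200.5.5", "198.51.100.7")]: # guest -> Internet: permit
        print(f"{src} -> {dst}: {evaluate(acl, src, dst)}")
    bad = build_internet_only_acl(denies_first=True)
    print("shadowed permits in misordered ACL:", shadowed_permits(bad))
```

The model deliberately keeps only source and destination networks; a real WLC ACL line also carries protocol, ports and direction, and WLC ACLs are stateless, which is why the post lists both directions for DNS and the PSN. The misordered variant shows the failure mode to watch for: with the RFC 1918 denies placed first, the guest-to-DNS and guest-to-PSN permits are shadowed and name resolution and the redirect portal both break.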
01-08-2015 06:04 AM
hi
This makes sense and it is working, but I have a problem with the redirected URL because it is HTTPS and it is asking for a certificate. I have tried to disable secure-web but I still get redirection in HTTPS.
01-09-2015 12:21 AM
That sounds like a whole new question/issue to ask outside of the original problem(s) on this thread. You should really start a new thread for this.
Anyway, I could be wrong here but I don't think there is a way to disable the HTTPS based redirection. The client can initiate an HTTP or HTTPS based connection but ISE will always return an HTTPS based redirection URL.
Thank you for rating helpful posts!