configuring ise

kennedymacharia
Level 1

hi,

I have configured ISE and redirection is working fine, but I am having a challenge separating guest traffic from corporate traffic.

I have attached a summary of my scenario.

5 Replies

nspasov
Cisco Employee

Hi there, please see my comments below:

Here are my questions
• Can I restrict guests from accessing my corporate network via an access-list?

Yes, however, the WLCs do not support DACLs (Downloadable ACLs). As a result, you will have to configure the ACL locally on the WLC and then you can reference that ACL in the "Authorization Profile" in ISE.

• Do I need to change the native VLAN?

You will need to elaborate more on this question, as it is not clear in what context you are asking it. However, just to note, the native VLAN must match on both sides of a trunk.

• Or what can I do to make this scenario work in such a way that the internal WLAN is authenticated by the AD and the guest VLAN is authenticated by ISE, and restrict guests from accessing the internal network?

I am not sure why your redirection is not working. You can try leaving the guests on the same VLAN as the rest of your machines/users but then restrict access via ACL. In addition, you can override the VLAN after the authorization happens in ISE. You would do this again in the "Authorization Profile" that you return in ISE.

I hope this helps!


Thank you for rating helpful posts!

Hi Neno,

Thank you for your help. Redirection is working fine, but my challenge is to prevent guests from accessing the corporate network. I have attached screenshots. Is there any way I can modify that ACL to accomplish this, or do I have to change the VLAN of my Guest WLAN (I have tried, but I lose redirection)?

So, you would not want to modify the redirect-ACL. Leave that one alone and let it take care of redirection. What you need to do is:

1. Create a new ACL on the WLC and call it something like "Internet-Only" that has the following rules:

- Permit guests network to your DNS servers

- Permit DNS servers to your guest

- Permit guest network to ISE PSN nodes

- Permit ISE PSN nodes to your guest network

- Deny guest network to all private/RFC 1918 networks

- Deny guest network to any public (if any) subnets/IP address used on the "inside" of your network

- permit any to any

2. Create a new "Authorization Profile" in ISE and call it something like "Authenticated_Guests"

3. Reference the previously created WLC ACL in the above created "Authorization Profile" by clicking the "Airespace ACL Name" checkbox and then copying and pasting the ACL name directly from the WLC

4. Attach that "Authorization Profile" in your Authorization policy rule for the authenticated guests.

Let me know if that makes sense


Thank you for rating helpful posts! 

Hi,

This makes sense and it is working, but I have a problem with the redirected URL because it is HTTPS and it is asking for a certificate. I have tried to disable secure-web, but I still get redirection in HTTPS.

That sounds like a whole new issue to ask about outside of the original problem(s) on this thread. You should really start a new thread for this.

Anyways, I could be wrong here, but I don't think there is a way to disable the HTTPS-based redirection. The client can initiate an HTTP- or HTTPS-based connection, but ISE will always return an HTTPS-based redirection URL.


Thank you for rating helpful posts!
