03-25-2020 12:04 PM
We are rolling out the wired 802.1x configuration to our switches, and we currently have authentication configured as open to prevent any issues while we tune our ISE implementation. We consider our Guest network to be out of scope of our ISE implementation, but some of the endpoints on the Guest network are showing as rejected in ISE. Is there a way to create an endpoint profile based on the VLAN or to match an IP address and simply apply a DACL?
03-26-2020 03:58 PM
As you mention it is out of scope, best to leave it.
Wired switches do not send VLAN info by default and IP addresses are not always sent or current in the RADIUS authentication requests. Later, you may consider VLAN RADIUS Attributes in Access Requests.
03-25-2020 01:13 PM
Hi,
Are we speaking about wired Guest users? Are these users in a single VLAN or multiple VLANs, are these users spread across switches or in a single switch? How do you authenticate guest users?
Are we speaking about wireless Guest users? Are these users attached to a single SSID or multiple SSIDs? How do you authenticate guest users?
Regards,
Cristian Matei.
03-25-2020 01:18 PM
This is just wired Guest endpoints, and we don't do any authentication; we simply have a VLAN configured with an ACL that only allows access to the Internet. The guests are all on the same endpoint across several switches.
03-25-2020 01:38 PM
Hi,
If you don't have authentication enabled on those guest ports, how come you see rejection in ISE for these ports? Are you trying to authorise these ports via ISE and push an ACL along the way? If so, these endpoints need to be MAB or EAP authenticated to begin with.
Regards,
Cristian Matei.