Guest Network Endpoints

We are rolling out the wired 802.1x configuration to our switches, and we currently have authentication configured as open to prevent any issues while we tune our ISE implementation. We consider our Guest network to be out of scope of our ISE implementation, but some of the endpoints on the Guest network are showing as rejected in ISE. Is there a way to create an endpoint profile based on the VLAN, or to match an IP address and simply apply a DACL?

Accepted Solutions

hslai
Cisco Employee

As you mention it is out of scope, it is best to leave it.

Wired switches do not send VLAN info by default and IP addresses are not always sent or current in the RADIUS authentication requests. Later, you may consider VLAN RADIUS Attributes in Access Requests.  


4 Replies

Cristian Matei
VIP Alumni

Hi,

Are we speaking about wired Guest users? Are these users in a single VLAN or multiple VLANs? Are these users spread across switches or in a single switch? How do you authenticate guest users?

Are we speaking about wireless Guest users? Are these users attached to a single SSID or multiple SSIDs? How do you authenticate guest users?

Regards,

Cristian Matei.

This is just wired Guest endpoints and we don't do any authentication; we simply have a VLAN configured with an ACL that only allows access to the Internet. The guests are all on the same endpoint across several switches.

Hi,

If you don't have authentication enabled on those guest ports, how come you see rejection in ISE for these ports? Are you trying to authorise these ports via ISE and push an ACL along the way? If so, these endpoints need to be MAB or EAP authenticated to begin with.

Regards,

Cristian Matei.
