
391 Views, 0 Helpful, 2 Replies
Tutu
Beginner

Guest portal Cisco ISE

Hello,

I want to know if I am missing something in my configuration.

So when I connect a laptop to the network it brings up the guest portal, but I can also access the internet, which is not what I want to happen. The user is not supposed to access the internet unless they are logged in through the guest portal.

I believe it is something to do with my dACL. Please help.

 

This is the port config on the switch:

ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 25.00
storm-control multicast level 25.00
storm-control unicast level 25.00
spanning-tree portfast edge
Access list:

...............

ip access-list extended ACL-ALLOW
permit ip any any

2 Accepted Solutions
Marcelo Morais
Advocate

Hi @Tutu 

Your dACL is permitting anything; try:

permit ip any 10.0.0.0 0.255.255.255 (where 10.0.0.0/24 is your internal network)
deny ip any any

Hope this helps!


Mike.Cifelli
VIP Advocate

Please take a look at the following: ISE Guest Access Prescriptive Deployment Guide - Cisco Community

As mentioned, you need to tweak your dACL. If you have services outside of one subnet you will need to add lines to allow things such as DNS for ISE FQDN resolution, potentially DHCP, and of course 443/8443/80, which will tell your switch what to redirect. This link has a really good breakdown of configuration/how things work: You have to deny to allow…..what? – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

HTH!

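Both replies above turn on the same point: the dACL that ISE pushes and the redirect ACL configured on the switch are two separate ACLs, and "permit" means the opposite thing in each. With a dACL of permit ip any any, everything the redirect ACL does not intercept is simply forwarded, which is the symptom in the question. The script below is an added example written for this page, not code from the thread, from Cisco or from the linked guides. It parses constructed ACLs written in IOS syntax and evaluates sample guest flows against them. The ISE address 10.10.10.5, the guest address 10.20.30.50, the ACL name ACL-WEBAUTH-REDIRECT, the sample flows and the rule that a redirect-ACL permit is checked before the dACL are all assumptions of the model. One caveat on the first reply: 0.255.255.255 is the wildcard for a /8, and a /24 needs 0.0.0.255, which wildcard_mask() below makes visible.

```python
# Model of the two ACLs that ISE central web authentication (CWA) relies on.
# Both are ordinary first-match IOS ACLs, but "permit" means different things:
#   dACL (downloaded from ISE):   permit = forward, deny = drop, implicit deny.
#   redirect ACL (on the switch): permit = intercept and send to the portal,
#                                 deny = leave the flow alone.
# Addresses, ACL names and the evaluation order are assumptions for this example.
import ipaddress
from collections import namedtuple
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
ISE_PSN = "10.10.10.5"    # assumed ISE policy service node
GUEST = "10.20.30.50"     # assumed guest client, before portal login
Flow = namedtuple("Flow", "proto src sport dst dport")
Ace = namedtuple("Ace", "action proto src sport dst dport")

def wildcard_mask(cidr):
    """IOS wildcard mask for a prefix: /24 -> 0.0.0.255, /8 -> 0.255.255.255."""
    return str(ipaddress.IPv4Network(cidr).hostmask)

def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask after the slash, which is exactly the IOS wildcard
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def _parse_port(tokens, i):
    """Consume an optional 'eq <port|name>' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acl(text):
    """Parse IOS extended-ACL entries; the access-list header and remarks are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)
        aces.append(Ace(t[0], t[1], src, sport, dst, dport))
    return aces

def first_match(aces, flow):
    """First matching entry wins; falling off the end is the implicit deny."""
    for a in aces:
        if (a.proto in ("ip", flow.proto)
                and ipaddress.IPv4Address(flow.src) in a.src
                and ipaddress.IPv4Address(flow.dst) in a.dst
                and a.sport in (None, flow.sport)
                and a.dport in (None, flow.dport)):
            return a.action
    return "deny"

def disposition(redirect_acl, dacl, flow):
    """Simplified order: a redirect-ACL permit on a TCP flow is intercepted
    before forwarding is decided; everything else is governed by the dACL."""
    if flow.proto == "tcp" and first_match(redirect_acl, flow) == "permit":
        return "redirect"
    return "forward" if first_match(dacl, flow) == "permit" else "drop"

# Constructed ACLs in IOS syntax: the dACL from the thread, a typical CWA
# dACL that only opens what the portal needs, and the switch-side redirect ACL.
ORIGINAL_DACL = parse_acl("permit ip any any")
CWA_DACL = parse_acl(f"""
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host {ISE_PSN}
 permit tcp any any eq 80
 permit tcp any any eq 443
 deny ip any any
""")
REDIRECT_ACL = parse_acl(f"""
ip access-list extended ACL-WEBAUTH-REDIRECT
 remark deny = do not redirect, permit = redirect to the portal
 deny udp any any eq domain
 deny ip any host {ISE_PSN}
 permit tcp any any eq 80
 permit tcp any any eq 443
""")
FLOWS = {  # constructed sample traffic from the guest before it logs in
    "dhcp": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns": Flow("udp", GUEST, 51000, "10.20.30.1", 53),
    "portal": Flow("tcp", GUEST, 51001, ISE_PSN, 8443),
    "web": Flow("tcp", GUEST, 51002, "203.0.113.80", 80),
    "https": Flow("tcp", GUEST, 51003, "203.0.113.80", 443),
    "ssh": Flow("tcp", GUEST, 51004, "203.0.113.22", 22),
}
def evaluate(dacl):
    """Disposition of each sample flow under the given dACL plus the redirect ACL."""
    return {name: disposition(REDIRECT_ACL, dacl, f) for name, f in FLOWS.items()}

if __name__ == "__main__":
    print("permit ip any any:", evaluate(ORIGINAL_DACL))
    print("CWA dACL:         ", evaluate(CWA_DACL))
```

Running it shows the difference the replies describe: web and https are redirected under either dACL, and DHCP, DNS and the portal itself are forwarded under both, but the ssh flow to the internet is forwarded under permit ip any any and dropped under the CWA dACL. On a real switch, check what was actually applied to the session with show authentication sessions interface <interface> details, and the merged entries with show ip access-lists, before editing the authorization profile in ISE.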
