02-23-2021 01:36 AM
Hello,
I want to know if I am missing something in my configuration.
So when I connect a laptop to the network it brings up the guest portal, but I can also access the internet, which is not what I want to happen. The user is not supposed to access the internet unless they are logged in through the guest portal.
I believe it is something to do with my dACL. Please help.
This is the port config on the switch:
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 25.00
storm-control multicast level 25.00
storm-control unicast level 25.00
spanning-tree portfast edge
The access list:
ip access-list extended ACL-ALLOW
permit ip any any
02-23-2021 02:56 AM
Hi @Tutu
Your dACL is permitting anything; try:
permit ip any 10.0.0.0 0.255.255.255 (where 10.0.0.0/24 is your internal network)
deny ip any any
Hope this helps !!!
02-23-2021 06:08 AM - edited 02-23-2021 06:08 AM
Please take a look at the following: ISE Guest Access Prescriptive Deployment Guide - Cisco Community
As mentioned, you need to tweak your dACL. If you have services outside of one subnet you will need to add lines to allow things such as DNS for ISE FQDN resolution, potentially DHCP, and of course 443/8443/80, which will tell your switch what to redirect. This link has a really good breakdown of the configuration and how things work: You have to deny to allow…..what? – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)
HTH!
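To make the two answers above concrete, here is an added example of what the pre-authentication ACL, the redirect ACL and the post-login dACL typically look like for an ISE central web authentication (CWA) guest flow. It is not configuration from the thread, from Cisco or from ISE itself. It assumes the internal network is 10.0.0.0/8 as in the first answer, that DNS and DHCP live inside that network, and that the ISE policy service node is at the placeholder address 10.0.0.50 with the guest portal on its default port 8443; substitute your own values. The "deny ip any any" at the end of the pre-auth ACL is what actually stops the laptop reaching the internet before the portal login, which the original "permit ip any any" never did.

```cisco
! --- BEFORE (as posted): the ACL on the port lets everything through,
! --- so an unauthenticated guest reaches the internet before the portal.
ip access-list extended ACL-ALLOW
 permit ip any any

! --- AFTER: pre-authentication ACL. Apply it with "ip access-group ... in"
! --- on the port, or push the same lines from ISE as the dACL of the
! --- "unknown / redirect to portal" authorization profile (a dACL replaces
! --- the port ACL for that session). Only what the guest needs in order
! --- to reach the portal is permitted; the final deny blocks the rest.
ip access-list extended ACL-PREAUTH
 remark DHCP so the guest can obtain an address
 permit udp any eq bootpc any eq bootps
 remark DNS so the guest can resolve the ISE portal FQDN
 permit udp any any eq domain
 remark ISE node (10.0.0.50 is a placeholder): portal on 8443 plus the rest
 permit tcp any host 10.0.0.50 eq 8443
 permit ip any host 10.0.0.50
 remark everything else, including the internet, is dropped until CWA succeeds
 deny ip any any

! --- Redirect ACL, referenced by the ISE authorization profile via
! --- cisco-av-pair "url-redirect-acl=ACL-REDIRECT". Its semantics are the
! --- reverse of a filtering ACL: "permit" = intercept and redirect the
! --- flow to the portal, "deny" = leave the flow alone.
ip access-list extended ACL-REDIRECT
 deny udp any any eq bootps
 deny udp any any eq domain
 deny ip any host 10.0.0.50
 permit tcp any any eq www
 permit tcp any any eq 443

! --- dACL that ISE pushes (via CoA) after a successful portal login:
! --- the guest gets the internet but not the internal network.
ip access-list extended ACL-GUEST-INTERNET
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
```

Two things to check when testing this: "show authentication sessions interface <port> details" (or "show access-session ... details" on newer IOS-XE) should list ACL-PREAUTH or the downloaded dACL and the URL redirect ACL while the laptop is unauthenticated, and the dACL name should change to the guest-internet one only after the portal login and CoA. If the first answer's shorter dACL (permit to 10.0.0.0/8, deny everything else) is used instead, it must still leave a path to the ISE node and to DNS, or the portal page will never load.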