Guest Self-registration to 802.1x/PEAP protected WLAN

lyle.cameron
Level 1

I'm trying to figure out if a particular guest workflow is possible and how to achieve it.

What we want is for guests to be able to self-register and have their accounts approved by a sponsor. The guest accounts should be ISE Internal users. The Guest WLAN should be an 802.1x/PEAP WLAN where guest users use their previously created Internal Credentials to authenticate and have their L2 session encrypted. The Internal Guest user accounts should have a limited lifetime, etc., in the same manner as a Web Guest Portal user.

I'm thinking the only way to do this is with 2 WLANs: an open 'registration' WLAN that guests associate to in order to get to the self-registration portal, as well as the actual Guest Service WLAN. Once registered, they'd have to disconnect and re-associate to the Guest Service WLAN with their PEAP credentials for Internet access.

Can someone give me some direction on if this is possible and how to achieve it?

Accepted Solutions

Jason Kunst
Cisco Employee
Yes, that sounds good.

Some other options:
http://cs.co/ise-guest check for the kiosk option. Set up a machine for portal access
Create your own portal accessible to the internet for pre-registration – accessible outside via a DMZ PSN

Under your guest type, you will need to allow the user to bypass the portal to allow them to use the guest accounts outside of a guest portal flow:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01110.html

Keep in mind that user creds will be cached, and if they expire, the user's supplicant will keep trying to connect to the network until it is forgotten; this will cause erroneous login failures.
