09-02-2020 12:23 PM
My organization wants to configure a default policy to allow all ports to connect to guest internet as a last resort. I can do this by changing the default policy with an authorization profile, but I feel that it's not a secure option. I was looking for an option to allow guest internet access on only a few ports and lock down all other ports if authentication fails. Is that possible? For example: on a port in a meeting room, if a non-corporate device is connected it should get default guest internet access, and if a corporate device is connected it should get internal resource and internet access. All other ports in the building apart from the meeting room should block access if a non-corporate device is connected. Is that a best practice? Any input on how you are doing this at your workplace would be great.
Currently we are using the Windows supplicant for dot1x and performing certificate authentication (user or machine).
09-02-2020 04:31 PM
You can definitely accomplish what you are trying to do without profiling. You have the ability to use ISE portals to support this with redirect for guest users. I strongly suggest taking a close look at this to understand the workflow and to help identify specific conditions you can utilize: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475
HTH!
09-02-2020 05:01 PM
It sounds like you are wanting to isolate Wired Guest access down to the switch and physical switchport level. While you can technically use matching conditions for those values, it will exponentially increase the size and complexity of your Authorization Policies. This type of use case does not scale very well.
In addition, you would typically want to segment your Wired Guest network off from the rest of the Corp network by mapping the VLAN to a separate VRF and tunneling that out to your external network/DMZ. Doing this would likely require using dynamic VLAN assignment, so you would need to consider issues with endpoints detecting that VLAN change and requesting new IP addresses as discussed here.
With the proliferation of Wireless, the vast majority of customers I've worked with have decided that the benefits to having Wired Guest access pale in comparison to the complexity of designing, deploying, and securing it and have focused on only Wireless Guest access for visitors.
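As an added illustration of the trade-off Greg describes (this is not code from the thread, from Cisco or from ISE itself), the following Python models an ISE-style first-match authorization policy for the meeting-room case: a corporate device that passes EAP-TLS gets the corporate profile on any port, an unknown MAB endpoint gets a guest web-auth redirect profile only on the listed meeting-room ports, and everything else falls through to deny. The switch address 10.1.1.10/10.1.1.20, the port names, the profile names and the simplified attribute keys (Protocol, AuthResult) are assumptions for illustration; the NAS-IP-Address and NAS-Port-Id keys mirror the RADIUS attributes a switch actually sends, and the format of NAS-Port-Id depends on the switch platform.

```python
# Added example (not from the thread): a toy first-match authorization
# policy modelling the per-port wired-guest design discussed above.
# Switch addresses, port names, VLAN/profile names and the simplified
# attribute keys "Protocol" and "AuthResult" are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Attrs], bool]
    profile: str  # authorization profile returned to the switch


# Assumed: the two meeting-room ports, keyed exactly as the switch reports
# them in NAS-IP-Address / NAS-Port-Id. The real NAS-Port-Id string format
# varies by switch platform, so check a live RADIUS log before copying it.
MEETING_ROOM_PORTS = {
    ("10.1.1.10", "GigabitEthernet1/0/5"),
    ("10.1.1.10", "GigabitEthernet1/0/6"),
}


def corporate_device(a: Attrs) -> bool:
    """802.1X succeeded with a certificate (EAP-TLS): a corporate device."""
    return (a.get("Protocol") == "dot1x"
            and a.get("EapAuthentication") == "EAP-TLS"
            and a.get("AuthResult") == "success")


def unknown_mab(a: Attrs) -> bool:
    """No supplicant answered, the switch fell back to MAB and the MAC is
    unknown: the path a visitor's laptop takes before a CWA redirect."""
    return a.get("Protocol") == "mab" and a.get("AuthResult") == "unknown-mac"


def per_port_policy() -> List[Rule]:
    """The design the original poster asked about: one guest rule per port.
    Rule count is 2 + number of guest ports, which is what makes it grow."""
    rules = [Rule("Corp-Cert", corporate_device, "PermitAccess-Corp")]
    for ip, port in sorted(MEETING_ROOM_PORTS):
        rules.append(Rule(
            f"Guest-{ip}-{port}",
            # default arguments bind the loop variables into each closure
            lambda a, ip=ip, port=port: unknown_mab(a)
            and a.get("NAS-IP-Address") == ip
            and a.get("NAS-Port-Id") == port,
            "Guest-CWA-Redirect",
        ))
    # Explicit catch-all: anything not matched above is denied, which is
    # the locked-down behaviour wanted for every non-meeting-room port.
    rules.append(Rule("Default-Deny", lambda a: True, "DenyAccess"))
    return rules


def authorize(policy: List[Rule], a: Attrs) -> Tuple[str, str]:
    """First-match evaluation, as ISE does; returns (rule name, profile)."""
    for rule in policy:
        if rule.match(a):
            return rule.name, rule.profile
    raise RuntimeError("policy has no catch-all rule")


# Constructed sample requests (not captured traffic).
CORP_ON_OFFICE_PORT: Attrs = {
    "Protocol": "dot1x", "EapAuthentication": "EAP-TLS", "AuthResult": "success",
    "NAS-IP-Address": "10.1.1.20", "NAS-Port-Id": "GigabitEthernet1/0/1",
}
VISITOR_IN_MEETING_ROOM: Attrs = {
    "Protocol": "mab", "AuthResult": "unknown-mac",
    "NAS-IP-Address": "10.1.1.10", "NAS-Port-Id": "GigabitEthernet1/0/5",
}
VISITOR_AT_DESK: Attrs = {
    "Protocol": "mab", "AuthResult": "unknown-mac",
    "NAS-IP-Address": "10.1.1.20", "NAS-Port-Id": "GigabitEthernet1/0/1",
}

if __name__ == "__main__":
    policy = per_port_policy()
    for label, req in [("corp at desk", CORP_ON_OFFICE_PORT),
                       ("visitor in meeting room", VISITOR_IN_MEETING_ROOM),
                       ("visitor at desk", VISITOR_AT_DESK)]:
        print(f"{label}: {authorize(policy, req)}")
    print(f"{len(policy)} rules for {len(MEETING_ROOM_PORTS)} guest ports")
```

Because ISE has no per-port grouping object (network device groups work at the switch level), every additional meeting-room port means another rule, and a port re-patch means a policy edit; that is the scaling problem the reply points at, and also why pushing wired guest to its own switch or dropping it in favour of wireless guest is the usual recommendation.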
09-02-2020 12:27 PM
You can have a profile: if the device is recognized, put it in the right profile; if the device is not recognized, set up a default VLAN which has limited access, or send it to an authentication redirect page to use the internet or any other resources.
09-02-2020 04:00 PM
Thanks for your response Balaji. I should have mentioned earlier that we don't have profiling enabled, just the Base license.
09-03-2020 09:28 AM
Hi Greg, I totally agree with you on limiting guest access to wireless only. This was how we configured it in my previous organizations too. I will try my best to convince this organization to go this way.
09-03-2020 09:24 AM
Thank you for your response Mike. I will look into this document for further options.