Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1542
Views
0
Helpful
6
Replies

Hello, am looking for some suggestions with regards to wired 802.1x wired implementation using ise2.6.

Go to solution
skc455
Level 1
Level 1

‎09-02-2020 12:23 PM

My organization wants to configure a default policy to allow all ports to connect to guest internet as a last resort . I can do this by changing the default policy with an authorization profile but I feel that its not a secured option. I was looking for an option to limit only few ports to guest internet access and rest all ports to lock down if authentication fail. Is that possible? For example: a port in meeting room if a non corporate device is connected it should get default guest internet access and if a corporate device is connected it should get internal resource and internet access. All other ports in the building apart from the meeting room should block access if a non corporate device is connected. Is that a best practice? Any inputs on how you are doing at your work pISElace would be great?ISE

Currently we are using windows supplicant for dot1x and performing certificate authentication (user or machine).   

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to skc455

‎09-02-2020 04:31 PM

You can definitely accomplish what you are trying to do without profiling.  You have the ability to use ISE portals to support this with redirect for guest users.  I strongly suggest taking a deep peek at this to understand the workflow and to help identify specific conditions you can utilize: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

HTH!

View solution in original post

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎09-02-2020 05:01 PM

It sounds like you are wanting to isolate Wired Guest access down to the switch and physical switchport level. While you can technically use matching conditions for those values, it will exponentially increase the size and complexity of your Authorization Policies. This type of use case does not scale very well.

In addition, you would typically want to segment your Wired Guest network off from the rest of the Corp network by mapping the VLAN to a separate VRF and tunneling that out to your external network/DMZ. Doing this would likely require using dynamic VLAN assignment, so you would need to consider issues with endpoints detecting that VLAN change and requesting new IP addresses as discussed here.

With the proliferation of Wireless, the vast majority of customers I've worked with have decided that the benefits to having Wired Guest access pale in comparison to the complexity of designing, deploying, and securing it and have focused on only Wireless Guest access for  visitors.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-02-2020 12:27 PM

You can have a profile - if the device not recognized - the put in right profile, if the device not recognized set up a default VLAN which has limited access or send for an Authentication redirect page to use internet or any other resources.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
skc455
Level 1
Level 1
In response to balaji.bandi

‎09-02-2020 04:00 PM

Thanks for your response Balaji, I should have mentioned earlier we don't have profiling enabled, just base license.

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to skc455

‎09-02-2020 04:31 PM

You can definitely accomplish what you are trying to do without profiling.  You have the ability to use ISE portals to support this with redirect for guest users.  I strongly suggest taking a deep peek at this to understand the workflow and to help identify specific conditions you can utilize: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

HTH!

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎09-02-2020 05:01 PM

It sounds like you are wanting to isolate Wired Guest access down to the switch and physical switchport level. While you can technically use matching conditions for those values, it will exponentially increase the size and complexity of your Authorization Policies. This type of use case does not scale very well.

In addition, you would typically want to segment your Wired Guest network off from the rest of the Corp network by mapping the VLAN to a separate VRF and tunneling that out to your external network/DMZ. Doing this would likely require using dynamic VLAN assignment, so you would need to consider issues with endpoints detecting that VLAN change and requesting new IP addresses as discussed here.

With the proliferation of Wireless, the vast majority of customers I've worked with have decided that the benefits to having Wired Guest access pale in comparison to the complexity of designing, deploying, and securing it and have focused on only Wireless Guest access for  visitors.

0 Helpful

Go to solution
skc455
Level 1
Level 1
In response to Greg Gibbs

‎09-03-2020 09:28 AM

Hi Greg, I totally agree with you on limiting guest access to wireless only. This was how we configured in my previous organizations too. I will try my best to convince this organization to go this way.

 

0 Helpful

Go to solution
skc455
Level 1
Level 1
In response to Mike.Cifelli

‎09-03-2020 09:24 AM

Thank you for your response Mike. I will look into this document for further options

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents