skc455
Beginner

Hello, I am looking for some suggestions with regard to a wired 802.1x implementation using ISE 2.6.

My organization wants to configure a default policy to allow all ports to connect to guest internet as a last resort. I can do this by changing the default policy with an authorization profile, but I feel that it's not a secured option. I was looking for an option to limit only a few ports to guest internet access and lock down all the other ports if authentication fails. Is that possible? For example: on a port in a meeting room, if a non-corporate device is connected it should get default guest internet access, and if a corporate device is connected it should get internal resource and internet access. All other ports in the building apart from the meeting room should block access if a non-corporate device is connected. Is that a best practice? Any inputs on how you are doing it at your workplace would be great.

Currently we are using the Windows supplicant for dot1x and performing certificate authentication (user or machine).


6 REPLIES
balaji.bandi
VIP Guru

You can have a profile: if the device is recognized, put it in the right profile; if the device is not recognized, set up a default VLAN which has limited access, or send it to an authentication redirect page to use the internet or any other resources.

BB

Thanks for your response Balaji. I should have mentioned earlier that we don't have profiling enabled, just the base license.

You can definitely accomplish what you are trying to do without profiling. You have the ability to use ISE portals to support this with redirect for guest users. I strongly suggest taking a deep peek at this to understand the workflow and to help identify specific conditions you can utilize: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

HTH!

It sounds like you are wanting to isolate Wired Guest access down to the switch and physical switchport level. While you can technically use matching conditions for those values, it will exponentially increase the size and complexity of your Authorization Policies. This type of use case does not scale very well.

In addition, you would typically want to segment your Wired Guest network off from the rest of the Corp network by mapping the VLAN to a separate VRF and tunneling that out to your external network/DMZ. Doing this would likely require using dynamic VLAN assignment, so you would need to consider issues with endpoints detecting that VLAN change and requesting new IP addresses as discussed here.

With the proliferation of Wireless, the vast majority of customers I've worked with have decided that the benefits to having Wired Guest access pale in comparison to the complexity of designing, deploying, and securing it and have focused on only Wireless Guest access for visitors.
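The two design points in this thread, a default rule that denies rather than grants guest access, and the rule growth that comes with matching on switch and port values, modeled as an ordered first-match authorization policy. This is an added illustration, not ISE code and not from any of the posters; the attribute names (EapAuthentication, Certificate-Issuer, NAS-IP-Address, NAS-Port-Id, DeviceGroup), the network-device-group alternative and every sample value are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    profile: str                     # authorization profile returned on match
    conditions: dict = field(default_factory=dict)  # attribute -> accepted values

    def matches(self, request: dict) -> bool:
        # Every listed attribute must hold; a rule with no conditions matches anything.
        return all(request.get(attr) in vals for attr, vals in self.conditions.items())

def authorize(rules: list, request: dict) -> tuple:
    """First-match evaluation, like an ISE authorization policy.
    Nothing matched -> the default rule, which here is DenyAccess, not guest."""
    for rule in rules:
        if rule.matches(request):
            return rule.name, rule.profile
    return "Default", "DenyAccess"

# Corporate devices: EAP-TLS with a certificate from the internal CA (constructed names).
CORP_RULE = Rule("Corp EAP-TLS", "PermitAccess",
                 {"EapAuthentication": {"EAP-TLS"}, "Certificate-Issuer": {"Corp-Issuing-CA"}})

def per_port_policy(meeting_room_ports: list) -> list:
    """One guest rule per (switch IP, port): the rule count grows with every meeting-room port."""
    rules = [CORP_RULE]
    for nas_ip, port in meeting_room_ports:
        rules.append(Rule(f"Guest {nas_ip} {port}", "Guest-Redirect",
                          {"NAS-IP-Address": {nas_ip}, "NAS-Port-Id": {port}}))
    return rules

def device_group_policy() -> list:
    """Assumed alternative: meeting-room switches placed in their own network device group,
    so a single rule keyed on the group attribute replaces the per-port rules."""
    return [CORP_RULE, Rule("Guest meeting rooms", "Guest-Redirect",
                            {"DeviceGroup": {"MeetingRoom"}})]

# Constructed sample requests: one corporate laptop, one visitor on two different ports.
CORP_LAPTOP = {"EapAuthentication": "EAP-TLS", "Certificate-Issuer": "Corp-Issuing-CA",
               "NAS-IP-Address": "10.1.1.5", "NAS-Port-Id": "GigabitEthernet1/0/7"}
VISITOR_MEETING = {"EapAuthentication": "EAP-TLS", "Certificate-Issuer": "Unknown-CA",
                   "NAS-IP-Address": "10.1.1.5", "NAS-Port-Id": "GigabitEthernet1/0/12"}
VISITOR_DESK = {**VISITOR_MEETING, "NAS-Port-Id": "GigabitEthernet1/0/30"}

if __name__ == "__main__":
    policy = per_port_policy([("10.1.1.5", "GigabitEthernet1/0/12")])
    for req in (CORP_LAPTOP, VISITOR_MEETING, VISITOR_DESK):
        print(req["NAS-Port-Id"], "->", authorize(policy, req))
```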

Hi Greg, I totally agree with you on limiting guest access to wireless only. This was how we configured it in my previous organizations too. I will try my best to convince this organization to go this way.

 

Thank you for your response Mike. I will look into this document for further options.
