
skc455
Beginner

Hello, I am looking for some suggestions with regard to a wired 802.1X implementation using ISE 2.6.

My organization wants to configure a default policy to allow all ports to connect to guest internet as a last resort. I can do this by changing the default policy with an authorization profile, but I feel that it's not a secure option. I was looking for an option to limit guest internet access to only a few ports and lock down all the other ports if authentication fails. Is that possible? For example: on a port in a meeting room, if a non-corporate device is connected it should get default guest internet access, and if a corporate device is connected it should get internal resource and internet access. All other ports in the building apart from the meeting room should block access if a non-corporate device is connected. Is that a best practice? Any input on how you are doing this at your workplace would be great.

Currently we are using the Windows supplicant for dot1x and performing certificate authentication (user or machine).

2 ACCEPTED SOLUTIONS


You can definitely accomplish what you are trying to do without profiling.  You have the ability to use ISE portals to support this with redirect for guest users.  I strongly suggest taking a deep peek at this to understand the workflow and to help identify specific conditions you can utilize: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

HTH!
