Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Alan Inman

Hospital Guest Wireless DNS and DHCP Best Security Practice w/ISE Coming Soon

Hey Pros, 
What is the best security practice for allowing guest users out to the Internet when connecting to our APs? I'm primarily interested in DHCP and DNS configuration.
We use Cisco APs, firewall, and ISE coming soon. Internal network is a Windows DHCP server handling DHCP requests, and Cisco Umbrella working DNS
The current configuration is a separate Guest SSID w/our ASA5555 handing out DHCP requests. I'm not positive how we have DNS set up for guests. We are implementing ISE and there is some suggestion on using our internal Windows DHCP server to hand out DHCP requests to Guest users too, but I think to be done properly there is some MS licensing (CAL) that needs to be addressed. 
Thanks in advance for any suggestions.

Accepted Solutions
Cisco Employee

Rob Ingram
VIP Mentor

Hi @Alan Inman 

I wouldn't allow any guest access communication to the internal network, carry on using DHCP from the ASA. If using Umbrella, NAT this guest traffic behind a unique public IP address. You can then identify guest traffic by this source IP address and apply a different Umbrella policy to corporate traffic.


If/when you get ISE you could implement the guest portal to capture user/device information.



Tyson Joachims
Rising star

1. Do not allow guest users to communicate with the inside network. Accomplish this with a simple ACL denying source of the guest network destined to any RFC-1918 address and permit all other IPs (Internet). Add permit rules for DNS as needed.

2. Do not allow Layer 2 communication between wireless users on the guest network. Depending on if you're using Cisco Meraki, Cisco Lightweight APs controlled by a WLC, or Autonmous APs will change how this is deployed. This will ensure that a user on the guest network cannot try to scan the other guests or commit malicious acts.

3. If using Umbrella, ensure that you are blocking all other outbound DNS to ensure that your Umbrella policy is applied. Many web browsers will be using DNS over HTTPS now so you'll need to block access to external DNS servers (i.e.,, etc).

4. If you want to see the internal IP address of your users in the Umbrella dashboard, consider putting a Virtual Appliance (VA) on the guest network and make it the DNS server in your DHCP assignment so all users on the guest use Umbrella.

5. When you get ISE installed, you can require that users login via a splash page so you can then tie a user to the device instead of just seeing IP addresses. This will help to figure out who you need to talk to when you see an alarm about malware or any policy violations in Umbrella.

VIP Expert

DNS and DHCP should be always suggest to out of a network of enterprise LAN.


*** Rate All Helpful Responses ***

Cisco Employee

Content for Community-Ad