Hospital Guest Wireless DNS and DHCP Best Security Practice w/ISE Coming Soon

Alan Inman
Level 1
Hey Pros,

What is the best security practice for allowing guest users out to the Internet when connecting to our APs? I'm primarily interested in DHCP and DNS configuration.

We use Cisco APs, firewall, and ISE coming soon. Internal network is a Windows DHCP server handling DHCP requests, and Cisco Umbrella handling DNS.

The current configuration is a separate Guest SSID w/our ASA5555 handing out DHCP requests. I'm not positive how we have DNS set up for guests. We are implementing ISE and there is some suggestion on using our internal Windows DHCP server to hand out DHCP requests to Guest users too, but I think to be done properly there is some MS licensing (CAL) that needs to be addressed.

Thanks in advance for any suggestions.

-Alan

thomas
Cisco Employee

Hi @Alan Inman 

I wouldn't allow any guest access communication to the internal network, carry on using DHCP from the ASA. If using Umbrella, NAT this guest traffic behind a unique public IP address. You can then identify guest traffic by this source IP address and apply a different Umbrella policy to corporate traffic.
If/when you get ISE you could implement the guest portal to capture user/device information.
HTH

Tyson Joachims
Spotlight

1. Do not allow guest users to communicate with the inside network. Accomplish this with a simple ACL denying source of the guest network destined to any RFC-1918 address and permit all other IPs (Internet). Add permit rules for DNS as needed.

2. Do not allow Layer 2 communication between wireless users on the guest network. Depending on whether you're using Cisco Meraki, Cisco Lightweight APs controlled by a WLC, or Autonomous APs will change how this is deployed. This will ensure that a user on the guest network cannot try to scan the other guests or commit malicious acts.

3. If using Umbrella, ensure that you are blocking all other outbound DNS to ensure that your Umbrella policy is applied. Many web browsers will be using DNS over HTTPS now so you'll need to block access to external DNS servers (i.e. 1.1.1.1, 8.8.8.8, etc).

4. If you want to see the internal IP address of your users in the Umbrella dashboard, consider putting a Virtual Appliance (VA) on the guest network and make it the DNS server in your DHCP assignment so all users on the guest use Umbrella.

5. When you get ISE installed, you can require that users login via a splash page so you can then tie a user to the device instead of just seeing IP addresses. This will help to figure out who you need to talk to when you see an alarm about malware or any policy violations in Umbrella.
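Steps 1, 3 and 4 above expressed as an ASA access list, as an added example that is not from the thread or from Cisco documentation. Assumptions: the guest subnet is 192.0.2.0/24 on an ASA interface named `guest`, the optional Umbrella Virtual Appliance sits at 192.0.2.10, and the public resolvers listed are the ones to block; 208.67.222.222 and 208.67.220.220 are Umbrella's published anycast resolvers.

```cisco
! Private address space that guests must never reach (step 1)
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Umbrella anycast resolvers and the Virtual Appliance handed out by DHCP (step 4)
object-group network UMBRELLA_RESOLVERS
 network-object host 208.67.222.222
 network-object host 208.67.220.220
object network UMBRELLA_VA
 host 192.0.2.10
!
! Public resolvers that browsers reach for DNS over HTTPS (step 3); assumed list, extend as needed
object-group network PUBLIC_RESOLVERS
 network-object host 1.1.1.1
 network-object host 1.0.0.1
 network-object host 8.8.8.8
 network-object host 8.8.4.4
!
! Order matters: allow DNS to Umbrella only, block every other resolver, block RFC1918, then permit Internet
access-list GUEST_IN remark Guests (or the VA on their behalf) may only resolve through Umbrella
access-list GUEST_IN extended permit udp 192.0.2.0 255.255.255.0 object-group UMBRELLA_RESOLVERS eq domain
access-list GUEST_IN extended permit tcp 192.0.2.0 255.255.255.0 object-group UMBRELLA_RESOLVERS eq domain
access-list GUEST_IN remark The VA registers and forwards to Umbrella over 443 as well
access-list GUEST_IN extended permit tcp object UMBRELLA_VA object-group UMBRELLA_RESOLVERS eq https
access-list GUEST_IN remark Any other plain DNS, and any traffic at all to known DoH resolvers, is dropped
access-list GUEST_IN extended deny udp any any eq domain
access-list GUEST_IN extended deny tcp any any eq domain
access-list GUEST_IN extended deny ip any object-group PUBLIC_RESOLVERS
access-list GUEST_IN remark No path from the guest network into the enterprise LAN
access-list GUEST_IN extended deny ip any object-group RFC1918
access-list GUEST_IN extended permit ip any any
!
access-group GUEST_IN in interface guest
```

Verify with `show access-list GUEST_IN` that hit counts accumulate on the deny lines when a guest client is pointed at 8.8.8.8 or a 10.x address, and on the permit lines for normal browsing.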

balaji.bandi
Hall of Fame

It is always suggested that DNS and DHCP be kept outside the enterprise LAN network.

BB

thomas
Cisco Employee

The use of an anchor controller in a DMZ is the best practice recommendation.

See Enterprise Mobility 8.5 Design Guide > Cisco Unified Wireless Network Guest Access Services > Guest Access using the Cisco Unified Wireless Network Solution for the full details.