andre.ortega
Enthusiast

How to prevent corporate users to access guest network?

Hello everybody,

I have a corporate network (users are using NAM, with username and password from AD, and EAP-Chaining) and a guest network (web portal authentication, ISE local database).

I don't want my corporate users to access the guest network (supposing that they have a username and password for it). How could I do that?

I know it is possible to block connections with NAM, but I'd like to know if it is possible to control this on ISE, not on the client.

Thanks.

Hi Andre,

I think the best and easiest way is to block based on IP subnet at the firewall, considering the guest network would be behind the firewall and the corporate network is also in a different subnet. So you can block communication between both subnets in the firewall.

Hope it Helps.

-GI

Hello Ganesh.
Probably there is a misunderstanding here.
I wanna prevent my corporate users connecting to the Guest SSID, not just to block traffic between the networks.

Regards.

Hi Andre,

How does the authentication work for corporate users connecting to the SSID? Do you use any group-based AD policy with WLAN SSID parameters? If yes, then you can apply the same for guest in a Group Policy for all corporate laptops, so they do not connect to the guest SSID but only to the corporate SSID.

Hope it Helps..

-GI

Hi Ganesh.

How could I check if a laptop is or is not a corporate device on my guest network?

On my guest network the authentication is through a captive portal, so the user just enters a username and password (ISE local database) to get access.
I don't have any information about the machine except the MAC address.

Thanks for your attention.

jan.nielsen
Rising star

Unfortunately not. Unless you have an identity store which only contains the corporate machines' MAC addresses, you cannot differentiate between corporate PCs and guest devices. Do your users not take their machines outside the corporate network normally?

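To make Jan's point concrete: the guest portal flow only ever sees the client MAC (RADIUS Calling-Station-Id), so the one ISE-side check that is possible is a lookup of that MAC against a store of known corporate endpoints, and the check is only as good as that store is complete. The following is an added illustration written for this thread, not Cisco or ISE code; the corporate MAC list and the authentication requests are constructed sample values, and the three MAC spellings are included because Calling-Station-Id arrives in different formats depending on the network device.

```python
import re

# Constructed sample data (not an ISE export): MACs of known corporate devices,
# deliberately written in the three spellings seen in practice.
CORPORATE_MACS_RAW = ["AA-BB-CC-11-22-33", "aabb.cc44.5566", "aa:bb:cc:77:88:99"]

# Constructed guest-portal authentication requests, loosely modelled on the
# RADIUS attributes an ISE policy set can match on.
GUEST_AUTH_REQUESTS = [
    {"User-Name": "visitor01", "Calling-Station-Id": "AA:BB:CC:11:22:33"},
    {"User-Name": "visitor02", "Calling-Station-Id": "de-ad-be-ef-00-01"},
    {"User-Name": "visitor03", "Calling-Station-Id": "aabb.cc44.5566"},
    {"User-Name": "visitor04", "Calling-Station-Id": "not-a-mac"},
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Collapse colon, hyphen and Cisco dotted MAC spellings to 12 lowercase
    hex digits; return None when the value is not a MAC address at all."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return digits if _HEX12.match(digits) else None


def build_corporate_store(raw_macs):
    """Build the normalized corporate endpoint store. A malformed entry is an
    error: a silently dropped MAC would let that device through the check."""
    store = set()
    for raw in raw_macs:
        mac = normalize_mac(raw)
        if mac is None:
            raise ValueError(f"bad MAC in corporate store: {raw!r}")
        store.add(mac)
    return store


def evaluate_guest_request(request, corporate_store):
    """Return (decision, reason) for one guest-portal authentication.

    REJECT   - the endpoint is a known corporate device.
    CONTINUE - the endpoint is unknown, so the normal guest rules apply.
    """
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None:
        # The block rule cannot match an unparsable MAC; whether such a
        # request should instead be rejected outright is a deployment choice.
        return "CONTINUE", "Calling-Station-Id missing or malformed; rule does not match"
    if mac in corporate_store:
        return "REJECT", "endpoint is in the corporate device store"
    return "CONTINUE", "endpoint unknown; proceed to guest portal"


def evaluate_all(requests, corporate_store):
    """Map each User-Name to its decision."""
    return {r["User-Name"]: evaluate_guest_request(r, corporate_store)[0]
            for r in requests}


if __name__ == "__main__":
    store = build_corporate_store(CORPORATE_MACS_RAW)
    for req in GUEST_AUTH_REQUESTS:
        decision, reason = evaluate_guest_request(req, store)
        print(f"{req['User-Name']:>10} {req['Calling-Station-Id']:>20} {decision:>8}  {reason}")
```

The normalization step matters more than it looks: if the store holds `aabb.cc44.5566` and the request carries `AA-BB-CC-44-55-66`, a naive string comparison never matches and the corporate laptop sails onto the guest SSID.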

Yes, they do.

So what would you be worried about if someone was connecting to your own guest network? Wouldn't that just be like when they were outside the corp. network, like at home on their own wifi?

I would suggest using NAM, as you already found out yourself; it would keep them from doing this when your corp. SSID is within reach. This is normally how I keep corp. machines from connecting to the guest SSID at the corp. location.

Yes Jan, I totally agree with you, but it is a request from a customer of mine.
I was trying to do that using NAM, but it is necessary to allow access (to the guest network) sometimes.
I believe in this case I should have two NAM profiles, so I could choose when to use one or the other, but in my tests it didn't work (I created two client provisioning policies for different AD groups, but both groups are getting the same profile).
I will do some more tests using NAM. It should be my only option.

Thanks.

Ryan Coombs
Beginner

Andre - I see this is answered, but as a quick note you can always push out a new profile to your corp users with a profile for your GUEST SSID set to use EAP-TLS, or anything that will cause it to fail when connecting to your open network.


Thanks Ryan.