Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2331
Views
4
Helpful
10
Replies

How to prevent corporate users to access guest network?

Go to solution
andre.ortega
Spotlight
Spotlight

‎10-26-2015 04:54 AM - edited ‎03-10-2019 11:11 PM

Hello everybody,

I have a corporate network (users are using NAM, User and Pass from AD and EAP-Chaining) and a Guest Network (webportal authentication, ISE local database).

I don't want that my corporate users access the guest network (supposing that them got an user and pass for that). How could I do that?

I know that is possible to block connections on NAM, but I'd like to know if it is possible control this on ISE, not on client.

Thanks.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
jan.nielsen
Level 7
Level 7

‎10-26-2015 12:27 PM

Unfortunately not, unless you have an identity store which only contains the corporate machine's mac adresses, you can not differentiate between corporate pc's and guest devices. Do your users not take their machines outside the corporate network normally?

View solution in original post

0 Helpful

Go to solution
Ryan Coombs
Level 1
Level 1

‎10-27-2015 07:28 AM

Andre - I see this is answered but as a quick note you can always push out a new profile to your corp users with a profile for your GUEST SSID set to use EAP-TLS or anything that will cause it to fail when connecting to your open network.

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni

‎10-26-2015 10:21 AM 

Hello everybody,

I have a corporate network (users are using NAM, User and Pass from AD and EAP-Chaining) and a Guest Network (webportal authentication, ISE local database).

I don't want that my corporate users access the guest network (supposing that them got an user and pass for that). How could I do that?

I know that is possible to block connections on NAM, but I'd like to know if it is possible control this on ISE, not on client.

Thanks.

Hi Andre,

I think the best and easy way is to block based on ip subnet at firewall end, considering Guest network would be behind the firewall and corporate is also in different subnet. So you can block both the subnet communication in firewall.

Hope it Helps.

-GI

0 Helpful

Go to solution
andre.ortega
Spotlight
Spotlight
In response to Ganesh Hariharan

‎10-26-2015 10:25 AM

Hello Ganesh.
Probably there is a misunderstanding here.
I wanna prevent my corporate users connecting to the Guest SSID, not just to block traffic between the networks.

Regards.

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to andre.ortega

‎10-26-2015 10:42 AM 

Hello Ganesh.
Probably there is a misunderstanding here.
I wanna prevent my corporate users connecting to the Guest SSID, not just to block traffic between the networks.

Regards.

Hi Andre,

How is the authentication works for corporate users for connecting SSID, you do any group based AD policy with WLAN SSID parameters. If yes , Then you can apply the same for Guest in Group policy for all corporate laptops not to connect to Guest SSID rather only to corporate SSID.

Hope it Helps..

-GI

Go to solution
andre.ortega
Spotlight
Spotlight
In response to Ganesh Hariharan

‎10-26-2015 10:58 AM

Hi Ganesh.

How could I check if a laptop is or is not a corporate device on my guest network?

On my guest network the authentication is through captive portal, so the user just inform a username and password (ISE local database) to get access.
I don't have any information about the machine but the mac address.

 

Thanks for your attention.

 

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7

‎10-26-2015 12:27 PM

Unfortunately not, unless you have an identity store which only contains the corporate machine's mac adresses, you can not differentiate between corporate pc's and guest devices. Do your users not take their machines outside the corporate network normally?

0 Helpful

Go to solution
andre.ortega
Spotlight
Spotlight
In response to jan.nielsen

‎10-26-2015 12:30 PM

Yes, they do.

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to andre.ortega

‎10-26-2015 12:33 PM

So what would you be worried about if someone was connecting to your own guest network ? Wouldn't that just be like when they were outside the corp. network, like at home on their own wifi ?

I would suggest using NAM, like you already found out yourself, it would keep them from doing this, when your corp. ssid is within reach, this is normally how i keep corp. machines from connecting to guest ssid at the corp. location

0 Helpful

Go to solution
andre.ortega
Spotlight
Spotlight
In response to jan.nielsen

‎10-26-2015 12:40 PM

Yes Jan, I totally agree with you, but it is a request from a customer of mine.
I was trying to do that using NAM, but it is necessary to allow the access (to guest network) sometimes.
I believe in this case I should have two NAM profiles, so I could choose when use one or another, but in my tests it didn't work (I created two client provisioning policies, for different AD Groups, but both groups are getting the same profile).
I will do some more test using NAM. It should be my only option.

Thanks.

0 Helpful

Go to solution
Ryan Coombs
Level 1
Level 1

‎10-27-2015 07:28 AM

Andre - I see this is answered but as a quick note you can always push out a new profile to your corp users with a profile for your GUEST SSID set to use EAP-TLS or anything that will cause it to fail when connecting to your open network.

0 Helpful

Go to solution
andre.ortega
Spotlight
Spotlight
In response to Ryan Coombs

‎10-27-2015 08:38 AM

Thanks Ryan.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents