Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1528
Views
0
Helpful
4
Replies

ISE 2.4 different device authentication using same SSID

Go to solution
waqas gondal
Level 1
Level 1

‎04-15-2019 02:19 PM

Hi!

 

I have ISE 2.4 with BYOD authentication for wireless guest users. It is currently working without any issues.

 

We have different devices such as apple, android and windows devices that can authenticate using the guest portal.

 

What I am trying to add is a different authentication parameter for the same SSID that can authenticate a printer with a static IP.

 

Question is, is it possible for ISE to use the same SSID to authenticate a wireless device with a static IP using a PSK instead of the portal that everyone else gets redirected to?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎04-15-2019 07:12 PM

You can't mix security controls on an SSID, but what I do on all my guest wireless setups is setup an Identity Group called, Guest_No_Portal.  It is to hold MAC addresses of devices that can't handle a portal or you don't want to ever see a portal (i.e. CEOs iPhone).  Add MACs into the Guest_No_Portal identity group and add a rule to your guest policy set to allow that identity group to connect without being redirected to a portal.  Most customers leverage this setup for any numbers of devices that can't handle portals, printers, wireless vending machines, conference room AV equipment, etc.

View solution in original post

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to waqas gondal

‎04-16-2019 09:42 AM

PSK is a wireless security method and nothing involved with ISE. The SSID will either be Open, PSK or 802.1x. If this is a classic guest it will be an Open SSID. All you are doing is adding an endpoint identity group that is allowed in the authorization rules for the SSID without setting the portal. You rules would look something like this:



1) If MAC is in Guest_No_Port then grant Internet access.

2) If MAC is in GuestEndpoints (i.e. users that have gone through portal process) then grant Internet access.

3) Else send users to guest portal.


View solution in original post

0 Helpful
4 Replies 4

Go to solution
paul
Level 10
Level 10

‎04-15-2019 07:12 PM

You can't mix security controls on an SSID, but what I do on all my guest wireless setups is setup an Identity Group called, Guest_No_Portal.  It is to hold MAC addresses of devices that can't handle a portal or you don't want to ever see a portal (i.e. CEOs iPhone).  Add MACs into the Guest_No_Portal identity group and add a rule to your guest policy set to allow that identity group to connect without being redirected to a portal.  Most customers leverage this setup for any numbers of devices that can't handle portals, printers, wireless vending machines, conference room AV equipment, etc.

0 Helpful

Go to solution
waqas gondal
Level 1
Level 1
In response to paul

‎04-16-2019 09:08 AM

Thanks Paul,

Does this setup include authentication for non portal devices like a PSK?

Do you have a link to a doc for this configuration?
0 Helpful

Go to solution
paul
Level 10
Level 10
In response to waqas gondal

‎04-16-2019 09:42 AM

PSK is a wireless security method and nothing involved with ISE. The SSID will either be Open, PSK or 802.1x. If this is a classic guest it will be an Open SSID. All you are doing is adding an endpoint identity group that is allowed in the authorization rules for the SSID without setting the portal. You rules would look something like this:



1) If MAC is in Guest_No_Port then grant Internet access.

2) If MAC is in GuestEndpoints (i.e. users that have gone through portal process) then grant Internet access.

3) Else send users to guest portal.


0 Helpful

Go to solution
waqas gondal
Level 1
Level 1
In response to paul

‎04-16-2019 10:45 AM

Thanks
0 Helpful
Customers Also Viewed These Support Documents
Top