ISE 2.4 different device authentication using same SSID

waqas gondal
Level 1

Hi!

I have ISE 2.4 with BYOD authentication for wireless guest users. It is currently working without any issues.

We have different devices such as Apple, Android and Windows devices that can authenticate using the guest portal.

What I am trying to add is a different authentication parameter for the same SSID that can authenticate a printer with a static IP.

Question is, is it possible for ISE to use the same SSID to authenticate a wireless device with a static IP using a PSK instead of the portal that everyone else gets redirected to?


paul
Level 10

You can't mix security controls on an SSID, but what I do on all my guest wireless setups is set up an Identity Group called Guest_No_Portal. It is to hold MAC addresses of devices that can't handle a portal or that you don't want to ever see a portal (i.e. the CEO's iPhone). Add MACs into the Guest_No_Portal identity group and add a rule to your guest policy set to allow that identity group to connect without being redirected to a portal. Most customers leverage this setup for any number of devices that can't handle portals: printers, wireless vending machines, conference room AV equipment, etc.

Thanks Paul,

Does this setup include authentication for non portal devices like a PSK?

Do you have a link to a doc for this configuration?

PSK is a wireless security method and nothing involved with ISE. The SSID will either be Open, PSK or 802.1x. If this is a classic guest it will be an Open SSID. All you are doing is adding an endpoint identity group that is allowed in the authorization rules for the SSID without setting the portal. Your rules would look something like this:

1) If MAC is in Guest_No_Portal then grant Internet access.

2) If MAC is in GuestEndpoints (i.e. users that have gone through portal process) then grant Internet access.

3) Else send users to guest portal.


Thanks
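
The three-rule order described in the answer above, modelled in Python as an added example that is not part of the original posts and is not ISE configuration or an ISE API. The group names come from the thread; the MAC addresses, result labels and function names are constructed for illustration. It also audits a bypass list for duplicates, malformed entries and addresses with the locally administered bit set, since a randomized address of that kind will not keep matching a static Guest_No_Portal entry.

```python
import re

# Constructed sample data: group names follow the thread, MACs are made up.
GROUPS = {
    "Guest_No_Portal": ["00:11:22:AA:BB:CC", "0011.22aa.bbdd"],
    "GuestEndpoints": ["3c-22-fb-10-20-30"],
}

def normalize_mac(mac):
    """Reduce colon, hyphen or dotted notation to 12 uppercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (locally assigned address)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def authorize(mac, groups=GROUPS):
    """First-match evaluation; returns (rule number, result label)."""
    mac = normalize_mac(mac)
    index = {name: {normalize_mac(m) for m in macs} for name, macs in groups.items()}
    if mac in index["Guest_No_Portal"]:
        return 1, "PERMIT_INTERNET"      # rule 1: listed device, no portal
    if mac in index["GuestEndpoints"]:
        return 2, "PERMIT_INTERNET"      # rule 2: already went through the portal
    return 3, "REDIRECT_TO_PORTAL"       # rule 3: everyone else

def audit_bypass_group(macs):
    """Return (duplicates, locally_administered, malformed) for a bypass list."""
    seen, dups, local, bad = set(), [], [], []
    for raw in macs:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            bad.append(raw)
            continue
        if mac in seen:
            dups.append(raw)
        seen.add(mac)
        if is_locally_administered(mac):
            local.append(raw)
    return dups, local, bad
```
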