ISE 3.2 posturing for guests with sponsored portal

petrosab
Level 1

Hi,

I am trying to set up ISE posturing for guests/contractors but need to make sure that after successful posture (Compliant) it redirects to the Guest portal for authentication and uses credentials created in the sponsored portal.

So basically: 

Connect to Wi-Fi -> Client provisioning portal -> if successful -> Guest portal

Is it something ISE can do? Can someone provide some instructions with details, please?

4 Replies

Arne Bier
VIP

Why do you want to posture users who are just trying to get onto the guest portal? That seems like a painful experience to me. It's bad enough having to deal with Guest portals in the first place. I give guest portals another year or so before we kill them off - vendors like Apple are going to make life very hard for us, because in iOS 18 MAC Rotation is coming and that breaks all of this.

If you're offering a guest internet service, then rather make it easy to use - WPA3 with OWE. That ensures the user's data is encrypted on an open SSID.

Nobody reads the T&Cs anyway and just clicks through all the buttons to get to the internet.

petrosab
Level 1

The Infosec team requires us to make sure contractors' laptops are up to date, have firewall enabled and AV. That's why I need to configure posturing and wanted to use the guest portal so anyone wouldn't connect to that Wi-Fi even though they would be vetted before connecting.

thomas
Cisco Employee

Authentication and Compliance Authorization are very different things.

Guests should never need to deal with Compliance/Posture.

Contractors are either treated as Guests (using Guest Internet for VPN access) or Employees.

If they are handled like employees then you authenticate them with 802.1X then perform your compliance check. The default ISE Policy Set has rules for the recommended way to handle Compliance/Posture:

1) Unknown: no posture / MDM agent - give them limited access to access and install the agent + updates

2) Non-Compliant: they have the agent but will need limited access for any software updates (OS, apps, GPO, etc.)

3) Compliant: they are fine and get full employee access

These are the default authorization rules for posture compliance:

[Image: image.png]

The reason why we need to posture is because they are not guests, they are contractors who will have access to our production, and infosec requires their laptops to be up to date and have firewall/AV enabled. I wanted to have posture and then, after it became compliant, use the guest portal.

Also we want to posture using stealth agent since it can perform more checks than temporal agent.