06-13-2024 12:05 PM
Hi,
I am trying to set up ISE posturing for guests/contractors but need to make sure that after successful posture (Compliant) it redirects to the Guest portal for authentication and uses credentials created in the sponsored portal.
So basically:
Connect to Wi-Fi -> Client provisioning portal -> if successful -> Guest portal
Is it something ISE can do? Can someone provide some instructions with details, please?
06-13-2024 02:16 PM
Why do you want to posture users who are just trying to get onto the guest portal? That seems like a painful experience to me. It's bad enough having to deal with Guest portals in the first place. I give guest portals another year or so before we kill them off - vendors like Apple are going to make life very hard for us, because in iOS 18 MAC Rotation is coming and that breaks all of this.
If you're offering a guest internet service, then rather make it easy to use - WPA3 with OWE. That ensures the user's data is encrypted on an open SSID.
Nobody reads the T&Cs anyway and just clicks through all the buttons to get to the internet.
06-13-2024 02:28 PM
The Infosec team requires us to make sure contractors' laptops are up to date, have firewall enabled and AV. That's why I need to configure posturing and wanted to use the guest portal so that not just anyone would connect to that Wi-Fi, even though they would be vetted before connecting.
06-13-2024 02:43 PM
Authentication and Compliance Authorization are very different things.
Guests should never need to deal with Compliance/Posture.
Contractors are either treated as Guests (using Guest Internet for VPN access) or Employees.
If they are handled like employees then you authenticate them with 802.1X then perform your compliance check. The default ISE Policy Set has rules for the recommended way to handle Compliance/Posture:
1) Unknown: no posture / MDM agent - give them limited access to access and install the agent + updates
2) Non-Compliant: they have the agent but will need limited access for any software updates (OS, apps, GPO, etc.)
3) Compliant: they are fine and get full employee access
These are the default authorization rules for posture compliance:
06-13-2024 03:08 PM
The reason why we need to posture is because they are not guests, they are contractors who will have access to our production, and infosec requires their laptops to be up to date and have firewall/AV enabled. I wanted to have posture and then, after it became compliant, use the guest portal.
Also, we want to posture using the stealth agent since it can perform more checks than the temporal agent.