09-27-2017 07:57 AM
Hi Experts,
I am working on an ISE opportunity for an Indian customer. The requirement is as follows:
I understand the guest connectivity can be achieved by using the guest portal. The customer does not want to connect his corporate Active Directory to this guest network.
My query here is:
How can we authenticate/authorize the employees who will also be connecting to this guest network in this scenario?
Any inputs will be greatly appreciated.
Regards
Aditya Gupta
09-27-2017 08:01 AM
If they don’t want to connect to AD then how do they expect to authenticate their employees?
09-27-2017 10:57 AM
Hi Jason
We are exploring whether we can export some of the data from its existing AD and maybe use it somehow.
That is where I am looking for some suggestions.
Regards
Aditya Gupta
09-27-2017 11:06 AM
The guest network doesn't need to talk to AD at all. If you do PEAP authentication, the WLC talks to the ISE PSN to authenticate. There is no connectivity required at all from the guest network. Are you dropping the guests off via an anchor controller into the DMZ or via a separate interface on the WLC?
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
09-27-2017 11:15 AM
Hi Paul
Even the wireless network is going to be entirely separate. For the customer's corporate network they are using a separate OEM (not Cisco), whereas for this guest network we are looking at Cisco APs and a WLC.
Even the WAN Links would not be the same.
Regards
Aditya Gupta
09-27-2017 11:07 AM
You can export users to the ISE internal user store, but the password would likely not export from AD. And I don't think you would want it to.
Or the users could create their own guest accounts when they want to use personal devices on guest?
PEAP wireless 802.1x network for employees internal
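The export Jason describes above, as an added example that is not code from this thread or from Cisco: a script that takes an AD user export and builds the import file for the ISE internal user store. The point it makes concrete is the one in the reply: the AD password never leaves the corporate side, so every account on the isolated guest-network ISE gets its own independent, randomly generated credential, and disabled AD accounts are not carried over. The LDIF attribute names (sAMAccountName, givenName, sn, mail, userAccountControl), the sample users, and the CSV column order are assumptions for illustration; the column order must be checked against the internal-user import template downloaded from your own ISE deployment.

```python
"""Build an ISE internal-user import file from an AD user export.

Added example, not code from the thread or from Cisco. It takes a
constructed LDIF export of AD users and emits CSV rows for the ISE
internal user store, giving each account a fresh random password that
exists only on the isolated guest-network ISE. Nothing password-related
is read from AD.

Assumptions (not from the thread): standard AD attribute names in the
LDIF, and a CSV column order that mirrors the ISE internal-user import
template; verify the columns against the template from your own ISE.
"""
import csv
import io
import secrets
import string

# Constructed sample: the kind of output ldifde or ldapsearch would give
# for two enabled users plus one disabled account that must not be imported.
SAMPLE_LDIF = """\
dn: CN=Asha Rao,OU=Users,DC=example,DC=com
sAMAccountName: arao
givenName: Asha
sn: Rao
mail: arao@example.com
userAccountControl: 512

dn: CN=Vikram Shah,OU=Users,DC=example,DC=com
sAMAccountName: vshah
givenName: Vikram
sn: Shah
mail: vshah@example.com
userAccountControl: 512

dn: CN=Old Contractor,OU=Users,DC=example,DC=com
sAMAccountName: oldctr
givenName: Old
sn: Contractor
userAccountControl: 514
"""

# userAccountControl bit 0x2 is ACCOUNTDISABLE.
UAC_DISABLED = 0x2

# Assumed column order; check it against the ISE import template you downloaded.
ISE_COLUMNS = ["username", "password", "firstName", "lastName", "email", "description"]


def parse_ldif(text):
    """Parse a minimal LDIF dump (blank-line separated) into one dict per entry."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def random_password(length=16):
    """Generate an independent credential; nothing from AD is reused."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_ise_rows(ldif_text):
    """Return ISE import rows for enabled AD users that have a sAMAccountName."""
    rows = []
    for entry in parse_ldif(ldif_text):
        username = entry.get("sAMAccountName")
        if not username:
            continue
        uac = int(entry.get("userAccountControl", "0"))
        if uac & UAC_DISABLED:
            continue  # no guest-side account for an AD account that is disabled
        rows.append({
            "username": username,
            "password": random_password(),
            "firstName": entry.get("givenName", ""),
            "lastName": entry.get("sn", ""),
            "email": entry.get("mail", ""),
            "description": "imported from corporate AD; credential exists on guest ISE only",
        })
    return rows


def to_csv(rows):
    """Serialise the rows in the assumed ISE column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ISE_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_ise_rows(SAMPLE_LDIF)))
```

The generated passwords have to reach the employees out of band (the corporate side can hand them out, since it has the same username list), and the export should be re-run whenever AD accounts are disabled so the guest-side ISE does not keep accounts for people who have left.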
09-27-2017 11:18 AM
Hi Jason
Yes you are right, for employees we are not looking at using passwords.
09-27-2017 11:27 AM
Not sure what you can do otherwise
09-27-2017 08:33 AM
I think your customer is confused about what actually connects to AD. The guest network doesn't connect to AD; it connects to a portal running on an ISE PSN. That ISE PSN needs to talk to AD to authenticate the employees. Only the ISE PSN running the guest portals needs to talk to AD if you allow employee access through the guest portal.
Honestly, bringing employees into a guest portal is not very friendly for the employees. If you set up a different SSID for the employee guest access, make it an 802.1x SSID where the employees can use their AD credentials to connect. In that case it is only a RADIUS authentication function to a PSN that is talking to AD. No portals needed for the employees.
09-27-2017 10:55 AM
Hi Paul
No, there is no confusion. It is because of the internal security limitations/restrictions from the customer's internal infosec team that he cannot have any sort of connection between the guest network and the corporate network.
We have even gone to great lengths to discuss setting up a separate AD within the guest network, but the customer would have to use a different forest. I am not sure if authentication can happen like that.
Yes, we don't want employees to use the guest portal, thus I am looking for some sort of suggestion.
Regards
Aditya Gupta