08-07-2019 12:20 AM
Dear community,
This concept escapes me. When a guest user connects to a wired network, what is ISE supposed to do? Is it to shutdown the port instantly or do a change of authorization where the guest user is placed into a new network?
In any case, the interface can only have one data VLAN for the existing network, which we are trying to prevent the guest from having any visibility into. Currently the authorization profile that I have has the following downloadable ACL:
permit udp any any eq 53
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
permit ip any host 192.168.x.x (ise)
deny ip any any
The issue is that when guest users connect to the network they are issued an IP address; this gives them an opportunity to scan the network and do any kind of attack with this issued internal IP! Ideally I would think a regular guest would be redirected to a guest portal where they would issue their credentials, and ISE would do a change of authorization and put them into a new VLAN.
What's the best practice here? Kindly share a downloadable ACL which would protect the internal network, or a way to prevent guests from having any kind of interaction with the internal network but be directed to the guest portal.
Thank you all!
08-07-2019 04:49 AM
My opinion is that you should assign the VLAN via authz policies built in ISE. Your best bet for what you desire is to make something like a restricted (parking lot) network for your guests that get redirected to a guest portal to either self-register or become registered via sponsor. Essentially in either scenario you would create your portal and create a specific authz profile that dumps the endpoint in your "parking lot", assigns a redirect ACL, and redirects them to your guest portal. Without diving deeper into the details of what exactly you want to accomplish, I think you have several avenues for options. If you are new to utilizing the portals you can check out Cisco documentation or follow along here: http://labminutes.com/video/sec
@Jason Kunst usually has good info for the portals. Good luck & HTH!
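To make the gap raised in the question and the restricted "parking lot" approach suggested above concrete, here is a small first-match dACL evaluator (example code written for this thread, not from either poster or from Cisco). It replays a few constructed guest flows through the dACL posted in the question and through a variant that denies RFC 1918 destinations before the web permits; the PSN address 192.168.10.5, the guest and server addresses, and the flows are all assumptions.

```python
import ipaddress
# The dACL from the question; 192.168.10.5 is a constructed stand-in for "192.168.x.x (ise)".
ORIGINAL_DACL = """permit udp any any eq 53
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
permit ip any host 192.168.10.5
deny ip any any"""
# Variant: deny RFC 1918 destinations before the web permits, so a guest reaches only DNS, ISE, Internet.
HARDENED_DACL = """permit udp any any eq 53
permit ip any host 192.168.10.5
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny ip any any"""
def _addr(tok):
    """Consume one Cisco address spec (any | host A | A wildcard) from tok."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]  # wildcard = hostmask

def parse_dacl(text):
    rules = []  # (action, proto, src_net, dst_net, dst_port or None) per ACE, in order
    for line in text.splitlines():
        action, proto, *tok = line.split()
        src, tok = _addr(tok)
        dst, tok = _addr(tok)
        port = ({"www": 80}.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First match wins; a Cisco dACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return action
    return "deny"
# Constructed flows from a guest at 192.168.50.20 in the parking-lot VLAN.
FLOWS = {"internal_web": ("tcp", "192.168.50.20", "10.20.0.15", 443),
         "ise_portal": ("tcp", "192.168.50.20", "192.168.10.5", 8443),
         "internet_web": ("tcp", "192.168.50.20", "203.0.113.10", 443)}

def check_flows(acl_text):
    return {name: evaluate(parse_dacl(acl_text), *flow) for name, flow in FLOWS.items()}
```

With the posted dACL the guest's HTTPS connection to an internal server is permitted, which is exactly the exposure the question describes; the variant denies it while still allowing the ISE portal and Internet web traffic.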
08-07-2019 07:57 AM - edited 08-07-2019 07:58 AM
Please check out the guest guide with details about wired connectivity under http://cs.co/ise-guest
Quick points. There is information about VLAN changes and port scripting under there. If you're really concerned about sharing IP space then don't use wired for guest. Force them to use wireless and do closed mode on your ports. Otherwise they will have access. You can of course secure your wired ports in different ways (separate VRF?). Conference rooms? There are too many things to discuss here.
Please accept as solution and mark helpful