ISE GUEST AUTHORIZATION ISSUE

isaaco001
Level 3

Dear community,
This concept escapes me. When a guest user connects to a wired network, what is ISE supposed to do? Is it to shut down the port instantly, or do a change of authorization where the guest user is placed into a new network?
In any case, the interface can only have one data VLAN for the existing network, which we are trying to prevent the guest from having any visibility into. Currently the authorization profile that I have has the following downloadable ACL:
permit udp any any eq 53
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
permit ip any host 192.168.x.x (ISE)

deny ip any any
The issue is that when guest users connect to the network they are issued an IP address; this gives them an opportunity to scan the network and do any kind of attack with this issued internal IP! Ideally I would think a regular guest would be redirected to a guest portal where they would enter their credentials, and ISE would do a change of authorization and put them into a new VLAN.
What's the best practice here? Kindly share a downloadable ACL which would protect the internal network, or a way to prevent guests from having any kind of interaction with the internal network but be directed to the guest portal.
Thank you all!

Accepted Solution

Mike.Cifelli
VIP Alumni

My opinion is that you should assign VLANs via authz policies built in ISE. Your best bet for what you desire is to make something like a restricted (parking lot) network for your guests, who get redirected to a guest portal to either self-register or become registered via a sponsor. Essentially, in either scenario you would create your portal and create a specific authz profile that dumps the endpoint in your "parking lot", assigns a redirect ACL, and redirects them to your guest portal. Without diving deeper into the details of what exactly you want to accomplish, I think you have several avenues for options. If you are new to utilizing the portals, you can check out Cisco documentation or follow along here: http://labminutes.com/video/sec

@Jason Kunst usually has good info for the portals.  Good luck & HTH!

Jason Kunst
Cisco Employee

Please check out the guest guide, with details about wired connectivity, under http://cs.co/ise-guest

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

Quick points. There is information about VLAN changes and port scripting under there. If you're really concerned about sharing IP space, then don't use wired for guest. Force them to use wireless and do closed mode on your ports. Otherwise they will have access. You can of course secure your wired ports in different ways (separate VRF? conference rooms?). There are too many things to discuss here.
Please accept as solution and mark helpful
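The pieces the two replies describe, put together as an added example (not configuration from either reply, from the original poster, or from Cisco's published guides): a closed-mode wired port with MAB, a redirect ACL that sends only web traffic to the portal, and a parking-lot dACL that, unlike the original one, denies internal address space before permitting any web traffic. The interface, VLAN numbers, ACL name and the PSN address 192.0.2.10 are assumed placeholders.

```cisco
! --- Switch side (IOS, classic "authentication" CLI) ---
! Closed mode: "authentication open" is deliberately absent, so only
! EAPoL passes until ISE returns an authorization result.
! Placeholders: Gi1/0/10, VLANs 10/900, PSN 192.0.2.10.
ip access-list extended ISE-GUEST-REDIRECT
 ! In a redirect ACL, "deny" = do not redirect, "permit" = redirect.
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 deny   ip  any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface GigabitEthernet1/0/10
 description Guest-capable wired port
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! --- ISE side: dACL for the "parking lot" authorization profile ---
! The same profile sets VLAN 900 and Web Redirection = Centralized
! Web Auth with ACL name ISE-GUEST-REDIRECT. RFC1918 space is denied
! before "permit tcp any any eq www", so an unregistered guest can
! reach DHCP, DNS and the PSN but cannot browse or scan internal hosts.
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 192.0.2.10
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
```

After the guest registers on the portal, the CoA described in the replies re-authorizes the session into a second profile (final guest VLAN and a broader dACL); the parking-lot profile above only has to hold until that happens.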