cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
756
Views
0
Helpful
3
Replies

ISE Guest Portal and AAA Services on one ISE Deployment / Security Concerns

tdoellma
Cisco Employee
Cisco Employee

My customer is planning to use ISE as AAA Server for 802.1X Authentication and as well as Guest Portal Server.

They now have security concerns regarding the guest portal and potential security vulnerabilities.

Do we have any best practices / recommendations regarding guest portal web page and AAA functionalities  running on the same ISE with regards to security?

Thanks,

TD

1 Accepted Solution

Accepted Solutions

paul
Level 10
Level 10

Assuming you are only doing guest portal services for wireless, the customer can easily turn up guest on PSNs in a DMZ and run the portal from there.  Turning up dedicate guest VMs is pretty trivial.  Consult the ISE guides for what ports you need open to allow for cluster communication.  You also need to allow RADIUS from the WLCs.

View solution in original post

3 Replies 3

paul
Level 10
Level 10

Assuming you are only doing guest portal services for wireless, the customer can easily turn up guest on PSNs in a DMZ and run the portal from there.  Turning up dedicate guest VMs is pretty trivial.  Consult the ISE guides for what ports you need open to allow for cluster communication.  You also need to allow RADIUS from the WLCs.

Arne Bier
VIP
VIP

Out of curiosity, have DT run any vulnerability tools (e.g. Nessus scan ) against ISE and found issue with the Guest Portal?

In my own deployments I always disable ALL "Allowed Protocols" that I know I won't be encountering. e.g. for

Default Policies I uncheck all protocols

MAB Web Auth I only allow "Process Host Lookup"

Health monitors (e.g F5) I only allow PAP

EAP-PEAP I only allow EAP-PEAP

etc.

Hardening the portals is a bit trickier - we have to rely on the BU here to ensure that they have made this thing as water tight as possible.  e.g. all web daemons running with lowest privileges etc.

And running a Nessus scan would certainly be interesting.   But having the Guest interface in a DMZ is probably a good strategy too.

ISE 2.2 patch 3 contains some patches in regards to combating cross site scripting.

Jason Kunst
Cisco Employee
Cisco Employee

If customer is really concerned they can have a separate ISE deployment as well