ISE Guest - two questions

ggriesse@cisco.com
Cisco Employee

Hi all

Related to ISE Guest (WLAN), the scenario is a customer who has multiple branches and plans to offer guest services at the branch with local breakout (WLAN FlexConnect); ISE is central in the DC.

Two questions

1) When a client connects to the "guest" SSID he gets DHCP and DNS, so he can access the ISE guest portal (DNS resolution). However, once he is guest authed, the client doesn't want the guest to use the corp DNS. What options do we have here?

2) The proposal is to use Guest Self Registration. I know we can limit the duration (say 30 min) of the session, BUT can we limit (via MAC address) the number of guest sessions per, say, 24-hour cycle per device? So Mr. Guest can only have 30 min of guest access over a 24-hour cycle for his mobile device.

Thx

Greg

Accepted Solution

For #1 you can use Internet DNS servers if you want and you have a few options here:

  1. If you don't override the host names of the PSNs in the URL redirect you can put entries in public DNS for the PSNs and either point them to the internal IPs (if you allow some internal access) or to external IPs that NAT to the internal IPs on the corporate FWs.  I don't personally like putting private IPs in public DNS, but it works fine.
  2. Override the PSN host names with generic public guest DNS names like guest1.mycompany.com and guest2.mycompany.com and have those map to public IPs that get sent to the PSNs. You can either use dedicated guest PSNs in a DMZ or interfaces off your internal PSNs in the DMZ.  You could also NAT the IPs straight through to your internal PSNs but stopping in a DMZ is a better design.

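A way to verify the accepted answer's DNS options from the guest's point of view, as an added example that is not part of this thread and not Cisco ISE code: it takes the portal redirect URLs a guest would be sent to, resolves each host name through a resolver you supply, and reports whether public DNS hands back an RFC 1918 address (option 1 with internal IPs), a public address (NAT to a DMZ PSN or a dedicated guest name, as in option 2), or no record at all. The host names, addresses and URL path are constructed placeholders; `live_resolver` is only meaningful when run from the guest network itself.

```python
"""Audit the DNS names a guest client must resolve to reach ISE guest portals.

Added example, not code from the Cisco Community thread or from ISE.
Classification follows the accepted answer: a private (RFC 1918) address in
public DNS works but is a design smell; a public address should be NAT'd to a
PSN in a DMZ; no record means the guest cannot reach the portal at all.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of what a guest's public resolver might return.
# Names and addresses are placeholders, not values from the thread.
SAMPLE_PUBLIC_DNS: Dict[str, List[str]] = {
    "guest1.example.com": ["203.0.113.10"],          # generic guest name -> public IP (option 2)
    "guest2.example.com": ["203.0.113.11"],
    "ise-psn-1.corp.example.com": ["10.1.1.21"],     # PSN name -> private IP in public DNS (option 1)
    # "ise-psn-2.corp.example.com" deliberately absent: no public record
}

# Constructed redirect URLs; the path is a placeholder, only the host matters here.
SAMPLE_REDIRECT_URLS = [
    "https://guest1.example.com:8443/portal/PLACEHOLDER",
    "https://guest2.example.com:8443/portal/PLACEHOLDER",
    "https://ise-psn-1.corp.example.com:8443/portal/PLACEHOLDER",
    "https://ise-psn-2.corp.example.com:8443/portal/PLACEHOLDER",
]

Resolver = Callable[[str], List[str]]


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a fixed table, so the audit runs offline."""
    def resolve(host: str) -> List[str]:
        return list(table.get(host, []))
    return resolve


def live_resolver(host: str) -> List[str]:
    """Resolver using the OS resolver; run it from the guest VLAN to see what guests see."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(addresses: List[str]) -> str:
    """NO_RECORD, PRIVATE (all RFC 1918), PUBLIC (none RFC 1918) or MIXED."""
    if not addresses:
        return "NO_RECORD"
    kinds = {"PRIVATE" if is_rfc1918(a) else "PUBLIC" for a in addresses}
    return "MIXED" if len(kinds) > 1 else kinds.pop()


def audit_guest_dns(redirect_urls: List[str], resolve: Resolver) -> Dict[str, Tuple[str, List[str]]]:
    """Map each redirect host name to (classification, resolved addresses)."""
    results: Dict[str, Tuple[str, List[str]]] = {}
    for url in redirect_urls:
        host = urlsplit(url).hostname
        if host is None:
            continue
        addrs = resolve(host)
        results[host] = (classify(addrs), addrs)
    return results


if __name__ == "__main__":
    for host, (kind, addrs) in audit_guest_dns(SAMPLE_REDIRECT_URLS,
                                              table_resolver(SAMPLE_PUBLIC_DNS)).items():
        print(f"{kind:10s} {host:32s} {', '.join(addrs) or '-'}")
```

Swap `table_resolver(SAMPLE_PUBLIC_DNS)` for `live_resolver` on a laptop joined to the guest SSID to check the real redirect names; any `NO_RECORD` or `PRIVATE` line is a host the answer's second option would replace with a public guest name that NATs to a PSN in the DMZ.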

2 Replies

Jason Kunst
Cisco Employee

Question 1: don't use corp DNS; look into a DNS server in a DMZ.

Question 2: not natively, but yes, please check under the Guest and Web Auth section of the community at http://cs.co/ise-community; there is a solution. Please get customer requirements to the ISE product management team so we can build it in.
