ISE guest wifi design consideration

Darkmatter
Level 1

We currently have a separate guest wifi infrastructure in place that is isolated from the rest of the network.

The guest APs are patched on a Cisco SMB switch, which in turn has connectivity with an interface on the firewall.

There is a firewall policy allowing only hosts in this specific vlan to reach the internet, allowing some specific ports.

The guest wifi APs don't make use of a WLC and are statically configured.

The purpose of this setup is to just give simple internet access without any of this traffic passing the internal network.


This has been a good solution for years, but with our ISE now in place, we would like to integrate the guest wifi network into ISE.

Still without the use of a WLC, so as to be able to reuse the current infrastructure, not having to buy additional hardware, and keeping this separated from the rest of the network as much as possible.

Is this, from a technical standpoint, even possible?


I was thinking about giving the ISE an interface in the same VLAN as the current guest wifi addressing space and patching this small SMB guest wifi switch (which holds the APs) to this newly configured ISE interface.

The ultimate goal is to still have the guest wifi isolated, but now be able to use the ISE guest portal to authenticate guest users.

Thank you very much for the advice you can give to make this work.

2 Replies

Arne Bier
VIP

Did you have a RADIUS server in your old (current) solution and you're planning to replace it with ISE? Or what is the reason for introducing ISE? Just asking, because it was not clear to me. I suppose you might want to use ISE guest portals perhaps?

The APs would have to support RADIUS as well as MAB authentication, because ISE guest portal URLs are dynamically generated per session. Kind of a good and bad thing.
For added security you could also dedicate one interface on the ISE node (running the PSN persona) for portal traffic. This interface can be on a "DMZ" VLAN.

Panos Bouras
Level 1

Hi @Darkmatter,

As Arne mentioned, this is more a WiFi/AP design question than an ISE one.

Does your AP support Central Web Authentication, 802.1x or MAB?

If the APs are standalone, without any form of communication protocol between them (e.g. Cisco Mobility Express etc.), then what will happen when the user roams from one AP to another?

I believe that in order to get more out of your APs you should consider a solution that supports the above features.

Check the ISE compatibility matrix to get an idea of what's supported for various vendor APs:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/compatibility_doc/b_ise_sdt_27.html#id_91062

Then you can start puzzling over how the wireless guests would be able to resolve the ISE hostname (DNS), how you'll allow access to the ISE guest portal, etc.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies