nadeekha
Beginner

ISE - Restricting Employee assets from accessing Guest SSID

Hi Experts,

My customer wants to know the following:

They currently have a Guest Wifi with an SSID in their environment for their guest users and access is separately anchored off at the DMZ. Guest access is purely WLC based and no NAC solution is in place for it.

Now we are in the process of setting up ISE Wireless /Wired 802.1x solution for the employee assets. The question is that with ISE deployed will we be able to restrict the employees from hopping onto the Guest network SSID from their laptops?

They don't want employees to be able to get on the Guest Wifi period.

They have no plans to have Guest Access a part of the ISE design.

Accepted Solutions
Jason Kunst
Cisco Employee

ISE has no visibility into the wireless guest network as it's not managing it. That limits the options available. Might be best to reach out to wireless/prime team to validate some of these options.


Also see a similar thread Block Employee MAC's on guest SSID?


If you have a simple guest splash page from the controller then maybe the controller can query Prime for MAC addresses seen on the internal network?


If they are requiring them to do LWA to the WLC guest portal then don't allow employees to create accounts.

AnyConnect Network Access Module (Windows only), restrict their Windows machines from connecting to unsanctioned WLANs?

Enterprise Connection Enforcement How-to guide Admin Guide


If integrating with ISE

Only allow sponsors to create accounts for visitors

Restrict access to 1 device per credential

Register Corp machines into special endpoint group

If MAB and Corp ID Group then deny access or redirect to restricted message portal

Profiling to differentiate access (requires plus license)

Use profiling to differentiate corp devices. You can use Windows GPO to write an identifiable string into the browser user agent or DHCP client ID field that ISE can use to differentiate the corp devices. (Need Plus License.) Once you have the endpoint group created and populated, you simply need to redirect to a different portal to notify the user they are not allowed on the guest network.

WPA2 Guest network (no open network, no portal)

Corporate Devices using cert auth

Guests use sponsored credentials with allow guest type to bypass portal

vibobrov
Cisco Employee

There were a couple of other options discussed here: Re: Limiting corporate users from guest wireless SSID's - specific use case

For Active Directory managed Clients you can enroll a GPO to deny Wireless Access to specific SSIDs.

How to use Group Policy to black/white list wireless networks in Vista & Windows 7
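The SSID deny list that the GPO above pushes can also be set per machine with the built-in wireless filter commands. The script below is an added example, not from this thread or from Cisco; the SSID name "ACME-Guest" is a constructed placeholder, and it must run in an elevated PowerShell session. It forgets any saved profile for the guest SSID, adds a block filter so the adapter will not list or join it, and then checks the filter is present.

```powershell
# Added example: local equivalent of the "deny wireless access to specific SSIDs" GPO.
# Run as a local administrator. SSID names here are constructed placeholders.

function Block-GuestSsid {
    param([Parameter(Mandatory)][string[]]$Ssid)
    foreach ($s in $Ssid) {
        # Remove any saved profile so the machine stops auto-joining the guest network
        netsh wlan delete profile name="$s"
        # Block the infrastructure SSID; it disappears from the available-networks list
        netsh wlan add filter permission=block ssid="$s" networktype=infrastructure
    }
}

function Test-SsidBlocked {
    param([Parameter(Mandatory)][string]$Ssid)
    # 'netsh wlan show filters' prints the block list; look for the SSID in it
    $output = (netsh wlan show filters) -join "`n"
    return $output -match ('SSID:\s*"?' + [regex]::Escape($Ssid) + '"?')
}

Block-GuestSsid -Ssid 'ACME-Guest'
if (Test-SsidBlocked -Ssid 'ACME-Guest') {
    Write-Host 'Guest SSID is on the local block list'
} else {
    Write-Warning 'Block filter not found; check that the session is elevated'
}
```

A local filter can be removed by any local administrator, which is why the domain GPO is the better choice for managed fleets; the script is useful for testing the effect on one client before rolling the policy out.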
