ISE Wired Guest control

manvik
Level 3

How do I implement Guest authentication for wired devices using Cisco ISE? The requirement is to display the Guest Portal for non-AD joined devices.

If the system is AD joined, access should be permitted.

Only AD joined systems need to have access; if someone brings a new device/system and plugs it in, it should not get connected.

Accepted Solutions

balaji.bandi
Hall of Fame

That is the basic nature of ISE, right? Only authorised devices will get into the right VLAN; if not authenticated, the user will be in the default VLAN until they get authenticated.

In most use cases on wireless, this will be a redirect to the Guest portal to get authenticated.

Wired means we are trusting whichever devices plug in - but it looks like you have another requirement. It can be possible with Profiles.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ISE_26_admin_guide/b_ISE_admin_26_guest.html

https://ciscocustomer.lookbookhq.com/iseguidedjourney/BYOD-configuration?utm_campaign=ISE&utm_content=Guide&utm_source=Cisco.com-Open&utm_medium=ISE-Page-BYOD&pfhide=true

BB


8 Replies


Thank you @balaji

You are right, the requirement is a bit different. Non-AD joined wired systems need to get a Guest portal only.

In this scenario, should any config be done in the network switches?

Does anyone have any links to documents for this?

@mike beat me to the message - he provided all the information you need, including videos.

 

BB



802.1X will fail or time out for the Guest, then the SW will give a VLAN to the Guest. The Guest will get an IP, and if it tries to connect to the web it will be redirected to ISE for WebAuth.

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216330-ise-self-registered-guest-portal-configu.html

 

manvik
Level 3

Thank you @balaji @mike

Those docs were helpful. It seems ISE EasyConnect would be an ideal solution, but a few points on EasyConnect:

Does EasyConnect work with any network switches other than Cisco?

How can ISE EasyConnect track a cache login of an AD user? Cache logins are not reflected in AD login audit logs.

ISE is Identity - so you can use the ISE log as audit logs; I am sure it gets data from your AD.

BB


hslai
Cisco Employee

> Does EasyConnect work with any network switches other than Cisco?

It might, but our teams validated only Cisco Catalyst switches.

> How can ISE EasyConnect track a cache login of an AD user? Cache logins are not reflected in AD login audit logs.

No. But, the WMI providers start with the last 1-hour historical events. EasyConnect works with WMI providers only today.
