
ISE wireless guest flow design

ahmedfouad
Level 1

Hello,

I have ISE version 2.3, and we need to deploy a Guest portal for wireless users. I have the below business requirements and need to know if ISE can satisfy them:

1- Self-registration for wireless guests, supplying their mobile no.

2- ISE checks whether that mobile no. is already in the AD group of employees; if found, it denies the user, texting "please use the employee SSID instead of guest".

3- If the mobile no. is not found in the AD group, it allows self-registration.

Thanks for your support
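The three requirements above, worked as a standalone check. This is an added example, not code from the post and not a Cisco ISE feature; the thread does not settle whether the ISE self-registration portal can perform such a lookup itself, so the script only shows what the lookup involves wherever it ends up hosted. The employee group DN, the default country code, the ldap3 connection details and the sample directory entries are all assumptions.

```python
"""Mobile-number check for a guest self-registration flow.

Added example; it is not code from the thread and not a Cisco ISE feature.
It models the asker's three requirements: take the mobile number a guest
typed into the self-registration form, see whether it belongs to a member
of the AD employee group, deny with a message if it does, otherwise let
registration continue. Group DN, country code and the directory entries
are constructed assumptions.
"""
import re

EMPLOYEE_GROUP_DN = "CN=Employees,OU=Groups,DC=example,DC=com"  # assumed
DEFAULT_COUNTRY_CODE = "20"  # assumed: a number typed as 01x... is local
DENY_MESSAGE = "Please use the Employee SSID instead of Guest."

# Constructed sample of what AD returns; note the mix of formats in 'mobile'.
SAMPLE_EMPLOYEES = [
    {"sAMAccountName": "amina", "mobile": "+20 10 1234 5678"},
    {"sAMAccountName": "khaled", "mobile": "01098765432"},
    {"sAMAccountName": "sara", "mobile": "0020-11-2233-4455"},
    {"sAMAccountName": "noor", "mobile": None},  # no number recorded
]


def normalize_msisdn(raw, country_code=DEFAULT_COUNTRY_CODE):
    """Canonicalise a phone number to E.164 digits without '+', or None.

    The AD 'mobile' attribute is free text, so the portal input and every
    directory value must be canonicalised the same way; a plain string
    compare would both miss employees and falsely deny guests.
    """
    digits = re.sub(r"[^0-9+]", "", raw or "")
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = country_code + digits[1:]
    if not digits.isdigit() or not 8 <= len(digits) <= 15:
        return None
    return digits


def employee_mobile_index(entries):
    """Map normalised mobile -> sAMAccountName for every employee entry."""
    index = {}
    for entry in entries:
        number = normalize_msisdn(entry.get("mobile"))
        if number:
            index[number] = entry["sAMAccountName"]
    return index


def decide_registration(submitted_mobile, entries):
    """Return (allowed, message, matched_account) for one registration attempt.

    The untrusted form value never goes into an LDAP filter: the directory
    is read with the constant filter in fetch_employees_ldap3 and compared
    in code, which keeps LDAP-filter injection out of this check.
    """
    number = normalize_msisdn(submitted_mobile)
    if number is None:
        return False, "Mobile number is not valid.", None
    account = employee_mobile_index(entries).get(number)
    if account:
        return False, DENY_MESSAGE, account
    return True, "Registration allowed.", None


def fetch_employees_ldap3(server_uri, bind_user, bind_password, base_dn):
    """Read the employee group's mobile numbers from AD with ldap3.

    Not exercised offline; it is the part that replaces SAMPLE_EMPLOYEES in
    a real deployment. Only constants go into the search filter.
    """
    from ldap3 import Server, Connection, SUBTREE  # lazy: only needed live

    conn = Connection(Server(server_uri, use_ssl=True), bind_user,
                      bind_password, auto_bind=True)
    conn.search(base_dn,
                f"(&(objectCategory=person)(memberOf={EMPLOYEE_GROUP_DN}))",
                SUBTREE, attributes=["sAMAccountName", "mobile"])
    return [{"sAMAccountName": e.sAMAccountName.value,
             "mobile": e.mobile.value} for e in conn.entries]


if __name__ == "__main__":
    for raw in ["+201012345678", "0109 876 5432", "+44 7700 900123", "abc"]:
        print(raw, "->", decide_registration(raw, SAMPLE_EMPLOYEES))
```

Two practical caveats. AD mobile values are free text, so both sides are canonicalised before comparison rather than searched with the raw string. And the deny message confirms to whoever typed the number that it belongs to an employee, so the portal should throttle registration attempts per source address.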

Accepted Solution

Here is how I approach this discussion with customers.

1) Typically the employee can use the Internet on the mobile device using the cellular network.

2) They usually want to jump on guest wireless to save on cellular data downloads or get better Internet speeds.

3) Most often there is nothing on the internal network the mobile device needs to access. Being that they are mobile, all the services they need to get to are typically available over the Internet.

4) If you aren't using an MDM to securely install certificates onto the mobile devices and are allowing them to connect to the internal SSID with PEAP AD user credentials, you are opening up a security hole in your design, or you would have to be very careful about how you qualify the device to be on the network.

Some of the above may not be true in your case. I discourage all my customers from connecting mobile devices to the internal network unless there is a very specific use case.



5 Replies

paul
Level 10

Why would they want the employee mobile devices on the Employee SSID? Are they MDM managed?

 

I know this doesn't answer your question, but part of our job as ISE engineers is to find a gentle way to tell customers "What you are asking for is silly and you don't want to do that."  I spend quite a bit of time saying that nicely to customers.

Hello Paul,

We have the Employee SSID tied to an AD group; every employee has a record in AD with a mobile number.

So I would like to use this attribute to make sure that anybody who needs to register on the Guest SSID is not an official employee.

But does the Employee SSID have internal access to the network or is it just a more secure form of guest?


Internal access. If guest is accessible by employees, usually they will use it as another way to access the Internet and use the SMS service in an abnormal way.
