cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2815
Views
2
Helpful
5
Replies

Prevent ISE from consuming a license or IP address on OPEN Guest Network

acoyle
Beginner
Beginner

Hi team,

I have a use case where the customer has an open SSID used for guest and they are using CWA with ISE. Because this is a public place, when people walk by, their cell phones will automatically join the SSID; however, very few people actually have guest accounts. Every time a device associates with the SSID, this will consume a license on ISE. Is there any way to configure ISE such that a license will only be consumed if a user actually authenticates through the guest portal?

Thanks

1 Accepted Solution

Accepted Solutions

Craig Hyps
Advocate
Advocate

To reduce impact, you can try setting shorter session timeout or idle timeout in web redirect policy.

Another method (preferred).

Restrict access by requiring authentication before contacting ISE.

Also encrypts guest traffic & protects DHCP scope

WLC 8.4 WPA-PSK supports URL-redirect and COA (RADIUS NAC)

You can also try 802.1X auth using PEAP to Guest database, or EAP-TTLS-PAP or EAP-GTC EAP methods to guest db.

For simple portals, local web auth (LWA) may be an option as it does not rely on MAB flow.

View solution in original post

5 Replies 5

Craig Hyps
Advocate
Advocate

To reduce impact, you can try setting shorter session timeout or idle timeout in web redirect policy.

Another method (preferred).

Restrict access by requiring authentication before contacting ISE.

Also encrypts guest traffic & protects DHCP scope

WLC 8.4 WPA-PSK supports URL-redirect and COA (RADIUS NAC)

You can also try 802.1X auth using PEAP to Guest database, or EAP-TTLS-PAP or EAP-GTC EAP methods to guest db.

For simple portals, local web auth (LWA) may be an option as it does not rely on MAB flow.

Hello Craig

can you please expand more on what you mean by "Restrict access by requiring authentication before contacting ISE.

Also encrypts guest traffic & protects DHCP scope" ?  How is this done on an Open SSID with CWA?

thanks

Using wpa-psk SSID added in WLC 8.3 I believe

ok but this requires guests to know a PSK.  I can see how that would keep the noise levels down.

Is there a movement towards Guest Wireless using pre shared keys these days?  Advantage is that traffic is encrypted.

Straight 802.1X is possible, but there are cases where requirement is web auth, and the PSK could be private key per user, or a shared key for all users connecting to SSID to avoid incidental association.  Private PSK (P-PSK) / Identity PSK (iPSK) is gaining momentum to address the many non-1X capable devices like IoT that need better security.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: