Beginner

Prevent ISE from consuming a license or IP address on OPEN Guest Network

Hi team,

I have a use case where the customer has an open SSID used for guest and they are using CWA with ISE. Because this is a public place, when people walk by, their cell phones will automatically join the SSID; however, very few people actually have guest accounts. Every time a device associates with the SSID, this will consume a license on ISE. Is there any way to configure ISE such that a license will only be consumed if a user actually authenticates through the guest portal?

Thanks

Accepted Solutions
Advocate

Re: Prevent ISE from consuming a license on an open SSID

To reduce impact, you can try setting a shorter session timeout or idle timeout in the web redirect policy.

Another method (preferred).

Restrict access by requiring authentication before contacting ISE.

Also encrypts guest traffic & protects DHCP scope

WLC 8.4 WPA-PSK supports URL-redirect and COA (RADIUS NAC)

You can also try 802.1X auth using PEAP to Guest database, or EAP-TTLS-PAP or EAP-GTC EAP methods to guest db.

For simple portals, local web auth (LWA) may be an option as it does not rely on MAB flow.

VIP Advocate

Re: Prevent ISE from consuming a license on an open SSID

Hello Craig,

Can you please expand more on what you mean by "Restrict access by requiring authentication before contacting ISE.

Also encrypts guest traffic & protects DHCP scope"? How is this done on an Open SSID with CWA?

Thanks

Cisco Employee

Re: Prevent ISE from consuming a license or IP address on OPEN Guest Network

Using WPA-PSK SSID, added in WLC 8.3 I believe.

VIP Advocate

Re: Prevent ISE from consuming a license or IP address on OPEN Guest Network

OK, but this requires guests to know a PSK. I can see how that would keep the noise levels down.

Is there a movement towards Guest Wireless using pre-shared keys these days? Advantage is that traffic is encrypted.

Advocate

Re: Prevent ISE from consuming a license on an open SSID

Straight 802.1X is possible, but there are cases where the requirement is web auth, and the PSK could be a private key per user, or a shared key for all users connecting to the SSID to avoid incidental association. Private PSK (P-PSK) / Identity PSK (iPSK) is gaining momentum to address the many non-1X capable devices like IoT that need better security.