Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3350
Views
2
Helpful
5
Replies

Prevent ISE from consuming a license or IP address on OPEN Guest Network

Go to solution
acoyle
Level 1
Level 1

‎06-07-2016 04:22 AM

Hi team,

I have a use case where the customer has an open SSID used for guest and they are using CWA with ISE. Because this is a public place, when people walk by, their cell phones will automatically join the SSID; however, very few people actually have guest accounts. Every time a device associates with the SSID, this will consume a license on ISE. Is there any way to configure ISE such that a license will only be consumed if a user actually authenticates through the guest portal?

Thanks

1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎06-07-2016 06:02 AM

To reduce impact, you can try setting shorter session timeout or idle timeout in web redirect policy.

Another method (preferred).

Restrict access by requiring authentication before contacting ISE.

Also encrypts guest traffic & protects DHCP scope

WLC 8.4 WPA-PSK supports URL-redirect and COA (RADIUS NAC)

You can also try 802.1X auth using PEAP to Guest database, or EAP-TTLS-PAP or EAP-GTC EAP methods to guest db.

For simple portals, local web auth (LWA) may be an option as it does not rely on MAB flow.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Craig Hyps
Level 10
Level 10

‎06-07-2016 06:02 AM

To reduce impact, you can try setting shorter session timeout or idle timeout in web redirect policy.

Another method (preferred).

Restrict access by requiring authentication before contacting ISE.

Also encrypts guest traffic & protects DHCP scope

WLC 8.4 WPA-PSK supports URL-redirect and COA (RADIUS NAC)

You can also try 802.1X auth using PEAP to Guest database, or EAP-TTLS-PAP or EAP-GTC EAP methods to guest db.

For simple portals, local web auth (LWA) may be an option as it does not rely on MAB flow.

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Craig Hyps

‎12-12-2017 01:58 PM

Hello Craig

can you please expand more on what you mean by "Restrict access by requiring authentication before contacting ISE.

Also encrypts guest traffic & protects DHCP scope" ?  How is this done on an Open SSID with CWA?

thanks

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Arne Bier

‎12-12-2017 02:03 PM

Using wpa-psk SSID added in WLC 8.3 I believe

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Jason Kunst

‎12-12-2017 02:26 PM

ok but this requires guests to know a PSK.  I can see how that would keep the noise levels down.

Is there a movement towards Guest Wireless using pre shared keys these days?  Advantage is that traffic is encrypted.

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to Arne Bier

‎12-12-2017 02:39 PM

Straight 802.1X is possible, but there are cases where requirement is web auth, and the PSK could be private key per user, or a shared key for all users connecting to SSID to avoid incidental association.  Private PSK (P-PSK) / Identity PSK (iPSK) is gaining momentum to address the many non-1X capable devices like IoT that need better security.

Customers Also Viewed These Support Documents