06-07-2016 04:22 AM
Hi team,
I have a use case where the customer has an open SSID used for guest and they are using CWA with ISE. Because this is a public place, when people walk by, their cell phones will automatically join the SSID; however, very few people actually have guest accounts. Every time a device associates with the SSID, this will consume a license on ISE. Is there any way to configure ISE such that a license will only be consumed if a user actually authenticates through the guest portal?
Thanks
06-07-2016 06:02 AM
To reduce impact, you can try setting a shorter session timeout or idle timeout in the web redirect policy.
Another method (preferred).
Restrict access by requiring authentication before contacting ISE.
Also encrypts guest traffic & protects DHCP scope
WLC 8.4 WPA-PSK supports URL-redirect and COA (RADIUS NAC)
You can also try 802.1X auth using PEAP to Guest database, or EAP-TTLS-PAP or EAP-GTC EAP methods to guest db.
For simple portals, local web auth (LWA) may be an option as it does not rely on MAB flow.
12-12-2017 01:58 PM
Hello Craig,
Can you please expand more on what you mean by "Restrict access by requiring authentication before contacting ISE.
Also encrypts guest traffic & protects DHCP scope"? How is this done on an Open SSID with CWA?
Thanks
12-12-2017 02:03 PM
Using WPA-PSK SSID, added in WLC 8.3 I believe.
12-12-2017 02:26 PM
OK, but this requires guests to know a PSK. I can see how that would keep the noise levels down.
Is there a movement towards Guest Wireless using pre-shared keys these days? Advantage is that traffic is encrypted.
12-12-2017 02:39 PM
Straight 802.1X is possible, but there are cases where the requirement is web auth, and the PSK could be a private key per user, or a shared key for all users connecting to the SSID to avoid incidental association. Private PSK (P-PSK) / Identity PSK (iPSK) is gaining momentum to address the many non-1X capable devices like IoT that need better security.