
Requirement for ISE not having the guest user credentials

ppsychog
Cisco Employee

Hi All,

I have a customer that wants to deploy sponsored guest access with ISE. They have one tricky requirement though: the guest-facing PSNs must not contain any user (neither guest nor sponsor) credentials.

I believe this can be done only by separating the sponsor-facing ISE and the guest-facing ISE, so two ISE deployments. The sponsor ISE has the sponsor and the guest information; the guest ISE acts as a RADIUS proxy between the NADs and the sponsor ISE:

NAD <-> Guest ISE (no network user database) <-> Sponsor ISE (guest user database)

Sponsors create guest users on the Sponsor ISE as usual; guest users get authenticated to the network via the Guest ISE proxying all authentication requests to the Sponsor ISE.

Question #1: Does this make sense or is there a better way to do it in ISE alone?

Question #2: Sponsor ISE should need only base licenses (required for guest management) and Guest ISE should need base and plus licenses, the latter if required for authorization policies for example. Is this right?

Regards,

Panos

Accepted Solutions

Jason Kunst
Cisco Employee

Sounds right.

Guest only needs base licenses. The sponsor deployment needs 100 licenses to activate the system. The guest deployment depends on how many active endpoints would be logged in at one time.

You only need Plus licensing if you're doing profiling or BYOD, for example. See the license guide on what Plus gives you.
