Wired Guest redirection to an external captive portal ISE

adams pro
Level 1

Hi Guys,

I couldn't find the answer in previous community discussions or webinars, even though I saw one question about it, but no one replied.

Context: I'm in charge of deploying ISE on our head office network. We are currently in monitor mode, for 30 sites and 2k total endpoints (usually 1.3k concurrent endpoints), with profiling + TACACS licences activated. TEAP authentication for Windows computers. And working on EAP-TLS authentication for macOS users via MDM profile.

Problem: We want to create a default policy for computers that are not trusted. The policy would give access to the internet only. Management wants the guests to have the same user experience regardless of the connection type, Wi-Fi or wired. For the Wi-Fi we use a SaaS solution called cloudi-fi, which works with a splash page in sponsor mode. So we need to use the same on the wired network. But there is no integration between cloudi-fi and ISE, so even if we manage to give the cloudi-fi splash page to the connected guest, how would ISE know that the client is authenticated?

Possible solution: Push a guest VLAN from ISE, and find a way to configure DHCP or the firewall to send a splash page to the client. But I have never done this and can't think of a way to make it work.

If someone has a little idea of how I can resolve this problem, it would be great!

Environment: All Cisco switches: Catalyst 9200, 3650, 3850, 2960X running IOS 15.2 minimum. Infoblox DHCP.

Head office with 3-tier architecture for 30 sites. Routing is done via OSPF between the sites. Each site has a distribution switch connected to our 2 core switches, which are connected to our data center. We have a Palo Alto firewall that is the gateway for the guest VLANs. And for internet connectivity on corporate devices we use Zscaler proxy.

I found two other discussions that are kind of related but they do not answer my question. I put them here for reference:

Discussion 1

Discussion 2

Discussion 3

2 Replies

andrewswanson
Level 7

Have you considered Wired Guest Access using the WLC?

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-1/config-guide/b_wl_17_11_cg/wired-guest.html#config-access-switch-wired-guest-cli

I've not tried this myself and it looks like you have to trunk the wired guest VLAN from the access switch to the WLC.

hth
Andy

Hello Andrew, thanks for your reply!

We do not have a WLC, we only have Meraki and Aruba access points.

I found more information on another forum about guest access on Cisco switches where the last answer was:

"I got this working. You have to send a URL redirect and redirect ACL back to the switch from the initial auth. Once redirected, there has to be a separate service policy for a WebAuth (through Clearpass Guest portal). Once the WebAuth takes place, you should mark some attribute that they are a guest user and then role map based on that. On the re-auth, guest access should work.

Posted Aug 31, 2015 03:34 PM"

I'll try to tweak some settings on ISE to make this work.

I've never used a redirect ACL on a switch before, maybe that's why I feel a bit lost.

But again, if someone has a little idea, do not hesitate please.
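The mechanism quoted in the post above (redirect ACL plus URL redirect returned on the initial MAB authorization, web authentication on a portal, an attribute marking the endpoint as a guest, then a re-authorization) is what Cisco calls Central Web Authentication. On a Catalyst running IOS 15.2 or IOS-XE it maps to a redirect ACL configured on the switch and the `url-redirect` / `url-redirect-acl` Cisco AV pairs returned by ISE, followed by a RADIUS Change of Authorization. The fragment below is an added illustration written for this edit, not configuration taken from the thread, from ISE or from Cisco documentation; the ACL name, interface, the ISE PSN address 10.10.10.10, the authorization profile name and the portal URL placeholder are all assumptions.

```ios
! --- Switch side (IOS 15.2 / IOS-XE) --- added example, names and addresses assumed ---
! RADIUS server (ISE PSN, assumed 10.10.10.10) with CoA enabled so ISE can re-authorize
radius server ISE-PSN-1
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa server radius dynamic-author
 client 10.10.10.10 server-key <shared-secret>
!
! The switch itself answers the intercepted HTTP/HTTPS request and issues the redirect,
! so its HTTP server must be enabled.
ip http server
ip http secure-server
!
! Device tracking: the switch must learn the client IP, otherwise it cannot redirect.
! (IOS 15.2 syntax; on IOS-XE 16.x/17.x, e.g. the 9200, this is a device-tracking policy.)
ip device tracking
!
! Redirect ACL. On IOS/IOS-XE "permit" = traffic that IS redirected to the portal,
! "deny" = traffic passed through untouched. DNS, DHCP and the ISE PSN itself must be
! denied, otherwise the guest can never resolve or reach the portal.
ip access-list extended ACL-GUEST-REDIRECT
 deny   udp any any eq domain
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
 deny   ip  any host 10.10.10.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Access port: MAB first so an unknown (non-TEAP, non-EAP-TLS) endpoint still gets a
! session that ISE can authorize. "authentication open" matches the monitor-mode rollout
! described in the first post; it is removed when moving to closed mode.
interface GigabitEthernet1/0/10
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication open
 mab
 dot1x pae authenticator
!
! --- ISE side --- authorization profile "Guest-Redirect" (assumed name) returned on the
! first MAB hit, as an Access-Accept carrying:
!   Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<guest VLAN id>
!   cisco-av-pair = url-redirect-acl=ACL-GUEST-REDIRECT
!   cisco-av-pair = url-redirect=https://<portal-fqdn>:8443/portal/gateway?sessionId=SessionIdValue&action=cwa
! The switch substitutes the real session ID for SessionIdValue; the portal uses it to
! tie the web login to this RADIUS session.
!
! After the web login the endpoint is placed in a guest endpoint identity group and ISE
! sends a CoA (Reauthenticate) to the switch. The second MAB authorization then matches a
! rule such as "Wired_MAB AND EndPoints:IdentityGroup = GuestEndpoints" and returns the
! internet-only profile (guest VLAN, optional dACL allowing only DNS/DHCP and the firewall).
!
! Checks on the switch while testing:
!   show authentication sessions interface Gi1/0/10 details   (URL redirect and ACL applied)
!   show ip access-lists ACL-GUEST-REDIRECT                    (hit counts on permit lines)
!   show ip device tracking all                                (client IP learned)
```

Two caveats worth having in mind before copying this. First, the permit/deny semantics of the redirect ACL are inverted between Catalyst switches and AireOS wireless controllers, so an ACL copied from a WLC example will redirect nothing. Second, the CoA step is what answers the question in the first post: ISE re-authorizes the session only because its own portal marks the endpoint as a guest. With a portal ISE does not host, something still has to put the endpoint into the guest group (ISE's ERS endpoint API can do that) and trigger the re-authentication before the second authorization can succeed.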