12-14-2012 04:10 AM - edited 03-10-2019 07:53 PM
Hi Guys,
I have a customer who current is using the cwa portal for guest access. Corporate use will be added in the future sometime next year.
Kit involved:
5508 - Internal (Inside Net)
5508 - Anchor (DMZ Net)
ISE - Inside Net
3600 APs
Presently, guest user connects, anchored to DMZ 5508, issued IP address from server in DMZ and DNS redirect to the web portal from same server. guest logs in and internet access through ASA and then content filtering box.
They want a solution whereby they do not have to use the portal for corporate user with their own devices such as ipads. I know BYOD is a possiblity but would involve using a CA server on the inside of the network. This is not something I'm keen as it opens a channel from the guest network directly to their AD infrastructure.
I'm leaning toward PEAP authentication atm using a GoDaddy SSL cert that is already installed. This would bypass the portal system and only involve client devices being configured once.
Is there any other option that would be simple to setup as this is on a limited timescale ?
Cheers,
Nick
12-14-2012 04:24 AM
Nick,
They want a solution whereby they do not have to use the portal for corporate user with their own devices such as ipads. I know BYOD is a possiblity but would involve using a CA server on the inside of the network. This is not something I'm keen as it opens a channel from the guest network directly to their AD infrastructure.
If you are referring to supplicant provisioning, the scep enrollment request is proxied from ISE and the private key and cert is transferred to the endpoint. This doesnt require your guest network having direct access to AD....just to ISE.
Tarik Admani
*Please rate helpful posts*
12-14-2012 04:37 AM
Thanks Tarik,
That's good to know. I'll propose that to them as an option.
N
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide