ISE - Guest Access (without portal)

n.lavender
Level 1

Hi Guys,

I have a customer who is currently using the CWA portal for guest access. Corporate use will be added in the future, sometime next year.

Kit involved:

5508 - Internal (Inside Net)

5508 - Anchor (DMZ Net)

ISE - Inside Net

3600 APs

Presently, guest user connects, anchored to DMZ 5508, issued IP address from server in DMZ and DNS redirect to the web portal from same server. Guest logs in and internet access through ASA and then content filtering box.

They want a solution whereby they do not have to use the portal for corporate users with their own devices such as iPads. I know BYOD is a possibility but would involve using a CA server on the inside of the network. This is not something I'm keen on as it opens a channel from the guest network directly to their AD infrastructure.

I'm leaning toward PEAP authentication atm using a GoDaddy SSL cert that is already installed. This would bypass the portal system and only involve client devices being configured once.

Is there any other option that would be simple to set up, as this is on a limited timescale?

Cheers,

Nick

2 Replies

Tarik Admani
VIP Alumni

Nick,

They want a solution whereby they do not have to use the portal for corporate users with their own devices such as iPads. I know BYOD is a possibility but would involve using a CA server on the inside of the network. This is not something I'm keen on as it opens a channel from the guest network directly to their AD infrastructure.

If you are referring to supplicant provisioning, the SCEP enrollment request is proxied from ISE and the private key and cert are transferred to the endpoint. This doesn't require your guest network having direct access to AD... just to ISE.

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

That's good to know. I'll propose that to them as an option.

N