
ISE Guest Authorization

kamlenegi
Level 1

Hi All,

Can someone assist me with ISE design for guest user authorization?

Requirement:

1. Individual guest user authorization through ISE: each guest should have different access as per requirement. Is it possible? If yes, then how can we achieve it? Only the base license is purchased.

Thanks

Kamlesh

9 Replies

Jatin Katyal
Cisco Employee

With the base license, you can use the guest feature on ISE.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0111.html

You can give different access based on the guest types:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01111.html#concept_921E58BE513A4E6EABEEDF380391A7A3

- Jatin

Thanks Jatin,

So we can use only a single SSID for guests and give authorization depending on the guest user's group.

Is it possible in a FlexConnect environment? If not, then what would be the other options for remote location users?

Thanks Kamlesh

Here you go:

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html#anc5

- Jatin

Hi Jatin,

Can you help me? I am stuck on wireless FlexConnect integration with ISE 2.0.

Requirement: The SSID (Corporate) requires access only from domain machines, with the VLAN tag from ISE.

Problem: When connecting a machine, it takes an IP from the VLAN mapped in the FlexConnect group in the WLC, and ISE shows authorization succeeded with the matching condition and result. However, I have configured a different VLAN ID in ISE for tagging.

It looks like FlexConnect overrides ISE policies.

Can you suggest what needs to be configured in the WLC? I have configured AAA (ISE IP) and NAC RADIUS in the Advanced tab.

Thanks

Kamlesh

nspasov
Cisco Employee

Absolutely, you can place guest users in different groups within ISE or configure different AD groups for guests and then use DACLs, named ACLs, etc. to provide different access.

I hope this helps!

Thank you for rating helpful posts!

kamlenegi
Level 1

Hi Neno,

Can I use a proxy at the time of guest user authentication (wired and wireless web-auth)?

How is it possible?

Kamlesh

This procedure describes how to change the port the controller listens on to the port the proxy server is listening on.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/116052-config-webauth-proxy-00.html#anc6

HTH

- Jatin

Thanks Jatin,

It will help me to freeze the ISE solution.

Thanks

Kamlesh

You bet!

~Jatin