03-29-2023 04:52 AM
I am currently implementing a PoC for an ISE guest solution. I got the question from the clients if it is possible to secure the SSID additionally with a PSK, so that the traffic from client to AP is encrypted as well.
Do you know if this works? Or is the traffic encrypted after a successful login anyway and only the first time to the guest portal is not encrypted? The WLC has Flex Connect configured.
03-29-2023 05:34 AM
If you don't have security like PSK on the WLAN, the link between the Client and the AP is unencrypted. The traffic from the Client to the ISE is always HTTPS and encrypted. The rest of the user traffic is whatever it is, encrypted or unencrypted. The WLAN-Security only defines the link between client and AP.
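The answer above can be checked on the air: on an open SSID the 802.11 data frames carry the Protected Frame bit cleared and the LLC/SNAP header, EtherType and IP packet follow the MAC header in the clear, while on a PSK (WPA2-CCMP) WLAN the bit is set and the body starts with a CCMP header followed by ciphertext. The following script is an added example, not code from the original thread or from Cisco; it parses raw 802.11 frames (radiotap header already stripped), reports whether each data frame is protected, and counts how many of a capture's data frames were sent in cleartext. The two frames it works on are constructed inline for the example, not captured from a real network.

```python
"""
Inspect raw 802.11 data frames and report whether the over-the-air body is
protected (encrypted between client and AP) or sent in the clear.

Assumptions: frames have no radiotap header, protected frames use CCMP
(WPA2), and the sample frames below are constructed, not captured.
"""
import struct

FC_TYPE_DATA = 2
LLC_SNAP = bytes.fromhex("aaaa03000000")   # LLC/SNAP prefix on open data bodies


def parse_frame(frame: bytes) -> dict:
    """Summarise one raw 802.11 frame: type, Protected bit, and what the body holds."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a minimal 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3          # Frame Control: type in bits 2-3
    subtype = (fc0 >> 4) & 0xF        # subtype in bits 4-7
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)      # Protected Frame bit (bit 6 of second FC byte)

    hdr_len = 24
    if to_ds and from_ds:
        hdr_len += 6                  # 4-address (WDS) frame carries addr4
    if ftype == FC_TYPE_DATA and subtype & 0x8:
        hdr_len += 2                  # QoS Data subtypes carry a QoS Control field
    body = frame[hdr_len:]

    info = {
        "type": ftype,
        "subtype": subtype,
        "protected": protected,
        "addr1": frame[4:10].hex(":"),
        "addr2": frame[10:16].hex(":"),
    }
    if ftype != FC_TYPE_DATA:
        info["note"] = "management/control frame; carries no user data"
        return info

    if protected:
        # CCMP header: PN0 PN1 rsvd KeyID/ExtIV PN2 PN3 PN4 PN5 (8 bytes), then ciphertext
        key_id = (body[3] >> 6) & 0x3
        ext_iv = bool(body[3] & 0x20)
        info.update({
            "cipher_header": "CCMP" if ext_iv else "WEP/unknown",
            "key_id": key_id,
            "payload": "ciphertext",
        })
    elif body[:6] == LLC_SNAP:
        # Open WLAN: EtherType and the IP packet are readable by anyone in range,
        # regardless of whether the guest has passed the portal yet.
        info["ethertype"] = struct.unpack("!H", body[6:8])[0]
        info["payload"] = "cleartext"
    return info


def cleartext_data_frames(frames) -> tuple:
    """Return (unprotected data frames, total data frames) for a list of raw frames."""
    data = [parse_frame(f) for f in frames]
    data = [d for d in data if d["type"] == FC_TYPE_DATA]
    clear = sum(1 for d in data if not d["protected"])
    return clear, len(data)


def _qos_data_header(fc1: int) -> bytes:
    """Constructed 26-byte QoS Data header: FC, duration, 3 addresses, seq, QoS ctrl."""
    return (bytes([0x88, fc1]) + b"\x00\x00"
            + bytes.fromhex("0011223344aa")   # addr1: BSSID (AP)
            + bytes.fromhex("66778899bbcc")   # addr2: client station
            + bytes.fromhex("ddeeff001122")   # addr3: destination
            + b"\x10\x00"                     # sequence control
            + b"\x00\x00")                    # QoS control


# Constructed sample frames (client -> AP, ToDS set). Not real captures.
OPEN_FRAME = (_qos_data_header(0x01) + LLC_SNAP + b"\x08\x00"   # EtherType IPv4
              + b"\x45\x00\x00\x28" + b"\x00" * 36)              # start of an IPv4 header
PSK_FRAME = (_qos_data_header(0x41)                              # ToDS + Protected
             + bytes.fromhex("0100002000000000")                 # CCMP header, KeyID 0
             + bytes(range(40)))                                 # opaque ciphertext


if __name__ == "__main__":
    for name, frame in (("open SSID", OPEN_FRAME), ("PSK SSID", PSK_FRAME)):
        print(name, parse_frame(frame))
    print("cleartext data frames:", cleartext_data_frames([OPEN_FRAME, PSK_FRAME]))
```

Run against a real capture, feed the script the frames from a monitor-mode trace with the radiotap header removed; on an open guest SSID every data frame shows `protected: False` and an EtherType, before and after the portal login, which is exactly why only the HTTPS session to the portal itself is protected there. Note that the script only tells you whether the link layer is encrypted: with PSK, anyone who knows the shared key and captures the client's 4-way handshake can still derive that client's session key, so a shared guest PSK raises the bar but is not equivalent to per-user keys.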
03-29-2023 05:18 AM
The usage of the ISE guest portal is completely independent of your choice of WLAN security. Yes, you can enable PSK security if you want. This security is used throughout the user session, before and after the authentication on the guest portal. Only the assigned authorisation (VLAN, ACL, SGT) can change if you want.
03-29-2023 05:24 AM
After successful login to the guest portal, is the traffic then end-to-end encrypted if I do not activate PSK? Can anyone tell me this?
03-29-2023 08:21 AM
Sometimes overdoing it makes the user experience really bad. If you take a look at your guest users, do you think they want to have to connect to a guest network that they need to enter a crazy PSK and then go through a portal page? If you have users that are young, they might not mind, but older folks will not want to do that because it's a pain in their a$$. Best way is to test that out, have some non-technical customer employees try to access the guest and get feedback. I remember when we were deploying guest and the business wanted the users to have the best experience and even navigating through the portal with a mobile phone was not welcomed. They decided to just have an open SSID and the feedback from guest users was exactly what they wanted. The process was easy and fast.
03-29-2023 10:26 PM
Thank you for the comment. I completely agree with you on this, but the decision on how to implement it lies with someone else. At the presentation I will have to say what is possible and what I would recommend. How the decision will turn out, I can't say yet.