Encryption ISE Guest Portal

mgollob
Level 1

I am currently implementing a PoC for an ISE guest solution. I got the question from the clients if it is possible to secure the SSID additionally with a PSK, so that the traffic from client to AP is encrypted as well.

 

Do you know if this works? Or is the traffic encrypted after a successful login anyway and only the first time to the guest portal is not encrypted? The WLC has Flex Connect configured.

 

1 Accepted Solution


If you don't have security like PSK on the WLAN, the link between the Client and the AP is unencrypted. The traffic from the Client to the ISE is always HTTPS and encrypted. The rest of the user traffic is whatever it is, encrypted or unencrypted. The WLAN-Security only defines the link between client and AP.


6 Replies

The usage of the ISE guest portal is completely independent of your choice of WLAN security. Yes, you can enable PSK security if you want. This security is used throughout the user session, before and after the authentication on the guest portal. Only the assigned authorisation (VLAN, ACL, SGT) can change if you want.

mgollob
Level 1

After successful login to the guest portal, is the traffic then end-to-end encrypted if I do not activate PSK? Can anyone tell me this?

 

If you don't have security like PSK on the WLAN, the link between the Client and the AP is unencrypted. The traffic from the Client to the ISE is always HTTPS and encrypted. The rest of the user traffic is whatever it is, encrypted or unencrypted. The WLAN-Security only defines the link between client and AP.

Scott Fella
Hall of Fame

Sometimes overdoing it makes the user experience really bad. If you take a look at your guest users, do you think they want to have to connect to a guest network where they need to enter a crazy PSK and then go through a portal page? If you have users that are young, they might not mind, but older folks will not want to do that because it's a pain in their a$$. Best way is to test that out, have some non-technical customer employees try to access the guest and get feedback. I remember when we were deploying guest and the business wanted the users to have the best experience and even navigating through the portal with a mobile phone was not welcomed. They decided to just have an open SSID and the feedback from guest users was exactly what they wanted. The process was easy and fast.

-Scott
*** Please rate helpful posts ***

Thank you for the comment. I completely agree with you on this, but the decision on how to implement it lies with someone else. At the presentation I will have to say what is possible and what I would recommend. How the decision will turn out, I can't say yet.

 
