
Guest wifi becomes OPEN after the NAC is set from NONE to ISE NAC

Weezy-F
Level 1

Hi All,

 

I'm just a newbie on Cisco wireless. We have guest users that can't connect to our guest wifi using the UN and PW we provided, and when they log in it was loading only.

 

After doing some research I found this. I went to our WLC and set the NAC settings from NONE to ISE NAC, and it allows the guest users to connect without entering the credentials. Our local IT said that the guest wifi shows as not secured and open. I set the settings of NAS back to NONE and rebooted the WLC, and the issue still persists. I did check our ACL web redirect and ISE policy and it's all there. The problem is it's not generating logs anymore. I need your help.

 

I'm thinking it's open now, should I disable the guest wifi SSID?

 


 

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216191-troubleshoot-common-cisco-ise-guest-acce.html

 

https://community.cisco.com/t5/wireless/what-does-nac-state-do/td-p/3859969

 

 

 


marce1000
Hall of Fame

 

@Weezy-F What type of wireless controller and software version are you using?

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

We are using AIR-CT3504-K9


 

Saikat Nandy
Cisco Employee


The insecure is due to the SSID using open authentication; captive portals are this way. You would need to set the SSID to OWE, which may have client support issues.

Other options are to change to WPA2/3 Enterprise and use EAP-PEAP authentication.


Hi Haydn,

So I just found out that when I compare the settings of all of our WLCs in APAC sites, the guest wifi NAC setting is set to ISE NAC. This will allow the users to enter the UN and PW once only and will automatically connect them. Also, I notice the other guest wifi on other APAC sites are open too, so it's safe I think, as we have MAC filtering and policy, web-auth redirect and policies on Cisco ISE.

 

But right now we are having an issue again: the local IT said new guest users can't connect on the WLC again, so I set the NAC to NONE and it allows them to connect again, which is weird lol.

I did send you a private message, please check.

 
