ISE Web Auth portal network placement for Guest wireless access

msrohman · ‎03-15-2018

H all,

Does anyone know why the placement of the Cisco ISE Web Auth portal is located within the internal network for this design guide below? Is that the preferred security design? Figure 21-4.

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Guest_Wireless_Access.html

I'm not sure if I can get company security-approval of this web auth portal being placed in our internal network. I believe this design would only get approved by placing the web-portal on a DMZ network.

Thanks.

Mike

Flavio Miranda · ‎03-15-2018

Hi

Well, ISE could be in a separate vlan and maybe it is, as its connections is not shown on the diagram. But I don't think it can pose any security risk but providing https portal on the data center.

The most important is that the guest traffic is on the DMZ.

Real scenario I have seeing is similar with the diagram.

-If I helped you somehow, please, rate it as useful.-

msrohman · ‎03-16-2018

Thanks Flavio. I guess I could see reasoning on putting the web auth portal on the DMZ. But it seems secure enough to place within the internal network,.

-Mike

RichardAtkin · ‎05-01-2018

It all comes down to your views on risk vs cost. Personally I've been putting a PSN out in the DMZ for this sort of thing as it feels the safest approach.

That said, there's nothing stopping you from putting the PSN on the inside of your network and leaking access to it, or you could even use multiple NICs on the PSN and span the DMZ FW so it has a NIC in both networks at the same time. However, in my humble opinion, 'here be dragons' - only do these if you are well aware of the risks.