We had a great #WirelessFriday on January 20, 2017! The topic was all about GUEST ACCESS. We answered questions such as: Is there a technical reason why guest access should be super easy? What kind of self-service guest authorization mechanisms are there? What would the guest experience be, and how is that managed on the back-end? If you weren’t able to join us live, you can watch the recording. Here are the questions that came up during the call and the responses from our panelists.
We heard from Robert Roulhac, Cisco Virtual Systems Engineer, Security Focus.
I would like to thank the following panelists:
- Allan Ross, Enterprise Networking CSE, Cisco
- Ben Edwards, Enterprise Networking CSE, Cisco
- AJ Shah, Enterprise Networking CSE, Cisco
Q1. How does SMS integration work?
A1. ISE uses an SMS gateway to forward SMS messages to the user.
Q2. Is there any way a guest can select or enter an email address for a sponsor?
A2. You can utilize a sponsor portal to create guest accounts for users. http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/sponsor_guide/b_spons_SponsorPortalUserGuide_21/Support_Guests.html
Q3. We have set up guest access in such a way that the sponsor has to create an account for the guest… Is there any way a guest can enter the email address of an employee and the employee gets an email to approve the guest request?
A3. Yes, Sponsors can also receive email notifications requiring their approval for self-registering guests. http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01110.html#task_1EAD5E171B7849EDA41
Q4. What if you don’t use ISE but currently have a guest anchor. Does this merge easily?
A4. The deployment of ISE would be identical on a primary or a guest anchor controller.
Q5. To clarify which is easier. Today I have an anchor what’s the advantage of ISE?
A5. ISE provides the same functionality on a guest anchor as it would on an internal controller.
Q6. Does ISE integrate with Meraki?
A6. Yes, it does. Please see https://communities.cisco.com/docs/DOC-68192
Q7. The guest service could then be provided on both the Meraki network and Corp HQ WLC?
A7. Yes, Meraki is just another Network Access Device (NAD) in ISE.
Q8. Is it best practice to keep SSIDs to a minimum, in the 3-4 range?
A8. Yes, the fewer the better. Each SSID requires management overhead of airtime. Management frames are sent at the lowest set data rate and eat valuable airtime for data to clients. https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Multi-SSID_Deployment_Considerations
Q9. In a non-anchor deployment, the ACLs would have to allow guest traffic to reach the corporate authentication server (ISE), correct?
A9. That is correct for redirect. To clarify, data traffic does not traverse the corporate network, only the webauth redirect for authentication.
Q10. Does the auto-WLC-configuration script also configure url redirection for https?
A10. The redirect URL is passed from ISE to the WLC via RADIUS when the user associates.
Q11. Can the guest provisioning be utilized against an existing SSID?
A11. Yes, once the WLC is integrated with ISE.
Q12. What impact do WLC timeout settings have?
A12. Authorization timeouts should be set in ISE and not in the WLC. If you are using ISE, it is advised to remove the session timeout values from the WLC.
Q13. Isn't there a security concern allowing 80 or 443 to ISE from guest endpoints?
A13. ISE is a hardened appliance. Access is controlled via the pre-auth ACL to only the ports the ACL allows.
Q14. Does the ISE guest SSID provisioning create the ACL on the WLC also?
A14. Using the guest wizard in ISE 2.2, it will be provisioned on the WLC via the wizard. Before ISE 2.2 the ACL will have to be manually configured.
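The following is an added example (not code from Cisco, ISE or the panelists) illustrating the point made in A9, A13 and A14: the pre-authentication ACL that ISE references for an unauthenticated guest session should only let the endpoint reach DHCP, DNS and the ISE guest portal port, with everything else denied until the guest authenticates. It models first-match ACL evaluation in Python and compares a tight ACL with an over-permissive one that opens every port on the ISE node. The addresses, the resolver and the 10.x networks are constructed sample values; 8443 is the default ISE guest portal port.

```python
"""Model of a WLC pre-authentication (redirect) ACL for an ISE guest SSID.

Added example, not Cisco's or ISE's code. Before a guest authenticates,
the ACL applied to the session should only permit DHCP, DNS and the ISE
guest portal; all other traffic is denied (web traffic is redirected to
the portal). All addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses (assumptions, not taken from the page).
ISE_PSN = "10.10.10.5"        # ISE policy service node hosting the guest portal
DNS_RESOLVER = "10.10.10.53"  # resolver handed out to guests by DHCP
ISE_PORTAL_PORT = 8443        # default ISE guest portal port


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "udp", "tcp" or "any"
    dst: str        # destination network in CIDR form
    dports: tuple   # permitted destination ports; empty tuple means any port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int


def matches(rule, flow):
    """True when the flow's protocol, destination and port all fit the rule."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dst):
        return False
    return not rule.dports or flow.dst_port in rule.dports


def evaluate(acl, flow):
    """First-match evaluation with an implicit deny at the end, as on a WLC ACL."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Tight pre-auth ACL: only what the guest needs to get addressed and redirected.
PRE_AUTH_ACL = [
    Rule("permit", "udp", "0.0.0.0/0", (67, 68)),                 # DHCP
    Rule("permit", "udp", f"{DNS_RESOLVER}/32", (53,)),           # DNS to our resolver only
    Rule("permit", "tcp", f"{ISE_PSN}/32", (ISE_PORTAL_PORT,)),   # ISE guest portal
    # implicit deny covers the corporate network and the internet
]

# Over-permissive variant: opens every port on the ISE node, which is what
# A13 warns against by limiting access to the ports the ACL allows.
LOOSE_ACL = [
    Rule("permit", "udp", "0.0.0.0/0", (67, 68)),
    Rule("permit", "udp", f"{DNS_RESOLVER}/32", (53,)),
    Rule("permit", "any", f"{ISE_PSN}/32", ()),
]


def ports_exposed_on(acl, host, probe_ports=(22, 80, 443, 8443, 1812, 9060)):
    """Audit helper: which probed TCP ports a pre-auth guest could reach on host."""
    return sorted(p for p in probe_ports
                  if evaluate(acl, Flow("tcp", host, p)) == "permit")


if __name__ == "__main__":
    for name, acl in (("tight", PRE_AUTH_ACL), ("loose", LOOSE_ACL)):
        print(f"{name:5} ACL exposes on ISE: {ports_exposed_on(acl, ISE_PSN)}")
    print("guest -> corporate file server:",
          evaluate(PRE_AUTH_ACL, Flow("tcp", "10.20.0.15", 445)))
```

Running the script shows the tight ACL exposing only port 8443 on the ISE node while the loose one exposes every probed port; traffic from the guest to an internal host is denied by the implicit deny in both cases, which is the behaviour A9 describes (only the redirect reaches ISE, guest data never traverses the corporate network).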