I'm currently using ISE 1.2 to administer policy for two SSIDs. The first SSID is basically for domain devices only, and we utilize 802.1X and AD. Works great.
The second is currently utilizing the Sponsor Portal, and basically gives Internet-Only access to anybody with an e-mail address and who has a sponsor. In this way, we limited access and knew who was on our network, even though it was Internet Only. This access was intented for temps, contractors, and others who worked with us, but did not require access to domain devices or data.
Well, that's what the intent was. It seems that every once in a while, somebody with an AD computer from some other domain comes in and they are unable to utilize our SSID, because our requirement for a credential and their home domain's AD group policy are incompatible. Presumably, the policy in question is a restriction banning the ability for a computer to join an unknown infratsructure network, hidden deep inside Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network (IEEE802.11) Policies.
I can't really tell others that their GP is too restrictive, and I can't really feel good about having a completely open SSID.
Is there some middle ground? Am I overlooking something?