Sponsor Portal Alternatives

David Fitzgerald · ‎10-28-2014

I'm currently using ISE 1.2 to administer policy for two SSIDs. The first SSID is basically for domain devices only, and we utilize 802.1X and AD. Works great.

The second is currently utilizing the Sponsor Portal, and basically gives Internet-Only access to anybody with an e-mail address and who has a sponsor. In this way, we limited access and knew who was on our network, even though it was Internet Only. This access was intented for temps, contractors, and others who worked with us, but did not require access to domain devices or data.

Well, that's what the intent was. It seems that every once in a while, somebody with an AD computer from some other domain comes in and they are unable to utilize our SSID, because our requirement for a credential and their home domain's AD group policy are incompatible. Presumably, the policy in question is a restriction banning the ability for a computer to join an unknown infratsructure network, hidden deep inside Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network (IEEE802.11) Policies.

I can't really tell others that their GP is too restrictive, and I can't really feel good about having a completely open SSID.

Is there some middle ground? Am I overlooking something?

nspasov · ‎10-29-2014

You are not missing anything. If the users are not admins on those computers then GPO and Windows Security is doing its job :) I used to do something similar in my previous job where there was a requirement that corporate owned PCs were not allowed on the Guest network. I used to push "Fake/Incorrect" security settings for the Guest SSID via GPO. As a result, the corporate PCs could not join the Guest SSID since the settings were incorrect and they could not manually add it since the SSID with that name already existed.

Hope this helps!

Thank you for rating helpful posts!

David Fitzgerald · ‎10-29-2014

Hi Neno,

That's kind of what I thought. My users have no need for the Open SSID, because their domain machines automaticaly authenticate to the other SSID. They do use it for BYOD access. The problem is when we work with some OTHER company with overly torqued down GP, they cannot get in to our network when they are on-site with their domain machines, and it becomes my problem.

So I'm documenting the process to make sure that the GP is the issue, and looking for an alternative if that is the case. best I can thnk of is an unadvertised SSID that is completely open and internet only.

nspasov · ‎10-30-2014

I totally understand your point when you say that "it becomes your problem" :) Nobody likes security but everyone wants it. Now with that being said, if the SSID is "Open" can these laptops connect to it? If yes, I believe that there is a setting in GPO that can prevent users from connecting to any other SSIDs besides the ones configured in GPO, thus you would still face the same problem. Also, the "not advertising" the SSID will not provide you with any additional security measures. The word will get out and you will see how everyone now is starting to use it :) Perhaps what you can do is make it less attractive by throttling the bandwidth and/or use some sort of a web filter and block sites like facebook, youtube, etc.

Just some food for thought :)

Thank you for rating helpful posts!

David Fitzgerald · ‎10-30-2014

I'm open to a policy change that will allow particular MACs to get in automatically, so that seems to require a self-service portal, and possbly a new SSID.

Both of my current SSIDs require a credentials. The internal requires user and machine, and the internet-only requires a valid e-mail address.