ISE Blacklist application

descalante2007
Level 1

My customer is requesting us something I am not very sure is possible.

The request is to prevent employees from using the devices provided by the corporation to get internet access through the Wireless Guest Service. Currently the Guest Service is already working and is totally open (no restrictions to any service, page, or whatever). The employees have access to the Internet through a separate link with many restrictions; basically they can access only pages and services approved to be business related (no news, no chatting, no downloading software, etcetera). The sponsor portal for the guest service will be set to allow any employee (using AD credentials) to create guest accounts for visitors, contractors, suppliers, etc. So the IT management is worried about preventing the employees from creating guest accounts for themselves and bypassing all the restrictions they have in the corporate internet access.

The basic idea is to create a blacklist with all the devices provided by the corporation, and set the guest service to deny access if the device used is in the blacklist.

I wonder how I can modify the authentication process to make the ISE validate the MAC address, before (or after) the guest portal is displayed and the guest username and password are typed in.

I will appreciate any comment you can give me.

Thanks in advance.

2 Replies

Ryan Wolfe
Level 5

Just put your guest access rule at the bottom of your authorization policy. If it's at the bottom and is preceded by all of the employee users, devices, etc., then you don't have to blacklist anything. No managed/employee device should reach that rule. If they are, it means that they're not meeting a condition that they should be.

So, there's no need to blacklist anyone if the guest portal policy is the last one to be met. Anyone else would match an earlier authorization profile and be stopped before the guest portal profile.

HTH,

Ryan

Thanks for your reply.

If I understood correctly, your answer assumes the employee's devices are authorized by the ISE. Unfortunately this is not the case (at least not yet). Currently the ISE is working for the Guest service only. So I would need to block access through a blacklist or modify the network in order to put the ISE into the authentication process for all computers (employees and visitors).

If I do that, I guess I will have a license limitation (current license has only 100 endpoints, while the wireless network has over 600 users all the time).

Regards.
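The two positions in this thread (Ryan's "put the guest rule last" and the poster's "ISE doesn't know my corporate devices yet") both come down to how a first-match authorization policy is walked. The following is an added illustration, not ISE code or anything posted in the thread: a toy first-match evaluator with a constructed endpoint identity store, showing that ordering alone only works when corporate devices are actually known to ISE, and where an explicit MAC blacklist rule would sit if they are not. The rule names, identity group names and MAC addresses are made up for the example.

```python
"""Toy first-match authorization policy, modelled on ISE walking its rules
top to bottom. Added illustration only; not Cisco ISE code."""

from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed endpoint identity store: MAC -> endpoint identity group.
# Ryan's scenario: corporate devices are known to ISE.
CORP_STORE: Dict[str, str] = {"00:11:22:33:44:55": "Corporate-Laptops"}
# The poster's current deployment: ISE only serves guests, so it knows nobody.
GUEST_ONLY_STORE: Dict[str, str] = {}

Rule = Tuple[str, Callable[[str, Optional[str]], bool], str]


def build_policy(blacklist: FrozenSet[str] = frozenset()) -> List[Rule]:
    """Ordered rules; the first whose condition matches wins, as in ISE."""
    return [
        # Corporate devices matched by identity group (Ryan's advice):
        # they never fall through to the guest rule.
        ("Corporate-Devices",
         lambda mac, grp: grp == "Corporate-Laptops", "Corporate-Restricted"),
        # Explicit MAC blacklist (the poster's idea), kept ABOVE the guest rule
        # so it is evaluated before the portal redirect is handed out.
        ("Blocked-MACs",
         lambda mac, grp: mac in blacklist, "DenyAccess"),
        # Guest portal rule last: only endpoints nothing else claimed reach it.
        ("Guest-Portal",
         lambda mac, grp: True, "Guest-Redirect"),
    ]


def authorize(mac: str, store: Dict[str, str], policy: List[Rule]) -> Tuple[str, str]:
    """Return (rule name, authorization result) for the first matching rule."""
    mac = mac.lower()
    grp = store.get(mac)  # None when ISE has never profiled/registered the MAC
    for name, cond, result in policy:
        if cond(mac, grp):
            return name, result
    return "Default", "DenyAccess"


if __name__ == "__main__":
    corp, visitor = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    print("known corp device   :", authorize(corp, CORP_STORE, build_policy()))
    print("guest-only ISE      :", authorize(corp, GUEST_ONLY_STORE, build_policy()))
    print("guest-only + blocklist:",
          authorize(corp, GUEST_ONLY_STORE, build_policy(frozenset({corp}))))
    print("visitor             :", authorize(visitor, CORP_STORE, build_policy()))
```

The second call is the poster's problem in one line: with an empty store, a corporate laptop is indistinguishable from a visitor and lands on the guest rule, so either ISE must learn the corporate endpoints (802.1X/MAB with their own rules above the guest rule, which is what Ryan assumes) or a blacklist rule has to be placed above the guest rule.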
