I'm currently using ISE 1.2 to administer policy for two SSIDs. The first SSID is basically for domain devices only, and we utilize 802.1X and AD. Works great.
The second is currently utilizing the Sponsor Portal, and basically gives Internet-Only access to anybody with an e-mail address and who has a sponsor. In this way, we limited access and knew who was on our network, even though it was Internet Only. This access was intended for temps, contractors, and others who worked with us, but did not require access to domain devices or data.
Well, that's what the intent was. It seems that every once in a while, somebody with an AD computer from some other domain comes in and they are unable to utilize our SSID, because our requirement for a credential and their home domain's AD group policy are incompatible. Presumably, the policy in question is a restriction banning the ability for a computer to join an unknown infrastructure network, hidden deep inside Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network (IEEE802.11) Policies.
I can't really tell others that their GP is too restrictive, and I can't really feel good about having a completely open SSID.
Is there some middle ground? Am I overlooking something?
You are not missing anything. If the users are not admins on those computers then GPO and Windows Security are doing their job :) I used to do something similar in my previous job where there was a requirement that corporate owned PCs were not allowed on the Guest network. I used to push "Fake/Incorrect" security settings for the Guest SSID via GPO. As a result, the corporate PCs could not join the Guest SSID since the settings were incorrect, and they could not manually add it since an SSID with that name already existed.
That's kind of what I thought. My users have no need for the Open SSID, because their domain machines automatically authenticate to the other SSID. They do use it for BYOD access. The problem is when we work with some OTHER company with overly torqued down GP, they cannot get into our network when they are on-site with their domain machines, and it becomes my problem.
So I'm documenting the process to make sure that the GP is the issue, and looking for an alternative if that is the case. The best I can think of is an unadvertised SSID that is completely open and internet only.
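As an added example (not from this thread), a PowerShell check for the "make sure the GP is the issue" step: run on the visitor's Windows laptop, it reads the read-only group-policy wireless profiles and the GPO allow/block lists that the Wireless Network (IEEE 802.11) Policies node produces, and saves the raw netsh output so the result can be documented. The guest SSID name, the report path and the literal English netsh header strings are assumptions.

```powershell
# Added diagnostic, not part of the thread. Read-only: it only runs
# "netsh wlan show ..." and writes a report file; nothing is changed.
param(
    [string]$GuestSsid  = 'Guest-WiFi',                      # placeholder guest SSID
    [string]$ReportPath = "$env:TEMP\wlan-gpo-check.txt"     # placeholder path
)

function Get-NetshSection {
    # Return the entries under a netsh section header (header line, dashed
    # line, then entries until a blank line), dropping the "<None>" marker.
    # ASSUMPTION: English netsh output; the header text is matched literally.
    param([string[]]$Lines, [string]$Header)
    $start = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -like "$Header*") { $start = $i; break }
    }
    if ($start -lt 0) { return @() }
    $body = @()
    for ($i = $start + 2; $i -lt $Lines.Count -and $Lines[$i].Trim() -ne ''; $i++) {
        $body += $Lines[$i].Trim()
    }
    return @($body | Where-Object { $_ -ne '<None>' })
}

$profiles = netsh wlan show profiles
$filters  = netsh wlan show filters
$settings = netsh wlan show settings

# Evidence that the Wireless Network (IEEE 802.11) policy is in force.
$gpProfiles  = Get-NetshSection -Lines $profiles -Header 'Group policy profiles'
$gpAllowList = Get-NetshSection -Lines $filters  -Header 'Allow list on the system (group policy)'
$gpBlockList = Get-NetshSection -Lines $filters  -Header 'Block list on the system (group policy)'
$gpOnlyLine  = $settings | Where-Object { $_ -like '*Only use GP profiles*' } | Select-Object -First 1

$findings = @()
if ($gpProfiles.Count -gt 0)  { $findings += "Wireless profiles pushed by group policy: $($gpProfiles -join ', ')" }
if ($gpAllowList.Count -gt 0) { $findings += "GPO allow list limits SSIDs to: $($gpAllowList -join ', ')" }
if ($gpBlockList -match [regex]::Escape($GuestSsid)) { $findings += "GPO block list names the guest SSID '$GuestSsid'" }
if ($gpOnlyLine -match 'Enabled') { $findings += "'Only use GP profiles on GP-configured networks' is enabled" }
if ($findings.Count -eq 0) { $findings += 'No wireless group-policy restriction found; GP is probably not the cause.' }

# Keep the raw output next to the conclusions so the visitor's IT team can verify it.
$report = @("WLAN GPO check on $env:COMPUTERNAME, $(Get-Date -Format s)", '') + $findings +
          @('', '--- netsh wlan show profiles ---') + $profiles +
          @('', '--- netsh wlan show filters ---')  + $filters +
          @('', '--- netsh wlan show settings ---') + $settings
$report | Set-Content -Path $ReportPath
$findings | ForEach-Object { Write-Host $_ }
Write-Host "Full netsh output saved to $ReportPath"
```

The report shows whether the visitor's domain pushes profiles, an allow list or a block list; a hit on any of these is what makes the guest SSID unjoinable for a non-admin user, regardless of how the SSID itself is secured.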
I totally understand your point when you say that "it becomes your problem" :) Nobody likes security but everyone wants it. Now with that being said, if the SSID is "Open", can these laptops connect to it? If yes, I believe that there is a setting in GPO that can prevent users from connecting to any other SSIDs besides the ones configured in GPO, thus you would still face the same problem. Also, not advertising the SSID will not provide you with any additional security measures. The word will get out and you will see how everyone now is starting to use it :) Perhaps what you can do is make it less attractive by throttling the bandwidth and/or use some sort of a web filter and block sites like facebook, youtube, etc.