Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

wired guest vlan with ISE

Hi all,

For those that have travelled down the path of ISE, is it reliable to put the all switch ports into a guest vlan and rely on the NAM to change that of corporate users? We will be using the NAM any connect supplicant for corporate users, so they should automatically be changed into the corporate vlan on successful authentication. Is this correct and is this reliable?
Testing now with all ports on the corporate vlan has guests still accessing the corporate vlan initially before they are changed by the java applet upon registering as a guest user.
Thanks

Sent from Cisco Technical Support iPad App

7 REPLIES
Silver

Re: wired guest vlan with ISE

ISE uses 802.1x for authentication and this method is used by many company's so i would suggest do the lab deployment and test the solution before production deployment and Dynamic ACL/VLAN are a better and easy way to control the users

New Member

Re: wired guest vlan with ISE

From a security point I can't say that I like guests still to be able to plug in and if the ports are preconfigured for the corporate vlan, then guests being able to sniff off traffic. Currently in my lab I have this setup and rely on the java applet to change the guests PC to the guest vlan which works but isn't great

Whilst I will be changing the default ports to the guest vlan and testing, have people had issues with the change of vlan for the any connect supplicant NAM? I'd love to hear if by default if others have the ports remain in a non corporate vlan?

Sent from Cisco Technical Support iPad App

Cisco Employee

Re: wired guest vlan with ISE

If you are using "Closed Mode" then only EAPoL (802.1x) traffic is allowed to traverse that port until authenticaiton succeeds. If authentication fails then you can set the port to be dropped into a guest VLAN with Internet access only. You could also setup CWA (Central Web Auth) so if authenticaiton fails then the the user will be redirected to ISE's guest portal for CWA authentication.

I hope this helps

Thank you for rating!

Thank you for rating helpful posts!
New Member

Re: wired guest vlan with ISE

Sorry all, I don't think I'm making myself very clear. Say our corporate users are on vlan 20, and our guests on wired and wireless networks are on vlan 40. With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40. The problem with the last method is, by default the guest connects on the corporate vlan so can actually use wire shark to sniff our corporate traffic on that vlan.
I wanted to know if the change of vlan for corporate users with NAM is reliable? Ie when a corporate user authenticates, the change of vlan for the guest vlan, to the corporate vlan.

Sent from Cisco Technical Support iPad App

New Member

Re: wired guest vlan with ISE

We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things like PXE booting that needs to happen.

Sent from Cisco Technical Support iPad App

Cisco Employee

Re: wired guest vlan with ISE

I will try to answer all of your quesitons:

1.     "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"

          - I suppose the standard is to have the port in the regular/standard VLAN and only put failed           authentications in the guest VLAN. However, with that being said, it really depends on what you are           trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor           deployed it that way so I highly recommend you try that in the lab

2.     "I wanted to know if the change of vlan for corporate users with NAM is reliable?"

          - Yes it is. Well at least for the most part Some "dumb" devices such as printers, badge readers, etc,           might not know that a VLAN was changed, thus never request a new IP address. As a result, they get           stuck in the guest VLAN. That is why I usually like to NOT use guest VLAN but send all failed           authentications through the guest portal. There you can control who is guest and who is not via dACLs.

3.     " We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things           like PXE booting that needs to happen"

          - So my guess is that the guest VLAN terminates on some interface such as FW DMZ. That interface           usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you           want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the           one granted in the Low-Impact mode ACL otherwise things will break


Thank you for rating helpful posts!

Can some one please provide

Can some one please provide the actual configuration for this ? I was trying to do the following and for some reason , the IP address is still getting from the corporate  VLAN ( 46 )  rather from the Guest VLAN  ( 54 ) for the guest PCs.

Can some one help me ? Thanks in advance.. 

interface GigabitEthernet4/0/39
description User Port
switchport access vlan 46
switchport mode access
switchport voice vlan 219
authentication event fail action next-method
authentication event no-response action authorize vlan 54
authentication event server dead action reinitialize vlan 46
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust dscp
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 15
no mdix auto
storm-control broadcast level 20.00
spanning-tree portfast
ip dhcp snooping limit rate 50

581
Views
0
Helpful
7
Replies
CreatePlease login to create content