
ISE CWA Guest Portal ACL

moody
Level 1

I'm trying to set up CWA on ISE for wired users. A wired employee will get access via 802.1x or MAB, but a guest will use CWA. My problem is that once the guest passes through the Guest Portal, they are on the same subnet as the users. What would a DACL look like for that user to only be allowed internet access? I understand what it might look like for 1 subnet, but on ISE I'd need to configure 1 ACL to cover multiple subnets.

Accepted Solutions

jan.nielsen
Level 7

Something like:

deny ip any 10.0.0.0 0.0.0.255

deny ip any 192.168.0.0 0.0.255.255

deny ip any 172.16.0.0 0.0.15.255

permit ip any any


To add to Jan's comment: There are two more things I would suggest you add:

1. HTTPS access to the ISE PSN nodes. This will ensure that the authentication success page can load on the client.

2. Access to DNS that can resolve the IP address of the PSN nodes and future Internet browsing. 

I hope this helps!

Thank you for rating helpful posts!