08-19-2016 08:58 AM - edited 03-11-2019 12:00 AM
I'm trying to set up CWA on ISE for wired users. A wired employee will get access via 802.1X or MAB, but a guest will use CWA. My problem is that once the guest passes through the Guest Portal, they are on the same subnet as the users. What would a DACL look like for that user to only be allowed Internet access? I understand what it might look like for one subnet, but on ISE I'd need to configure one ACL to cover multiple subnets.
08-19-2016 01:56 PM
Something like:
deny ip any 10.0.0.0 0.0.0.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.0.15.255
permit ip any any
08-24-2016 09:28 AM
To add to Jan's comment: There are two more things I would suggest you add:
1. HTTPS access to the ISE PSN nodes. This will ensure that the authentication success page can load on the client.
2. Access to DNS that can resolve the IP address of the PSN nodes and future Internet browsing.
I hope this helps!
Thank you for rating helpful posts!
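A way to check what a guest DACL of this shape actually blocks before assigning it in ISE, as an added example that is not part of the thread: it evaluates entries first-match, treating the second field after the address as a Cisco wildcard (inverse) mask, so `0.0.0.255` matches a /24. The PSN and DNS addresses, portal port 8443, the `COMBINED` list and the probe addresses are constructed assumptions; substitute your own.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse '<action> <proto> any <dst> [eq <port>]' into a tuple."""
    tok = line.split()
    action, proto, dst, port = tok[0], tok[1], tok[3:], None
    if "eq" in dst:
        i = dst.index("eq")
        port, dst = int(dst[i + 1]), dst[:i]
    if dst == ["any"]:
        base, wild = 0, 0xFFFFFFFF
    elif dst[0] == "host":
        base, wild = to_int(dst[1]), 0
    else:  # address followed by a wildcard (inverse) mask
        base, wild = to_int(dst[0]), to_int(dst[1])
    return action, proto, base, wild, port

def evaluate(dacl, proto, dst_ip, dst_port=None):
    """First matching entry wins; an ACL ends with an implicit deny."""
    ip = to_int(dst_ip)
    for line in dacl:
        action, p, base, wild, port = parse_ace(line)
        if p not in ("ip", proto):
            continue
        if (ip ^ base) & ~wild & 0xFFFFFFFF:  # a must-match bit differs
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"

def internal_leaks(dacl, probes):
    """Internal destinations (constructed) the DACL still permits on tcp/445."""
    return [ip for ip in probes if evaluate(dacl, "tcp", ip, 445) == "permit"]

# The entries as written in the thread.
AS_POSTED = ["deny ip any 10.0.0.0 0.0.0.255", "deny ip any 192.168.0.0 0.0.255.255",
             "deny ip any 172.16.0.0 0.0.15.255", "permit ip any any"]
# Constructed variant: DNS and PSN permits first, then all of RFC 1918.
COMBINED = ["permit udp any host 10.10.10.53 eq 53", "permit tcp any host 10.10.10.10 eq 8443",
            "deny ip any 10.0.0.0 0.255.255.255", "deny ip any 172.16.0.0 0.15.255.255",
            "deny ip any 192.168.0.0 0.0.255.255", "permit ip any any"]
PROBES = ["10.0.0.5", "10.20.30.40", "172.16.5.5", "172.31.255.1", "192.168.1.1"]
```

Run `internal_leaks()` with probe addresses taken from each of your real internal subnets; any address it returns is still reachable by a guest holding that DACL.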