ISE guest access controlled by MAC address

osw200051
Level 1

Hi Expert,

I have a problem: we have a guest wifi and an internal wifi network, but I found that many of our internal users use the guest wifi rather than the internal wifi, since the internal wifi blocks some web pages.

At the moment I only have our internal users' device MAC addresses. Can I control, on the guest wifi, that if the MAC address matches the list (the internal device list), then that device cannot access the guest network? Can ISE do that?

Thanks

4 Replies

Francesco Molino
VIP Alumni

Hi

Do you have a group containing all your internal hosts' MAC addresses?

If so, you can duplicate the guest rule that the internal hosts are hitting, place the copy above it, add your internal MAC address group as a condition, and switch the rule to deny instead of permit.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Very happy to see your reply, which can help me.
Can your suggestion be done on ISE?

Thanks

Yes, you can do that on ISE.
You need to create, at the top, a rule saying: your MAC group containing all your internal hosts + your WLAN ID = deny.
Instead of the WLAN ID you can also use normalisedradius contains ssidname.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

ajc
Level 7

What version are you running?

I have seen the endpoint group value being modified after a successful or failed authentication, so even though you have the internal MAC addresses in a specific endpoint group, that value could change to Unknown, Blank or Profiled, and they would eventually be authenticated again via the Guest SSID because you would not hit the new AuthZ policy for internal users.

I am assuming you have a guest network with only an AUP page or similar, no authentication. I would suggest you evaluate modifying that to something like web auth so you can actually control who gets access to that SSID.
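Added example, not part of the thread and not ISE code: a small first-match simulation of the authorization policy Francesco describes (deny rule for the internal MAC group on the guest SSID, placed above the guest permit rule) that also shows the two ways it silently stops working: the rule order is wrong, or the endpoint's group in ISE has drifted away from "InternalDevices" as ajc warns. The rule names, identity group name, SSID names and the internal MAC list are all made up for the example, and the Called-Station-Id format "<AP-MAC>:<SSID>" is an assumption about what the wireless controller sends.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC written in any common style (aabb.ccdd.eeff,
    aa-bb-cc-dd-ee-ff, aabbccddeeff, aa:bb:cc:dd:ee:ff) to AA:BB:CC:DD:EE:FF.
    A MAC list pasted together from several sources rarely uses one format,
    and an entry spelled differently from the endpoint record never matches."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Assumed Called-Station-Id layout from a wireless controller: "<AP-MAC>:<SSID>".
_CSID = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}):(.+)$")


def ssid_from_called_station_id(called_station_id: str) -> str:
    """Return the SSID part, or '' when the attribute carries no SSID."""
    m = _CSID.match(called_station_id)
    return m.group(2) if m else ""


@dataclass
class Rule:
    name: str
    result: str                             # "DenyAccess" or a permit profile name
    identity_group: Optional[str] = None    # condition on the endpoint identity group
    ssid_contains: Optional[str] = None     # like "Normalised Radius:SSID CONTAINS x"


@dataclass
class Endpoint:
    mac: str
    identity_group: str                     # what the ISE endpoint record says *now*


def evaluate(rules: List[Rule], endpoint: Endpoint, called_station_id: str) -> Tuple[str, str]:
    """First match wins, top to bottom, like an ISE authorization policy set.
    Returns (rule name, result); anything that matches no rule is denied."""
    ssid = ssid_from_called_station_id(called_station_id).lower()
    for rule in rules:
        if rule.identity_group is not None and rule.identity_group != endpoint.identity_group:
            continue
        if rule.ssid_contains is not None and rule.ssid_contains.lower() not in ssid:
            continue
        return rule.name, rule.result
    return "Default", "DenyAccess"


# Hypothetical policy: the deny rule for internal devices sits ABOVE the guest rule.
POLICY = [
    Rule("Block_Internal_On_Guest", "DenyAccess", identity_group="InternalDevices", ssid_contains="Guest"),
    Rule("Guest_Access", "Guest_Portal", ssid_contains="Guest"),
    Rule("Corp_Access", "Corp_Full", ssid_contains="Corp"),
]

# Constructed internal device list, deliberately in mixed formats.
INTERNAL_MACS: Set[str] = {
    normalize_mac(m) for m in ["aabb.ccdd.ee01", "AA-BB-CC-DD-EE-02", "aa:bb:cc:dd:ee:03"]
}


def decide(mac: str, called_station_id: str, internal: Set[str],
           current_group: Optional[str] = None, rules: List[Rule] = POLICY) -> Tuple[str, str]:
    """Model one RADIUS request. The endpoint's group is taken from the list
    only as a stand-in for the ISE endpoint record; current_group overrides it
    to model the drift ajc describes (profiler moves a non-static endpoint to
    Unknown/Profiled), after which the deny rule no longer matches."""
    canon = normalize_mac(mac)
    group = current_group or ("InternalDevices" if canon in internal else "Unknown")
    return evaluate(rules, Endpoint(canon, group), called_station_id)


if __name__ == "__main__":
    guest = "00-11-22-33-44-55:Guest-WiFi"
    print(decide("aa:bb:cc:dd:ee:01", guest, INTERNAL_MACS))                      # internal on guest SSID: deny
    print(decide("aa:bb:cc:dd:ee:99", guest, INTERNAL_MACS))                      # unknown device: guest portal
    print(decide("aa:bb:cc:dd:ee:01", guest, INTERNAL_MACS, "Profiled"))          # group drifted: guest portal
    print(decide("aa:bb:cc:dd:ee:01", guest, INTERNAL_MACS, rules=POLICY[::-1]))  # wrong rule order: guest portal
```

Two practical notes from the simulation. In ISE, tick "Static Group Assignment" when you import the endpoints into the identity group, otherwise the profiler is allowed to move them and the last two cases above are what you get in the live logs. And a MAC address only identifies a device, it does not authenticate it; anyone who spoofs an unlisted MAC walks straight into the guest rule, which is the gap ajc's web auth suggestion closes.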