04-01-2018 08:20 PM - edited 02-21-2020 10:52 AM
Hi Expert,
I have a problem. We have a guest wifi and an internal wifi network, but I found that many of our internal users use the guest wifi rather than the internal wifi, since the internal wifi blocks some web pages.
At the moment, I have our internal users' device MAC addresses only. Can I control the guest wifi so that if the MAC address matches the list (the internal device list), then this device cannot access the guest network? Can ISE do that?
Thanks
04-01-2018 08:34 PM
Hi
Do you have a group containing all your internal hosts' MAC addresses?
If so, you can duplicate the guest rule that internal hosts are hitting, place the copy above it, add your internal MAC addresses group as a condition, and switch the rule to deny instead of permit.
04-05-2018 01:58 AM
04-05-2018 09:02 PM
04-06-2018 07:17 AM
What version are you running?
I have seen the endpoint group value being modified after a successful or failed authentication, so even though you have the internal MAC addresses in a specific endpoint group, that value could change to Unknown, Blank or Profiled. They would then eventually be authenticated using the Guest SSID again, because you would not hit the new Authz policy for internal users.
I am assuming you have a guest network with only an AUP page or similar, no authentication. I would suggest you evaluate modifying that to something like webauth so you can actually control who gets access to that SSID.