Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
656
Views
0
Helpful
3
Replies

ISE Guest Portal and AAA Services on one ISE Deployment / Security Concerns

Go to solution
tdoellma
Cisco Employee
Cisco Employee

‎09-04-2017 01:35 AM

My customer is planning to use ISE as AAA Server for 802.1X Authentication and as well as Guest Portal Server.

They now have security concerns regarding the guest portal and potential security vulnerabilities.

Do we have any best practices / recommendations regarding guest portal web page and AAA functionalities  running on the same ISE with regards to security?

Thanks,

TD

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎09-04-2017 07:53 AM

Assuming you are only doing guest portal services for wireless, the customer can easily turn up guest on PSNs in a DMZ and run the portal from there.  Turning up dedicate guest VMs is pretty trivial.  Consult the ISE guides for what ports you need open to allow for cluster communication.  You also need to allow RADIUS from the WLCs.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
paul
Level 10
Level 10

‎09-04-2017 07:53 AM

Assuming you are only doing guest portal services for wireless, the customer can easily turn up guest on PSNs in a DMZ and run the portal from there.  Turning up dedicate guest VMs is pretty trivial.  Consult the ISE guides for what ports you need open to allow for cluster communication.  You also need to allow RADIUS from the WLCs.

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎09-04-2017 04:36 PM

Out of curiosity, have DT run any vulnerability tools (e.g. Nessus scan ) against ISE and found issue with the Guest Portal?

In my own deployments I always disable ALL "Allowed Protocols" that I know I won't be encountering. e.g. for

Default Policies I uncheck all protocols

MAB Web Auth I only allow "Process Host Lookup"

Health monitors (e.g F5) I only allow PAP

EAP-PEAP I only allow EAP-PEAP

etc.

Hardening the portals is a bit trickier - we have to rely on the BU here to ensure that they have made this thing as water tight as possible.  e.g. all web daemons running with lowest privileges etc.

And running a Nessus scan would certainly be interesting.   But having the Guest interface in a DMZ is probably a good strategy too.

ISE 2.2 patch 3 contains some patches in regards to combating cross site scripting.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎09-05-2017 08:17 AM

If customer is really concerned they can have a separate ISE deployment as well

0 Helpful
Customers Also Viewed These Support Documents