10-21-2016 08:25 AM
Hi experts!
Here's the scenario: In Cisco ISE, normally when we configure guest access the client connects to an open SSID, right? ... and when they open a browser they are redirected to a captive portal asking for credentials. After that, they can navigate, but with no encryption that I’m aware of. Can we provide a similar experience but encrypting the traffic? How would the flow be in this case? I was thinking about a mix between corporate access and guest access.
And since encryption is an L2 thing, from my point of view it wouldn't be possible to have an open SSID to authenticate users using a captive portal and encrypt traffic after that. So, in a nutshell, my customer wants to know if we can provide with ISE a solution similar to a wireless guest access with captive portal but including encryption of the traffic.
Thanks in advance,
.:|:.:|:. Flavio Costa
CISCO Virtual Systems Engineer - Security
Sao Paulo, Brazil
10-21-2016 08:34 AM
You cannot encrypt on an open network.
You would have to set up a WPA-PSK or WPA2 network and then redirect to the guest portal that way.
Recently, WLC code has added WPA-PSK support for CoA in 8.3 code; this way they can put in the PSK and redirect to ISE CWA that way.
List of options:
•WPA-PSK with CWA* (WLC 8.3+)
•WPA-PSK with LWA* (WLC <8.3)
•shared key + portal login
•CWA not supported
•Point to single PSN (HA requires LoadBalancer)
•WPA2 with CWA*
•shared user/pass + portal login (regular guest accounts)
•WPA2 without portal*
•sponsored credentials (guest type requires - Allow guest to bypass the Guest portal)
10-21-2016 08:31 AM
This sounds like Dual-SSID BYOD flow. You can initially connect to the open SSID, however, once on-boarded with (Cert of user/pass) then the device can be moved to secure SSID.