Cisco ISE - Can Wireless Guest Access be encrypted??

Flavio Costa
Cisco Employee

Hi experts!

Here's the scenario: In Cisco ISE, normally when we configure guest access the client connects to an open SSID, right? ... and when they open a browser they are redirected to a captive portal asking for credentials. After that, they can navigate, but with no encryption that I'm aware of. Can we provide a similar experience but encrypting the traffic? How would the flow be in this case? I was thinking about a mix between corporate access and guest access.

And since encryption is an L2 thing... from my point of view, it wouldn't be possible to have an open SSID to authenticate users using a captive portal and encrypt traffic after that. So, in a nutshell, my customer wants to know if we can provide with ISE a solution similar to a wireless guest access with captive portal but including encryption of the traffic.

Thanks in advance,

.:|:.:|:.  Flavio Costa

CISCO  Virtual Systems Engineer - Security

Sao Paulo, Brazil

flavicor@cisco.com

Accepted Solution

Jason Kunst
Cisco Employee

You cannot encrypt on an open network.

You would have to set up a WPA-PSK or WPA2 network and then redirect to the guest portal that way.

Recently WLC code has added WPA-PSK support for CoA in 8.3 code; this way they can put in the PSK, then redirect to ISE CWA that way.

List of options:

WPA-PSK with CWA* (WLC 8.3+)

WPA-PSK with LWA* (WLC <8.3)
    shared key + portal login
    CWA not supported
    Point to single PSN (HA requires LoadBalancer)

WPA2 with CWA*
    shared user/pass + portal login (regular guest accounts)

WPA2 without portal*
    sponsored credentials (guest type requires "Allow guest to bypass the Guest portal")
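The first option in the list above (WPA2-PSK WLAN with ISE CWA, which the reply says needs WLC 8.3+) as an added AireOS CLI example; this is not configuration from the thread or from Cisco, and the WLAN id 5, SSID "Guest-Secure", the PSK, RADIUS server index 1 (the ISE PSN) and the redirect ACL name REDIRECT-ISE are all assumptions. Lines beginning with "!" are annotations, not WLC commands.

```cisco
! WLAN 5 / SSID Guest-Secure: WPA2 with AES and a pre-shared key, so the
! air link is encrypted before the guest ever sees the portal.
config wlan create 5 Guest-Secure-Profile Guest-Secure
config wlan security wpa enable 5
config wlan security wpa wpa1 disable 5
config wlan security wpa wpa2 enable 5
config wlan security wpa wpa2 ciphers aes enable 5
config wlan security wpa akm 802.1x disable 5
config wlan security wpa akm psk enable 5
config wlan security wpa akm psk set-key ascii ExamplePSK-change-me 5
! RADIUS server index 1 is assumed to be the ISE PSN, already defined with
! "config radius auth add 1 ..." and "config radius acct add 1 ...".
config wlan radius_server auth add 5 1
config wlan radius_server acct add 5 1
! MAC filtering makes the WLC send a MAB request to ISE for each client;
! ISE answers with the CWA redirect URL and the name of a redirect ACL
! (REDIRECT-ISE, assumed) that must already exist on this WLC.
config wlan mac-filtering enable 5
! "nac radius" keeps the session in the POSTURE_REQD state so the ISE CoA
! sent after the portal login re-authorizes the client without a reconnect.
config wlan nac radius enable 5
config wlan aaa-override enable 5
config wlan enable 5
```

Note that the PSK is shared by every guest, so it authenticates nothing by itself and any holder of the key who captures a client's 4-way handshake can decrypt that client's traffic; the portal login supplies identity, the PSK only keeps outsiders without the key off the air link.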

howon
Cisco Employee

This sounds like the Dual-SSID BYOD flow. You can initially connect to the open SSID; however, once on-boarded (with cert or user/pass), the device can be moved to the secure SSID.
