Guest Policy (using default portal settings)
1. Guest Access>Configure>Guest Portals>Sponsor Guest Portal (Default)
2. Uncheck the box for Allow Guests to create their own accounts – SPONSOR Only will be allowed
3. Uncheck Allow Employees to use personal devices on the network since a BYOD policy is already built.
4. Navigate to Guest Access>Configure>Sponsor Groups:
5. edit the ALL_ACCOUNTS (Default) group
6. Click on Members and remove the ALL_ACCOUNTS default and add the following AD group: ad1:example.com/Users/Domain Users (or whatever AD group can be a sponsor user)
7. Guest Access>Configure>Sponsor Portals and edit the default sponsor portal. Change the FQDN to be sponsor.ise.example.com (need an A record for Sponsor pointing to the ISE server IP)
8. Policy>Policy Elements>Results>Authorization>Authorization Profiles page. Create the following authorization profiles:
9.
Name: GUEST-REDIRECT
- Check VLAN and enter
VLAN ID 70
- Check the box for Web
Redirection, choose Centralized
Web Auth, and type in ACL_WEBAUTH_REDIRECT
for the ACL value, and choose Guest
Portal from the drop-down
10. Name: GUEST-ACCESS
- Check DACL Name and
choose GUEST from the
drop-down
- Check VLAN and enter
VLAN ID 70
- Check the box next to Airespace
ACL Name and type in GUEST
11. Policy>Policy Sets and create a new policy set above all others
12. Name - Guest Wireless and
give it the following top-level conditions:
DEVICE:Device Type EQUALS All Device
Types#Wireless Controller
AND
Radius:Called-Station-ID ENDS WITH GuestSSID
13. In Authentication Policy on this policy set and create the following rule:
14.
Name: MAB
If: Wireless_MAB <-
this is pre-created condition in ISE
Allowed Protocols: Default
Network Access
Default: Internal Endpoints <- Under
If user not found, choose Continue from the drop-down
15. On the Default Rule of the Authentication Policy, just use the All_User_ID_Stores
16. Under the Authorization Policy, Create the following rules:
17. Name: Guest Access
If: GuestEndpoints <-
Predefined ISE group
Conditon(s): <blank>
Then: GUEST-ACCESS
18. Name: Guest Redirect
If: Any
Condition(s): Wireless_MAB <-
Predefined ISE group
Then: GUEST-REDIRECT
19. Default rule to DenyAccess at the end:
20. For Guest Access at the Wired Level, modify the existing WiredDot1x policy set
21. Add two rules in the Authorization policy at the very end before the Default rule.
22. Name: Guest Access
If: GuestEndpoints
Condition(s): <none>
Then: GUEST-ACCESS
23. Name: CWA Redirect
If: <any>
Condition(s): Wired_MAB OR Wired_802.1x
Then: GUEST-REDIRECT
24. Always make sure to keep
these two rules at the bottom of the Authorization rule set as a “catch-all”
ISE Configuration – Hotspot
1. Guest Access>Configure>Guest Portals and modify the Hotspot Guest (Default) portal
2. Go to AUP settings and check Require an access code if needed.
3. Policy>Policy Elements>Results>Authorization>Authorization Profiles and create the following profile
4.
Name: HOTSPOT-REDIRECT
- Check the VLAN box and type
in VLAN ID 70
- Check the box for Web
Redirection, change it to HotSpot
from the drop-down, type in ACL_WEBAUTH_REDIRECT
for the ACL, and choose HotSpot
Guest Portal from the drop-down
5. Policy>Policy Sets and create a new policy set
6.
name it Hotspot Wireless with the following top-level
conditions:
DEVICE:Device Type EQUALS All Device
Types#Wireless Controller
AND
Radius:Called-Station-ID ENDS WITH HotspotSSID
7. Under the Authentication Policy, add the following rule:
8.
Name: MAB
If: Wireless_MAB
Allowed Protocols: Default
Network Access
Use: Internal Endpoints (Also
set if user not found to Continue in the drop-down)
9. For the Default Rule, set the identity source sequence set to All_User_ID_Stores
10. Under the Authorization Policy, create the following policy rules:
11. Name: Hotspot Access
If: GuestEndpoints
Condition(s): <None>
Then: GUEST-ACCESS
12. For
the Default catch-all rule, change the following:
If no matches, then: HOTSPOT-REDIRECT
ISE Configuration – Profiling
1. If a new security policy is needed for a device like an access point or printer, navigate to Policy>Policy Elements>Authorization>Downloadable ACLs and click Add
2.
Name: AP-ONLY
ACL:
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host “wlc ip”
deny ip any any
3. Policy>Policy Elements>Authorization>Authorization Profiles and click Add
4.
Name: AP-ONLY
- Check DACL Name and
choose AP-ONLY from the
drop-down
- Check VLAN and type in VLAN ID 100
5. Policy>Policy Sets and edit existing WiredDot1x
6. Add the following rule on top of the other rules in the Authorization Policy:
7.
Name: CiscoAP
if: <any>
Condition(s): Endpoints:LogicalProfile EQUALS “profiled
device”
Then: AP-ONLY
8. Name:CiscoIPPhones
if: Cisco-IP-Phone
Condition(s): blank
Then: Cisco_IP_Phones
AMP with ISE Integration
1. Administration>Threat Centric NAC
2. Click Add to add a new vendor instance. On this page, you are asked to select a vendor and give it a name. Choose AMP:THREAT and name it AMP. Click Save
3. Ready to configure. Click on that next to the new instance
4. Click Next.
5. Drop-down to choose what AMP cloud for this ISE instance to reach out to. Choose the US Cloud and click Next.
6. Click on the link to take you to the AMP cloud.
7. In the AMP Cloud, click Allow and you will be taken back to ISE.
8. Back on ISE click Finished
9. Back at the Vendor Instance page, check the box next to the instance and click Edit to see some of the types of events that ISE will be receiving reporting for
10. navigate to Operations>Adaptive Network Control>Policy List
11. Add three new policies
a. Name- QUARANTINE
b. Action- QUARANTINE
c. Name – SHUTDOWN
d. Action – SHUTDOWN
e. Name – PORT-BOUNCE
f. Action – PORT_BOUNCE
12. Policy>Policy Sets>Global Exceptions and create the policy rules as such:
if Session:ANCPolicy Equals Quarantine then Quarantine (or whatever your authorization profile is for limited access)
