When deploying Cisco Identity Services Engine (ISE) in today’s world, many companies want to take advantage of the guest services on offer. Cisco ISE has the ability to authenticate guest users and apply relevant controls while guests are visiting.
As Cisco ISE has evolved over time, companies' network requirements have evolved with it. Companies are more conscious of network security and are constantly looking for ways to further secure their networks. In practice, this often means restricting access to the corporate network when certain requirements aren't met.
By combining multiple Cisco technologies, we have the ability to segregate guests from the corporate network while still allowing them internet access. In summary, we can do this by deploying Cisco ISE in a DMZ and tunnelling all guest traffic to an anchor controller sitting in the same DMZ.
As you can imagine, designs for this sort of deployment can vary, and if you're reading this you more than likely already have a design in mind. That design will no doubt include a firewall between the corporate network and the DMZ. If my assumptions are correct, then you are in the right place, because in this article I will highlight the firewall considerations for a deployment of this type.
The design below represents a distributed ISE deployment with two Wireless LAN Controllers (WLC), one of which is used to tunnel guest traffic to a DMZ.
The PSN that is used for guest services is located in the DMZ, alongside the anchor controller. These are separated from the internal network by a firewall.
The arrows, ports and protocols depict the flow of traffic and the type of traffic that needs to be permitted by the firewall in order to get this solution working.
Although I have done my best to document the firewall considerations, these may differ in future deployments. Please also consult the Cisco documentation, or feel free to reach out to me via this article and I will do my best to update the image.