Cisco Identity Services Engine 1.0.4 Technical Manual

The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command. 
Background Information
In many Bring Your Own Device (BYOD) environments, the guest network is fully isolated from the internal
network in a Demilitarized Zone (DMZ). Often, the DHCP server in the guest DMZ offers public Domain Name
System (DNS) servers to the guest users because the only service that is offered is internet access.
This makes guest redirection on the ISE difficult prior to Version 1.2 because the ISE redirects clients to its
Fully Qualified Domain Name (FQDN) for web authentication, and public DNS servers typically cannot resolve
that internal name. However, with ISE Versions 1.2 and later, administrators can redirect guest users to a
static IP address or hostname.
Configure
Network Diagram
This is a logical diagram.
Note: Physically, there is a wireless controller in the internal network, the Access Points (APs) are on the
internal network, and the Service Set Identification (SSID) is anchored to the DMZ controller. Refer to the
documentation for Cisco WLCs for more information. 
Configuration
The configuration on the WLC remains unchanged from a normal CWA configuration. The SSID is
configured in order to allow MAC filtering with RADIUS authentication, and the RADIUS accounting points
towards two or more ISE policy nodes.
This document focuses on the ISE configuration.
Note: In this configuration example, the policy nodes are jesse-dunkel (172.18.124.20) and jesse-maibock
(172.18.124.21).