Organizations have little choice but to offer guest network access. Customers expect it. Contractors, vendors and business partners require it. And it needs to be simple for guests to use and easy for IT to monitor and manage. However, traditional guest access solutions don’t provide the security and control needed to support growing numbers of devices and increasingly sophisticated threats.
Most organizations provide guest Internet access by segmenting off a section of the Wi-Fi network. Typically, guests are sent to a captive portal, a branded web page that displays the organization’s acceptable use policy and a legal disclaimer limiting the organization’s liability should the guest fall victim to a cyberattack.
But even if the organization isn’t legally liable, it can suffer brand damage if guests connect to a malicious website from the organization’s network. It can also face legal and regulatory risks if guests download copyrighted materials or inappropriate content. Organizations need a way to protect guests from known and emerging threats, and to control and manage guests’ Internet access.
Cisco Umbrella is a cloud-based secure Internet gateway that blocks access to malicious URLs, IP addresses and files at the DNS layer, before a connection is established. It also provides powerful category-based content filtering, giving administrators granular control with flexible, location-aware enforcement.
Unlike legacy web gateways, Umbrella does not create latency, so guests enjoy a high-quality user experience. And it’s simple to deploy on Cisco Meraki and other Wi-Fi networks, with complete visibility and centralized management. No additional hardware or software is needed, and Cisco charges by the access point (AP) rather than by the user.
Of course, some guests require more than just Internet access. Vendors and contractors, for example, may have a legitimate business need to access certain corporate resources. Employees visiting from another company site will need the same level of access they’re accustomed to when working in their usual location. For these guests, you need role-based access controls and more robust authentication.
Cisco Identity Services Engine (ISE) is the ideal solution for role-based guest access, particularly for larger networks that must handle hundreds or even thousands of concurrent user sessions. ISE enables the centralized creation and management of access control policies based upon user profile, location, device type and other criteria. Simple guest onboarding processes mask the complexity of these robust security controls.
Guest portals allow guests to self-register, while sponsor portals enable authorized users such as front-desk personnel to create guest user accounts. Administrators can define a duration for various types of guest accounts so that users who need ongoing access don’t have to reregister. Access is automatically suspended at the end of the predefined period.
As part of the registration process, guests can be required to download the ISE posture agent. Each time a guest logs in through the guest portal, ISE will check the device profile and confirm that it’s compliant with established policies. ISE also works in concert with Cisco TrustSec to enable consistent, policy-defined network segmentation without the need to manage complex access control lists.
Organizations need to provide a high-quality guest access experience while protecting against cyberattacks, filtering content and preventing unauthorized access to sensitive data. Cerium’s experienced engineers can help you fortify your guest network with Cisco’s powerful tools.