topic Re: ISE Portal Using Two Different Identity Sources in Network Access Control

ISE Portal Using Two Different Identity Sources

fdharmawan — Mon, 10 Sep 2018 08:28:27 GMT

Hi Guys,

I have a portal configured for internet access that requires the users to login using AD credential. Recently I got a requirement to create local users on ISE and those local users should be able to login to the same portal I mentioned before. Below are my conditions:

1. I created the local users on ISE using the InternalUser category.

2. I already set the portal to seek for AD then InternalUser for authentication list.

3. I set the "Employees using this portal as guests inherit login options from" setting to InternalUser.

Using the setting above, the local users able to login to the portal. But here is the thing. I want to treat those users differently. Let's say the users that login using AD credential can have up to 10 device registered and 10 concurrent login. On the other hand, I want to set the local users can only have up to 5 device registered and 5 concurrent login.

With my settings above, if I change the internal user settings, the AD account also got affected. Is there any way to treat the sources differently?

Thank you.

Re: ISE Portal Using Two Different Identity Sources

Cory Peterson — Mon, 10 Sep 2018 11:35:57 GMT

You need to change the setting in your 3rd point to something different than internal users, I always use Employee.

Then under guest type you can change the Employee settings and it will affect them different then the guest setting.

Re: ISE Portal Using Two Different Identity Sources

Jason Kunst — Mon, 10 Sep 2018 12:34:34 GMT

ISE internal users and active directory are considered employees and will have the same guest type assigned to them

A way to accomplish this is to use multiple portals and link them together.

https://community.cisco.com/t5/identity-services-engine-ise/linking-one-guest-portal-to-another-guest-portal/td-p/3467537

Recommendation would be to use the initial portal to handle what a majority of your flows would be

The additional portal flow would be the less used.

Keep in mind Apple Captive network assistant may not like this scripting and redirects and get confused. If In your testing you run into problems then recommend enabling captive portal bypass on the controller

Re: ISE Portal Using Two Different Identity Sources

fdharmawan — Mon, 10 Sep 2018 12:44:04 GMT

Hi Cory,

I just changed the account type to guest and contractor type. I am able to connect using the different account type but somehow unable to connect to the internet. And after a few minutes the system keep asking me for relogin. But when I login using the usual account type, it works normally.

Any idea why? Thank you.

Re: ISE Portal Using Two Different Identity Sources

Jason Kunst — Mon, 10 Sep 2018 12:47:34 GMT

Not sure, depends on your authorization rules. Perhaps you don’t have authorization rules for the different guest types?

Share your rules?

Re: ISE Portal Using Two Different Identity Sources

paul — Mon, 10 Sep 2018 13:39:24 GMT

Each Guest Type should map to its own unique Endpoint Identity Group. My typical portal setup looks something like this:

Guest-Daily- maps to Guest-Daily endpoint group and is purged daily.
Guest-Weekly- maps to Guest-Weekly endpoint group and is purged daily or weekly depending on customer input.
Guest-Custom- maps to Guest-Custom endpoint group and is purged weekly depending on customer input.
Employee-BYOD- maps to Employee-BYOD endpoint group and is purged once a month dependin on customer input.

Then the authorization rules simply state:

If member of Guest-Daily, Guest-Weekly, Guest-Custom or Employee-BYOD then you get Internet access.
If anything else then you get the guest portal.

Re: ISE Portal Using Two Different Identity Sources

Jason Kunst — Mon, 10 Sep 2018 13:49:34 GMT

Paul remember that internal users and AD all map to one guest type set on the self-registration portal so you can’t map internal users to internalendpointgroup and AD users to another endpoint group

However they could do device registration via the hotspot portal

https://community.cisco.com/t5/identity-services-engine-ise/ise-guest-flow-with-multiple-endpoint-identities/td-p/3500190

Re: ISE Portal Using Two Different Identity Sources

paul — Mon, 10 Sep 2018 13:56:34 GMT

Yep, but there really isn't a reason to use Internal Users. Just create long term guest accounts. That is what the Guest-Custom category is for in my builds. Only certain AD groups can manage that Guest Type and I usually let those accounts go out to 365 days.

Re: ISE Portal Using Two Different Identity Sources

fdharmawan — Thu, 13 Sep 2018 03:02:08 GMT

Hi Jason,

Sorry for late reply. I was on something else lately.

Here are my current rules:

-When the device is connected to the SSID, ISE will check whether the MAC address is already registered previously. If so, the device will continue to internet access. We already set the period of time of a device listed on registered device. If the device is not registered yet, a captive portal will appear.

-The portal itself has the authentication method of Guest_Portal_Sequence. I don't know whether this one is default rule or not, but the login checking sequence is like this: AD, Internal User, Guest Users.

-For the guest inherit option, I picked InternalUser. I suppose it is not default. And regarding the guest user type I will be using on the portal will be InternalUser and Guest (from my understanding, these two are on Internal User sequence). The only differences are the period of account validity and devices allowed to be registered.

Thanks.

Re: ISE Portal Using Two Different Identity Sources

fdharmawan — Thu, 13 Sep 2018 03:10:53 GMT

Hi Jason,

Where should I put the script into? Is it on the optional content portal page customizations? Or somewhere else?

FYI, most of the mobile device on my company unfortunately are apple devices. Is there any other workaround other than this? Since you put an earlier notification regarding the apple captive assistant.

Thanks.

Re: ISE Portal Using Two Different Identity Sources

Jason Kunst — Thu, 13 Sep 2018 03:36:45 GMT

Would recommend opening different thread but yes optional content 2 will work. Actually any will work

No there isn’t another way besides what I listed