topic Re: Sponsor Portal with authentication active directory in Network Access Control

Sponsor Portal with authentication active directory

nstr1 — Sat, 08 Sep 2018 04:40:01 GMT

I have an ISE 1.4 standalone in the ise I have an active directory configured. I did an authentication test to the active directory and the authentication was successful.

I am also setting up a portal sponsor and the administrators of the portal sponsor will be users defined in a group of the active directory.

but when I use a user of the active directory in the portal sponsor it shows me "authentication error"

But in the sponsor group I specify that you use the active directory group.

What am I doing wrong or what is the configuration that I need?

I have to define it also in Adminitration> Identity Management> Identity Source Sequences
???

Re: Sponsor Portal with authentication active directory

paul — Sat, 08 Sep 2018 14:13:29 GMT

All portals in ISE use identity source sequences (ISS) to tell them where to authenticate users against. So even if you have one authentication source you need to define a sequence. If you are just going to use active directory then device an ISS called Active_Directory and assign your AD definition to it. Then assign Active_Directory as the ISS to your sponsor portal.

I usually build an ISS called AD_Local and assign Active Directory and Internal Users so I can setup local accounts to test various conditions as needed.

Re: Sponsor Portal with authentication active directory

nstr1 — Mon, 10 Sep 2018 17:48:31 GMT

I did what you say assign the ISS with the AD and in my Sponsor it also defines the ISS, but it still does not authenticate me.

partly I must define, "Sponsor Group" because in the sponsor gruop defines which group of the AD authenticated in the sponor ?????

Re: Sponsor Portal with authentication active directory

nstr1 — Mon, 10 Sep 2018 17:49:25 GMT

Re: Sponsor Portal with authentication active directory

paul — Mon, 10 Sep 2018 17:49:56 GMT

You have to assign an AD group to the sponsor groups to get into the Sponsor Portal.

Re: Sponsor Portal with authentication active directory

nstr1 — Mon, 10 Sep 2018 17:57:07 GMT

I am using the sponsor group default, there specify the group of the AD, but in my configuration in which part I add this group ??

Re: Sponsor Portal with authentication active directory

paul — Mon, 10 Sep 2018 17:59:34 GMT

You have to add your AD groups into ISE on the Administration->Identity Management->External Identity Sources->Active Directory. Then go to the Groups tab and map in the desired AD groups and then assign the AD groups to the sponsor groups.

Re: Sponsor Portal with authentication active directory

nstr1 — Mon, 10 Sep 2018 18:05:16 GMT

ok, also configure it

Re: Sponsor Portal with authentication active directory

kthiruve — Mon, 10 Sep 2018 20:05:32 GMT

Please look at the logs and see what is going on from the steps in the logs.

Also make sure that the authentication policy has MAB first and your MAB authentication results in URL-redirection etc.

Your authorization policy should have the right authorization profile as well to allow guest acess.

Finally make sure you change the sponsor portal and add AD under the right group.

Check out the flow in Guest deployment guide. Though this is for latest, some of the workflows are the same.

https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475?attachment-id=160597

Thanks

Krishnan