topic Re: Conditional Guest Authentication Success? in Network Access Control

Conditional Guest Authentication Success?

Arne Bier — Mon, 12 Mar 2018 03:05:20 GMT

Is it possible to perform conditional redirection based on the authentication method chosen?

e.g.

My customer would like to redirect the successful Guest to a different URL, depending on what Identity Source was used to perform the auth.

e.g.

I have an identity source sequence of

Guest_Portal_Sequence (Contains search list: Guest Users)

AD_or_Guest_Portal (Contains search list: Guest Users, ADJoinPoint)

If the auth was a success performed against Guest Users, then redirect to www.somesite1.com

If the auth was a success performed against ADJoinPoint, then redirect to www.somesite2.com

The use case is that we want to (ab)use the Guest portal to allow AD users to authenticate using their AD creds, and after they have done so, redirect them to a custom MDM onboarding web site. But regular sponsored guests would be redirected to a generic page like google.com.

If there is a better way to do this then I would be open to hearing about it.

Re: Conditional Guest Authentication Success?

Jason Kunst — Mon, 12 Mar 2018 04:49:45 GMT

Under your portal settings make sure you have a guest type for employees

Under this guest type you would register these devices into an employee endpoint group

Would suggest authorization rules if guest flow and ad group then redirect to portal

If guest endpoints permit internet

If mab then redirect to portal for login

Re: Conditional Guest Authentication Success?

Jason Kunst — Mon, 12 Mar 2018 05:05:25 GMT

If your ad rule is above your guest endpoints then you don’t need to worry about the portal setting for employees guest type or endpoints

Re: Conditional Guest Authentication Success?

Arne Bier — Mon, 12 Mar 2018 05:47:05 GMT

Hi Jason

We have a Guest Type that we defined for employee guests. We then tie that to the Guest Portal under the option "Employees using this portal as guests inherit login options from:"

All of this is working fine and I can authenticate Sponsored Guests and AD guests without any issues. Their MAC addresses end up in the correct Endpoint Identity Groups.

My question was around the "Authentication Success Settings" radio buttons. I am only allowed to choose one option that then applies to the entire Guest Portal. I wanted to know if this choice could be made conditional - i.e. have the "Success" redirection based on how the user authenticated. Is that possible?

The authentication processing logic is mostly a black box inside ISE (as opposed to the flexible Radius Policy Set logic) and we are constrained by what the GUI allows us to do.

Re: Conditional Guest Authentication Success?

Jason Kunst — Mon, 12 Mar 2018 06:15:38 GMT

No that cannot be made conditional.

You have to identify authorization flows for different groups with different authorization results

Re: Conditional Guest Authentication Success?

hslai — Tue, 13 Mar 2018 15:30:17 GMT

Just an idea. Perhaps, keep it at the authentication success page and then in the success page to test an URL to determine whether to go to MDM or not, based on the authorization profile(s) after CoA.