https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440663#M538304 <HTML><HEAD></HEAD><BODY><P>Setup a web portal with the on boarding piece enabled.</P><P></P><P>After login a COA will take place</P><P></P><P>If ADGROUP1 then redirect to NSP (BYOD registration)</P><P>If ADGROUP2 then redirect to CPP (Posture) are you going to use web agent posture or any connect?</P></BODY></HTML> Mon, 11 Jul 2016 14:22:55 GMT Jason Kunst 2016-07-11T14:22:55Z https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440660#M538294 <HTML><HEAD></HEAD><BODY><P style="font-size: 13.3333px;">hi,</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Our customer wants to split their BYOD flow for wired in the following:</P><OL style="font-size: 13.3333px;"><LI>BYOD user PC connects and gets redirected to web portal</LI><LI>User authenticates using their AD credentials</LI><LI>Depending on the AD group membership <SPAN style="text-decoration: underline;">either</SPAN><OL><LI>Do device registration for the BYOD device and authenticate based on the MAC address from then on.</LI><LI>OR validate posture using the web agent</LI></OL></LI></OL><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">From what I could find out, the device registration is enabled on the guest portal for all BYOD users - not based on any authorization such as AD groups.</P><P style="font-size: 13.3333px;">As such I assume it will be all BYOD users doing device regstration or all users doing posture validation - no combinations.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Can you confirm this is correct?</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Secondly, if we validate for posture using the web agent, is there any way to avoid having to redo on every new connection?</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Many thanks</P><P style="font-size: 13.3333px;">Gert</P></BODY></HTML> Mon, 11 Jul 2016 07:13:26 GMT https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440660#M538294 gtilburg 2016-07-11T07:13:26Z https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440661#M538297 <HTML><HEAD></HEAD><BODY><P>Gert, regarding first Q. You can achieve it but will need to use single-SSID flow instead. For the second Q, posture lease feature is what you are looking for, but it is only available on AnyConnect Agent.</P></BODY></HTML> Mon, 11 Jul 2016 14:09:51 GMT https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440661#M538297 howon 2016-07-11T14:09:51Z https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440662#M538300 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for the reply.</P><P></P><P>We are doing this on wired, not wireless.</P><P>Also, just to be clear: the user gets the web portal and provides credentials. If the user is member of a specific AD group, he should do device registration. If he is not, he should be validated for posture.</P><P></P><P>How can this be configured?</P><P>As both users are on AD, they will both hit the device registration or guest compliancy check (which both are configured on the guest portal).</P><P>I didn’t find a way to allow authorization for BYOD users.</P><P>Would be very interested to see how to configure this.</P><P></P><P>Many thanks</P><P>Gert</P><P></P><P></P><P>Gert Tilburgs - CCIE R&amp;S 21187</P><P>Network Consulting Engineer</P><P>Cisco Security Services</P><P>Phone: +3227046188 - Email: gtilburg@cisco.com</P><P>For corporate legal information go to:</P><P>http://www.cisco.com/web/about/doing_business/legal/cri/index.html</P></BODY></HTML> Mon, 11 Jul 2016 14:14:31 GMT https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440662#M538300 gtilburg 2016-07-11T14:14:31Z https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440663#M538304 <HTML><HEAD></HEAD><BODY><P>Setup a web portal with the on boarding piece enabled.</P><P></P><P>After login a COA will take place</P><P></P><P>If ADGROUP1 then redirect to NSP (BYOD registration)</P><P>If ADGROUP2 then redirect to CPP (Posture) are you going to use web agent posture or any connect?</P></BODY></HTML> Mon, 11 Jul 2016 14:22:55 GMT https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440663#M538304 Jason Kunst 2016-07-11T14:22:55Z https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440664#M538305 <HTML><HEAD></HEAD><BODY><P>Thanks Jason.</P><P></P><P>The customer does not want to install anything on the byod PC, so would go for the web agent. I am not a fan, but given the requirements, this seems the only option. They will check any AV.</P><P></P><P>Concerns?</P></BODY></HTML> Mon, 11 Jul 2016 14:31:55 GMT https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440664#M538305 gtilburg 2016-07-11T14:31:55Z https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440665#M538306 <HTML><HEAD></HEAD><BODY><P>You can do BYOD device registration only for ADGROUP1 (don't configure a supplicant or cert profile for that group)</P><P>then for ADGROUP2 redirect to CPP with web agent (windows only of course!)</P><P></P><P>I don't see anything as a problem.</P><P></P><P>Please do reach out direct if you need to discuss</P></BODY></HTML> Mon, 11 Jul 2016 14:36:34 GMT https://community.cisco.com/t5/network-access-control/split-byod-based-on-ad-group-membership/m-p/3440665#M538306 Jason Kunst 2016-07-11T14:36:34Z