topic I'm not aware of another way in Network Access Control

Create a new AD connector

jan.nielsen — Fri, 04 Sep 2015 14:14:27 GMT

Create a new AD connector with LDAP to the same AD, and point the base DN user search to only look in the group you wan't to be able to authenticate with their AD credentials, to get guest access. Then use this id store in your guest sequence, and remove the old AD one. Now you should be able to allow the guest portal to auto-register those mac adresses in it's own group, and then just mab validate those mac addresses the next time the device is kicked off and tries to come back online, with a specific authorization rule for the condition : endpoint group+ssid+mab. If you wan't to, you can purge the devices from that group when they reach a certain age, to re-trigger guest login.

Wow - thats pretty clever!

Johannes Luther — Fri, 04 Sep 2015 14:32:03 GMT

Wow - thats pretty clever! With this approach I can cover one AD group.

But (sorry to say this) this is like a "hack" for the whole problem (but a very clever one).

Is there no standard solution for this use case? Or does Cisco want to enforce the BYOD and myportal solution for this?

I'm not aware of another way

jan.nielsen — Fri, 04 Sep 2015 14:53:29 GMT

I'm not aware of another way of doing this, the use case for this type of thing is normally filled by BYOD scenarios, where the authorization rules can be more granular if you use something like a single ssid with PEAP to start provisioning of certificates for "BYOD" devices.

I have the exact same need to

dkorell — Fri, 13 Jan 2017 22:07:00 GMT

I have the exact same need to lockdown my staff portal to users in an AD group but having issues. I have the connector setup no problem but I can't find the users that are in an AD group. To clarify, this setup is for finding users in a group versus an OU? If I point the Subject Search Base to an OU where the user is stored it works but my users are stored in OUs all over AD so this won't work for this setup. If I point the Subject Search Base to the path of the group then it doesn't find any users. I've messed around with different combinations within the schema configuration and no luck.

Any help from anyone that has pointed the connector to a group and is able to retrieve the users would be much appreciated!

Re: I have the exact same need to

Stevenmns — Fri, 08 Apr 2022 16:23:08 GMT

Hey I know this is a few years old, but were you ever able to figure out a solution to this? I'm running into this exact same scenario.

Re: I have the exact same need to

thomas — Fri, 15 Apr 2022 18:17:01 GMT

I suggest creating a new Question in the community with your specific details.

See to minimize any back and forth for details.

topic I'm not aware of another way in Network Access Control

Sponsored Guest Portal with Active Directory users and group restrictions

Create a new AD connector

Wow - thats pretty clever!

I'm not aware of another way

I have the exact same need to

Re: I have the exact same need to

Re: I have the exact same need to