https://community.cisco.com/t5/network-access-control/once-authenticated-through-cwa-want-certain-ad-groups-to-be/m-p/4017459#M542453 <P>Situation:&nbsp; Open SSID for Guests Sponsored Access.&nbsp;&nbsp;Either guests or Employees can authenticate on CWA.</P><P>&nbsp;</P><P>Requirement: Once an AD:IT user is authenticated via CWA, customers wants MAC address of device be automatically added to RegisteredDevices.&nbsp; Goal: when the device reassociate with the Guest-Net, it will be automatically accepted on the Guest network without any further cwa.&nbsp; &nbsp;The customer doesn't want to use BYOD for its employees, and wants the AD:IT employees to remain on the Guest-Net.</P><P>&nbsp;</P><P>Also, customer would like that, following CWA, if an AD:Employee is <STRONG>NOT</STRONG> from the IT group, then customer wants the MAC address to be put in Blacklist.</P><P>&nbsp;</P><P>Summary:&nbsp; the customer wants that, for users authenticating via CWA and OU=IT, the MAC address be put in the RegisteredDevices, and that those devices when re-connecting to the Guest-Net, be automatically recognized without prompting the user for CWA, but only for users from OU=IT.</P><P>&nbsp;</P><P>Thanks.</P> Thu, 23 Jan 2020 23:24:08 GMT cpaquet 2020-01-23T23:24:08Z https://community.cisco.com/t5/network-access-control/once-authenticated-through-cwa-want-certain-ad-groups-to-be/m-p/4017459#M542453 <P>Situation:&nbsp; Open SSID for Guests Sponsored Access.&nbsp;&nbsp;Either guests or Employees can authenticate on CWA.</P><P>&nbsp;</P><P>Requirement: Once an AD:IT user is authenticated via CWA, customers wants MAC address of device be automatically added to RegisteredDevices.&nbsp; Goal: when the device reassociate with the Guest-Net, it will be automatically accepted on the Guest network without any further cwa.&nbsp; &nbsp;The customer doesn't want to use BYOD for its employees, and wants the AD:IT employees to remain on the Guest-Net.</P><P>&nbsp;</P><P>Also, customer would like that, following CWA, if an AD:Employee is <STRONG>NOT</STRONG> from the IT group, then customer wants the MAC address to be put in Blacklist.</P><P>&nbsp;</P><P>Summary:&nbsp; the customer wants that, for users authenticating via CWA and OU=IT, the MAC address be put in the RegisteredDevices, and that those devices when re-connecting to the Guest-Net, be automatically recognized without prompting the user for CWA, but only for users from OU=IT.</P><P>&nbsp;</P><P>Thanks.</P> Thu, 23 Jan 2020 23:24:08 GMT https://community.cisco.com/t5/network-access-control/once-authenticated-through-cwa-want-certain-ad-groups-to-be/m-p/4017459#M542453 cpaquet 2020-01-23T23:24:08Z https://community.cisco.com/t5/network-access-control/once-authenticated-through-cwa-want-certain-ad-groups-to-be/m-p/4022013#M542469 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291184">@cpaquet</a>&nbsp;wrote:<BR /> <P>Situation:&nbsp; Open SSID for Guests Sponsored Access.&nbsp;&nbsp;Either guests or Employees can authenticate on CWA.</P> <P>&nbsp;</P> <P>Requirement: Once an AD:IT user is authenticated via CWA, customers wants MAC address of device be automatically added to RegisteredDevices.&nbsp; Goal: when the device reassociate with the Guest-Net, it will be automatically accepted on the Guest network without any further cwa.&nbsp; &nbsp;The customer doesn't want to use BYOD for its employees, and wants the AD:IT employees to remain on the Guest-Net.</P> <P>&nbsp;</P> <P>Also, customer would like that, following CWA, if an AD:Employee is <STRONG>NOT</STRONG> from the IT group, then customer wants the MAC address to be put in Blacklist.</P> <P>&nbsp;</P> <P>Summary:&nbsp; the customer wants that, for users authenticating via CWA and OU=IT, the MAC address be put in the RegisteredDevices, and that those devices when re-connecting to the Guest-Net, be automatically recognized without prompting the user for CWA, but only for users from OU=IT.</P> <P>&nbsp;</P> <P>Thanks.</P> <HR /></BLOCKQUOTE> <P>Check out special flows.</P> <P><A href="https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--1778324119" target="_blank">https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--1778324119</A></P> <P>&nbsp;</P> <P>There is no way to choose on login which groups do what. however you can play with this. Look at the <A title="prescriptive guest guide" href="https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475" target="_blank" rel="noopener">prescriptive guest guide</A> for more details on some configurations . you can tweak around with this</P> <P>&nbsp;</P> <P><STRONG>You can however to do the following:</STRONG></P> <P>&nbsp;</P> <P>setup multiple endpoint groups for guest endpoints</P> <P>allowedEndpoint</P> <P>Denied endpoint</P> <P>&nbsp;</P> <P>setup allowedhotspot portal mapped to allowedEndpoint</P> <P>do similiar for denyportal</P> <P>&nbsp;</P> <P><STRONG>setup authorization flows</STRONG></P> <P>if mab and guestflow and adGroupAllowed then redirect to allowedHotspotPortal (device will be assigned correct group)</P> <P>if mab and guestflow and deniedGroup ( or no groups) then redirect go denieDportal</P> <P>if mab and GuestEndpoint group then permit access</P> <P>if mab and deniedEndpoint then deny access</P> <P>&nbsp;</P> <P>if mab then redirect to guest portal</P> <P>&nbsp;</P> Sat, 01 Feb 2020 04:28:51 GMT https://community.cisco.com/t5/network-access-control/once-authenticated-through-cwa-want-certain-ad-groups-to-be/m-p/4022013#M542469 Jason Kunst 2020-02-01T04:28:51Z