topic Marvin, I will definitely in Network Access Control

Identify type of users

tonyp8581 — Mon, 11 Mar 2019 05:58:43 GMT

Hi,

I'm am using a portal which an AD user or guest user can log in. I'm trying to identify who is login in so I can assign Internet only to a Guest user and Full network access to an AD users. I'm having some difficulty figuring out this part.

Has anybody ever done that ? BTW, I'm using ISEv1.3.

Thanks !

This is one of the most

Marvin Rhoads — Sat, 15 Aug 2015 14:01:54 GMT

This is one of the most common ways to use ISE.

How you implement it depends on whether you are talking about wired vs. wireless and whether you are wanting to use strictly Central Web Authentication (usually not recommended since it is usually better to use native supplicant or AnyConnect supplicant for your AD users).

Hi Marvin,It's a wired

tonyp8581 — Mon, 17 Aug 2015 22:01:18 GMT

Hi Marvin,

It's a wired deployment.

I'm aware that 802.1x would be alot easier for me, but these users are consultant. Their supplicant is not configured, but they have been issued an AD account. This is why I need the cwa feature. With some trial and error, I was able to identify both users. Guest and Consultant with the same portal.

Unfortunately, I have reached another issue. Always using the same portal, I am trying to identify the consultant computer to a corporate computer. The reason why I'm asking is because I want the Web agent to launch if it's a AD account and no Web agent with Guest account. I noticed the client provisioning is controlled through the Portal. Therefore, if I can identify the computer, I would be able to redirect to different portal. Hence. controlling the web agent.

I hope my explanationt was clear enough.

Thanks !

Tony

When a consultant logs in and

Marvin Rhoads — Tue, 18 Aug 2015 01:00:29 GMT

When a consultant logs in and authenticates with their AD account, you can check group membership and have AuthZ result (web agent or no web agent) chosen according to group membership of authenticated user (AuthC result).

Hi Marvin, I haven't had the

tonyp8581 — Thu, 20 Aug 2015 21:59:37 GMT

Hi Marvin, I haven't had the chance to try your suggestion. Maybe my setup is wrong, but to use a group membership check, the consultant has to be logged in. But in my case, I'm pushing the portal prior to the consultant logging in. (see authz.rtf). So I have the same portal for the consultant and the guest, and it's in the portal configuration I can check the Web agent(see PortalConfig.rtf).

Like I said in the beginning maybe I'm going about the wrong way. I will definitely explore your suggestion.

Tony

Tony,Have a look at slides

Marvin Rhoads — Thu, 20 Aug 2015 23:24:43 GMT

Tony,

Have a look at slides 109 onward in the presentation BRKSEC-3697 from Cisco Live. I believe it shows something along the lines of what you want - the AuthZ can force a CoA after authenticating the user.

Marvin, I will definitely

tonyp8581 — Fri, 21 Aug 2015 00:01:36 GMT

Marvin, I will definitely take a look at the presentation (Slide 109).

Thanks for your help. Greatly appreciated !! I will keep you posted.

Tony