03-23-2021 10:59 PM
Tell me please: is it possible to create an access policy for the MyDevices portal to allow access only to a certain group in AD?
At the moment, I have done this way:
In the Identity Source Sequences at MyDevice_Portal_Sequence I left "Internal Users" Identity Source only. Then I added the Network Access User with the same name as in the AD Database and password type as AD Sequence.
It works, but it is very inconvenient and not flexible.
And a second question: how can I modify the MyDevices Portal to add a combo-box for selecting the endpoint group to the standard form?
03-25-2021 10:14 PM
Hi,
You can post your query in the below community channel:
https://community.cisco.com/t5/network-access-control/bd-p/discussions-network-access-control
Cheers,
Pratham
07-11-2021 10:30 PM
I have not scanned the Community questions in a little while and this one passed me by. But I have a solution for you. Did you find a solution in the end?
It so happens that I saw this work in a customer and it's quite unbelievable.
The trick is to tell the MyDevices Portal to NOT use AD or ISE Local users as the Authentication source, but use ISE Loopback addresses instead. WHAT? ISE has loopback addresses as an Identity Source? No, not by default, but this is where the hack starts.
Create a Loopback by defining ISE as a "RADIUS Token Server" - you're telling ISE that there is a token server (which is itself … max up to 2 servers can be defined.
The RADIUS shared secret must be the same as the shared secret mentioned further below … it's not used anywhere else other than here (in the token server definition) and later on, in the ISE NAD definition.
Then use that ISE Loopback definition to modify the standard My Devices Sequence.
Hilarious, isn't it?
I have some screenshots but they are taken from a customer setup - I have not sanitised them for this Community - but I think you should be ok with the information above.
The bottom line is that with this hack, the My Devices Portal will cause ISE to make RADIUS requests to ITSELF and you can catch these requests in the standard Policy Set.
Let me know how you get on.
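An added illustration of what the loopback actually exchanges, written for this thread and not taken from the original post or from Cisco ISE code: a minimal RADIUS PAP Access-Request / Access-Accept round trip (RFC 2865), with the "policy set" side standing in for the AD group check. The directory entries, the group name `MyDevices-Users`, the shared secrets and the PAP assumption are all constructed placeholders. The point it shows is why the shared secret in the token-server definition and in the NAD definition must be identical: with mismatched secrets the User-Password cannot be decrypted and the Response Authenticator fails verification, so the portal login is rejected rather than silently succeeding.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

# Constructed stand-in for the AD lookup the policy set would do:
# user -> (password, AD groups). Hypothetical values, not from the thread.
DIRECTORY = {
    "alice": ("alice-pw", {"Domain Users", "MyDevices-Users"}),
    "carol": ("carol-pw", {"Domain Users"}),
}
REQUIRED_GROUP = "MyDevices-Users"   # the group the policy-set condition matches


def _attr(atype, value):
    """Encode one Type/Length/Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    """Decode TLV attributes, rejecting truncated or zero-length ones."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def pap_encrypt(password, secret, req_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(cipher, secret, req_auth):
    """Inverse of pap_encrypt; chains on the ciphertext blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = cipher[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident=0x2A, req_auth=None):
    """Token-server side: what the portal login becomes on the wire."""
    req_auth = req_auth or os.urandom(16)
    body = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def response_authenticator(code, ident, length, req_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + req_auth + body + secret).digest()


def handle_access_request(packet, server_secret):
    """Policy-set side: decrypt PAP, check password and AD group, answer."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = pap_decrypt(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, req_auth)
    entry = DIRECTORY.get(user)
    ok = (entry is not None
          and hmac.compare_digest(entry[0].encode(), pw)
          and REQUIRED_GROUP in entry[1])
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = _attr(ATTR_REPLY_MESSAGE, b"permitted" if ok else b"denied")
    length = 20 + len(body)
    auth = response_authenticator(code, ident, length, req_auth, body, server_secret)
    return struct.pack("!BBH", code, ident, length) + auth + body


def verify_response(request, response, client_secret):
    """Token-server side: trust the reply only if its authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None                      # unsolicited or truncated reply
    expected = response_authenticator(code, ident, length, request[4:20],
                                      response[20:length], client_secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None                      # wrong shared secret (or spoofed reply)
    return code


def mydevices_login(username, password, client_secret, server_secret):
    """Whole loopback: portal -> token server -> policy set -> verified answer."""
    req = build_access_request(username, password, client_secret)
    return verify_response(req, handle_access_request(req, server_secret), client_secret)
```

In the real deployment both secrets are typed into ISE by hand, once in the RADIUS Token Server definition and once in the Network Device entry for ISE's own address, which is exactly the situation `mydevices_login` models: `ACCESS_ACCEPT` only for a user in the required group when both secrets agree, `ACCESS_REJECT` for a valid user outside the group, and `None` (authenticator failure, nothing trusted) when the two secrets differ.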
03-25-2021 10:46 PM
Thank you! Perhaps this is what I will do )
07-11-2021 11:22 PM
Oh, thank you very much!
I have already been prompted for a similar solution.
This solution is really from the category of hacking skill )) But it works!