AD Group controlled access to BYOD self-reg portal (ISE 2.4)

darryldigsit
Cisco Employee

What is the recommendation if a customer wants to limit access to the self-reg BYOD portal based on AD Groups? i.e. staff and contractors get access to self-register devices, but no one else can access the portal...

Accepted Solution

Jason Kunst
Cisco Employee
Are you trying to limit access to the My Devices Portal? Then use this document as Paul mentioned
https://community.cisco.com/t5/security-documents/ise-1-3-2-1-sponsor-authorization-on-secondary-attributes/ta-p/3641379

Otherwise if you’re trying to determine what groups have to go through BYOD flow for native supplicant and certificate provisioning then you can do the following:

This will allow guests and certain users who are not BYOD-required to go direct to the internet; otherwise it forces them to go through BYOD.
Authz rules:

* If TLS auth valid cert then permit access
* If mab and guestflow and BYODrequiredgroup (AD employee, contractor) then redirect to NSP (byod portal)
* If mab and guestflow then permit access, OR if mab and guest endpointgroup then permit access
* If mab then redirect to guest portal (CWA)
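
The rule set above depends on first-match evaluation: the BYOD-required redirect must sit above the generic guest-flow permit, or employees and contractors get straight to the internet without certificate provisioning. The following is an added example (not from this thread or from Cisco) that models those rules as a first-match policy over constructed session attributes and shows what happens when the two middle rules are swapped; the AD group names and the `GuestEndpoints` identity group are assumptions.

```python
# Added example: first-match model of the authz rules in the accepted answer.
# Session attributes and group names below are constructed for illustration.
from dataclasses import dataclass, field

BYOD_REQUIRED_GROUPS = {"employee", "contractor"}   # assumed AD group names


@dataclass
class Session:
    auth_method: str                 # "eap-tls" or "mab"
    valid_cert: bool = False         # EAP-TLS presented a valid certificate
    guest_flow: bool = False         # user already authenticated on the guest portal
    ad_groups: set = field(default_factory=set)  # AD groups from the portal login
    endpoint_group: str = ""         # endpoint identity group of the MAC address


# (rule name, condition, result) evaluated top-down; first match wins
AUTHZ_RULES = [
    ("EAP-TLS valid cert",
     lambda s: s.auth_method == "eap-tls" and s.valid_cert,
     "PermitAccess"),
    ("MAB + guest flow + BYOD-required group",
     lambda s: s.auth_method == "mab" and s.guest_flow
     and bool(s.ad_groups & BYOD_REQUIRED_GROUPS),
     "Redirect:NSP"),
    ("MAB + guest flow, or registered guest endpoint",
     lambda s: s.auth_method == "mab"
     and (s.guest_flow or s.endpoint_group == "GuestEndpoints"),
     "PermitAccess"),
    ("MAB default",
     lambda s: s.auth_method == "mab",
     "Redirect:CWA"),
]


def authorize(session, rules=AUTHZ_RULES):
    """Return (matched rule name, result) for the first rule whose condition holds."""
    for name, cond, result in rules:
        if cond(session):
            return name, result
    return "implicit deny", "DenyAccess"


def misordered_rules():
    """Rule list with the BYOD redirect placed below the guest-flow permit."""
    rules = list(AUTHZ_RULES)
    rules[1], rules[2] = rules[2], rules[1]
    return rules
```

With the correct order an employee coming out of the guest portal is sent to NSP; with the swapped order the same session matches the guest-flow permit and never provisions a certificate.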

2 Replies

paul
Level 10

You have to use the RADIUS callback trick documented on the forums. Basically set up ISE as a RADIUS server to itself, which allows the flow to come into a normal policy set where you can apply AD restrictions.
