Beginner

Employee CWA (guest portal) flow with remember me

Here is the use case...feel free to suggest another approach, you won't hurt my feelings.

Would like a dedicated SSID for employee internet access only (no other networks will be exposed)...there is no concept of corp devices so profile/posture is not an issue and an AD username/password will be used to auth (both auths). Is there a better way than....create an SSID for employee internet access only, they join the SSID and get redirected to a splash that prompts for AD username/password....AD validates credentials and network access (Internet) is allowed. I think this part is fairly straightforward (if not please correct me, again my feelings don't matter here).

The question I have is can I adjust the authorization time to be say 30 days or longer so the employees log in once per device (we will limit the number of devices per employee) and that login is valid for say 30 days until a re-auth is required? (It's an end user thing where the business does not want to "burden" the end user with logging in every day (spare me the why...already tried).)

Thanks


Accepted Solutions
Cisco Employee

Re: Authentication timeout variable?

This is a common ask and people do this all the time.

You would use a guest portal (sponsored guest will work fine).

When the AD user logs in, the endpoint is registered in the guest endpoint group (a new group called employee endpoint could be used as well).

The endpoint purge policy by default will remove the guest endpoint after 30 days.

Screen Shot 2017-03-23 at 10.41.32 AM.png

The endpoint group is assigned in the guest type (you could create a guest type for employees).

Screen Shot 2017-03-23 at 10.30.15 AM.png

Under the portal settings there is an option on what guest type to use for employee logins.

Change weekly to employee.

Screen Shot 2017-03-23 at 10.34.21 AM.png

The authz rules would be the following (in order):

if guest_endpoints and wireless_mab then permit internet

if wireless_mab then redirect to portal
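
A small Python model of the flow in the answer above, added here as an illustration (it is not ISE configuration or Cisco code): it evaluates the two authz rules top-down with first match winning, and shows that the remembered state lives in the endpoint group, keyed by MAC, until the purge removes it. The names `EndpointGroup`, `authorize` and `simulate`, the sample MAC, and the exact 30-day cutoff comparison are assumptions made for the example.

```python
from datetime import datetime, timedelta

PURGE_AFTER = timedelta(days=30)   # default guest endpoint purge age stated in the answer

# Ordered rule table from the answer: (name, condition, result). First match wins.
RULES = [
    ("registered", lambda s: s["wireless_mab"] and s["in_guest_endpoints"], "permit_internet"),
    ("unknown",    lambda s: s["wireless_mab"],                             "redirect_to_portal"),
]

class EndpointGroup:
    """Toy stand-in (assumption) for the guest/employee endpoint group, keyed by MAC."""
    def __init__(self):
        self.registered = {}                  # mac -> time the portal login registered it

    def register(self, mac, now):
        self.registered[mac.lower()] = now

    def purge(self, now):
        """Drop endpoints registered PURGE_AFTER or longer ago; return what was removed."""
        expired = [m for m, t in self.registered.items() if now - t >= PURGE_AFTER]
        for m in expired:
            del self.registered[m]
        return expired

    def __contains__(self, mac):
        return mac.lower() in self.registered

def authorize(mac, group, rules=RULES, wireless_mab=True):
    """Evaluate the rules top-down and return the first matching result."""
    session = {"wireless_mab": wireless_mab, "in_guest_endpoints": mac in group}
    for _name, cond, result in rules:
        if cond(session):
            return result
    return "deny"                             # nothing matched (e.g. not a wireless MAB session)

def simulate(mac="aa:bb:cc:00:11:22"):        # constructed sample MAC
    group, t0 = EndpointGroup(), datetime(2017, 3, 23)
    timeline = [authorize(mac, group)]        # first join: unknown MAC, goes to portal
    group.register(mac, t0)                   # AD login on the portal succeeds
    timeline.append(authorize(mac, group))    # reconnect: remembered, no portal
    group.purge(t0 + timedelta(days=29))
    timeline.append(authorize(mac, group))    # day 29: still remembered
    group.purge(t0 + timedelta(days=30))
    timeline.append(authorize(mac, group))    # day 30: purged, portal login required again
    return timeline

if __name__ == "__main__":
    print(simulate())
```

Passing `rules=RULES[::-1]` to `authorize` shows why the order matters: the broader `wireless_mab` rule matches first and a registered device is sent to the portal on every connection.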
