Enthusiast

ISE CWA only allow certain AD group to register their devices

Hi there, I have a question regarding ISE and Central Web Auth (CWA)...

I would like to authorize an AD user who's a member of a particular AD group to be able to register their device's MAC address for "long term" guest access without using the BYOD flow.

For now, what works fine is setting up a sponsored guest portal with the identity source specified as AD. Then any AD user can authenticate to the portal and the device will be automatically registered into the specified endpoint identity group.  But we only want a subset of AD users to have the ability to do this.

I don't want to use the BYOD flow for the following reasons:  1) Cumbersome with Android or any non-Apple OS; 2) Does not support the iOS mini-browser, 3) Pre-auth ACL needs to allow Google to allow users to download the provisioning app.

I have tried adding a line in the related authorization policy saying "Network Access: Use Case = Guest Flow", with membership in the AD group as the condition and PermitAccess as the result, but it doesn't seem to take any effect.

I'd like to know if there is any known way to use an AD group as an authentication/authorization criteria for a CWA portal.

Thank you,

Justin

Accepted Solutions
Cisco Employee

Re: ISE CWA - AD Group Criteria?

There is no way to call that out at the beginning or during the flow; it has to be after the flow. Please use this as an example of how it was done with multiple groups, and I am sure you can derive a way out of that. If not, let me know.

Re: ISE map AD group to Endpoint Group

The guest portal has a setting for what guest type is used for employee logins (non-guest database).

[Screenshot: Screen Shot 2018-04-09 at 4.35.33 PM.png]

Under this guest type you would select a special identity group (EmployeeNoAccess, for example).

Set up Hotspot portal X, setting its endpoint group to EmployeeAccess.

Under the authorization policy, the order matters:

If MAB and endpoint group EmployeeAccess, then permit access.

If MAB and guest flow and ADgroupX, then redirect to Hotspot portal X.

If MAB and endpoint group EmployeeNoAccess, then redirect to an uploaded HTML page with a message.

If MAB, redirect to the guest portal.

This may need to be tweaked, as it is off the top of my head.

5 REPLIES
Enthusiast

Re: ISE CWA - AD Group Criteria?

I think I see where you're going with this. I'll give it a try!

Justin

Cisco Employee

Re: ISE CWA - AD Group Criteria?

I updated my answer; check that out.

Advocate

Re: ISE CWA only allow certain AD group to register their devices

[I have tried adding a line in the related authorization policy saying "Network Access: Use Case = Guest Flow", with membership in the AD group as the condition and PermitAccess as the result, but it doesn't seem to take any effect.]

May be hitting CSCvh06189: Attributes for the guest flow do not match in the Authorization Policy.

As indicated above, this involves a multi-pass flow where the first pass is unknown and gets redirected to a general portal page (or a portal specific to things known at the RADIUS level, like NAD/Called-Station-ID/SSID, etc.), and once authenticated to AD, we can use the web-auth username to match a more specific hotspot portal to trigger a group-specific registration ID group.

Craig
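The ordered rule list in the accepted answer and the multi-pass description in the reply above can be modelled to show why rule order matters and how each portal action changes what the next pass matches. The following is an added example, not ISE code or anything from the thread's participants: it simulates first-match evaluation of the four rules (in the accepted answer's order), the per-pass attributes ISE sees (MAB, the Guest Flow use case, the web-auth user's AD groups, the endpoint's identity group), and a simplified policy-set selection keyed on Called-Station-ID. The identity group names EmployeeAccess/EmployeeNoAccess come from the accepted answer; ADgroupX, the MAC addresses, the SSID string and the assumption that Hotspot portal X replaces the earlier group assignment are constructed for the example.

```python
from dataclasses import dataclass, replace

# Endpoint identity groups named in the accepted answer; the AD group name is assumed.
EMPLOYEE_ACCESS = "EmployeeAccess"
EMPLOYEE_NO_ACCESS = "EmployeeNoAccess"
AD_GROUP_X = "ADgroupX"


@dataclass(frozen=True)
class Request:
    """Attributes ISE sees on one authorization pass (simplified stand-ins)."""
    mac: str
    device_type: str = "WLC"
    called_station_id: str = "aa-bb-cc-dd-ee-ff:ssidname"  # constructed sample
    auth_type: str = "mab"
    guest_flow: bool = False   # Network Access: Use Case = Guest Flow (set after web login)
    ad_groups: tuple = ()      # AD groups of the web-auth user; empty before login


def endpoint_group(req, endpoints):
    """Endpoint identity group from the (in-memory) endpoint database."""
    return endpoints.get(req.mac, "Unknown")


# Authorization rules in the accepted answer's order: (name, condition, result).
# Conditions take (request, endpoint_db); the first rule whose condition holds wins.
RULES = [
    ("permit-registered",
     lambda r, e: r.auth_type == "mab" and endpoint_group(r, e) == EMPLOYEE_ACCESS,
     "PermitAccess"),
    ("groupx-to-hotspot",
     lambda r, e: r.auth_type == "mab" and r.guest_flow and AD_GROUP_X in r.ad_groups,
     "Redirect:HotspotPortalX"),
    ("no-access-page",
     lambda r, e: r.auth_type == "mab" and endpoint_group(r, e) == EMPLOYEE_NO_ACCESS,
     "Redirect:NoAccessHTML"),
    ("default-guest-portal",
     lambda r, e: r.auth_type == "mab",
     "Redirect:GuestPortal"),
]

# Policy sets as in the later post: A needs the SSID in Called-Station-ID, B only WLC.
POLICY_SETS = [
    ("PolicySetA", lambda r: r.device_type == "WLC" and "ssidname" in r.called_station_id),
    ("PolicySetB", lambda r: r.device_type == "WLC"),
]


def select_policy_set(req):
    """First policy set whose conditions match; a pass missing the SSID falls to B."""
    for name, cond in POLICY_SETS:
        if cond(req):
            return name
    return "Default"


def authorize(req, endpoints, rules=RULES):
    """First-match authorization; returns (rule name, result)."""
    for name, cond, result in rules:
        if cond(req, endpoints):
            return name, result
    return "implicit-deny", "DenyAccess"


def cwa_flow(mac, user_ad_groups, endpoints, rules=RULES):
    """Simulate the multi-pass flow: each redirect is followed by the portal's
    action on the endpoint DB and a CoA re-authorization with updated attributes.
    Returns the list of (rule, result) hit on each pass."""
    trail = []
    req = Request(mac=mac)
    while True:
        name, result = authorize(req, endpoints, rules)
        trail.append((name, result))
        if result == "Redirect:GuestPortal":
            # Employee login on the guest portal: the employee guest type registers
            # the MAC into EmployeeNoAccess, and the next pass carries the web-auth identity.
            endpoints[mac] = EMPLOYEE_NO_ACCESS
            req = replace(req, guest_flow=True, ad_groups=tuple(user_ad_groups))
        elif result == "Redirect:HotspotPortalX":
            # Hotspot portal X registers the MAC into EmployeeAccess (assumed to replace
            # the earlier assignment), then CoA triggers another pass.
            endpoints[mac] = EMPLOYEE_ACCESS
        else:
            return trail  # PermitAccess, the no-access page or deny ends the flow
        if len(trail) > 5:
            raise RuntimeError("redirect loop: no terminal rule reached")


if __name__ == "__main__":
    print("ADgroupX member:", cwa_flow("00:11:22:33:44:55", ["ADgroupX"], {}))
    print("other employee: ", cwa_flow("00:11:22:33:44:66", ["Domain Users"], {}))
    misordered = [RULES[0], RULES[2], RULES[1], RULES[3]]  # no-access rule above hotspot rule
    print("wrong order:    ", cwa_flow("00:11:22:33:44:55", ["ADgroupX"], {}, misordered))
```

Running it shows the group member taking three passes (guest portal, hotspot portal, permit) while another employee stops at the no-access page after the second pass; swapping the second and third rules sends the group member to the no-access page too, because the employee login has already placed the MAC in EmployeeNoAccess before the AD group is ever evaluated. The policy-set helper illustrates the separate fall-through in the later post: a second pass whose Called-Station-ID lacks the SSID substring selects Policy Set B rather than A.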

Enthusiast

Re: ISE CWA - AD Group Criteria?

Hi all,

OK, so I had a chance to try this out and it didn't quite work how I wanted.  ISE 2.1, latest patch.

We have policy sets differentiated by device type and by SSID.  The policy set used for this function (let's call it Policy Set A) has the criteria of Device Type: WLC and RADIUS:Called-Station-ID contains ssidname.

The first time going through the policies, the correct policy set runs and the user logs into the CWA portal.  After the CoA occurs, Policy Set A is not hit anymore, and the policy sets fall through to policy set B which only has the criteria of Device Type: WLC.

What we're missing here is persistence of the RADIUS:Called-Station-ID between the first and second authorizations.  The strange thing is it looks like it's there -- in the ISE log from the 2nd auth, which hit policy set B, there is an entry saying that SSID is "ssidname" so I'm not sure why that policy set isn't being hit.

Any ideas?

-Justin