Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2143
Views
0
Helpful
5
Replies

ISE CWA only allow certain AD group to register their devices

Go to solution
justinbodie
Level 4
Level 4

‎04-09-2018 01:05 PM

Hi there, I have a question regarding ISE and Central Web Auth (CWA)...

I would like to authorize an AD user who's a member of a particular AD group to be able to register their device's MAC address for "long term" guest access without using the BYOD flow.

For now, what works fine is setting up a sponsored guest portal with the identity source specified as AD. Then any AD user can authenticate to the portal and the device will be automatically registered into the specified endpoint identity group.  But we only want a subset of AD users to have the ability to do this.

I don't want to use the BYOD flow for the following reasons:  1) Cumbersome with Android or any non-Apple OS; 2) Does not support the iOS mini-browser, 3) Pre-auth ACL needs to allow Google to allow users to download the provisioning app.

I have tried adding a line in the related authorization policy saying "Network Access: Use Case = Guest Flow", with membership in the AD group as the condition and PermitAccess as the result, but it doesn't seem to take any effect.

I'd like to know if there is any known way to use an AD group as an authentication/authorization criteria for a CWA portal.

Thank you,

Justin

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎04-09-2018 01:20 PM

there is no way to call that out in the beginning or during the flow, has to be after the flow.  Please use this as an example of how it was done with multiple groups and i am sure you can derive a way out of that. If not let me know

Re: ISE map AD group to Endpoint Group

The guest portal has a setting for what guest type is used for employee logins (non-guest database).

Screen Shot 2018-04-09 at 4.35.33 PM.png

Under this guest type you would select a special identity group (EmployeeNoAccess) for example

Setup Hotspot portalX setting endpoint group to EmployeeAccess

Under authorization policy

the order matters:

if mab and endpoint group EmployeeAccess then permit access

if mab and guest flow and AGgroupX then redirect to hotspotportalX

if mab and endpoint group EmployeeNoAccess then redirect to uploaded HTML page with message

if mab redirection to guest portal

May need to be tweaked as this is off the top of my head

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎04-09-2018 01:20 PM

there is no way to call that out in the beginning or during the flow, has to be after the flow.  Please use this as an example of how it was done with multiple groups and i am sure you can derive a way out of that. If not let me know

Re: ISE map AD group to Endpoint Group

The guest portal has a setting for what guest type is used for employee logins (non-guest database).

Screen Shot 2018-04-09 at 4.35.33 PM.png

Under this guest type you would select a special identity group (EmployeeNoAccess) for example

Setup Hotspot portalX setting endpoint group to EmployeeAccess

Under authorization policy

the order matters:

if mab and endpoint group EmployeeAccess then permit access

if mab and guest flow and AGgroupX then redirect to hotspotportalX

if mab and endpoint group EmployeeNoAccess then redirect to uploaded HTML page with message

if mab redirection to guest portal

May need to be tweaked as this is off the top of my head

0 Helpful

Go to solution
justinbodie
Level 4
Level 4
In response to Jason Kunst

‎04-09-2018 01:30 PM

I think I see where you're going with this. I'll give it a try!

Justin

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to justinbodie

‎04-09-2018 01:40 PM

I updated my answer check that out

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to justinbodie

‎04-09-2018 03:50 PM

[I have tried adding a line in the related authorization policy saying "Network Access: Use Case = Guest Flow", with membership in the AD group as the condition and PermitAccess as the result, but it doesn't seem to take any effect.]

May be hitting  CSCvh06189    Attributes for the guest flow do not match in the Authorization Policy.

As indicated in above, this involves a multi-pass flow where first pass is unknown getting redirected to general portal page (or portal specific to things known at RADIUS level like NAD/Called Station ID/SSID, etc) and ince authenticated to AD, we can use the web auth username to match a more specific portal for hotspot to trigger a group-specific registration ID group.

Craig

0 Helpful

Go to solution
justinbodie
Level 4
Level 4

‎04-18-2018 02:57 PM

Hi all,

OK, so I had a chance to try this out and it didn't quite work how I wanted.  ISE 2.1, latest patch.

We have policy sets differentiated by device type and by SSID.  The policy set used for this function (let's call it Policy Set A) has the criteria of Device Type: WLC and RADIUS:Called-Station-ID contains ssidname.

The first time going through the policies, the correct policy set runs and the user logs into the CWA portal.  After the CoA occurs, Policy Set A is not hit anymore, and the policy sets fall through to policy set B which only has the criteria of Device Type: WLC.

What we're missing here is persistence of the RADIUS:Called-Station-ID between the first and second authorizations.  The strange thing is it looks like it's there -- in the ISE log from the 2nd auth, which hit policy set B, there is an entry saying that SSID is "ssidname" so I'm not sure why that policy set isn't being hit.

Any ideas??

-Justin

0 Helpful
Customers Also Viewed These Support Documents