ISE CWA with Employee Login

dm2020
Level 1

Hi All,

I am trying to configure guest CWA to differentiate between guest and employees that are logging into our guest portal. I believe that I can do this by changing the portal parameter 'Employees using this portal as guests inherit login options from' to a new guest type of 'Employees' that registers employee devices to a dedicated endpoint group that I can call out in an authz policy. This is all good.

What I'm struggling to understand is how does ISE differentiate between an Employee and a guest user in the first place? Are users that authenticate against AD considered as employees and users that are created within the sponsor portal and local in ISE considered as guest users?

Thanks


Jason Kunst
Cisco Employee
Users that are in the guest database are guests. Sponsored or self-registered are guests.
All others are considered employees. Internal accounts, AD, etc.

Thanks Jason, that makes sense.

What I'm trying to do is use a single internal account for guests that is changed on a weekly basis (as the customer doesn't want to create separate guest accounts using the sponsor portal, or for guests to create their own accounts to start with) while also allowing employees to log in using their AD credentials. I was hoping that I could differentiate between employees and guests using an internal account but that doesn't seem possible.

I've also looked at the sponsor portal to create a single reusable guest account but it looks like the password is auto generated and can't be manually defined (needs to be user friendly).

Is what I'm trying to do achievable at all?


@dm2020 wrote:

What I'm trying to do is use a single internal account for guests that is changed on a weekly basis (as the customer doesn't want to create separate guest accounts using the sponsor portal, or for guests to create their own accounts to start with) while also allowing employees to log in using their AD credentials. I was hoping that I could differentiate between employees and guests using an internal account but that doesn't seem possible.

JAK> You could write a policy off the employee AD group, that would be a differentiator: if guest flow and AD group then X, otherwise Y.

I've also looked at the sponsor portal to create a single reusable guest account but it looks like the password is auto generated and can't be manually defined (needs to be user friendly).

JAK> Correct, it's not a feature; it can be done using the API.

Is what I'm trying to do achievable at all?
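
JAK's reply says a guest account with a manually chosen password can be created through the API. As an added example (not from this thread and not Cisco's code), the Python below builds such a creation request with a readable password drawn from a CSPRNG and a seven-day validity window, so each weekly credential expires on its own. The hostname, sponsor credentials, portal ID, guest type and location are placeholders, and the endpoint path, port and field names are assumptions based on the ERS guest-user resource that should be checked against the ERS SDK on your ISE node.

```python
import base64
import json
import secrets
import urllib.request
from datetime import datetime, timedelta

# Constructed word list for a readable passphrase; use a much larger list in practice.
WORDS = ["amber", "birch", "cedar", "delta", "ember", "fjord", "grove", "harbor"]

def friendly_password(words=WORDS, count=2):
    """Readable passphrase from a CSPRNG, e.g. 'Cedar-Fjord-4821'."""
    parts = [secrets.choice(words).capitalize() for _ in range(count)]
    return "-".join(parts) + f"-{secrets.randbelow(10000):04d}"

def build_guest_request(ise_host, sponsor_user, sponsor_pass, portal_id,
                        guest_type, username, password, start, days=7):
    """Build (but do not send) the request that creates one guest account."""
    fmt = "%m/%d/%Y %H:%M"  # assumed ERS date format
    body = {"GuestUser": {  # field names assumed from the ERS guest-user resource
        "guestType": guest_type,
        "portalId": portal_id,
        "guestInfo": {"userName": username, "password": password, "enabled": True},
        "guestAccessInfo": {
            "validDays": days,
            "fromDate": start.strftime(fmt),
            "toDate": (start + timedelta(days=days)).strftime(fmt),
            "location": "San Jose",  # placeholder guest location
        },
    }}
    token = base64.b64encode(f"{sponsor_user}:{sponsor_pass}".encode()).decode()
    return urllib.request.Request(
        f"https://{ise_host}:9060/ers/config/guestuser",  # assumed ERS endpoint
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"},
    )

if __name__ == "__main__":
    # All values below are placeholders, not taken from the thread.
    req = build_guest_request("ise.example.net", "sponsor-api", "PLACEHOLDER",
                              "PORTAL-ID-PLACEHOLDER", "Weekly (default)",
                              "guest-wifi", friendly_password(), datetime.now())
    print(req.get_method(), req.full_url)
    # Sending is left to the caller: urllib.request.urlopen(req) with TLS
    # verification on; keep the generated password out of logs.
```
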


 
