Cisco Employee

WebAuth MAB with AD integration

Do we support this flow with ISE?

  1. User connects to the guest network and authenticates via WEBAUTH with their domain credentials.
  2. This creates an entry in the endpoint database (this entry will add the MAC address and username, and will also add values from Active Directory like Pwd-Last-Set).
  3. After the user disconnects and reconnects, it first attempts to connect with the MAC address.
  4. This will match the entry created in the endpoint database and will run a second query to Active Directory by extracting the username from the first time the user connected via web-auth.
  5. Only if values like Pwd-Last-Set are equal to the values recorded the first time in the endpoint, and if the account is enabled in Active Directory, will the MACAUTH work and let the user connect.

1 ACCEPTED SOLUTION

Cisco Employee

Re: WebAuth MAB with AD integration

Hi,

This is not supported.

Who is the customer asking for this? What is the business case for ISE?
Is this an existing customer or a new one?
Thanks

Tal.

jakunst

5 REPLIES 5
Cisco Employee

Re: WebAuth MAB with AD integration

This is not something that’s supported. Is this for the customer to process accounts when they leave the company?

I would recommend they run a script with the API to remove the endpoints compared to a list of removed accounts.

For feature requests please reach out to the ISE Product Management team
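
An added example (not from this thread or from Cisco) of the reconciliation suggested in the reply above: match each endpoint's recorded username against a list of removed accounts and plan the deletions as a dry run. The record fields, the `ise.example.invalid` host and the `/ers/config/endpoint/{id}` path are assumptions about an ISE ERS export, and all data is constructed.

```python
# Added example; constructed sample data. Assumption: endpoint records were
# already exported from ISE as dicts with "id", "mac" and "portalUser" keys.
ENDPOINTS = [
    {"id": "ep-001", "mac": "AA:BB:CC:00:00:01", "portalUser": "CORP\\alice"},
    {"id": "ep-002", "mac": "AA:BB:CC:00:00:02", "portalUser": "bob@corp.example"},
    {"id": "ep-003", "mac": "AA:BB:CC:00:00:03", "portalUser": "carol"},
    {"id": "ep-004", "mac": "AA:BB:CC:00:00:04", "portalUser": ""},
]
REMOVED_ACCOUNTS = ["Alice", "BOB", "dave"]  # constructed list of removed accounts


def normalize(username):
    """Reduce DOMAIN\\user, user@domain and mixed case to one bare login name.

    Caveat: dropping the domain can merge different people in a multi-domain
    forest; keep the domain in the key if that applies.
    """
    name = (username or "").strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def plan_removals(endpoints, removed_accounts):
    """Return (endpoints to delete, MACs with no recorded owner)."""
    removed = {normalize(a) for a in removed_accounts} - {""}
    plan, unowned = [], []
    for ep in endpoints:
        user = normalize(ep.get("portalUser"))
        if not user:
            unowned.append(ep["mac"])  # cannot be tied to an account: review by hand
        elif user in removed:
            plan.append({"id": ep["id"], "mac": ep["mac"], "user": user})
    return plan, unowned


def delete_requests(plan, base_url="https://ise.example.invalid:9060"):
    """Build the DELETE calls; path is assumed from the ISE ERS endpoint resource."""
    return [("DELETE", f"{base_url}/ers/config/endpoint/{p['id']}") for p in plan]


if __name__ == "__main__":
    plan, unowned = plan_removals(ENDPOINTS, REMOVED_ACCOUNTS)
    for method, url in delete_requests(plan):
        print("dry run:", method, url)
    print("no owner recorded:", unowned)
```

Endpoints with no recorded username are reported separately instead of being deleted, since they cannot be tied to any account.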

Cisco Employee

Re: WebAuth MAB with AD integration

What about the BYOD flow using certificate-based auth? We could take the username from the cert in an authz rule and validate that it is part of an AD group; this is the standard configuration recommendation.

VIP Engager

Re: WebAuth MAB with AD integration

Not sure of the exact use case here, but remember you always have an option to connect the device to the standard secure SSID and do a WLAN interface based on the results. So something like this:

If PEAP Domain Computer, then allow access to the internal network

If PEAP Domain User, allow access to signal the WLC to move the session to the guest interface

This is a very friendly Employee Guest scenario that uses secure protocols, and AD is checked every time they connect.

Cisco Employee

Re: WebAuth MAB with AD integration

Please work offline with Tal, as this is a public forum.