WebAuth MAB with AD integration

Rocky Scotti
Cisco Employee

Do we support this flow with ISE?

  1. The user connects to the guest network and authenticates via WEBAUTH with their domain credentials.
  2. This creates an entry in the endpoint database (this entry will add the MAC address and username, and will also add values from Active Directory like Pwd-Last-Set).
  3. After the user disconnects and reconnects, it first attempts to connect with the MAC address.
  4. This will match the entry created in the endpoint database and will run a second query to Active Directory by extracting the username from the first time the user connected via web-auth.
  5. Only if values like Pwd-Last-Set are equal to the value it printed the first time in the endpoint, and if the account is enabled in Active Directory, will the MACAUTH work and let the user connect.
1 Accepted Solution

Accepted Solutions

surasky
Cisco Employee

Hi,

This is not supported.

Who is the customer asking for this? What is the business case for ISE?
Is this an existing customer or a new one?
Thanks

Tal.


Jason Kunst
Cisco Employee

This is not something that's supported. Is this for a customer to process accounts when they leave the company?

I would recommend they run a script with the API to remove the endpoints compared to a list of removed accounts.

For feature requests please reach out to the ISE Product Management team

What about a BYOD flow using certificate-based auth? We could take the username from the cert in the authz rule and validate that it's part of an AD group; this is a standard configuration recommendation.

Not sure of the exact use case here, but remember you always have an option to connect the device to the standard secure SSID and do a WLAN interface based on the results.  So something like this:

If PEAP Domain Computer then allows access to the internal network

If PEAP Domain User allow access to single the WLC to move the session to the guest interface

This is a very friendly Employee Guest scenario that uses secure protocols, and AD is checked every time they connect.
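The reply above suggests a script that uses the API to remove endpoints matching a list of removed accounts. The following is an added example, not code from the thread or from Cisco: it reconciles a dump of ISE endpoint records against an offboarding list and builds the ERS DELETE requests for the stale entries. It assumes ERS is enabled on port 9060, that the endpoint records are in the `ERSEndPoint` shape returned by `/ers/config/endpoint/{id}` (with the web-auth owner stored in a custom attribute assumed here to be named `WebAuthUser`), and that `/ers/config/endpoint/{id}` accepts DELETE; the host name, sample endpoints and sample account list are constructed placeholders.

```python
"""Added example: remove stale MAB endpoints for offboarded AD accounts via ISE ERS.

Assumptions (not from the thread): ERS on port 9060, endpoint records in the
ERSEndPoint shape, the web-auth username kept in a custom attribute called
"WebAuthUser", and DELETE /ers/config/endpoint/{id} removing an endpoint.
"""
import base64
import urllib.request
from typing import Dict, Iterable, List

ERS_BASE = "https://ise.example.internal:9060/ers/config"  # placeholder host
OWNER_ATTR = "WebAuthUser"  # assumed custom attribute name


def normalise_user(user: str) -> str:
    """Reduce DOMAIN\\user or user@realm to a lower-case sAMAccountName so the
    AD export and the ISE attribute compare on the same key."""
    user = user.strip()
    if "\\" in user:
        user = user.split("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    return user.lower()


def endpoints_to_remove(endpoints: Iterable[Dict], removed_accounts: Iterable[str],
                        attr: str = OWNER_ATTR) -> List[Dict]:
    """Return the endpoints whose recorded web-auth owner is on the removed list.
    Endpoints with no recorded owner are left alone (they were never tied to a
    user by this flow, so the script must not touch them)."""
    removed = {normalise_user(u) for u in removed_accounts}
    stale = []
    for ep in endpoints:
        # ERS nests custom attributes as customAttributes.customAttributes.<name>
        owner = ep.get("customAttributes", {}).get("customAttributes", {}).get(attr)
        if owner and normalise_user(owner) in removed:
            stale.append({"id": ep["id"], "mac": ep["mac"], "user": owner})
    return stale


def build_delete_request(endpoint_id: str, user: str, password: str) -> urllib.request.Request:
    """Build (but do not send) the ERS DELETE for one endpoint id, using the
    basic-auth header ERS expects; the caller decides when to send it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{ERS_BASE}/endpoint/{endpoint_id}", method="DELETE")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    return req


# Constructed sample data standing in for an ERS endpoint export and an
# HR/AD offboarding list.
SAMPLE_ENDPOINTS = [
    {"id": "ep-1", "mac": "00:11:22:33:44:55",
     "customAttributes": {"customAttributes": {OWNER_ATTR: "CORP\\jdoe"}}},
    {"id": "ep-2", "mac": "00:11:22:33:44:66",
     "customAttributes": {"customAttributes": {OWNER_ATTR: "asmith@corp.example"}}},
    {"id": "ep-3", "mac": "00:11:22:33:44:77",
     "customAttributes": {"customAttributes": {OWNER_ATTR: "bjones"}}},
    {"id": "ep-4", "mac": "00:11:22:33:44:88",
     "customAttributes": {"customAttributes": {}}},  # no web-auth owner recorded
]
SAMPLE_REMOVED = ["jdoe", "ASmith"]


def main(dry_run: bool = True) -> List[str]:
    """Plan the deletions; only send them when dry_run is False."""
    planned = []
    for ep in endpoints_to_remove(SAMPLE_ENDPOINTS, SAMPLE_REMOVED):
        req = build_delete_request(ep["id"], "ers-admin", "placeholder-password")
        planned.append(f"{req.get_method()} {req.full_url}  # {ep['mac']} owned by {ep['user']}")
        if not dry_run:
            urllib.request.urlopen(req)  # expects ERS to answer 204 No Content
    return planned


if __name__ == "__main__":
    for line in main(dry_run=True):
        print(line)
```

Run it as a dry run first and review the planned deletions; the owner comparison is deliberately keyed on the sAMAccountName so that an export in `DOMAIN\user` form and an attribute stored as `user@realm` match the same account.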

jakunst

Please work offline with Tal as this is a public forum
