02-07-2022 08:25 AM
Hi,
I am evaluating ISE guest portal solution to create a guest solution for the company employees.
The policy should allow only one specific AD group to authenticate on the guest portal. But I do not find any option in the identity source sequence which allows binding to an AD group; instead it allows the whole AD join point.
On the internet I am seeing people posting policy sets with authorization rules which use AD groups. I do not understand how they are evaluating those policy sets.
My requirements: Wired/Wireless MAB; user is presented with the portal; the portal accepts login credentials only for specific AD groups. After portal authentication, users are allowed network access. No sponsor, self-registration etc. required.
I cannot bind an AD group for the above in policy sets. What I am seeing from the packet capture for wired MAB is that:
The switch talks with ISE via RADIUS; here the username is always the MAC address of the PC connected to the switch.
Login credentials (AD username/password) flow through the portal over HTTP, with no relation to RADIUS. The portal cannot evaluate an AD group; it can only evaluate the whole AD, which defeats my purpose.
For an ISE policy set to match, the username must come from the switch (like 802.1X) via RADIUS, which is not possible in a CWA portal-based scenario.
Can anybody give me a hint!!! Or any other ISE-based solution where the user will be granted access with a device MAC address that comes from a selected AD group only.
Regards.
02-07-2022 08:45 AM
I am attaching a picture from CCNP Security Identity Management SISE 300-715 Official Cert Guide by Aaron Woland, Katherine McNamara. I hope I am not breaching copyright.
In the book they are using something called Guest_Flow and AD-Group. From my experience, this Guest_Flow never works if I put it in a policy. The only difference is I am testing it with wired MAB and another vendor's switch. But it should work, as everything is based on RADIUS. And how are they matching an AD group, as the switch has no idea (for RADIUS) what the user has entered as username/password?
Any idea what I am missing?
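The two posts above describe the pieces (MAB with the MAC as User-Name, an HTTP portal login against the whole AD join point, and a Guest_Flow condition) without showing how they connect. The Python model below is an added illustration, not Cisco ISE code and not from the cert guide: it simulates a Central Web Auth session so you can see why a MAB-only RADIUS request can still be matched against an AD group. The mechanism it models is the standard CWA sequence: the first MAB request gets a redirect, the portal login only validates credentials and tags the session as a Guest Flow, a CoA-Reauth makes the switch send a fresh MAB request, and only that second request is evaluated by an authorization rule of the form "Guest_Flow AND AD group". The directory contents, the group name `Guest-Portal-Allowed`, the profile names and the attribute names are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the AD join point: username -> (password, groups).
# The portal's identity source sequence can only say "valid AD user or not";
# group membership is consulted later, by the authorization policy.
AD_DIRECTORY = {
    "alice": ("alice-pw", {"Domain Users", "Guest-Portal-Allowed"}),
    "bob": ("bob-pw", {"Domain Users"}),
}
ALLOWED_GROUP = "Guest-Portal-Allowed"  # assumed AD group name


@dataclass
class Session:
    """What the policy server remembers about one endpoint, keyed by MAC."""
    mac: str
    portal_user: Optional[str] = None
    use_case: Optional[str] = None  # becomes "Guest Flow" after portal login


class CwaModel:
    """Simplified CWA flow: MAB -> redirect -> portal login -> CoA -> MAB again."""

    def __init__(self):
        self.sessions = {}
        self.coa_log = []  # CoA-Reauth messages that would be sent to the switch

    def radius_mab(self, mac):
        """RADIUS Access-Request from the switch; User-Name is the MAC address.
        Authorization rules are evaluated top to bottom, modelled on the
        Guest_Flow + AD-group rule the posts refer to."""
        s = self.sessions.setdefault(mac, Session(mac=mac))
        if s.use_case == "Guest Flow":
            # Rule 1: Guest_Flow AND portal user is in the allowed AD group.
            _, groups = AD_DIRECTORY[s.portal_user]
            if ALLOWED_GROUP in groups:
                return "PermitAccess"
            # Rule 2: Guest_Flow but wrong group -> deny.
            return "DenyAccess"
        # Rule 3: plain MAB with no portal identity yet -> send to the portal.
        return "CWA-Redirect"

    def portal_login(self, mac, username, password):
        """HTTP(S) portal login. Only credential validity against the whole AD
        join point is checked here; on success the session is tagged as a
        Guest Flow and a CoA-Reauth makes the switch re-send MAB so the
        authorization policy is evaluated again with the portal identity."""
        s = self.sessions.get(mac)
        if s is None or s.use_case == "Guest Flow":
            return False  # no pending CWA session for this endpoint
        entry = AD_DIRECTORY.get(username)
        if entry is None or entry[0] != password:
            return False  # bad credentials: session stays in redirect state
        s.portal_user = username
        s.use_case = "Guest Flow"
        self.coa_log.append(("CoA-Reauth", mac))
        return True


def run_flow(mac, username, password):
    """Drive one endpoint through the whole flow; return the three decisions."""
    ise = CwaModel()
    first = ise.radius_mab(mac)                       # MAB, no identity yet
    logged_in = ise.portal_login(mac, username, password)
    second = ise.radius_mab(mac) if logged_in else first  # MAB after CoA
    return first, logged_in, second


if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("alice", "wrong")):
        print(user, run_flow("00:11:22:33:44:55", user, pw))
```

The point the model makes explicit: the AD-group condition is never evaluated on the portal's HTTP login, nor on the first MAB request. It is evaluated on the second RADIUS request, after CoA, where the session already carries the user who authenticated on the portal. If the switch never performs the re-authentication triggered by the CoA (a common issue with third-party switches that expect a different CoA type or port), the second pass never happens and a Guest_Flow rule will appear to never match.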