Cisco ISE 1.4 LDAP integration

Roger Base
Level 1

Hi Forum.

So I am using GuestPortal (sponsored) with identity sequence "MYLDAP" only for authentication. I want to grant access ONLY to users that are members of group XY in AD. By default ISE gives access to ALL users in AD. So if a user is not a member of group XY, he or she should get an "Authentication failed" message directly from the portal.

Any experts?

6 Replies

nspasov
Cisco Employee

The authentication process will only fail if:

- Authentication fails

- A user is not found in that identity store

If you want to provide granular restrictions based on the actual user group then you have to utilize the authorization policies.

Thank you for rating helpful posts! 

Hi Neno.

I am aware of that. I was thinking about this. Only user1, user2 and user3 should succeed at login, because they are members of group "ISE".

AD
- OU MYCOMPANY XYZ
  - OU Users
    - User1
    - User2
    - User3
    - User4
    - User5
  - OU ISE
    - member = user1
    - member = user2
    - member = user3

My answer remains the same:

- You cannot restrict the authentication process on per individual user/endpoint. If the user/endpoint is found in the identity store and the credentials are correct then the authentication process will succeed

- You can accomplish what you want with authorization rules where you can tie the rule to a specific AD user group or even an individual user/endpoint

Thank you for rating helpful posts! 

I see that. But how will you stop the user before onboarding the device if he or she is not a member of the AD group? In my example everybody with AD credentials can onboard their device. But not everybody can have access, because I am checking their user membership within my second authorization rule.

BYOD flow (Sponsored Guest portal)

Flow steps.

1. Check that your user is in the right AD group; check that the device MAC address is in the right onboarded device group. If true -> you now have internet access with that onboarded device.

2 (catch all). Authorization rule. Guest Portal -> Login with AD credentials -> Automatic device registration -> onboarding done.
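The flow above, as an added model (not code from the thread or from Cisco ISE): authentication only checks that the user exists in the identity store and the credentials are correct, then the two authorization rules are walked top-down, first match wins. The directory contents follow the OU layout posted earlier; the rule names, the registered-device list and the MAC addresses are constructed assumptions.

```python
# Constructed identity store: every user under OU Users, plus the member
# list of group "ISE" as posted in the thread.
IDENTITY_STORE = {"user1", "user2", "user3", "user4", "user5"}
AD_GROUP_ISE = {"user1", "user2", "user3"}
# Constructed (assumption): devices already onboarded through the BYOD portal.
REGISTERED_DEVICES = {"user2": {"aa:bb:cc:dd:ee:02"}}


def authenticate(user, credentials_ok):
    """Authentication against identity sequence MYLDAP succeeds whenever the
    user is found in the store and the credentials are correct. Group
    membership plays no part here, which is the point made in the replies."""
    return user in IDENTITY_STORE and credentials_ok


def authorize(user, mac):
    """Authorization rules from the poster's BYOD flow, evaluated in order;
    the first rule whose condition holds decides the result."""
    rules = [
        # Rule 1: member of AD group ISE AND MAC in the onboarded device group.
        ("Internet",
         lambda u, m: u in AD_GROUP_ISE and m in REGISTERED_DEVICES.get(u, set())),
        # Rule 2 (catch all): send to the guest portal, register the device.
        ("GuestPortal", lambda u, m: True),
    ]
    for result, condition in rules:
        if condition(user, mac):
            return result
    return "Deny"


def access_decision(user, mac, credentials_ok=True):
    """Full decision: a failed authentication stops everything; otherwise the
    first matching authorization rule decides what the user gets."""
    if not authenticate(user, credentials_ok):
        return "AuthFail"
    return authorize(user, mac)


if __name__ == "__main__":
    for user, mac in [("user2", "aa:bb:cc:dd:ee:02"), ("user4", "aa:bb:cc:dd:ee:04"),
                      ("nobody", "aa:bb:cc:dd:ee:99")]:
        print(user, mac, "->", access_decision(user, mac))
```

Walking user4 through it shows the gap the post describes: authentication succeeds because user4 exists in AD, rule 1 does not match, and the catch-all rule still lands the user on the portal where the device gets registered.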

I would have to see your complete rule-set and get a better idea of what you are trying to accomplish but BYOD/Device Onboarding is controlled under the "Client Provisioning" rules. There you can lock things down to the device type, version of code, user, user group, etc.

Thank you for rating helpful posts! 

Hi,

I have the same issue with Guest Portal and LDAP authentication.

I am not able to grant access (authentication) based on LDAP groups.

Any idea?

ISE version 2.1

thanks

Marco