Beginner

Cisco ISE 1.4 LDAP integration

Hi Forum.

So I am using the Guest Portal (sponsored) with the identity sequence "MYLDAP" only for authentication. I want to grant access ONLY to users that are members of group XY in AD. By default ISE gives access to ALL users in AD. So if a user is not a member of group XY, he or she should get an "Authentication failed" message directly from the portal.

Any experts?

Cisco Employee

The authentication process will only fail if:

- Authentication fails

- A user is not found in that identity store

If you want to provide granular restrictions based on the actual user group then you have to utilize the authorization policies.

Thank you for rating helpful posts! 

Beginner

Hi Neno.

I am aware of that. I was thinking about this. Only user1, user2 and user3 should succeed at login because they are members of group "ISE".

AD

 - OU. MYCOMPANY XYZ

- OU Users

   User1

   User2

   User3

  User4

  User5

 - OU ISE

       member = user1

       member = user2

       member = user3

Cisco Employee

My answer remains the same:

- You cannot restrict the authentication process on a per-user/endpoint basis. If the user/endpoint is found in the identity store and the credentials are correct, then the authentication process will succeed.

- You can accomplish what you want with authorization rules, where you can tie the rule to a specific AD user group or even an individual user/endpoint.

Thank you for rating helpful posts! 
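The two-stage decision Neno describes, as an added example that is not part of the original thread or of ISE itself: the identity store can only answer "user not found", "bad credentials" or "success", and group membership is applied afterwards by the authorization policy. Every DN, account, password and rule name below is constructed sample data for this example. The authorization condition keys on the user's group membership (memberOf), which is what an ISE external-group condition evaluates; merely placing a user in an OU is not a group membership.

```python
"""Model of ISE's authentication-then-authorization evaluation against an
LDAP identity source.  All directory content, DNs, passwords and rule
names are constructed for this example, not exported from any real AD."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

BASE_DN = "OU=MYCOMPANY XYZ,DC=example,DC=com"   # assumed base DN
ISE_GROUP_DN = f"CN=ISE,OU=ISE,{BASE_DN}"         # assumed group DN


def _digest(password: str) -> str:
    """Toy password store: SHA-256 hex digest (a real bind is checked server-side)."""
    return hashlib.sha256(password.encode()).hexdigest()


def _user(name: str, password: str, groups: List[str]) -> dict:
    return {"sAMAccountName": name, "pwDigest": _digest(password), "memberOf": list(groups)}


# Constructed directory: DN -> attributes.  user1..user3 are members of CN=ISE,
# user4/user5 are perfectly valid accounts that are not.
DIRECTORY: Dict[str, dict] = {
    f"CN=user1,OU=Users,{BASE_DN}": _user("user1", "pw-user1", [ISE_GROUP_DN]),
    f"CN=user2,OU=Users,{BASE_DN}": _user("user2", "pw-user2", [ISE_GROUP_DN]),
    f"CN=user3,OU=Users,{BASE_DN}": _user("user3", "pw-user3", [ISE_GROUP_DN]),
    f"CN=user4,OU=Users,{BASE_DN}": _user("user4", "pw-user4", []),
    f"CN=user5,OU=Users,{BASE_DN}": _user("user5", "pw-user5", []),
}


def find_user_dn(username: str) -> Optional[str]:
    """Subtree search for sAMAccountName=<username>; None if no such entry."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("sAMAccountName") == username:
            return dn
    return None


def authenticate(username: str, password: str) -> Dict[str, Optional[str]]:
    """Stage 1: identity-store lookup plus a simple bind.  Only the two failure
    reasons from the reply above exist here: user not found, or bad credentials."""
    dn = find_user_dn(username)
    if dn is None:
        return {"result": "User not found", "dn": None}
    if not hmac.compare_digest(DIRECTORY[dn]["pwDigest"], _digest(password)):
        return {"result": "Authentication failed", "dn": dn}
    return {"result": "Success", "dn": dn}


@dataclass
class AuthzRule:
    """One row of an authorization policy: a condition over the session context
    and the profile returned when it matches.  Evaluated top-down, first match wins."""
    name: str
    condition: Callable[[dict], bool]
    profile: str


# Assumed rule and profile names.  The group condition is where the
# "members of group ISE only" requirement actually lives.
AUTHZ_POLICY: List[AuthzRule] = [
    AuthzRule("Guest_Internet", lambda ctx: ISE_GROUP_DN in ctx["groups"], "PermitAccess"),
    AuthzRule("Default", lambda ctx: True, "DenyAccess"),
]


def evaluate(username: str, password: str) -> Dict[str, Optional[str]]:
    """Run both stages and report which stage and rule decided the outcome."""
    authn = authenticate(username, password)
    if authn["result"] != "Success":
        return {"authn": authn["result"], "rule": None, "profile": None}
    ctx = {"user": username, "groups": set(DIRECTORY[authn["dn"]]["memberOf"])}
    for rule in AUTHZ_POLICY:
        if rule.condition(ctx):
            return {"authn": "Success", "rule": rule.name, "profile": rule.profile}
    return {"authn": "Success", "rule": None, "profile": "DenyAccess"}  # unreachable with a catch-all


if __name__ == "__main__":
    for user, pw in [("user1", "pw-user1"), ("user4", "pw-user4"), ("user4", "wrong"), ("user9", "x")]:
        print(user, evaluate(user, pw))
```

Running it shows the behaviour the original poster is seeing: user4 with correct credentials passes authentication (the portal cannot say "Authentication failed" for that case) and is only stopped by the catch-all authorization rule, while a wrong password or an unknown account fails in stage 1.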

Beginner

I see that. But how will you stop the user before onboarding the device if he or she is not a member of the AD group? In my example everybody with AD credentials can onboard their device. But not everybody can have access, because I am checking their group membership in my second authorization rule.

BYOD flow (Sponsored Guest portal)

Flow steps:

1. Check that the user is in the right AD group; check that the device MAC address is in the right onboarded-device group. If true, you now have internet access with that onboarded device.

2. (catch all) Authorization rule: Guest Portal -> login with AD credentials -> automatic device registration -> onboarding done.

Cisco Employee

I would have to see your complete rule-set and get a better idea of what you are trying to accomplish, but BYOD/Device Onboarding is controlled under the "Client Provisioning" rules. There you can lock things down to the device type, version of code, user, user group, etc.

Thank you for rating helpful posts! 

Beginner

Hi,

I have the same issue with Guest Portal and LDAP authentication.

I am not able to grant access (authentication) based on LDAP groups.

any idea?

ISE version 2.1

thanks

Marco