07-22-2025 03:54 PM
Hello ISEberg,
My team is currently working with a customer to deploy a complex BYOD wireless guest access SSID at 100 sites using Entra ID as the IDP. The network technology in use is Meraki MR access points using Cisco ISE on the backend for authentication.
We have followed the legendary guide from Greg Gibbs and have successfully set up a basic BYOD guest access SSID that uses Entra ID for authenticating and self-registering the user's device into a MAB list - no issues with this implementation. Works perfectly for a single Site A. (https://community.cisco.com/t5/security-knowledge-base/ise-byod-flow-using-entra-id/ta-p/4400675)
The trouble we are having is implementing security controls to prevent User A from being able to log into Site B if they are not a part of the Site B Entra Security Group. This is a security requirement from our customer that must be met. The user, once authenticated, also should not be prompted for re-login for 30 days, so the endpoint MAC must be persistent in the endpoint group for 30 days.
Entra ID is returning the user's security group GUIDs in the SAML response to ISE after a successful authentication, but ISE does not store the security groups against the endpoint, making it impossible to build policy that is based on the user's group membership. After the user registers an endpoint via the first portal redirect AuthZ flow, the security group attribute is gone, and when the device comes back around to authenticate the second time (once the MAC is stored in the endpoint list), we can't find a way to check the user's security groups.
07-22-2025 07:59 PM
The 'remember me' flow is based purely on MAB and the check against the defined Endpoint Identity Group, so there is no way to perform a check against Entra ID in that flow.
The EIG is assigned by the Guest Type, which is associated with the Guest Portal, so I can't think of a way to do it other than creating a unique EIG, Guest Type, Guest Portal, and Authorization Profile per site and using the network device location as a condition to dictate which Guest Portal they are directed to.
It might be an okay solution for two sites, but would not scale well for a large number of sites.
This would be a better use case for 802.1x, but that gets very tricky (and problematic) with non-managed devices.
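The per-site design from the reply above, as an added model that is not part of the thread and not ISE code: each site gets its own Endpoint Identity Group, the MAB "remember me" rule matches only when the endpoint's EIG corresponds to the network device location, and anything else falls through to the portal redirect, where the Entra group claim from the SAML response is the only point at which site membership can be enforced. The group GUIDs, site names, EIG names, MAC address and the 30-day expiry check are constructed placeholders; the model also assumes one EIG per endpoint.

```python
"""Constructed simulation of the per-site BYOD guest flow (not ISE's API).

Two decision points are modelled:
  * portal_registration: the SAML-backed portal pass, where Entra group GUIDs
    are visible and the endpoint is placed in the site's EIG.
  * mab_authorization: the later MAB pass, where only the endpoint record
    (EIG plus registration time) and the NAD location are available.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

REMEMBER_ME_DAYS = 30  # requirement from the original question

# Constructed placeholder GUIDs: Entra security group -> site it grants access to.
SITE_GROUPS = {
    "00000000-0000-0000-0000-0000000000aa": "SiteA",
    "00000000-0000-0000-0000-0000000000bb": "SiteB",
}

# Network device location -> the Endpoint Identity Group its MAB rule matches on.
SITE_EIG = {"SiteA": "GuestEndpoints_SiteA", "SiteB": "GuestEndpoints_SiteB"}


@dataclass
class Endpoint:
    mac: str
    eig: str
    registered_at: datetime


class GuestPolicy:
    def __init__(self) -> None:
        # Endpoint database: one EIG per endpoint (model assumption).
        self.endpoints: Dict[str, Endpoint] = {}

    def portal_registration(self, mac: str, nad_location: str,
                            saml_groups: Iterable[str], now: datetime) -> str:
        """Portal pass: Entra groups are only available here."""
        site_eig: Optional[str] = SITE_EIG.get(nad_location)
        if site_eig is None:
            return "DenyAccess"  # location has no per-site portal/EIG configured
        allowed_sites = {SITE_GROUPS[g] for g in saml_groups if g in SITE_GROUPS}
        if nad_location not in allowed_sites:
            # User is not in this site's Entra group: refuse to register the MAC.
            return "DenyAccess"
        self.endpoints[mac.lower()] = Endpoint(mac.lower(), site_eig, now)
        return f"PermitAccess:{site_eig}"

    def mab_authorization(self, mac: str, nad_location: str, now: datetime) -> str:
        """MAB pass: the decision can only use the stored endpoint record."""
        ep = self.endpoints.get(mac.lower())
        if ep is None:
            return "RedirectToPortal"  # unknown MAC: fall through to the site's portal rule
        if now - ep.registered_at > timedelta(days=REMEMBER_ME_DAYS):
            del self.endpoints[mac.lower()]  # stands in for an endpoint purge policy
            return "RedirectToPortal"
        if SITE_EIG.get(nad_location) != ep.eig:
            # Known MAC but in another site's EIG: this site's remember-me rule does
            # not match, so the request falls through to this site's portal redirect.
            return "RedirectToPortal"
        return "PermitAccess"


def demo_flow() -> list:
    """Walk one endpoint through both sites and return the decisions in order."""
    policy = GuestPolicy()
    t0 = datetime(2025, 7, 22, 15, 54)
    mac = "AA:BB:CC:DD:EE:01"  # constructed
    groups_site_a_only = ["00000000-0000-0000-0000-0000000000aa"]
    return [
        policy.mab_authorization(mac, "SiteA", t0),                                   # unknown MAC
        policy.portal_registration(mac, "SiteA", groups_site_a_only, t0),             # registers at A
        policy.mab_authorization(mac, "SiteA", t0 + timedelta(days=5)),               # remembered at A
        policy.mab_authorization(mac, "SiteB", t0 + timedelta(days=5)),               # not A's EIG -> B portal
        policy.portal_registration(mac, "SiteB", groups_site_a_only, t0 + timedelta(days=5)),  # not in B group
        policy.mab_authorization(mac, "SiteA", t0 + timedelta(days=31)),              # 30 days elapsed
    ]


if __name__ == "__main__":
    for step, decision in enumerate(demo_flow(), 1):
        print(step, decision)
```

The point the reply makes shows up in the model: `mab_authorization` never sees a group claim, so the only thing that keeps a Site A endpoint out of Site B is that Site B's MAB rule matches a different EIG and its portal rule re-checks the Entra group. Every additional site adds another EIG, portal and location condition, which is the scaling cost the reply describes.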