
Conditional Guest Authentication Success?

Arne Bier
VIP

Hi

Is it possible to perform conditional redirection based on the authentication method chosen?

e.g.

My customer would like to redirect the successful Guest to a different URL, depending on what Identity Source was used to perform the auth.

e.g.

I have an identity source sequence of  

Guest_Portal_Sequence (Contains search list: Guest Users)

AD_or_Guest_Portal (Contains search list:  Guest Users, ADJoinPoint)

If the auth was a success performed against Guest Users, then redirect to www.somesite1.com

If the auth was a success performed against ADJoinPoint, then redirect to www.somesite2.com

The use case is that we want to (ab)use the Guest portal to allow AD users to authenticate using their AD creds, and after they have done so, redirect them to a custom MDM onboarding web site.  But regular sponsored guests would be redirected to a generic page like google.com.

If there is a better way to do this then I would be open to hearing about it.

Accepted Solutions

hslai
Cisco Employee

Just an idea. Perhaps keep it at the authentication success page, and then in the success page test a URL to determine whether to go to MDM or not, based on the authorization profile(s) after CoA.

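One way to implement the idea in the accepted answer, as an added example that is not part of the original post and not Cisco code: a script for the success page that probes a URL and picks the destination. It assumes the employee authorization profile applied after CoA permits a hypothetical `PROBE_URL` that the guest profile and the pre-CoA state block; the function names are made up for this example, and the two destinations are the placeholder sites from the question.

```javascript
// Added example: constructed names and URLs, not Cisco ISE code.
// Assumption: only the employee authorization profile applied after CoA
// permits PROBE_URL; the guest profile and the pre-CoA state block it.
const PROBE_URL = "https://mdm-probe.example.invalid/ping"; // hypothetical
const MDM_URL = "https://www.somesite2.com/";   // AD users (site from the question)
const GUEST_URL = "https://www.somesite1.com/"; // sponsored guests

// Resolves true if the request completes within timeoutMs, false otherwise.
async function probeReachable(url, timeoutMs, fetchImpl = fetch) {
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs);
  try {
    // no-cors: only completion matters, the opaque response is never read.
    await fetchImpl(url, { mode: "no-cors", cache: "no-store", signal: ctl.signal });
    return true;
  } catch (err) {
    return false; // dropped by the ACL, DNS failure, or aborted on timeout
  } finally {
    clearTimeout(timer);
  }
}

// Retries because the new authorization only applies once the CoA completes.
async function chooseDestination({ probe = probeReachable, attempts = 3,
                                   delayMs = 2000, timeoutMs = 1500 } = {}) {
  for (let i = 0; i < attempts; i++) {
    if (await probe(PROBE_URL, timeoutMs)) return MDM_URL;
    if (i < attempts - 1) await new Promise((r) => setTimeout(r, delayMs));
  }
  return GUEST_URL; // probe never succeeded: treat as a regular guest
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  chooseDestination().then((dest) => window.location.replace(dest));
}
```

The probe only steers the browser; which sites each group can actually reach is still decided by the authorization profiles.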

5 Replies

Jason Kunst
Cisco Employee

Under your portal settings make sure you have a guest type for employees

Under this guest type you would register these devices into an employee endpoint group

Would suggest authorization rules: if guest flow and AD group, then redirect to portal

If guest endpoints, permit internet

If MAB, then redirect to portal for login

Hi Jason

We have a Guest Type that we defined for employee guests.  We then tie that to the Guest Portal under the option "Employees using this portal as guests inherit login options from:"

All of this is working fine and I can authenticate Sponsored Guests and AD guests without any issues.  Their MAC addresses end up in the correct Endpoint Identity Groups.

My question was around the "Authentication Success Settings" radio buttons.  I am only allowed to choose one option that then applies to the entire Guest Portal.  I wanted to know if this choice could be made conditional - i.e. have the "Success" redirection based on how the user authenticated.  Is that possible?

The authentication processing logic is mostly a black box inside ISE (as opposed to the flexible RADIUS Policy Set logic) and we are constrained by what the GUI allows us to do.

No, that cannot be made conditional.

You have to identify authorization flows for different groups with different authorization results.

Jason Kunst
Cisco Employee

If your AD rule is above your guest endpoints then you don't need to worry about the portal setting for employees guest type or endpoints
