Re: CWA Auth for specific AD group

Anukalp S · ‎03-12-2018

Hi. i have setup CWA auth on ISE for our wireless corporate users so that they could connect on wifi using their AD credentials. Everything is setup on WLC and ISE side and it is also working but problem is all AD users are able to login though we want to give access to specific group in AD, i have also setup same in authorization rule but still it is not working. Please suggest , see below auth rule where i have allowed only "information technology" group users but all AD users are able to login.

Arne Bier · ‎03-13-2018

I don't think this is possible. Would be nice though. The more I think about it, the more I would like to see a Policy Set type of logic for the Portal Authentication - all the logic is tied up in menu options, which is not very flexible.

Have you asked this question over at https://communities.cisco.com/community/technology/security/pa/ise ? The ISE TME's usually provide a good answer.

jan.nielsen · ‎03-14-2018

Like Arne said, this actually used to be possible as there was a more granular control of the guest authentication policy, now it's basically down to selecting the identity store/sequence under the guest portal. What i have done before is to connect using LDAP to AD, and then restrict the container where i look for users, then ISE will simply not be able to authenticate users that are not in that container, it probably won't work if you users are members of a group, only if they are actually located in the same place in your AD.

Anukalp S · ‎03-15-2018

Hi.. Thanks it works now but facing ISE CWA redirect page opening issue on Chrome browser, on other browser it works, i have been running ISE 2.2, please suggest for compatibility with chrome.