01-30-2018 12:20 AM
Hi there,
We're using a single SSID solution to provide internet access to our employees and patients. The employees are stored in Active Directory and the patients on a RADIUS server. To handle them differently regarding access time and login options, they need to be assigned to different Guest Types and Endpoint Identity Groups. Now the problem is that the portal assigns users from external identity sources (AD and RADIUS) to the same Guest Type (Portal Settings -> "Employees using this portal as guests inherit login options from") and does not allow handling them differently. Is there a solution for this problem?
Thanks and regards,
Marc
01-30-2018 06:02 AM
Correct
There is no direct way to do what you're looking for.
You can try the following with your authorization rules:
If guest flow and other group, then permit their access.
If guest flow and employee group, then permit employee access.
If wireless MAB, then redirect to portal.
The only problem with that is they are all in the inherited employee group per portal, and you can't remember the client so they don't have to log in every new wireless session.
Another option is to use the hotspot portal to override the endpoint group.
You will need a hotspotX for the other group and a hotspotY for employees:
If hotspotX group, then permit accordingly.
If hotspotY group, then permit accordingly.
If guest flow and other group, then redirect to hotspotX.
If guest flow and employee group, then redirect to hotspotY.
If wireless MAB, then redirect to portal.
Yet another option:
Create a portal for each type of group and link accordingly, with the necessary identity source sequence for each portal.
Look for "linking one guest portal to another":
https://communities.cisco.com/docs/DOC-64018?mobileredirect=true#jive_content_id_Customizations
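The hotspot-override rule set above depends entirely on first-match ordering: the endpoint-group permits have to sit above the guest-flow redirects, and both have to sit above the catch-all wireless MAB redirect, or a returning device never gets past the portal. The following is an added example (not part of the reply above and not ISE's own policy engine or attribute dictionary) that models that evaluation as a first-match rule list and walks one employee device through first connect, portal login, and the return visit after its endpoint has been moved into the HotspotY group; the session attribute names, rule names, group names and sample sessions are all constructed for illustration.

```python
# Added example: first-match authorization-rule evaluation for the
# hotspot-override design described in the thread. Attribute names
# (wireless_mab, guest_flow, id_group, endpoint_group) and group names
# are constructed stand-ins, not ISE's real dictionary.
from dataclasses import dataclass
from typing import Callable, Dict, List

Session = Dict[str, object]


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str


def build_hotspot_policy() -> List[Rule]:
    """Rules in the order the reply gives them: endpoint-group permits
    first, then guest-flow redirects to the per-group hotspots, then the
    catch-all wireless MAB redirect to the main portal."""
    return [
        Rule("hotspotX-group",
             lambda s: s.get("endpoint_group") == "HotspotX",
             "PERMIT other-access"),
        Rule("hotspotY-group",
             lambda s: s.get("endpoint_group") == "HotspotY",
             "PERMIT employee-access"),
        Rule("guestflow-other",
             lambda s: bool(s.get("guest_flow")) and s.get("id_group") == "Other",
             "REDIRECT hotspotX"),
        Rule("guestflow-employee",
             lambda s: bool(s.get("guest_flow")) and s.get("id_group") == "Employee",
             "REDIRECT hotspotY"),
        Rule("wireless-mab",
             lambda s: s.get("wireless_mab") is True,
             "REDIRECT main-portal"),
    ]


def misordered_policy() -> List[Rule]:
    """Same rules with the catch-all MAB redirect moved to the top; this is
    the mistake the ordering is meant to avoid."""
    rules = build_hotspot_policy()
    return [rules[-1]] + rules[:-1]


def evaluate(policy: List[Rule], session: Session) -> str:
    """ISE-style first match: the first rule whose condition holds wins."""
    for rule in policy:
        if rule.condition(session):
            return rule.result
    return "DENY (default)"


def walk_employee_session(policy: List[Rule]) -> List[str]:
    """Three stages of one employee device (constructed sessions):
    1. first association, endpoint unknown, MAB only;
    2. after logging into the main portal as an AD employee (guest flow);
    3. a new wireless session after the HotspotY portal has placed the
       endpoint into the HotspotY identity group."""
    stages = [
        {"wireless_mab": True, "guest_flow": False,
         "id_group": None, "endpoint_group": "Unknown"},
        {"wireless_mab": True, "guest_flow": True,
         "id_group": "Employee", "endpoint_group": "Unknown"},
        {"wireless_mab": True, "guest_flow": False,
         "id_group": None, "endpoint_group": "HotspotY"},
    ]
    return [evaluate(policy, s) for s in stages]


if __name__ == "__main__":
    for label, policy in (("ordered", build_hotspot_policy()),
                          ("misordered", misordered_policy())):
        print(label, "->", walk_employee_session(policy))
```

With the rules in the reply's order the three stages resolve to a redirect to the main portal, a redirect to hotspotY, and finally a permit; with the MAB catch-all on top, stage three is redirected again, which is exactly the "log in every new wireless session" problem the hotspot override is there to remove.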
01-31-2018 08:34 AM
Very helpful, thank you Jason.
I added a button on the main portal which leads to a second portal used only for employees. This way I'm able to put the employees into a different endpoint identity group. So far, this is working fine on a Windows 7 workstation and an Android phone. But I noticed that pressing the button on the main portal on an iPhone is not redirecting to the second "employee" portal. Could this be an iOS-related problem?
Thanks.
01-30-2018 09:02 AM
The other option is: why not use an 802.1X SSID for the employees? They should have no need to accept an AUP page, as their signed Internet usage policy document should be on file in HR and refreshed every year.
You could set up an employee 802.1X guest SSID they can join with their AD credentials to gain Internet access. You could also utilize the normal corporate secure SSID that should only be allowing PEAP computer/EAP-TLS authentication. You could allow PEAP user authentication but potentially do an interface switch in your authorization to move the session to the guest interface to give Internet-only access.
IMO an 802.1X SSID for employee guest access is a much cleaner way to handle the employee side of this. Much easier to use on the employee side as well. Just enter your credentials once when you join the SSID and your device will remember your credentials.
01-31-2018 08:39 AM
Hi Paul,
Thank you for your input. We will consider using 802.1X for employees as soon as we have a BYOD/MDM concept. For now, giving them an easy way to connect to the internet without provisioning profiles is just fine. The authorization profiles for the employees are configured to remember the automatically registered device after they re-login to the network. The devices will be purged after 30 days. This way, the employees are not forced to log in every day.
regards,
Marc
01-31-2018 09:31 AM
I would still consider dot1x for employees; once they save off their credentials it's seamless, unless you don't think they can handle it.
On your ask about Apple devices and the button could you open a separate thread for that so we don’t clutter up this one?