Employee CWA (guest portal) flow with remember me

sheff
Level 1

Here is the use case...feel free to suggest another approach, you won't hurt my feelings.

Would like a dedicated SSID for employee internet access only (no other networks will be exposed)...there is no concept of corp devices so profile/posture is not an issue and an AD username/password will be used to auth (both auths). Is there a better way than....create an SSID for employee internet access only, they join the SSID and get redirected to a splash that prompts for AD username/password....AD validates credentials and network access (Internet) is allowed. I think this part is fairly straightforward (if not please correct me, again my feelings don't matter here).

The question I have is can I adjust the authorization time to be say 30 days or longer so the employees log in once per device (we will limit the number of devices per employee) and that login is valid for say 30 days until a re-auth is required? (It's an end user thing where the business does not want to "burden" the end user with logging in every day (spare me the why...already tried).)

Thanks


Accepted Solutions

Jason Kunst
Cisco Employee

This is a common ask and people do this all the time.

You would use a guest portal (sponsored guest will work fine).

When the AD user logs in, the endpoint is registered in the guest endpoint group (a new group called employee endpoint could be used as well).

The endpoint purge policy by default will remove the guest endpoint after 30 days.


The endpoint group is assigned in the guest type (you could create a guest type for employees).


Under the portal settings there is an option on what guest type to use for employee logins.

Change weekly to employee.


The authz rules would be the following (order)

if guest_endpoints and wireless_mab then permit internet

if wireless_mab then redirect to portal
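
The flow in the answer above, modelled as an added example that is not part of the original post and is not ISE code: a first-match rule list, endpoint registration at portal login, and the 30-day purge. The class, function and rule names and the MAC address are hypothetical, the final "deny" default is an assumption, and the purge is simplified to a single call instead of a scheduled job.

```python
from datetime import datetime, timedelta

PURGE_AFTER = timedelta(days=30)  # default guest endpoint purge age from the answer

# Ordered rules from the answer: (name, condition, result); first match wins.
RULES = [
    ("registered", lambda s: s["wireless_mab"] and s["group"] == "guest_endpoints",
     "permit internet"),
    ("unknown", lambda s: s["wireless_mab"], "redirect to portal"),
]

class EndpointStore:
    """Toy endpoint database: MAC -> (identity group, registration time)."""
    def __init__(self):
        self.endpoints = {}

    def register(self, mac, now, group="guest_endpoints"):
        # Happens when the AD user logs in successfully on the portal.
        self.endpoints[mac.lower()] = (group, now)

    def purge(self, now):
        # Drop endpoints at or past the purge age; they must log in again.
        expired = [m for m, (_, t) in self.endpoints.items() if now - t >= PURGE_AFTER]
        for mac in expired:
            del self.endpoints[mac]
        return expired

    def group_of(self, mac):
        return self.endpoints.get(mac.lower(), (None, None))[0]

def authorize(store, mac, rules=RULES, wireless_mab=True):
    """Evaluate the rules top-down and return the first matching result."""
    session = {"wireless_mab": wireless_mab, "group": store.group_of(mac)}
    for _name, cond, result in rules:
        if cond(session):
            return result
    return "deny"  # assumed default when nothing matches

def demo():
    store, mac = EndpointStore(), "AA:BB:CC:00:11:22"  # constructed MAC
    day0 = datetime(2017, 3, 23)
    out = [authorize(store, mac)]                         # first connect
    store.register(mac, day0)                             # portal login with AD credentials
    out.append(authorize(store, mac))                     # remembered device
    out.append(authorize(store, mac, rules=RULES[::-1]))  # swapped order: redirect shadows permit
    store.purge(day0 + timedelta(days=30))
    out.append(authorize(store, mac))                     # after purge
    return out

if __name__ == "__main__":
    print(demo())
```

The third result shows why the order matters: with the redirect rule first, a registered endpoint never reaches the permit rule and is sent to the portal on every connection.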
