1416 Views, 0 Helpful, 1 Replies

Guest Access via ISE Guest Portal

Mike.Cifelli
VIP Alumni

Looking for guidance on something I am attempting to setup in my current environment:

Overview of environment:
Currently running an SDA fabric with an ISIS underlay. Utilizing CTS with SGTs to provide a more granular RBACL setup. ISE is set up in a 4 node deployment (1 PAN, 1 backup PAN, 2 PSNs) which are integrated with AD. Current ISE version is 2.3p4. Current DNAC version is 1.2.6.


Requirement is to set up guest/sponsor portals. Currently we default users who fall back to MAB authentication into a separate VN that has limited access to resources, which for example would allow a user to image a box. The current plan that I am testing out is to change the default MAB behavior to redirect users to the portal. The guest network will be a separate VN with different restricted access than the current default MAB VN.

Questions:

Does anyone know (without using client provisioning/posture checks for guests) how to determine if a device is a legitimate GFE DoD approved box? I believe there is a way to identify this via reg key. However, this will introduce the requirement of guests needing to be scanned via the posture module. Unless there is an easier way?


How can I keep the imaging MAB process separate from the eventual default MAB policy that will redirect guests to the portal? I want to eliminate any manual processes such as manually adding MACs to endpoint groups from tickets submitted. Note that I have the portals set up to require sponsor approval and automatically register guest user MACs to an endpoint group.


Also, is this the easiest way to allow a guest to connect and select what VN their endpoint should be a part of:

User connects, gets redirected to the portal, starts registration, selects whatever guest type, which then auto-registers their MAC into specific endpoint groups. Then the policies dump them into the respective VN with an SGT based on the separate groupings. Is there another way of automating this process of how the endpoint identity should be placed for proper VN/SGT assignment?


Any help is appreciated.  Thanks.

1 Reply

paul
Level 10

For the imaging issue I have written an executable that some of my customers have used in their imaging process. It automatically takes the MAC address of the NIC, makes an API call to ISE, and adds the MAC address to an identity group that is allowed access for imaging. Once the computer was rebooted it would get the correct access.


I can't share that program with you but I can share the idea.
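The idea in the reply above, as an added example written for this page and not paul's program or Cisco's code: read the local NIC's MAC, look up an endpoint identity group by name through the ISE ERS REST API, and create the endpoint in that group with a static assignment so profiling cannot move it. Everything concrete here is an assumption to check against your own deployment: ERS must be enabled on the PAN (Administration > System > Settings > ERS Settings, TCP 9060), the host name, ERS account, group name "Imaging" and the returned IDs are placeholders, and the ERS paths and JSON shapes are the ones I know from ISE 2.x. The `FakeErs` transport is a constructed stand-in so the block runs offline; swap in `urllib_transport` against a real PAN.

```python
# Added example: register the local NIC MAC in an ISE endpoint identity
# group via ERS (paths/payloads assumed from ISE 2.x ERS; verify on your release).
import base64
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request
import uuid


def normalize_mac(raw: str) -> str:
    """Return the MAC as ISE stores it: uppercase, colon-separated, six octets."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def local_mac() -> str:
    """MAC of the active NIC. uuid.getnode() falls back to a random number with
    the multicast bit (bit 40) set when no hardware address is found; refuse
    to register such a value rather than pollute the identity group."""
    node = uuid.getnode()
    if node & (1 << 40):
        raise RuntimeError("no hardware MAC address found on this host")
    return normalize_mac(f"{node:012x}")


def build_endpoint_payload(mac: str, group_id: str, description: str) -> dict:
    """Body for POST /ers/config/endpoint. staticGroupAssignment=True keeps the
    profiler from re-homing the endpoint out of the imaging group."""
    return {"ERSEndPoint": {
        "mac": normalize_mac(mac),
        "groupId": group_id,
        "staticGroupAssignment": True,
        "description": description,
    }}


def urllib_transport(method, url, headers, body, verify=True):
    """Real HTTPS transport. Returns (status, response_headers, body_text).
    verify=False is for a lab with a self-signed ERS cert only; in production
    import the PAN's cert chain into the trust store instead."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


class IseErsClient:
    """Minimal ERS client: basic auth over the injected transport."""

    def __init__(self, host, username, password, transport=urllib_transport):
        self.base = f"https://{host}:9060/ers/config"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.transport = transport

    def find_group_id(self, name):
        """Resolve an endpoint identity group name to its ERS id, or None."""
        url = f"{self.base}/endpointgroup?filter=name.EQ.{urllib.parse.quote(name)}"
        status, _, text = self.transport("GET", url, self.headers, None)
        if status != 200:
            raise RuntimeError(f"ERS group lookup failed: HTTP {status} {text}")
        resources = json.loads(text)["SearchResult"]["resources"]
        return resources[0]["id"] if resources else None

    def register_endpoint(self, mac, group_name, description="imaging"):
        """Create the endpoint in the named group; return the new endpoint id."""
        group_id = self.find_group_id(group_name)
        if group_id is None:
            raise LookupError(f"endpoint group {group_name!r} not found on ISE")
        body = json.dumps(build_endpoint_payload(mac, group_id, description)).encode()
        status, headers, text = self.transport("POST", f"{self.base}/endpoint", self.headers, body)
        if status != 201:  # 201 Created carries the new object's URL in Location
            raise RuntimeError(f"ERS refused endpoint create: HTTP {status} {text}")
        return headers.get("Location", "").rsplit("/", 1)[-1]


class FakeErs:
    """Constructed stand-in for the PAN so this runs offline: records what the
    client sent and returns ERS-shaped canned responses for group 'Imaging'."""
    GROUP_ID = "11111111-2222-3333-4444-555555555555"
    ENDPOINT_ID = "abcdef00-0000-0000-0000-000000000001"

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        if method == "GET" and "/endpointgroup" in url:
            found = [{"id": self.GROUP_ID, "name": "Imaging"}] if "name.EQ.Imaging" in url else []
            return 200, {}, json.dumps({"SearchResult": {"total": len(found), "resources": found}})
        if method == "POST" and url.endswith("/endpoint"):
            return 201, {"Location": f"{url}/{self.ENDPOINT_ID}"}, ""
        return 404, {}, ""


def demo():
    """Run the imaging registration against the fake PAN; return (endpoint id, sent payload)."""
    fake = FakeErs()
    client = IseErsClient("ise-pan.example.com", "ers-imaging", "placeholder", transport=fake)
    endpoint_id = client.register_endpoint("00-11-22-aa-bb-cc", "Imaging")
    return endpoint_id, json.loads(fake.calls[-1][2])


if __name__ == "__main__":
    print(demo())
```

Two practical points if you productize this. The credentials baked into an imaging binary are recoverable by anyone who can read the binary, so use a dedicated ERS account that can only write endpoints, and consider having the imaging task call a small internal service that holds the credential rather than the client itself. And because the MAC lands in the group before the reboot, the policy set that matches that group is effectively self-service; pair it with an expiry or a post-imaging cleanup job so the entry does not outlive the build.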