1200 Views | 0 Helpful | 2 Replies

Guest Portal authent policy / ISE_EST_Local_Host shared secret

Antho_Balitrand
Level 1

Hello guys!

I need some help with a weird scenario I am trying to put in place for our Guest Portal authentication on ISE.

We need to be able to authenticate our employee users against a first External LDAP identity source, and then use our AD identity source if the authentication fails because of a wrong password.

This is actually not possible by using a simple Identity Source Sequence with LDAP, then AD, then Guest Users, which will continue if the user is not found, but will stop if the authentication fails.

First question: do you already have a solution for that?

 

I tried, as a workaround, to create a dedicated policy to be able to do that. 

In order to be able to send the requests of the Guest Portal to this policy (as this is actually not a supported feature), my idea was to create a RADIUS token external identity source, targeting 127.0.0.1, and add it (and only it) on the authentication sequence used by the captive portal. 

It partially works: ISE receives the RADIUS request, which is correctly matched by the policy using Network Access:NetworkDeviceName EQUALS ISE_EST_Local_Host as a policy condition.

The problem is that... I get a RADIUS shared secret error.

This Network Device (ISE_EST_Local_Host) is hidden in the Network Devices list on the GUI (it is supposed to be used only internally for Android devices with EST), but it is visible using an ERS API request.

I'm able to find the shared secret of this network device through the ERS API on ISE 2.6 (which displays the RADIUS secrets in this kind of API call), but I cannot get it on ISE 2.2, which doesn't...

Have you guys ever used this network device as a (very ugly) workaround, and do you know a way to find the associated shared secret?

Thanks a lot for your help!
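The ERS lookup described in the post, as an added example that is not part of the original thread and not Cisco's own tooling: it builds the ERS request for a network device by name and parses the per-device response to report whether the body carried `radiusSharedSecret` at all. From a defender's side the useful output is the list of devices whose secret any ERS-admin credential can read, which tells you which nodes' ERS accounts deserve the same protection as the RADIUS secrets themselves. The `/ers/config/networkdevice` path, port 9060, `filter=name.EQ.` syntax and HTTP basic auth are the standard ERS conventions; the response bodies below are constructed samples, the ids and secret are placeholders, and which versions include or omit the field is taken from the post, not verified here.

```python
import base64
import json
from urllib.parse import quote

# ISE ERS listens on TCP 9060; networkdevice is a standard ERS resource.
ERS_PORT = 9060


def ers_headers(username, password):
    """Headers an ERS client sends: HTTP basic auth plus JSON content negotiation."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "Accept": "application/json",
            "Content-Type": "application/json"}


def ers_search_url(host, device_name):
    """Exact-name lookup; ERS answers with a SearchResult holding ids and links."""
    return (f"https://{host}:{ERS_PORT}/ers/config/networkdevice"
            f"?filter=name.EQ.{quote(device_name, safe='')}")


def ers_device_url(host, device_id):
    """Per-object URL; the id comes from the SearchResult resources list."""
    return f"https://{host}:{ERS_PORT}/ers/config/networkdevice/{device_id}"


def summarize_device(payload):
    """Reduce a GET /ers/config/networkdevice/{id} body (dict or JSON text) to what
    an audit needs: device name, its address list, and whether the body carried the
    RADIUS shared secret (nodes that redact it simply omit the field)."""
    if isinstance(payload, str):
        payload = json.loads(payload)
    dev = payload["NetworkDevice"]
    auth = dev.get("authenticationSettings") or {}
    return {
        "name": dev["name"],
        "ips": [f"{e['ipaddress']}/{e['mask']}"
                for e in dev.get("NetworkDeviceIPList", [])],
        "secret_exposed": bool(auth.get("radiusSharedSecret")),
    }


def audit_devices(bodies):
    """Names of devices whose RADIUS secret is readable through the API. Any ERS
    admin account can pull these, so treat those credentials like the secrets."""
    return [s["name"] for s in map(summarize_device, bodies) if s["secret_exposed"]]


# Constructed sample responses (not real captures). The first imitates a node that
# returns the secret, the second one that omits it, as the post reports for
# ISE 2.6 versus 2.2. The id and the secret value are placeholders.
SAMPLE_WITH_SECRET = json.dumps({
    "NetworkDevice": {
        "id": "00000000-0000-0000-0000-000000000001",
        "name": "ISE_EST_Local_Host",
        "authenticationSettings": {
            "radiusSharedSecret": "<placeholder-secret>",
            "enableKeyWrap": False,
        },
        "NetworkDeviceIPList": [{"ipaddress": "127.0.0.1", "mask": 32}],
    }
})
SAMPLE_REDACTED = json.dumps({
    "NetworkDevice": {
        "id": "00000000-0000-0000-0000-000000000001",
        "name": "ISE_EST_Local_Host",
        "authenticationSettings": {"enableKeyWrap": False},
        "NetworkDeviceIPList": [{"ipaddress": "127.0.0.1", "mask": 32}],
    }
})

if __name__ == "__main__":
    # Offline demonstration: build the request and audit the two sample bodies.
    print(ers_search_url("ise.example.local", "ISE_EST_Local_Host"))
    print(audit_devices([SAMPLE_WITH_SECRET, SAMPLE_REDACTED]))
```

To run it against a real deployment, issue the GET with any HTTP client using `ers_headers()` and the two URL builders, then feed each per-device body to `audit_devices()`; an empty list means that node does not hand out secrets over ERS.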

2 Replies

Antho_Balitrand
Level 1

Any idea there, guys?

Peter Koltl
Level 7

I’m trying hard but still unable to see the point of “using our AD identity source if the authentication failed because of wrong password“ and having both LDAP and AD connections and mixing the guest authentication with AD. Please explain.
