10-08-2020 09:32 AM - edited 10-08-2020 11:20 AM
Hello guys!
I need some help with a weird scenario I am trying to put in place for our Guest Portal authentication on ISE.
We need to be able to authenticate our employee users on a first external LDAP identity source, and then use our AD identity source if the authentication failed because of a wrong password.
This is actually not possible by using a simple Identity Source Sequence with LDAP, then AD, then Guest Users, which will continue if the user is not found, but will stop if the authentication fails.
First question is: do you already have a solution for that?
I tried, as a workaround, to create a dedicated policy to be able to do that.
In order to be able to send the requests of the Guest Portal to this policy (as this is actually not a supported feature), my idea was to create a RADIUS token external identity source, targeting 127.0.0.1, and add it (and only it) to the authentication sequence used by the captive portal.
It partially works: ISE receives the RADIUS request, which is well matched by the policy using Network Access:NetworkDeviceName EQUALS ISE_EST_Local_Host as a Policy condition.
The problem being that... I have a RADIUS shared secret error.
This Network Device (ISE_EST_Local_Host) is hidden on the Network Devices list on the GUI (it is supposed to be used only internally for Android devices with EST), but is visible using an ERS API request.
I'm able to find the shared secret of this network device through the ERS API on ISE 2.6 (which displays the RADIUS secrets in this kind of API call), but I cannot get it on ISE 2.2, which doesn't...
Have you guys ever used this network device as a (very ugly) workaround, and do you know the way to find the associated shared secret?
Thanks a lot for your help!
10-19-2020 01:45 AM
Any ideas there, guys?
10-22-2020 02:06 PM
I’m trying hard but still unable to see the point of “using our AD identity source if the authentication failed because of wrong password” and having both LDAP and AD connections and mixing the guest authentication with AD. Please explain.