
Identify type of users

tonyp8581
Level 1

Hi,

I'm using a portal which an AD user or guest user can log in to. I'm trying to identify who is logging in so I can assign Internet only to a Guest user and Full network access to AD users. I'm having some difficulty figuring out this part.

Has anybody ever done that? BTW, I'm using ISE v1.3.

Thanks !

 

 


Marvin Rhoads
Hall of Fame

This is one of the most common ways to use ISE.

How you implement it depends on whether you are talking about wired vs. wireless and whether you are wanting to use strictly Central Web Authentication (usually not recommended since it is usually better to use native supplicant or AnyConnect supplicant for your AD users).

Hi Marvin,

It's a wired deployment. 

I'm aware that 802.1x would be a lot easier for me, but these users are consultants. Their supplicant is not configured, but they have been issued an AD account. This is why I need the CWA feature. With some trial and error, I was able to identify both users, Guest and Consultant, with the same portal.

Unfortunately, I have reached another issue. Always using the same portal, I am trying to identify the consultant computer to a corporate computer. The reason why I'm asking is because I want the Web agent to launch if it's an AD account and no Web agent with a Guest account. I noticed the client provisioning is controlled through the Portal. Therefore, if I can identify the computer, I would be able to redirect to a different portal. Hence, controlling the web agent.

I hope my explanation was clear enough.

Thanks !   

Tony

 

When a consultant logs in and authenticates with their AD account, you can check group membership and have AuthZ result (web agent or no web agent) chosen according to group membership of authenticated user (AuthC result).

Hi Marvin, I haven't had the chance to try your suggestion. Maybe my setup is wrong, but to use a group membership check, the consultant has to be logged in. But in my case, I'm pushing the portal prior to the consultant logging in (see authz.rtf). So I have the same portal for the consultant and the guest, and it's in the portal configuration that I can check the Web agent (see PortalConfig.rtf).

Like I said in the beginning, maybe I'm going about it the wrong way. I will definitely explore your suggestion.

 

Tony

 

 

Tony,

Have a look at slides 109 onward in the presentation BRKSEC-3697 from Cisco Live. I believe it shows something along the lines of what you want - the AuthZ can force a CoA after authenticating the user.

Marvin, I will definitely take a look at the presentation (Slide 109).

 

Thanks for your help.  Greatly appreciated !! I will keep you posted.

 

Tony