09-07-2017 04:45 PM
Here is an interesting ISE network access requirement I wanted to run by the experts. The requirement is to force a new corporate user through a captive portal to read and accept the corporate internet use policy. The customer is a heavy Microsoft/AD shop and has the capability to write ADSI scripts to modify AD on the fly or perhaps even using ISE EPS APIs. So given that, is this the best option?
The piece I’m not sure on is how the user gets bounced in step 3. In the typical guest or BYOD flow, the portal is running on an ISE node, so ISE knows how to reach the PSN to CoA the user. But in this flow the customer owns this ‘New user captive portal’. What ISE node would this EPS API talk to to CoA the user, MnT?
Thanks in advance
09-07-2017 05:27 PM
Eddie,
They can call the REST API against the ISE MNT node to retrieve session info and trigger CoA. Another option is to simply have them accept the AUP in ISE or link to an external AUP from a CWA/Hotspot page, which also flags AUP accept in ISE. This too will trigger CoA upon completion to allow a different policy to be hit if the authorization result is different.
Craig
09-07-2017 09:34 PM
Thanks Craig, that helps. Can I assume that if we used ISE for the AUP, we'd still need some external source to tell us if the user was a first-time login, using the AD group I mentioned above? Otherwise I'm not sure how ISE would know it was the first time that user logged into the network. We can't use the endpoint MAC because the PC may be recycled from a previous user.
09-07-2017 10:05 PM
AUP is flagged to the endpoint, not user, but you may be able to combine your external AUP (link to it from CWA login page) and rely on local CoA from ISE to pick up the change in AD. For example:
Rule 1 - If EAP success and AD:AUP flag = true, then Permit
Rule 2 - If EAP success and AD:AUP flag = false, then CWA_AUP (or Hotspot AUP)
/Craig
09-07-2017 10:19 PM
If the customer mainly needs users to ack access to an AD computer, it might not need ISE to enforce it at all. I am thinking of using a login script to check some Windows registry key or the like and pop up a modal window if it is not yet set to the ack'ed value, etc.
09-08-2017 08:52 AM
Thanks Hsing. Although the customer is a heavy Microsoft shop, we're not sure if all endpoints will be Windows, so we wanted to suggest a solution that leveraged network access and worked for non-Windows endpoints.
09-08-2017 09:11 AM
How about something like this (though this is endpoint constrained vs. user constrained):
1. User with an endpoint not previously seen logs in.
2. Check if the endpoint is in identity group EUP-Signed (for example).
3. If in the identity group, then allow access.
4. If not in the identity group, then redirect using a hotspot portal with the EUP. Have that hotspot portal place the endpoint in the EUP-Signed identity group once the user accepts the EUP.
If you want the policy bound to a user, maybe you can do something with AD groups or a user attribute in AD using an external EUP portal. Once the user accepts the EUP, the portal adds the attribute to the user in AD and then generates a COA for the session.
George
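To make Craig's "call the REST API against the MnT node" answer and George's "portal sets the AD attribute, then generates a CoA" flow concrete, here is an added example (not code from the thread or from Cisco): a small Python sketch of what the customer-owned AUP portal would do after the user clicks accept. It assumes the documented ISE monitoring REST paths `Session/UserName/<user>` and `CoA/Reauth/<psn>/<mac>/<type>`, the `acs_server`/`calling_station_id` fields in the session XML and the `<results>` element in the CoA reply (all taken as assumptions here), and uses constructed hostnames, credentials and sample XML with an injectable transport so it runs offline. The point it shows is the one Eddie asked about in step 3: the API is addressed to MnT, but the CoA URL names the PSN that owns the session, which you get from the session lookup.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Reauth types for the MnT CoA API (assumed from the ISE API reference):
# 0 = DEFAULT, 1 = LAST (reuse last auth), 2 = RERUN (re-run the full policy set).
# RERUN is what this flow needs, so the new AD attribute value is evaluated.
REAUTH_RERUN = 2


class MntClient:
    """Minimal client for two ISE MnT monitoring REST calls (Basic auth over HTTPS).

    URL paths follow the documented Session/UserName and CoA/Reauth forms; the
    transport is injectable so the example can run offline against constructed XML.
    """

    def __init__(self, mnt_host, user, password, transport=None):
        self.base = f"https://{mnt_host}/admin/API/mnt"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/xml"}
        self.transport = transport or self._https_get  # transport(url, headers) -> body str

    @staticmethod
    def _https_get(url, headers):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()

    def session_url(self, username):
        # Percent-encode so DOMAIN\user style names survive in the path.
        return f"{self.base}/Session/UserName/{urllib.parse.quote(username, safe='')}"

    def coa_reauth_url(self, psn, mac, reauth_type=REAUTH_RERUN):
        # The request is sent to MnT, but it names the PSN that owns the session.
        return f"{self.base}/CoA/Reauth/{psn}/{mac}/{reauth_type}"

    def lookup_session(self, username):
        """Return the PSN and MAC of the user's live session (field names assumed)."""
        root = ET.fromstring(self.transport(self.session_url(username), self.headers))
        psn = root.findtext("acs_server")          # PSN that authenticated the session
        mac = root.findtext("calling_station_id")  # endpoint MAC, the key for the CoA call
        if not psn or not mac:
            raise LookupError(f"no active session found for {username!r}")
        return {"username": root.findtext("user_name"), "psn": psn, "mac": mac}

    def reauth(self, psn, mac, reauth_type=REAUTH_RERUN):
        """Ask MnT to push a reauth CoA; True if MnT reports success."""
        body = self.transport(self.coa_reauth_url(psn, mac, reauth_type), self.headers)
        return ET.fromstring(body).findtext("results") == "true"


def on_aup_accepted(client, username, set_ad_aup_flag):
    """Portal hook: run after the user clicks 'accept' on the internet use policy.

    Order matters: commit the AD attribute first, then CoA. A rerun issued before
    the directory change is visible would still match the 'AUP = false' redirect
    rule. set_ad_aup_flag stands in for the customer's ADSI script (hypothetical).
    """
    set_ad_aup_flag(username)
    sess = client.lookup_session(username)
    return client.reauth(sess["psn"], sess["mac"])


# ---- constructed sample data so the flow can be exercised offline -----------
SAMPLE_SESSION_XML = """<sessionParameters>
  <user_name>jdoe</user_name>
  <calling_station_id>00:11:22:33:44:55</calling_station_id>
  <acs_server>ise-psn-01</acs_server>
  <nas_ip_address>10.1.1.1</nas_ip_address>
</sessionParameters>"""

SAMPLE_COA_XML = '<remoteCoA requestType="reauth"><results>true</results></remoteCoA>'


def fake_transport(url, headers):
    """Stand-in for HTTPS: answers the two calls with the constructed XML above."""
    if "/Session/UserName/" in url:
        return SAMPLE_SESSION_XML
    if "/CoA/Reauth/" in url:
        return SAMPLE_COA_XML
    raise ValueError(f"unexpected URL {url}")


def demo():
    flagged = []  # records which users the stand-in ADSI hook marked as AUP-accepted
    client = MntClient("ise-mnt.example.com", "mnt-api-user", "placeholder-password",
                       transport=fake_transport)
    ok = on_aup_accepted(client, "jdoe", flagged.append)
    return ok, flagged


if __name__ == "__main__":
    print(demo())  # (True, ['jdoe'])
```

Two things worth keeping in mind if this is built for real: the MnT API account should be a dedicated, least-privilege admin user used only from the portal host, and the portal should look the session up by the username it just authenticated (not by a MAC the client supplies), since on the shared desktops Eddie mentions the MAC does not identify the person who accepted the policy.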
09-08-2017 09:20 AM
Thanks George, the customer has plenty of wired/shared desktops. Therefore the solution needs to be focused on the user, not the endpoint. Since the customer has skilled IT staff willing to write scripting to dynamically update AD, we thought using an AD group to track first-time logins would be effective.