Hi Ahollfield,

Thanks for your response, I'v already read your post before asking this question. There I learned about the remember me approach for Aruba sessions. Unfortunatelly it doesn't cover our needs, because we need to match the AD group for the logged in user, so if the user is member of group X we let it go to corporate network, if not we assign a guest network.

Thanks again

Regards

If I am understanding correctly, you should be able to handle this with authz rules in ISE, just push different User Roles to the IAP for each user type.  Each role would then be associated with a different VLAN.  

Hi ahollfield,

Thanks again for your response. I'v double checked this but there is no way to catch the corporate login from the web portal. There is only one event in live log which is "Authentication passed", but I'm not able to catch it on Authz rules. Then there is a CoA for Dynamic Authorization and then the new MAB access with the endpoint added to GuestEndpoints group.

I'm not able to figure out how to use the user identity in this scenario. I can see that the session ID is maintained in all the flow, but can't find a way to get info from the session too. So I get stucked to the GuestEndpoint option.

Let me explain the objective so maybe it helps you to understand it.

1- Customer is deploying ISE for: Guest/Sponsor access and 802.1x using TEAP for corporate networks (Ethernet and Wifi)

2-802.1x will not work in an out of the box computer

3-Customer wants to use guest portal for partners to catch an AD group (Which are the IT Team which platform the corporate computers) and assign the corporate vlan to this sessions, so they are able to add the machine to the AD and get all the corporate GPOs, do autoenrollment, setup Wifi and Ethernet supplicants etc...

4- The setup is working over Ethernet, with Cisco switches using GuestFlow condition

Please if you have any question let me know and I'll try to clarify more the setup

Please let me add the policy we are using:

This is the rule we would like to match, but fails, identity never match here

This is the rule that match, once the user is authenticated.

This is the rule that redirects the users which access from ise node 1 to the captive portal on ise node 1

The flow coming from Cisco switches match prolerly on that rule:

But Guest_Flow condition is not working with Aruba devices.

Is there any way to get identity associated to an existing session and use it on authz rules?

Thanks

Hello @Abdul Pallares were you able to resolve this? I am running into the same issue.

Sorry for my last response, just to other people that arrives to this post.

We didn't find any way to solve this, the only option is to use the guest endpoint group.