
ISE, BYOD: guest clients provisioning

Jaaazman777
Level 1

Hello!

The question is about provisioning different types of wifi clients through the ISE Guest portal.

ISE 1.1.4, WLC 7.4.100 (Guest WLAN uses MAB)

Suppose there are two groups of wireless clients:

1) guest user, whose credentials are created through the ISE Sponsor Portal

2) domain user, who has credentials in Active Directory

The aim is to provision the domain user and not provision the guest user.

When a client connects to the Guest SSID and opens the browser, he is redirected to the ISE Guest portal.

When the client uses a domain user, he is provisioned, and when he uses guest credentials, he is not provisioned.

How does ISE understand that the domain user must be provisioned and the guest user must not be provisioned if the Web portal is configured to provision everyone?

(Web Portal -> Settings -> Enable Self-Provisioning flow)

3 Replies

Marcin Latosiewicz
Cisco Employee

The answer is that typically you either know that MAC address or you have something installed (NAC agent?) and fulfill some requirements.

Alternatively, you can perform CWA first (and...)

Then if user is part of guest users -> allow internet only access

If user is part of AD -> send him to do registration.

Authorization policy allows you to use "identity group" as part of condition.

If device registered -> allow full access. (just an idea).

M.

For guest you can use CWA...

For domain user, I don't understand what you want... but if you want posture checking and provisioned, you can use NAC Agent or web Agent... (if there is no NAC Agent installed, you will be provisioned)