ISE: Get AD logged in user details from sponsor portal?

Abdul Pallares
Level 1

Hi All,

A customer wants to allow the admin team to log in to a sponsored portal to be able to platform new endpoints.

The objective is to allow only some AD users, from an admin AD group, to log in to the sponsored portal used by partners.

So if, once logged in, the user belongs to the admin group, the corporate VLAN should be set up by ISE; if not, the partners VLAN should be sent.

The authentication to AD works perfectly, but I'm not able to get the user identity in the authorization step. I receive only the endpoint's MAC address as Identity.

Is there any way to get the identity of the logged-in user, in a way that allows checking the groups that the user belongs to?

Thanks

3 Replies

What is the EAP type?  Are you using MAB or 802.1X?  

We use MAB, because it is a guest portal, but in the logs when a corporate user logs in I can see 802.1x as the authentication method.

For corporate users on a corporate computer we use 802.1x and TEAP.

As authentication protocols, the default ones are allowed for MAB sessions (so MAB and 802.1x among others).

If you refer to the option of bypassing the authentication portal by employees using an 802.1x supplicant, no, there is not any supplicant in the field, as it is a completely new device; for that we try to use the portal as the entry point to the network. I know that the user can set up the supplicant, but this is the last option for the customer.

Not sure if this answers your question, because I don't fully understand it :).

Thanks

After a test on a Cisco switch everything works properly. The problem is with Aruba APs, so I need to work on those devices to find a solution...