07-16-2024 06:02 AM
Hi All,
A customer wants to allow the admin team to log in to a sponsored portal to be able to platform new endpoints.
The objective is to allow only some AD users, from an admin AD group, to log in to the sponsored portal used by partners.
So if, once logged in, the user belongs to the admin group, the corporate VLAN should be set up by ISE; if not, the partners VLAN should be sent.
The authentication to AD works perfectly, but I'm not able to get the user identity in the authorization step. I receive only the endpoint's MAC address as Identity.
Is there any way to get the identity of the logged-in user, in a way that allows checking the groups that the user belongs to?
Thanks
07-16-2024 07:16 AM
What is the EAP type? Are you using MAB or 802.1X?
07-18-2024 04:26 AM - edited 07-18-2024 09:11 AM
We use MAB, because it is a guest portal, but in the logs, when a corporate user logs in, I can see 802.1x as the authentication method.
For corporate users on a corporate computer we use 802.1x and TEAP.
As authentication protocols, the default ones are allowed for MAB sessions (so MAB and 802.1x among others).
If you are referring to the option of employees bypassing the authentication portal using an 802.1x supplicant, no, there is no supplicant in the field, as it is a completely new device; that is why we try to use the portal as the entry point to the network. I know that the user can set up the supplicant, but this is the last option for the customer.
Not sure if this answers your question, because I don't fully understand it :).
Thanks
07-22-2024 09:00 AM
After a test on a Cisco switch, everything works properly. The problem is with the Aruba APs, so I need to work on those devices to find a solution....