When creating a new WLAN for personal devices that would authenticate through ISE, they used the integrated ISE guest portal to authenticate users via their Active Directory credentials. The goal was for ISE to view AD attributes and determine whether a student or staff member was logging in, then connect them to their appropriate network. The ISE guest portal was limited in how it referenced AD, especially with the way their AD structure was set up. ISE would only view whether or not a user was in AD, not reach down to the attributes to view whether the user was a student or staff member.
AD structure is set up as follows:
Domain
  -Site 1
    -Staff
    -Student
  -Site 2
    -Staff
    -Student
The concern is the requirement to re-structure AD. TAC suggestions:
* (Option 1) To have two SSIDs, where based on WLAN ID (SSID name) we can redirect to a different portal ID and a specific AD join point/domain
They confirmed that they would need to make changes to AD structure.
* (Option 1.1) To have one SSID where, if the MAC address belongs to a staff member, use portal 1, and if it's something else, use the standard student portal
(Staff MAC addresses need to be stored in a dedicated group - too many and too dynamic to be an acceptable solution)
* (Option 2) Use a BYOD implementation via certificate-based authentication, with certificates issued by AD or ISE itself
They tried this option on the first go-around and results were inconsistent even with the common iOS devices. They moved away from this option after a second failed attempt with partner assistance.
Any ideas here for a solution that doesn't require AD re-work?
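Added example, not part of the original post or of any Cisco product: the tree above already encodes both site and role in every user's distinguishedName (CN=...,OU=Staff,OU=Site 1,DC=...), so a classifier that reads the OU path can separate staff from students without moving any objects. The script below models that decision in stand-alone Python on constructed sample DNs (the domain example.edu and the user names are assumptions); it is a check of what the existing structure supports, not ISE configuration.

```python
# Constructed sample DNs mirroring the poster's tree (Domain -> Site N -> Staff|Student).
# The domain and names are assumptions for illustration only.
SAMPLE_DNS = [
    "CN=Alice Example,OU=Staff,OU=Site 1,DC=example,DC=edu",
    "CN=Bob Example,OU=Student,OU=Site 2,DC=example,DC=edu",
    "CN=Smith\\, Carol,OU=Staff,OU=Site 2,DC=example,DC=edu",   # escaped comma in CN
    "CN=Service Account,OU=Service Accounts,DC=example,DC=edu", # neither staff nor student
]

ROLE_OUS = {"staff": "staff", "student": "student"}


def split_dn(dn):
    """Split an RFC 4514 DN into (attribute, value) pairs, honouring backslash escapes
    so an escaped comma inside a CN is not mistaken for an RDN separator."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def classify_user(dn):
    """Return (role, site) derived from the two innermost OUs, or None when the
    object does not sit under a Staff/Student OU (e.g. service accounts), so a
    policy can fall through to a deny/default rule instead of guessing."""
    ous = [value for attr, value in split_dn(dn) if attr == "ou"]
    if len(ous) < 2:
        return None
    role = ROLE_OUS.get(ous[0].lower())
    if role is None:
        return None
    return role, ous[1]


if __name__ == "__main__":
    for sample in SAMPLE_DNS:
        print(f"{sample} -> {classify_user(sample)}")
```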