10-30-2014 09:10 AM - edited 03-10-2019 10:09 PM
I am using ISE 1.2.198 primarily to authenticate guest users.
I have 2 types of guest - day visitors and longer term visitors.
I am using 2 separate SSIDs on a 5760 controller.
On the ISE I have authentication conditions to differentiate between the different SSIDs and apply the relevant policy set.
I am using CWA with wireless MAB for both policy sets.
Everything is working fine using different portals for each SSID.
I have Sponsors set up to create accounts, to assign different roles (guest or partner) and to apply different time profiles. That all works and the account details get emailed to the recipient successfully.
The issue I have is that the sponsored account credentials can be used to authenticate a user on either SSID.
If the sponsor creates an account and assigns it to the guest role that user can authenticate successfully to both the guest and partner SSIDs with the same credentials. Similarly, if the account is assigned to the partner role, the user can again authenticate to both SSIDs.
There must be a way to differentiate between different roles within the authorization policies.
I can't find a way within the Policy Sets to separate the 2 types of users. Adding any conditions to the authorization rules that include the Network Access UseCase equals Guest Flow doesn't seem to have any effect.
Has anyone managed to do this type of thing successfully?
10-30-2014 09:33 AM
Roger,
If you are using Active Directory as your Identity Source, then that is your issue. As you know, ISE 1.2 is limited in AD Authentications. What I would suggest is to go to Administration > Identity Management > External Identity Sources and set up an LDAP connection to the AD group from which you would like to authenticate. One for each type of guest and choose only the AD Group that Guest type uses:
Once this is done, create an new Identity Source Sequence for each Guest type:
Then go to Administration > Web Portal Management > Settings and choose the Guest Portal you want to modify. Click The Authentication tab and choose the Identity Store Sequence you just created for that portal.
That should fix the issue.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
10-30-2014 09:41 AM
Thank you for the reply but I'm not using AD to authenticate guest or partner accounts.
I am creating sponsored accounts.
Regards
Roger
10-30-2014 09:55 AM
Roger,
Sorry to have missed that. The Internal Users database is a single pool of users created through the Sponsor Portal and cannot be segmented to work in the manner you would like. I have just looked through ISE 1.3 and did not see any setting for Internal User group segregation in that version, either.
Charles Moreton
10-31-2014 12:24 AM
Hi Charles. That's more or less the conclusion I'm coming to, although I'm a bit perplexed as to the purpose of the guest roles. You would think that by assigning a guest role you would be able to do some form of mapping or filtering. At the moment I can't see the point of assigning different guest users to different roles.
Roger
10-31-2014 11:51 AM
If you can get your sponsors to put in say the word "contractor" in optional field 1 under the guest when they create the account, you can use that information to distinguish between regular guests and contractors. I did a mockup of the authz rule.
See the attached screenshots.
11-02-2014 11:16 PM
Hi Jan,
Many thanks for this - it is a very helpful suggestion. Do you think it's possible to actually use the guest role that you can assign on the Sponsor page?
Regards
Roger
11-03-2014 03:00 PM
I have not actually tried it, but I would think that since you can assign "roles", which in fact map to an identity group, you would also be able to match on those in your authorization rules by using the first field before the conditions; there you should be able to select any identity group. I did a basic example and attached some screenshots, I haven't tested it though.
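To make the approach in the last two replies concrete, here is a small model of an authorization policy that keys on the identity group the sponsor's "role" maps to plus the SSID from the RADIUS Called-Station-Id, with a default deny so a guest-role account cannot use the partner SSID. This is an added illustration, not ISE code or anything from the thread; the rule names, SSIDs, accounts and the "<ap-mac>:<ssid>" Called-Station-Id format are assumptions.

```python
# Model of the authorization-rule approach from the thread: each rule matches
# an ISE identity group (the "role" the sponsor assigns) plus an SSID condition.
# Constructed illustration, not ISE code. The SSID is taken from the RADIUS
# Called-Station-Id attribute, assumed to arrive as "<ap-mac>:<ssid>".
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: str   # identity group the guest role maps to
    ssid: str             # SSID the rule applies to
    result: str           # authorization profile returned on match


# Constructed rule table: guests only on the guest SSID, partners only on the
# partner SSID. Anything else falls through to the default deny below.
RULES = [
    Rule("Guest_on_GuestSSID", "Guest", "Visitor-WiFi", "PermitAccess"),
    Rule("Partner_on_PartnerSSID", "Partner", "Partner-WiFi", "PermitAccess"),
]

# Constructed sponsor-created accounts: username -> identity group (the role).
ACCOUNTS = {"day.visitor": "Guest", "long.term": "Partner"}


def ssid_from_called_station(called_station_id: str) -> str:
    """Extract the SSID from 'aa-bb-cc-dd-ee-ff:SSID'; reject unexpected formats."""
    _mac, sep, ssid = called_station_id.partition(":")
    if not sep or not ssid:
        raise ValueError(f"Called-Station-Id without SSID suffix: {called_station_id!r}")
    return ssid


def authorize(username: str, called_station_id: str) -> str:
    """Evaluate rules top down for a guest-flow request; first match wins.

    Returns the matching rule's profile, or DenyAccess when the account is
    unknown or no rule pairs its identity group with the SSID it connected to.
    """
    group = ACCOUNTS.get(username)
    if group is None:
        return "DenyAccess"
    ssid = ssid_from_called_station(called_station_id)
    for rule in RULES:
        if rule.identity_group == group and rule.ssid == ssid:
            return rule.result
    return "DenyAccess"
```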