Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
202
Views
0
Helpful
2
Replies

ise portal help needed

muhsi_2015
Level 1
Level 1

‎04-13-2016 11:59 AM - edited ‎03-10-2019 11:40 PM


Hi,

I have the following scenarios ,how can i acheive this in the ise

1)

The user associates to the TEST1 (SSID), which is in fact open+macfiltering and no Layer 3 security.
The user opens the browser.
The WLC redirects to the guest portal.

users : internal users

2)

The user associates to the TEST2 (SSID), which is in fact open+macfiltering and no Layer 3 security.
The user opens the browser.
The WLC redirects to the custom portal.

users : domain users
security group : domain.local/employees

option 3 : how can i integrate option 1 and 2

for example use the single portal for both SSID and different vlan


Please help

Labels:
0 Helpful
2 Replies 2

nspasov
Cisco Employee
Cisco Employee

‎04-13-2016 02:01 PM

Hi there, you can definitely do that. You will need to:

1. Create an Identity Store Sequence (Administration > Identity Management > Identity Source Sequences"

2. Include both "Internal User and AD" in the sequence

3. Make sure you select the option "Treat as if the user was not found and proceed to the next store in the sequence"

4. Then assign that Identity Store Sequence to your Guest Portal (Located under the "Portal Settings > Authentication Method")

5. Create Authorization Rule for internal users

6. Create Authorization Rule for AD users

I hope this helps!

Thank you for rating helpful posts!

0 Helpful

Joseph Johnson
Level 1
Level 1

‎04-13-2016 02:01 PM

The authentication rules would have to allow access to internal users and the AD group in the identity sequence.

You would use the Radius:Called-Station-ID attribute in the authorization rule. If it contains TEST1, the policy result sends to portal 1. If it contains TEST2, the policy result sends to portal 2.

As for the authenticated access, you will tie the Radius:Called-Station-ID contains TEST1 and Internal users to allow access through portal 1 for authenticated access. You will tie Radius:Called-Station-ID contains TEST2 and External Groups contains domain.local/employees (or whatever domain group) to allow access through portal 2 for authenticated access.

If you want to use a single SSID (e.g. TEST3), you would have to either do ACL assignment to differentiate allowed access based on the login used or VLAN assignment based on the login.

0 Helpful
Customers Also Viewed These Support Documents