ISE sponsored guest - AD group lookup or enforcement

philip.koch
Level 1

Currently have the ISE guest portal working for "sponsored guest IDs" in ISE, and have added AD lookup in the Guest Portal Sequence.

Use case is to allow only one specified AD group access to the guest portal/internet, but currently it appears that anyone with a valid AD account can log in to the portal and their MAC address is added to the "Employee" identity group.

Is there a way to validate only one specific AD group membership during the auth policy, so that MAC addresses of non-group members are not populated in the ID group and validated by MAB after CoA?

In the AuthZ policy, AD group membership can be validated at the first CoA (ID group MAC = Employee and AD group membership), but this rule would then preclude the MAB enforcement on subsequent connections, as the AD group info is not available during subsequent MAB rules (only if the rule is ID group = Employee + AD group not equal XXXX), as MAB calls do not provide the same group info as the initial "5236 Authorize-Only succeeded".

Sorry if the question and flow are a bit unclear; happy to explain further if anyone has done guest AD integration based on a unique sec group membership, not the domain.
2 Replies

Greg Gibbs
Cisco Employee

Thank you Greg, much appreciated.

I will have a good read over the next few days and try to get it tested with the client.