11-22-2020 03:32 PM
Currently have ISE guest portal working for "sponsored guest IDs" in ISE, and have added AD lookup in the Guest Portal Sequence.
Use case is to allow only one specified AD group access to the guest portal/internet, but currently it appears that anyone with a valid AD account can log in to the portal and their MAC address is added to the "employee" identity group.
Is there a way to validate only one specific AD group membership during the auth policy, so that non-group MAC addresses are not populated in the ID group and validated by MAB after CoA?
In the Authz policy, AD group membership can be validated at the first CoA (ID group MAC = Employee and AD group membership), but this rule would then preclude the MAB enforcement on subsequent connections, as the AD group info is not available during subsequent MAB rules, only if rule of ID group = employee + AD group not equal XXXX, as MAB calls do not provide the same group info as the initial 5236 Authorize-Only succeeded.
Sorry if the question and flow is a bit unclear; happy to explain further if anyone has done guest AD integration based on a unique security group membership, not the domain.
11-22-2020 04:21 PM
See a similar use case and solution here:
Guest portal allowing only specific AD groups (no BYOD) and sponsored guests
11-22-2020 07:04 PM
Thank you Greg, much appreciated.
I will have a good read over the next few days and try to get it tested with client.