ISE - Wireless Guest portal - allow AD based login to existing portal

Martin Jelinek
Level 1

Hi all,

I'd like to kindly ask you if you guys have any experience with, or even a recommendation on, how to "modify"/"update" a Wireless Guest portal running on ISE with an additional login option for employees, ideally a "hidden" one.

At the moment CWA is configured with wireless guest to login to wireless guest network. Such guest can perform self-registration or sponsors can create wireless guest account upfront and provision it.

However, we would like to look into possible options for how to "allow" certain employees (based on AD group membership) to also be able to successfully connect/login to the wireless guest network with their company credentials on their private devices. Though there could be a way to update the authentication order so that if such an employee enters his/her credentials at the logon prompt it gets connected, while entering credentials provisioned by sponsors or self-registration would still work as well.

I've seen some guide to create multiple guest portals, but that seems to be kind of overkill.

Isn't there a way the same portal can be used by real guests but also by employees using their own company credentials to log in to the wireless guest network? I'd rather avoid the option of adding an additional "button" to the Guest portal, in addition to "Don't have an account", with something like "Employee login", for compliance reasons if possible.

Maybe there are some improvements in ISE releases on this topic I'm not aware of. At the moment we are running ISE 2.6 but ongoing upgrade activity is running to release 3.1. So if there is maybe "easier" possibility built in 3.1 I don't know...

I hope the topic is understandable and what I'm trying to achieve is clear.

Thanks for any hints

Cheers!

Martin


5 Replies

Arne Bier
VIP

Hello @Martin Jelinek

The solution is surprisingly simple. You have to do two things:

1) Decide what type of Guest an employee will get. E.g. is it 1 Day, 1 Week

2) Create/Modify the Authentication Method Sequence to include the AD Join Point(s) for the Guest Portal (edit this sequence under Administration > Identity Management > Identity Source Sequences. By default the Guest_Portal_Sequence only

See below

employee guests.png


That should work. But it's a bit too wide open, because it will allow any successful AD Authentication to succeed. What if you wanted to restrict this Guest access to a subset of AD Groups only?  In that case, here is a great article

I hope that helps

Well, that is the thing: to prevent all AD users from logging in, it must be checked against a specific AD group only.

I've seen the given guide but still thought there is no need for a hotspot and that it could be done in an easier way.

I will try to look into the given guide again, and possibly test in the LAB to see... Not sure if that is the only way to keep it simple or whether some script adjustment can be made to achieve this goal.

Thank you 

Charlie Moreton
Cisco Employee
  1. Create an LDAP External Identity Source to the domain. 
  2. Add the ONE group that you want to allow access. 
  3. Add this LDAP Store to the Identity Source Sequence for the Guest Portal.

Hi Charlie,

Thank you, I thought about it but wasn't sure it would work. In the next few days we should have our LAB instance upgraded to the 3.1 release and will test it right after that.

Will let you know if that works...

Thank you

Hi @orchari 

Seems it is not that simple. I was finally given time for a LAB of this request, and creating an LDAP external identity source in which you discover an AD group is not enough, as using this identity store within the Identity Source Sequence will basically allow anyone in AD to log in as a guest with AD credentials.

Therefore I need to find a way to modify the Guest Flow, or add a rule into the configured Policy Set where the Guest Flow is used, to somehow add an OR condition that accepts users only if they are members of the dedicated AD group.

Any clue how this can be done? Or do I need to be somehow strict with LDAP definition to point Base DN etc into the group itself?

Thank you
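The question above, whether the LDAP definition itself can be made strict enough that only members of one AD group are found, comes down to the user-lookup filter. The Python below is an added illustration, not code from this thread, from Cisco ISE, or from the linked guide: it evaluates two lookup filters against a small constructed directory to show why a lookup keyed on the login name alone finds every AD account, while the same lookup AND-ed with `memberOf` finds only the permitted group. The attribute names follow Active Directory (`sAMAccountName`, `memberOf`); the directory entries, the group DN `CN=Guest-WiFi-Allowed,OU=Groups,DC=example,DC=com`, the `{USER}` placeholder and all function names are assumptions made for the example, and nothing here claims to be the field names of the ISE LDAP identity source.

```python
"""Added illustration (not ISE code): an LDAP user-lookup filter that only
finds accounts in one AD group, evaluated against a constructed directory.
The directory contents, group DN and {USER} placeholder are made-up values."""
import re

# Constructed sample directory: DN -> attributes (multi-valued ones as lists).
ALLOWED_GROUP_DN = "CN=Guest-WiFi-Allowed,OU=Groups,DC=example,DC=com"
STAFF_GROUP_DN = "CN=Staff,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "alice", "memberOf": [STAFF_GROUP_DN, ALLOWED_GROUP_DN]},
    "CN=bob,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "bob", "memberOf": [STAFF_GROUP_DN]},
    "CN=carol,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "carol", "memberOf": []},
}

# A lookup that matches on the login name alone: every AD account is found.
UNRESTRICTED_FILTER = "(sAMAccountName={USER})"
# The same lookup AND-ed with direct membership of the one permitted group.
RESTRICTED_FILTER = "(&(sAMAccountName={USER})(memberOf=%s))" % ALLOWED_GROUP_DN


def escape_filter_value(value):
    """RFC 4515 escaping, so a typed login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i=0):
    """Parse the filter subset (&..)(|..)(!..)(attr=value); return (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1              # step over the closing ')'
    eq = s.index("=", i)
    end = s.index(")", eq)                        # escaped values contain no raw ')'
    return ("=", s[i:eq], _unescape(s[eq + 1:end])), end + 1


def _matches(node, entry):
    kind = node[0]
    if kind == "=":
        _, attr, wanted = node
        have = entry.get(attr, [])
        have = [have] if isinstance(have, str) else have
        return any(v.lower() == wanted.lower() for v in have)  # AD compares case-insensitively
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    return not _matches(node[1][0], entry)        # '!'


def lookup(filter_template, login_name):
    """Substitute the escaped login name and return the DNs the filter matches."""
    flt = filter_template.replace("{USER}", escape_filter_value(login_name))
    node, _ = _parse(flt)
    return [dn for dn, entry in DIRECTORY.items() if _matches(node, entry)]


def who_would_be_found(filter_template):
    """Try each account's login name in turn and report which ones the lookup finds."""
    names = sorted(e["sAMAccountName"] for e in DIRECTORY.values())
    return [n for n in names if lookup(filter_template, n)]


if __name__ == "__main__":
    print("unrestricted:", who_would_be_found(UNRESTRICTED_FILTER))  # all three accounts
    print("restricted:  ", who_would_be_found(RESTRICTED_FILTER))    # alice only
```

Two caveats when carrying this over to a real directory: `memberOf` lists direct membership only, so an account that reaches the permitted group through a nested group is not found unless the filter uses the Active Directory matching-rule-in-chain extension (OID 1.2.840.113556.1.4.1941), which this toy evaluator does not implement; and the lab test that settles the question is the negative one already planned in this thread, a valid AD account outside the group being refused at the portal.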
