09-27-2022 12:38 AM
Hi all,
I'd like to kindly ask if any of you have experience with, or even a recommendation on, how to "modify"/"update" the Wireless Guest portal running on ISE with an additional login option for employees, ideally a "hidden" one.
At the moment CWA is configured with wireless guest to login to wireless guest network. Such guest can perform self-registration or sponsors can create wireless guest account upfront and provision it.
However, we would like to look into possible options for how to "allow" certain employees (based on AD group membership) to also be able to successfully connect/login to the wireless guest network with their company credentials on their private devices. There could perhaps be a way to update the authentication order so that if such an employee enters his/her credentials at the logon prompt it gets connected, while entering credentials provisioned by sponsors or via self-registration would still work as well.
I've seen some guide to create multiple guest portals, but that seems to be kind of overkill.
Isn't there a way how same portal can be used by real guests but also by employees using their own company credentials to login to wireless guest network? I'd rather avoid an option to add additional "button" to the Guest portal as addition to "Don't have an account" to add something like "Employee login" for some compliance reasons if possible.
Maybe there are some improvements in ISE releases on this topic I'm not aware of. At the moment we are running ISE 2.6 but ongoing upgrade activity is running to release 3.1. So if there is maybe "easier" possibility built in 3.1 I don't know...
Hope the topic is understandable and what I'm trying to achieve is clear.
Thanks for any hints
Cheers!
Martin
09-27-2022 12:43 PM - edited 09-27-2022 12:44 PM
09-29-2022 02:50 AM
Hi Charlie,
Thank you, I thought about it but wasn't sure it would work. In the next days we should have our LAB instance upgraded to the 3.1 release and will test it right after that.
Will let you know if that works...
Thank you
09-27-2022 01:37 AM
Hello @Martin Jelinek
The solution is surprisingly simple. You have to do two things:
1) Decide what type of Guest an employee will get. E.g. is it 1 Day, 1 Week
2) Create/Modify the Authentication Method Sequence to include the AD Join Point(s) for the Guest Portal (edit this sequence under Administration > Identity Management > Identity Source Sequences. By default the Guest_Portal_Sequence only
See below
That should work. But it's a bit too wide open, because it will allow any successful AD Authentication to succeed. What if you wanted to restrict this Guest access to a subset of AD Groups only? In that case, here is a great article
I hope that helps
09-27-2022 03:49 AM
Well, that is the thing: to prevent all AD users from logging in, it must be checked against a specific AD group only.
I've seen the given guide but still thought there is no need for a hotspot and that it could be done in an easier way.
I will try to look into the given guide again, and possibly test it in the LAB to see... Not sure if that is the only way to keep it simple or whether some script adjustment can be made to achieve this goal.
Thank you
12-06-2022 12:34 AM
Hi @orchari
Seems it is not that simple. I was finally given LAB time for this request, and creating an LDAP external identity source where you discover an AD group is not enough, as using this identity store within the Identity Source Sequence will basically allow anyone in AD to log in as a guest with AD credentials.
Therefore need to find a way how to modify Guest Flow or adding a rule into configured Policy Set where Guest Flow is used to somehow add OR condition to accept users only if they are members of dedicated AD group.
Any clue how this can be done? Or do I need to be somehow strict with LDAP definition to point Base DN etc into the group itself?
Thank you