cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

396
Views
10
Helpful
1
Replies
Highlighted
Beginner

Once authenticated through CWA, want certain AD groups to be DeviceRegistered without using BYOD: How to?

Situation:  Open SSID for Guests Sponsored Access.  Either guests or Employees can authenticate on CWA.

 

Requirement: Once an AD:IT user is authenticated via CWA, customers wants MAC address of device be automatically added to RegisteredDevices.  Goal: when the device reassociate with the Guest-Net, it will be automatically accepted on the Guest network without any further cwa.   The customer doesn't want to use BYOD for its employees, and wants the AD:IT employees to remain on the Guest-Net.

 

Also, customer would like that, following CWA, if an AD:Employee is NOT from the IT group, then customer wants the MAC address to be put in Blacklist.

 

Summary:  the customer wants that, for users authenticating via CWA and OU=IT, the MAC address be put in the RegisteredDevices, and that those devices when re-connecting to the Guest-Net, be automatically recognized without prompting the user for CWA, but only for users from OU=IT.

 

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee


@cpaquet wrote:

Situation:  Open SSID for Guests Sponsored Access.  Either guests or Employees can authenticate on CWA.

 

Requirement: Once an AD:IT user is authenticated via CWA, customers wants MAC address of device be automatically added to RegisteredDevices.  Goal: when the device reassociate with the Guest-Net, it will be automatically accepted on the Guest network without any further cwa.   The customer doesn't want to use BYOD for its employees, and wants the AD:IT employees to remain on the Guest-Net.

 

Also, customer would like that, following CWA, if an AD:Employee is NOT from the IT group, then customer wants the MAC address to be put in Blacklist.

 

Summary:  the customer wants that, for users authenticating via CWA and OU=IT, the MAC address be put in the RegisteredDevices, and that those devices when re-connecting to the Guest-Net, be automatically recognized without prompting the user for CWA, but only for users from OU=IT.

 

Thanks.


Check out special flows.

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--1778324119

 

There is no way to choose on login which groups do what. however you can play with this. Look at the prescriptive guest guide for more details on some configurations . you can tweak around with this

 

You can however to do the following:

 

setup multiple endpoint groups for guest endpoints

allowedEndpoint

Denied endpoint

 

setup allowedhotspot portal mapped to allowedEndpoint

do similiar for denyportal

 

setup authorization flows

if mab and guestflow and adGroupAllowed then redirect to allowedHotspotPortal (device will be assigned correct group)

if mab and guestflow and deniedGroup ( or no groups) then redirect go denieDportal

if mab and GuestEndpoint group then permit access

if mab and deniedEndpoint then deny access

 

if mab then redirect to guest portal

 

View solution in original post

1 REPLY 1
Highlighted
Cisco Employee


@cpaquet wrote:

Situation:  Open SSID for Guests Sponsored Access.  Either guests or Employees can authenticate on CWA.

 

Requirement: Once an AD:IT user is authenticated via CWA, customers wants MAC address of device be automatically added to RegisteredDevices.  Goal: when the device reassociate with the Guest-Net, it will be automatically accepted on the Guest network without any further cwa.   The customer doesn't want to use BYOD for its employees, and wants the AD:IT employees to remain on the Guest-Net.

 

Also, customer would like that, following CWA, if an AD:Employee is NOT from the IT group, then customer wants the MAC address to be put in Blacklist.

 

Summary:  the customer wants that, for users authenticating via CWA and OU=IT, the MAC address be put in the RegisteredDevices, and that those devices when re-connecting to the Guest-Net, be automatically recognized without prompting the user for CWA, but only for users from OU=IT.

 

Thanks.


Check out special flows.

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--1778324119

 

There is no way to choose on login which groups do what. however you can play with this. Look at the prescriptive guest guide for more details on some configurations . you can tweak around with this

 

You can however to do the following:

 

setup multiple endpoint groups for guest endpoints

allowedEndpoint

Denied endpoint

 

setup allowedhotspot portal mapped to allowedEndpoint

do similiar for denyportal

 

setup authorization flows

if mab and guestflow and adGroupAllowed then redirect to allowedHotspotPortal (device will be assigned correct group)

if mab and guestflow and deniedGroup ( or no groups) then redirect go denieDportal

if mab and GuestEndpoint group then permit access

if mab and deniedEndpoint then deny access

 

if mab then redirect to guest portal

 

View solution in original post