Once authenticated through CWA, want certain AD groups to be DeviceRegistered without using BYOD: How to?

cpaquet (Level 1)

Situation: Open SSID for Guests Sponsored Access. Either guests or employees can authenticate on CWA.

Requirement: Once an AD:IT user is authenticated via CWA, the customer wants the MAC address of the device to be automatically added to RegisteredDevices. Goal: when the device reassociates with the Guest-Net, it will be automatically accepted on the Guest network without any further CWA. The customer doesn't want to use BYOD for its employees, and wants the AD:IT employees to remain on the Guest-Net.

Also, the customer would like that, following CWA, if an AD:Employee is NOT from the IT group, the MAC address be put in the Blacklist.

Summary: the customer wants that, for users authenticating via CWA and OU=IT, the MAC address be put in RegisteredDevices, and that those devices, when reconnecting to the Guest-Net, be automatically recognized without prompting the user for CWA, but only for users from OU=IT.

Thanks.

Accepted Solution

Jason Kunst (Cisco Employee)

@cpaquet wrote:

Situation: Open SSID for Guests Sponsored Access. Either guests or employees can authenticate on CWA.

Requirement: Once an AD:IT user is authenticated via CWA, the customer wants the MAC address of the device to be automatically added to RegisteredDevices. Goal: when the device reassociates with the Guest-Net, it will be automatically accepted on the Guest network without any further CWA. The customer doesn't want to use BYOD for its employees, and wants the AD:IT employees to remain on the Guest-Net.

Also, the customer would like that, following CWA, if an AD:Employee is NOT from the IT group, the MAC address be put in the Blacklist.

Summary: the customer wants that, for users authenticating via CWA and OU=IT, the MAC address be put in RegisteredDevices, and that those devices, when reconnecting to the Guest-Net, be automatically recognized without prompting the user for CWA, but only for users from OU=IT.

Thanks.


Check out special flows.

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--1778324119

 

There is no way to choose on login which groups do what. However, you can play with this. Look at the prescriptive guest guide for more details on some configurations; you can tweak around with this.


You can, however, do the following:

Set up multiple endpoint groups for guest endpoints:
    allowedEndpoint
    deniedEndpoint

Set up an allowedHotspot portal mapped to allowedEndpoint; do similar for the deniedPortal.

Set up authorization flows:
    if MAB and GuestFlow and adGroupAllowed then redirect to allowedHotspotPortal (device will be assigned the correct group)
    if MAB and GuestFlow and deniedGroup (or no groups) then redirect to deniedPortal
    if MAB and GuestEndpoint group then permit access
    if MAB and deniedEndpoint then deny access
    if MAB then redirect to guest portal
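The authorization flow described above, modelled as an ordered first-match rule set so the two-pass behaviour (CWA login, hotspot portal registers the MAC, later reassociation hits the endpoint-group rule) can be traced end to end. This is an added example, not Cisco ISE code or the poster's configuration; the endpoint group names, the AD group name "IT" and the portal registration side effect are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed names of the two endpoint identity groups from the answer. The hotspot
# portal side effect (registering the MAC into its mapped group) is modelled here.
ALLOWED_GROUP = "allowedEndpoint"
DENIED_GROUP = "deniedEndpoint"


@dataclass
class Session:
    mac: str
    mab: bool = True                          # open SSID: MAB is the only auth
    guest_flow: bool = False                  # true on the CoA re-auth after a CWA login
    ad_groups: FrozenSet[str] = frozenset()   # AD groups returned for the CWA user
    endpoint_group: Optional[str] = None      # identity group the MAC currently belongs to


# Rules are evaluated top-down and the first match wins, as in an ISE policy set.
POLICY = [
    ("mab+guestflow+IT", lambda s: s.mab and s.guest_flow and "IT" in s.ad_groups, "redirect:allowedHotspotPortal"),
    ("mab+guestflow+other/none", lambda s: s.mab and s.guest_flow, "redirect:deniedPortal"),
    ("mab+allowedEndpoint", lambda s: s.mab and s.endpoint_group == ALLOWED_GROUP, "permit"),
    ("mab+deniedEndpoint", lambda s: s.mab and s.endpoint_group == DENIED_GROUP, "deny"),
    ("mab catch-all", lambda s: s.mab, "redirect:guestPortal"),
]


def authorize(session, policy=POLICY):
    for _name, cond, result in policy:
        if cond(session):
            return result
    return "deny"  # implicit default rule


def visit_portal(session, result):
    """Hotspot portals register the MAC into their mapped endpoint group (assumed side effect)."""
    if result == "redirect:allowedHotspotPortal":
        session.endpoint_group = ALLOWED_GROUP
    elif result == "redirect:deniedPortal":
        session.endpoint_group = DENIED_GROUP


def walk_flow(mac, ad_groups, endpoint_db):
    """First association, CWA login + CoA re-auth, portal registration, later reassociation."""
    s = Session(mac, endpoint_group=endpoint_db.get(mac))
    first = authorize(s)                        # unknown MAC: plain CWA redirect
    s.guest_flow, s.ad_groups = True, frozenset(ad_groups)
    after_login = authorize(s)                  # which hotspot portal the user lands on
    visit_portal(s, after_login)
    endpoint_db[mac] = s.endpoint_group          # persisted in the endpoint database
    later = authorize(Session(mac, endpoint_group=endpoint_db.get(mac)))
    return first, after_login, later
```

Moving the catch-all "MAB then redirect to guest portal" rule above the endpoint-group rules would send already-registered IT devices back through CWA on every reassociation, which is the ordering mistake the trace makes visible.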

