01-23-2020 03:24 PM
Situation: Open SSID for Guests Sponsored Access. Either guests or Employees can authenticate on CWA.
Requirement: Once an AD:IT user is authenticated via CWA, the customer wants the MAC address of the device to be automatically added to RegisteredDevices. Goal: when the device reassociates with the Guest-Net, it will be automatically accepted on the Guest network without any further CWA. The customer doesn't want to use BYOD for its employees, and wants the AD:IT employees to remain on the Guest-Net.
Also, the customer would like that, following CWA, if an AD:Employee is NOT from the IT group, the MAC address be put in the Blacklist.
Summary: the customer wants that, for users authenticating via CWA and OU=IT, the MAC address be put in RegisteredDevices, and that those devices, when reconnecting to the Guest-Net, be automatically recognized without prompting the user for CWA, but only for users from OU=IT.
Thanks.
01-31-2020 08:28 PM
@cpaquet wrote:
Situation: Open SSID for Guests Sponsored Access. Either guests or Employees can authenticate on CWA.
Requirement: Once an AD:IT user is authenticated via CWA, the customer wants the MAC address of the device to be automatically added to RegisteredDevices. Goal: when the device reassociates with the Guest-Net, it will be automatically accepted on the Guest network without any further CWA. The customer doesn't want to use BYOD for its employees, and wants the AD:IT employees to remain on the Guest-Net.
Also, the customer would like that, following CWA, if an AD:Employee is NOT from the IT group, the MAC address be put in the Blacklist.
Summary: the customer wants that, for users authenticating via CWA and OU=IT, the MAC address be put in RegisteredDevices, and that those devices, when reconnecting to the Guest-Net, be automatically recognized without prompting the user for CWA, but only for users from OU=IT.
Thanks.
Check out special flows.
There is no way to choose on login which groups do what; however, you can play with this. Look at the prescriptive guest guide for more details on some configurations. You can tweak around with this.
You can, however, do the following:
Set up multiple endpoint groups for guest endpoints:
    allowedEndpoint
    Denied endpoint
Set up an allowedhotspot portal mapped to allowedEndpoint.
Do similar for denyportal.
Set up authorization flows:
    if mab and guestflow and adGroupAllowed then redirect to allowedHotspotPortal (device will be assigned correct group)
    if mab and guestflow and deniedGroup (or no groups) then redirect to deniedPortal
    if mab and GuestEndpoint group then permit access
    if mab and deniedEndpoint then deny access
    if mab then redirect to guest portal
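The rule order in the answer above can be traced with a small first-match model. This is an added example, not part of the original post and not ISE configuration. It assumes that rule 3's "GuestEndpoint group" is the allowedEndpoint group, that "IT" is the allowed AD group, and that any guest-flow session without an allowed AD group falls to the denied rule; all names and MAC addresses are constructed.

```python
# Added illustration: a first-match model of the five authorization rules above.
# Not ISE configuration; every name and value here is constructed for the example.
from dataclasses import dataclass, field

ALLOWED_GROUP = "allowedEndpoint"   # assumption: the group rule 3 checks
DENIED_GROUP = "deniedEndpoint"
ALLOWED_AD_GROUPS = {"IT"}          # assumption: AD group treated as adGroupAllowed

@dataclass
class Session:
    mac: str
    guest_flow: bool = False        # True only on the re-auth right after a CWA login
    ad_groups: set = field(default_factory=set)

def authorize(s, endpoint_groups):
    """Return the result of the first matching rule, evaluated top to bottom."""
    group = endpoint_groups.get(s.mac)
    rules = [
        (s.guest_flow and bool(s.ad_groups & ALLOWED_AD_GROUPS),
         "redirect:allowedHotspotPortal"),
        (s.guest_flow, "redirect:deniedPortal"),   # denied group or no groups
        (group == ALLOWED_GROUP, "permit"),
        (group == DENIED_GROUP, "deny"),
        (True, "redirect:guestPortal"),            # plain MAB, unknown endpoint
    ]
    return next(result for matched, result in rules if matched)

def accept_hotspot(mac, portal, endpoint_groups):
    """Accepting a hotspot portal puts the MAC in that portal's mapped group."""
    mapping = {"allowedHotspotPortal": ALLOWED_GROUP, "deniedPortal": DENIED_GROUP}
    endpoint_groups[mac] = mapping[portal]

def lifecycle(mac, ad_groups):
    """First MAB, CWA login, hotspot registration, then a later reconnect."""
    groups = {}
    steps = [authorize(Session(mac), groups)]
    after_login = authorize(Session(mac, True, set(ad_groups)), groups)
    steps.append(after_login)
    accept_hotspot(mac, after_login.split(":", 1)[1], groups)
    steps.append(authorize(Session(mac), groups))  # reconnect: no guest flow
    return steps

if __name__ == "__main__":
    print(lifecycle("AA:BB:CC:00:00:01", {"IT"}))
    print(lifecycle("AA:BB:CC:00:00:02", {"Sales"}))
```

The reconnect step matches on endpoint group alone, which is why the two guest-flow rules have to sit above the endpoint-group rules: they only fire on the session immediately following the portal login.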