Split BYOD based on AD group membership

gtilburg
Cisco Employee

hi,

Our customer wants to split their BYOD flow for wired in the following:

  1. BYOD user PC connects and gets redirected to web portal
  2. User authenticates using their AD credentials
  3. Depending on the AD group membership either
    1. Do device registration for the BYOD device and authenticate based on the MAC address from then on.
    2. OR validate posture using the web agent

From what I could find out, the device registration is enabled on the guest portal for all BYOD users - not based on any authorization such as AD groups.

As such I assume it will be all BYOD users doing device registration or all users doing posture validation - no combinations.

Can you confirm this is correct?

Secondly, if we validate for posture using the web agent, is there any way to avoid having to redo on every new connection?

Many thanks

Gert

Accepted Solution

Set up a web portal with the onboarding piece enabled.

After login a CoA will take place.

If ADGROUP1 then redirect to NSP (BYOD registration).

If ADGROUP2 then redirect to CPP (Posture). Are you going to use web agent posture or AnyConnect?


5 Replies

howon
Cisco Employee

Gert, regarding first Q. You can achieve it but will need to use single-SSID flow instead. For the second Q, posture lease feature is what you are looking for, but it is only available on AnyConnect Agent.

Hi,

Thanks for the reply.

We are doing this on wired, not wireless.

Also, just to be clear: the user gets the web portal and provides credentials. If the user is member of a specific AD group, he should do device registration. If he is not, he should be validated for posture.

How can this be configured?

As both users are on AD, they will both hit the device registration or guest compliance check (which both are configured on the guest portal).

I didn’t find a way to allow authorization for BYOD users.

Would be very interested to see how to configure this.

Many thanks

Gert

Gert Tilburgs - CCIE R&S 21187

Network Consulting Engineer

Cisco Security Services

Phone: +3227046188 - Email: gtilburg@cisco.com

For corporate legal information go to:

http://www.cisco.com/web/about/doing_business/legal/cri/index.html


Thanks Jason.

The customer does not want to install anything on the BYOD PC, so would go for the web agent. I am not a fan, but given the requirements, this seems the only option. They will check any AV.

Concerns?

You can do BYOD device registration only for ADGROUP1 (don't configure a supplicant or cert profile for that group)

then for ADGROUP2 redirect to CPP with web agent (windows only of course!)

I don't see anything as a problem.

Please do reach out directly if you need to discuss.
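As an added illustration (not code from this thread, and not ISE's own code or an exported ISE policy), the following Python models the accepted answer as an ISE-style first-match authorization policy, so the two paths (ADGROUP1 to NSP device registration, then MAB-only access; ADGROUP2 to CPP posture) and the posture-lease difference between the web agent and AnyConnect from the first reply can be traced for a sample wired session. The rule names, the one-day lease length, the MAC address and session ids are assumptions made for the example.

```python
"""Constructed model of the split BYOD authorization flow discussed above.

Added example, not ISE code. ISE's authorization policy is an ordered,
first-match rule list; this models that list plus the small amount of
endpoint state (registration, last posture result) that the decisions
depend on. Rule names, lease length, MAC and session ids are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

POSTURE_LEASE = timedelta(days=1)   # assumed lease; per the thread only AnyConnect gets one


@dataclass
class Endpoint:
    """What ISE remembers about a MAC across sessions (stand-in for the endpoint store)."""
    registered: bool = False               # in RegisteredDevices after NSP onboarding
    posture: str = "unknown"               # compliant / noncompliant / unknown
    posture_time: Optional[datetime] = None
    posture_session: Optional[int] = None  # session in which the last posture check ran
    agent: str = "webagent"                # "webagent" or "anyconnect"


@dataclass
class Session:
    """One wired connection. ad_groups stays empty until the user logs in at the portal."""
    session_id: int
    mac: str
    ad_groups: frozenset = field(default_factory=frozenset)


def posture_valid(sess: Session, ep: Endpoint, now: datetime) -> bool:
    """A compliant result counts only for the session it ran in, unless the
    endpoint uses AnyConnect, whose lease carries it across reconnects."""
    if ep.posture != "compliant" or ep.posture_time is None:
        return False
    if ep.posture_session == sess.session_id:
        return True
    return ep.agent == "anyconnect" and now - ep.posture_time <= POSTURE_LEASE


def authorize(sess: Session, ep: Endpoint, now: datetime) -> tuple:
    """First-match evaluation like an ISE authorization policy. Order matters:
    a registered device must match before the portal rules, and the
    'already compliant' rule must sit above the CPP redirect, otherwise the
    posture path loops back to the portal after every CoA."""
    groups = sess.ad_groups
    rules = [
        ("Registered_BYOD",   lambda: ep.registered,                                        "PermitAccess"),
        ("BYOD_Onboard",      lambda: "ADGROUP1" in groups,                                 "Redirect:NSP"),
        ("Posture_Compliant", lambda: "ADGROUP2" in groups and posture_valid(sess, ep, now), "PermitAccess"),
        ("Posture_Redirect",  lambda: "ADGROUP2" in groups,                                 "Redirect:CPP"),
        ("Wired_CWA",         lambda: True,                                                 "Redirect:CWA"),
    ]
    for name, condition, result in rules:
        if condition():
            return name, result
    raise AssertionError("the default rule always matches")


def simulate(user_groups, agent: str):
    """Trace one device: day-1 connect, portal login (CoA), onboarding or
    posture, then a reconnect. Returns the list of (rule, result) hits."""
    day1 = datetime(2024, 1, 1, 9, 0)
    day2 = day1 + timedelta(hours=8)          # next connect, inside the assumed lease
    ep = Endpoint(agent=agent)
    trace = []

    s1 = Session(session_id=1, mac="00:11:22:33:44:55")   # constructed MAC
    trace.append(authorize(s1, ep, day1))                 # MAB only -> CWA portal
    s1.ad_groups = frozenset(user_groups)                 # portal login; CoA re-authorizes
    rule, result = authorize(s1, ep, day1)
    trace.append((rule, result))
    if result == "Redirect:NSP":
        ep.registered = True                              # NSP completes device registration
    elif result == "Redirect:CPP":
        ep.posture, ep.posture_time, ep.posture_session = "compliant", day1, s1.session_id
        trace.append(authorize(s1, ep, day1))             # CoA after posture -> permit

    s2 = Session(session_id=2, mac=s1.mac)                # new session when the PC plugs in again
    rule, result = authorize(s2, ep, day2)
    trace.append((rule, result))
    if result == "Redirect:CWA":                          # not registered: user logs in again
        s2.ad_groups = frozenset(user_groups)
        trace.append(authorize(s2, ep, day2))
    return trace


if __name__ == "__main__":
    for groups, agent in (["ADGROUP1"], "webagent"), (["ADGROUP2"], "webagent"), (["ADGROUP2"], "anyconnect"):
        print(groups, agent)
        for rule, result in simulate(groups, agent):
            print(f"  {rule:18} -> {result}")
```

Running it shows the ADGROUP1 device hitting the portal once and then being permitted on MAB alone, while the ADGROUP2 web-agent device is sent back through the portal and CPP on every new session; only the AnyConnect variant, inside its lease, is permitted on the reconnect without re-running posture.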