
Sponsored Guest Portal with Active Directory users and group restrictions

Johannes Luther
Level 4

Hi board,

I'm using Cisco ISE 1.3 and 1.4 and (disclaimer following:) maybe this is a silly question :)

Here's the deal:

I want to create a sponsored guest portal using Active Directory credentials.

The use case is Internet access for employees with personal devices and I don't want to implement the BYOD device registration stuff - sorry.


Here's what I did:

1.) Created a new guest type for employees. Basically to save the endpoint MAC addresses to a separate endpoint identity group ("employee_guest_endpoints")

2.) Added the Active-Directory external identity store to the guest sequence, which is used in the sponsored guest portal configuration

3.) Added an authorization rule for the corresponding AD group which are allowed to use this Internet access.


Sounds easy right? But there are some issues using this approach.


1.) All AD objects are able to authenticate (not authorize) at the guest portal

Because in the guest portal configuration only a sequence of identity stores is possible, all AD objects are able to register a MAC address because authentication is ok, right?


To overcome issue 1.) I have the following authorization rule (simplified):

If "Wireless_MAB" and "guest-SSID" and "AD:external-groups" equals "allowed-internet-employees" then PermitAccess

This works perfectly - but ....


2.) When the wireless connection is shortly down (WLC deletes user from WLC user db after the user idle timeout), the user needs to authorize again at the portal

Here's why:

The WLC performs MAB and sends the MAC to the ISE. The ISE passes authentication because it has the MAC in the EP identity group. Authorization fails, because the rule mentioned above with the AD group does not match. There is no link between the MAC address to the AD group if there's no authentication at the web portal.


- I cannot build an authorization rule like

If "employee_guest_endpoints" and "Wireless_MAB" and "guest-SSID" then PermitAccess

Because the EP group "employee_guest_endpoints" is not limited to members of an AD group. Each object in the AD (because of the guest portal configuration) is able to authenticate to the portal and therefore a MAC address is added to the EP group "employee_guest_endpoints"


So long story short:

Is there a way to

  • Authenticate AD users but only authorize them if they belong to a group for CWA?
  • At the same time the AD users should not need to use the guest portal every time the WLAN connection is shortly down, as for the sponsored normal guest users
6 Replies

jan.nielsen
Level 7

Create a new AD connector with LDAP to the same AD, and point the base DN user search to only look in the group you want to be able to authenticate with their AD credentials, to get guest access. Then use this id store in your guest sequence, and remove the old AD one. Now you should be able to allow the guest portal to auto-register those MAC addresses in its own group, and then just MAB validate those MAC addresses the next time the device is kicked off and tries to come back online, with a specific authorization rule for the condition: endpoint group + SSID + MAB. If you want to, you can purge the devices from that group when they reach a certain age, to re-trigger guest login.

Wow - that's pretty clever! With this approach I can cover one AD group.

But (sorry to say this) this is like a "hack" for the whole problem (but a very clever one).

Is there no standard solution for this use case? Or does Cisco want to enforce the BYOD and myportal solution for this?

I'm not aware of another way of doing this, the use case for this type of thing is normally filled by BYOD scenarios, where the authorization rules can be more granular if you use something like a single ssid with PEAP to start provisioning of certificates for "BYOD" devices.

I have the exact same need to lock down my staff portal to users in an AD group but having issues. I have the connector setup no problem but I can't find the users that are in an AD group. To clarify, this setup is for finding users in a group versus an OU? If I point the Subject Search Base to an OU where the user is stored it works but my users are stored in OUs all over AD so this won't work for this setup. If I point the Subject Search Base to the path of the group then it doesn't find any users. I've messed around with different combinations within the schema configuration and no luck.

Any help from anyone that has pointed the connector to a group and is able to retrieve the users would be much appreciated!
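Added example (not from this thread or from Cisco): a small model of the LDAP search behind the "group versus OU" question above. It shows why a subtree search whose base is the group's DN returns no user objects (the group entry is not a user, and its members live elsewhere), while a search from the domain base with a `memberOf` filter finds members spread across OUs. The directory entries, DNs and group name are constructed sample data.

```python
# Constructed directory model; DNs and names are placeholders, not real data.
GROUP_DN = "CN=allowed-internet-employees,OU=Groups,DC=example,DC=local"
DOMAIN_BASE = "DC=example,DC=local"

# (dn, attributes): two users in the group in different OUs, one user
# outside the group, and the group object itself.
DIRECTORY = [
    ("CN=alice,OU=Sales,DC=example,DC=local",
     {"objectClass": "user", "memberOf": [GROUP_DN]}),
    ("CN=bob,OU=Engineering,OU=EMEA,DC=example,DC=local",
     {"objectClass": "user", "memberOf": [GROUP_DN]}),
    ("CN=carol,OU=Sales,DC=example,DC=local",
     {"objectClass": "user", "memberOf": []}),
    (GROUP_DN,
     {"objectClass": "group", "member": ["CN=alice,OU=Sales,DC=example,DC=local",
                                         "CN=bob,OU=Engineering,OU=EMEA,DC=example,DC=local"]}),
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    # Backslash must be replaced first so later replacements are not re-escaped.
    for ch, rep in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"),
                    (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, rep)
    return value


def member_of_filter(group_dn: str) -> str:
    """Filter matching user objects with a direct membership in group_dn."""
    return f"(&(objectClass=user)(memberOf={escape_filter_value(group_dn)}))"


def in_subtree(dn: str, base: str) -> bool:
    """True if dn equals base or sits below it (subtree scope), case-insensitive."""
    dn_l, base_l = dn.lower(), base.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


def find_users(base_dn: str, group_dn: str) -> list:
    """Subtree search under base_dn for user objects that are members of group_dn."""
    return sorted(dn for dn, attrs in DIRECTORY
                  if in_subtree(dn, base_dn)
                  and attrs.get("objectClass") == "user"
                  and group_dn in attrs.get("memberOf", []))
```

Note that `memberOf` only reflects direct membership; members of nested groups are not matched by this filter.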

Hey I know this is a few years old, but were you ever able to figure out a solution to this? I'm running into this exact same scenario.

I suggest creating a new Question in the community with your specific details.

See How to Ask The Community for Help to minimize any back and forth for details.