Use Specific AD Group to authenticate users at the Guest Portal

Hello,

The customer has ISE 2.6 integrated with Windows AD; we have retrieved 5 different groups to use them in different use cases.
One of the use cases is for Guest Access and BYOD: the customer wants to use 2 specific AD groups as the allowed groups to gain access at the guest portal, and the other 3 groups must be denied.

At the authentication method, by default it provides the option ''ALL_User_ID_Stores''; we have also created a "GuestPortalSequence", but it only provides the option to select the AD, not a specific AD group.

1 ACCEPTED SOLUTION

@hslai wrote:

I believe you are correct on this. During ISE guest auth, ISE uses the identity source sequence directly. Only after the portal login, accepting the AUP and hitting Continue, will ISE evaluate the authorization policy to find a match.

One workaround is to change the guest portal pages so they reflect such limitations.

Another is to use ISE as a RADIUS token server, so that ISE guest will use ISE (either itself or another ISE) in the identity source sequence.

Yet another is to use LDAP and put the permitted users into an OU.

Correct, there is a special flow that might help your situation under http://cs.co/ise-guest

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--1778324119

6 REPLIES

In your authorization policy, create a rule that checks for AD group membership and then allows access if matched. As long as your Guest Portal sequence points to AD, this should work.

Hello, that was one of the first assumptions, but the Guest Portal flow doesn't work that way.

I believe you are correct on this. During ISE guest auth, ISE uses the identity source sequence directly. Only after the portal login, accepting the AUP and hitting Continue, will ISE evaluate the authorization policy to find a match.

One workaround is to change the guest portal pages so they reflect such limitations.

Another is to use ISE as a RADIUS token server, so that ISE guest will use ISE (either itself or another ISE) in the identity source sequence.

Yet another is to use LDAP and put the permitted users into an OU.
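
The two-step behaviour described in the reply above (credentials are checked against the identity source sequence at portal login; AD group membership is only evaluated by the authorization policy afterwards) and the "LDAP + OU" workaround can be modelled in a few lines. The following is an added example written for this page, not code from ISE or from anyone in the thread. It uses a constructed in-memory directory with hypothetical names (alice, bob, carol, Guest-Allowed-1/2, OU=Guests, DC=example,DC=com) and mimics the flow as the reply describes it; it does not talk to ISE or to a real directory.

```python
# Added example (not from the thread or from Cisco ISE): an in-memory model
# of why an identity source sequence cannot enforce an AD group, and how the
# "LDAP + OU" workaround moves the restriction to the login step.
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


def _dn_parts(dn: str) -> List[str]:
    """Split a DN into normalised RDNs. No escaping support: the constructed
    sample data below contains no commas or escapes inside values."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is at or below base_dn (LDAP subtree scope)."""
    entry, base = _dn_parts(entry_dn), _dn_parts(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


@dataclass
class User:
    dn: str
    sam_account_name: str
    password: str            # clear text only because this is a toy store
    member_of: List[str] = field(default_factory=list)


# Constructed sample directory; names are hypothetical, not the customer's.
DIRECTORY = [
    User("CN=alice,OU=Guests,DC=example,DC=com", "alice", "pw-alice",
         ["CN=Guest-Allowed-1,OU=Groups,DC=example,DC=com"]),
    User("CN=bob,OU=Guests,DC=example,DC=com", "bob", "pw-bob",
         ["CN=Guest-Allowed-2,OU=Groups,DC=example,DC=com"]),
    User("CN=carol,OU=Staff,DC=example,DC=com", "carol", "pw-carol",
         ["CN=Staff-Denied,OU=Groups,DC=example,DC=com"]),
]

# The two "allowed" groups from the question, as hypothetical DNs.
ALLOWED_GROUPS = {
    "cn=guest-allowed-1,ou=groups,dc=example,dc=com",
    "cn=guest-allowed-2,ou=groups,dc=example,dc=com",
}

# Search bases the identity source can be scoped to.
WHOLE_DOMAIN = "DC=example,DC=com"          # an AD join point sees the whole domain
GUEST_OU = "OU=Guests,DC=example,DC=com"    # the "put permitted users in an OU" workaround


def portal_login(sam: str, password: str, search_base: str = WHOLE_DOMAIN) -> Optional[User]:
    """Step 1, the identity source sequence: find the account under the
    configured search base and verify the credentials. Group membership is
    not consulted here, which is the limitation the thread describes."""
    for user in DIRECTORY:
        if user.sam_account_name == sam and in_subtree(user.dn, search_base):
            ok = hmac.compare_digest(user.password.encode(), password.encode())
            return user if ok else None
    return None


def authorization_result(user: User) -> str:
    """Step 2, the authorization policy: runs only after the portal login,
    AUP acceptance and Continue, so it is too late to hide the portal."""
    if any(g.lower() in ALLOWED_GROUPS for g in user.member_of):
        return "PermitAccess"
    return "DenyAccess"


def guest_flow(sam: str, password: str, search_base: str = WHOLE_DOMAIN) -> str:
    """End-to-end outcome: where in the flow a user is stopped, if at all."""
    user = portal_login(sam, password, search_base)
    if user is None:
        return "portal-login-failed"
    return "portal-login-ok/" + authorization_result(user)


if __name__ == "__main__":
    # AD join point: a user from a denied group still gets past the portal
    # login and is only stopped by the authorization policy.
    print(guest_flow("carol", "pw-carol"))            # portal-login-ok/DenyAccess
    # LDAP source scoped to the guest OU: the same user fails at login.
    print(guest_flow("carol", "pw-carol", GUEST_OU))  # portal-login-failed
    print(guest_flow("alice", "pw-alice", GUEST_OU))  # portal-login-ok/PermitAccess
```

The first call shows the behaviour the original poster hit: with the whole domain as the identity source, a member of a denied group authenticates at the portal and sees the AUP page, and only then gets DenyAccess from the authorization policy. The second call models the LDAP workaround from the reply: when the subject search base is the guest OU, accounts outside that OU are never found, so the login itself fails. The model only holds if the permitted users are actually placed in (or under) that OU; a group membership check alone, as in `authorization_result`, cannot be moved into the identity source step.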


For version 2.6:
--Authorization policy works using AD groups.

Can you please share how your use case is working and what it is? Screenshots? This is great info, but I am not sure it's the same, as we didn't make any changes around this.