12-05-2019 09:59 AM - edited 12-05-2019 10:03 AM
Hello,
The customer has ISE 2.6 integrated with Windows AD, and we have retrieved 5 different groups to use in different use cases.
One of the use cases is for GUEST-Access and BYOD: the customer wants to use 2 specific AD groups as allowed groups to gain access at the guest portal, and the other 3 groups must be denied.
The authentication method by default provides the option "ALL_User_ID_Stores". We have also created a "GuestPortalSequence", but it only provides the option to select the AD, and not a specific AD_Group.
12-05-2019 10:25 AM
In your authorization policy, create a rule that checks for AD group membership and then allows access if matched. As long as your Guest Portal sequence points to AD, then this should work.
12-05-2019 01:07 PM
12-09-2019 08:39 AM
I believe you are correct on this. During ISE guest auth, ISE uses the identity source sequence directly. Only after the portal login, accepting the AUP, and hitting continue will ISE evaluate the authorization policy to find a match.
One workaround is to change the guest portal pages so they reflect such limitations.
Another is to use ISE as a RADIUS token server so that ISE guest will use ISE (either itself or another ISE) in the identity source sequence.
Yet another is to use LDAP and put the permitted users into an OU.
12-09-2019 09:15 AM
@hslai wrote:
I believe you are correct on this. During ISE guest auth, ISE uses the identity source sequence directly. Only after the portal login, accepting the AUP, and hitting continue will ISE evaluate the authorization policy to find a match.
One workaround is to change the guest portal pages so they reflect such limitations.
Another is to use ISE as a RADIUS token server so that ISE guest will use ISE (either itself or another ISE) in the identity source sequence.
Yet another is to use LDAP and put the permitted users into an OU.
Correct, there is a special flow that might help your situation under http://cs.co/ise-guest
12-16-2019 07:21 AM
For version 2.6
--Authorization policy works using AD groups,
12-16-2019 11:03 AM