Solved: Use Specific AD Group to authenticate users at the Guest Portal

Braulio_g · ‎12-05-2019

Hello,

The customer have ISE 2.6 integrated with Windows AD, we have retrieve 5 different groups to use them in different use cases,
One of the use cases is for GUEST-Access and BYOD, the customer wants to use 2 specific AD group has a allowed group to gain access at the guest portal, and the other 3 groups must be denied.

At the authentication method, by default provides the option to ''ALL_User_ID_Stores'', we also have created a "GuestPortalSequence", but only provides the option to select the AD, and not a specifics AD_Group

Jason Kunst · ‎12-09-2019

@hslai wrote:

I believe you are correct on this. During ISE guest auth, ISE uses the identity source sequence direct. Only after the portal logins, accepting the AUP, hitting continue, ISE will evaluate the authorization policy to find a match.

One workaround is to change the guest portal pages so it reflecting such limitations.

Another is to use ISE as a RADIUS token server so that ISE guest will use ISE (either itself or another ISE) in the identity source sequence.

Yet another is to use LDAP and put the permitted users into an OU.

Correct, there is a special flow that might help your situations under http://cs.co/ise-guest

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--1778324119

View solution in original post

Colby LeMaire · ‎12-05-2019

In your authorization policy, create a rule that checks for AD group membership and then allows access if matched. As long as your Guest Portal sequence points to AD, then this should work.

Braulio_g · ‎12-05-2019

Hello, that one of the first assumption, but Guest Portal Flow dont work in that way.

hslai · ‎12-09-2019

I believe you are correct on this. During ISE guest auth, ISE uses the identity source sequence direct. Only after the portal logins, accepting the AUP, hitting continue, ISE will evaluate the authorization policy to find a match.

One workaround is to change the guest portal pages so it reflecting such limitations.

Another is to use ISE as a RADIUS token server so that ISE guest will use ISE (either itself or another ISE) in the identity source sequence.

Yet another is to use LDAP and put the permitted users into an OU.

Jason Kunst · ‎12-09-2019

@hslai wrote:

I believe you are correct on this. During ISE guest auth, ISE uses the identity source sequence direct. Only after the portal logins, accepting the AUP, hitting continue, ISE will evaluate the authorization policy to find a match.

One workaround is to change the guest portal pages so it reflecting such limitations.

Another is to use ISE as a RADIUS token server so that ISE guest will use ISE (either itself or another ISE) in the identity source sequence.

Yet another is to use LDAP and put the permitted users into an OU.

Correct, there is a special flow that might help your situations under http://cs.co/ise-guest

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId--1778324119

Braulio_g · ‎12-16-2019

For version 2.6
--Authorization policy works using AD groups,

Jason Kunst · ‎12-16-2019

Can you please share how your use case is working and what it is? Screenshots? This is great info but i am not sure its the same as we didn't make any changes around this