Hello,
The customer has ISE 2.6 integrated with Windows AD; we have retrieved 5 different groups to use in different use cases.
One of the use cases is for Guest Access and BYOD: the customer wants to use 2 specific AD groups as allowed groups to gain access to the guest portal, and the other 3 groups must be denied.
At the authentication method, the default option provided is ''ALL_User_ID_Stores''; we have also created a "GuestPortalSequence", but it only provides the option to select the AD, and not a specific AD group.
@hslai wrote:
I believe you are correct on this. During ISE guest auth, ISE uses the identity source sequence directly. Only after the portal login, accepting the AUP and hitting continue will ISE evaluate the authorization policy to find a match.
One workaround is to change the guest portal pages so they reflect such limitations.
Another is to use ISE as a RADIUS token server so that ISE guest will use ISE (either itself or another ISE) in the identity source sequence.
Yet another is to use LDAP and put the permitted users into an OU.
Correct; there is a special flow that might help your situation under http://cs.co/ise-guest
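The last workaround above (scope the guest identity store to an OU rather than trying to select a group in the sequence) needs the OU to actually contain only the permitted accounts. The following PowerShell is an added example written for this thread, not code from the original posts or from Cisco; it assumes the RSAT ActiveDirectory module, two assumed allowed groups, three assumed denied groups and an assumed OU DN, and it assumes the guest LDAP identity source in ISE has its subject search base pointed at that OU so the guest portal sequence can only resolve accounts that live there.

```powershell
# Added example, not from the original thread. Populates a dedicated OU with the
# members of the AD groups that are allowed on the guest portal, so an LDAP
# identity source whose subject search base is that OU only ever resolves
# permitted accounts. Group names, OU DN and domain are assumptions.
Import-Module ActiveDirectory

$AllowedGroups = @('Guest-Portal-Allowed-A', 'Guest-Portal-Allowed-B')   # assumed names
$DeniedGroups  = @('Guest-Portal-Denied-1', 'Guest-Portal-Denied-2',
                   'Guest-Portal-Denied-3')                               # assumed names
$GuestOU       = 'OU=GuestPortalUsers,DC=example,DC=com'                 # assumed DN

# Resolve the denied set first, recursively so nested membership counts.
# A user who is in both an allowed and a denied group stays denied.
$denied = @{}
foreach ($g in $DeniedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $denied[$_.DistinguishedName] = $true }
}

# Collect allowed users that are not also in a denied group.
$allowed = foreach ($g in $AllowedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and
                       -not $denied.ContainsKey($_.DistinguishedName) }
}
$allowed = @($allowed | Sort-Object DistinguishedName -Unique)

# Move permitted users into the guest OU. -WhatIf shows the plan without
# changing anything; drop it only once the list has been reviewed.
foreach ($u in $allowed) {
    if ($u.DistinguishedName -notlike "*,$GuestOU") {
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $GuestOU -WhatIf
    }
}

# Drift check: anyone already in the OU who is no longer in an allowed group
# (or has since been added to a denied group) would still pass the portal
# login, so list them for the operator to move back out.
Get-ADUser -SearchBase $GuestOU -Filter * |
    Where-Object { $allowed.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName
```

Two caveats a practitioner would want before running this without `-WhatIf`: moving a user between OUs changes which Group Policy objects apply to the account and which delegated administrators can manage it, and the OU only stays authoritative if the script (or an equivalent process) runs on a schedule, since a user removed from an allowed group does not leave the OU by itself.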
In your authorization policy, create a rule that checks for AD group membership and then allows access if matched. As long as your Guest Portal sequence points to AD, then this should work.
For version 2.6:
-- Authorization policy works using AD groups.