Solved: Re: Using Azure AD to authenticate guest portal users

Xeladona · ‎08-17-2021

Hi Guys,

is it possible, in your opinion,use azure AD to authenticate guest users (with portal?)

I would like to implement a guest wifi (open access) for internet access where:

- guest are sponsored

- employee use their azure credentials

In case can you provide some good links where i can find how to implement this solutions?

Regards

hslai · ‎08-21-2021

> only one captive portal must be used for employee with AZ-AD and guest with self-registration

Even so, we may create two portals and link one to the other to create Alternative Login Option.

You may follow Configure ISE 2.1 Guest Portal with PingFederate SAML SSO and replace PingFederate with AAD.

View solution in original post

Milos_Jovanovic · ‎08-17-2021

Hi @Xeladona,

Is this what you are looking for? Your ISE must be on v3.0.

BR,

Milos

Xeladona · ‎08-17-2021

Hi Milos,

helpful link

i have to study thsi solution and check if it fits with my needs.

Thank you very much

Xeladona · ‎08-18-2021

##- Please type your reply above this line -##

Hi Milos,

i studied the document and i think it does not fit with my needs.

Infact with saml user is always redirected to Azure authentication page but i also have user sponsored or self registerd

so the flow should be:

Captive portal auth page and then to grant the access only if the user in in the internal store or in MS zure AD.

Do you know if it is possible to integrate Azure as LDAP server (i do not think i can join it :-))

Regards

Milos_Jovanovic · ‎08-18-2021

Hi @Xeladona,

These are additional requirements then your intial ones

On Sponsor portal you can either choose SAML IDP or Identity Store Sequence (which can contain internal users and other external ID sources such as AD or LDAP). You can't mix these, so the answer would be no. You could create multiple Sponsor portals, if that suits you, and then to use SSO on one, and Identity Store Sequence on another.

I don't know much about Azure AD (apart from what I already used), but this request doesn't seem natural to me However, I did quick Google on this, and found that you can configure LDAPS on Azure AD DS, if that suits you.

BR,

Milos

Greg Gibbs · ‎08-18-2021

This is more of a combination between true Guest and BYOD use cases. A better option, and one that worked well for a large enterprise, would be to use a separate BYOD SSID for your employees that authenticates against Azure AD. This SSID could be anchored out to the DMZ to provide basic internet access similar to the true Guest network.

See ISE BYOD Flow Using Azure AD

Xeladona · ‎08-19-2021

Hi Greg,

first of all thank you for your kindly reply.

Your solution, even if valid, unluckly does not meet customer requirement (only one captive portal must be used for employee with AZ-AD and guest with self-registration).

So my only way is or to demonstrate it is impossible and propose other solution or find out a way to match his needs.

Best Regards

Xeladona · ‎08-24-2021

Hi Greg,

i have to investigate further about this solution but at first could be valid.

as far as very helpful i will keep ypu informed about the developments

Regards

hslai · ‎08-21-2021

> only one captive portal must be used for employee with AZ-AD and guest with self-registration

Even so, we may create two portals and link one to the other to create Alternative Login Option.

You may follow Configure ISE 2.1 Guest Portal with PingFederate SAML SSO and replace PingFederate with AAD.