Using Azure AD to authenticate guest portal users

Xeladona
Level 1

Hi Guys,

Is it possible, in your opinion, to use Azure AD to authenticate guest users (with a portal)?

I would like to implement a guest Wi-Fi (open access) for internet access where:

- guests are sponsored

- employees use their Azure credentials

If so, can you provide some good links where I can find how to implement this solution?

Regards

Accepted Solution

hslai
Cisco Employee

"only one captive portal must be used for employee with AZ-AD and guest with self-registration"

Even so, we may create two portals and link one to the other to create an Alternative Login Option.

You may follow Configure ISE 2.1 Guest Portal with PingFederate SAML SSO and replace PingFederate with AAD.

8 Replies

Milos_Jovanovic
VIP Alumni

Hi @Xeladona,

Is this what you are looking for? Your ISE must be on v3.0.

BR,

Milos

Hi Milos,

Helpful link.

I have to study this solution and check if it fits my needs.

Thank you very much

Xeladona
Level 1

Hi Milos,

I studied the document and I think it does not fit my needs.
In fact, with SAML the user is always redirected to the Azure authentication page, but I also have sponsored or self-registered users.

So the flow should be:

Captive portal auth page, and then grant access only if the user is in the internal store or in MS Azure AD.

Do you know if it is possible to integrate Azure as an LDAP server (I do not think I can join it :-))

Regards

Hi @Xeladona,

These are additional requirements on top of your initial ones.

On the Sponsor portal you can either choose a SAML IdP or an Identity Store Sequence (which can contain internal users and other external ID sources such as AD or LDAP). You can't mix these, so the answer would be no. You could create multiple Sponsor portals, if that suits you, and then use SSO on one and an Identity Store Sequence on another.

I don't know much about Azure AD (apart from what I already used), but this request doesn't seem natural to me. However, I did a quick Google search on this, and found that you can configure LDAPS on Azure AD DS, if that suits you.

BR,

Milos

This is more of a combination between true Guest and BYOD use cases. A better option, and one that worked well for a large enterprise, would be to use a separate BYOD SSID for your employees that authenticates against Azure AD. This SSID could be anchored out to the DMZ to provide basic internet access similar to the true Guest network.

See ISE BYOD Flow Using Azure AD

Hi Greg,

First of all, thank you for your kind reply.

Your solution, even if valid, unluckily does not meet the customer's requirement (only one captive portal must be used for employees with Azure AD and guests with self-registration).

So my only way is either to demonstrate that it is impossible and propose another solution, or to find a way to match his needs.

Best Regards

Hi Greg,

I have to investigate this solution further, but at first sight it could be valid.

As it is very helpful, I will keep you informed about the developments.

Regards
