Using Guest Portal for Active Directory/Default Login

Folks,
We are trying to check if we can use the Guest Portal for Active Directory users to log in as well as for Guest users to log in.

In our environment we have policies for devices like Phones, printers, Access points etc.
Then there are 802.1x policies for end users to login, if the certificate matches.

This all works fine, but we are facing challenges when an end user needs to load an OS on his laptop to get the laptop fully functional. For this, what we have actually done is allow access to provisioning servers on a restricted VLAN with Internet access.
While the OS gets installed correctly, it still takes a lot of time to load the applications and does not always work with full success.

We were thinking if we can provide a portal on this restricted VLAN, where the end user can enter active directory credentials and get full access to the network for some limited period of time. If the username/password is correct the network access should switch from the restricted VLAN to the full access VLAN. At the same time this portal should also allow a guest to get access to the restricted VLAN only.

Can this even work?

Regards,
N!

2 Replies

Arne Bier (VIP)

One solution involves adding the MAC address of the host to an ISE Endpoint Identity Group that allows the endpoint on (Access-Accept) and returning an ACL that allows the machine to install/upgrade (PXEBoot). The process of getting the MAC into ISE is the hard part - either log a ticket with the ISE Team and they can add it in, or have some API integration with a web front end to self-serve. There is a nice Python solution called Vanilla ISE which allows an admin to "open" a port for access based on a graphical view of the switch. The assumption here is that you locate the correct port that needs to be opened.

The reason I would choose this over a portal login is that the portal login won't help you much in the event of a PXE Boot. And you can also purge these endpoints very quickly to "close" the port back down into NAC mode.
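The self-serve flow Arne describes (stage a MAC into an ISE Endpoint Identity Group so the switch port gets an Access-Accept plus a PXE ACL, then purge it to drop the port back into NAC mode), as an added example that is not from the thread and is not Vanilla ISE's code: a small Python script against the ISE ERS REST API. The ERS paths and JSON shape are assumed from the ERS documentation; host, credentials, group name and time window are placeholders. Input normalization keeps a web front end from pushing malformed MACs into ISE, and the expiry ledger makes the exception close on its own instead of lingering.

```python
"""Time-boxed provisioning exception for ISE via the ERS REST API (assumed: ERS is enabled
on TCP 9060 and the account has ERS rights; host, credentials, group and window are placeholders)."""
import json
import re
import time
import urllib.request
from base64 import b64encode

ISE_HOST, ISE_USER, ISE_PASS = "ise.example.internal", "ers-admin", "CHANGEME"  # placeholders
GROUP_NAME, WINDOW_SECONDS = "PXE-Provisioning", 4 * 3600  # assumed group name; how long the port stays open

def normalize_mac(raw):
    """Accept aabb.ccdd.eeff, aa-bb-.., aa:bb:.. input; return ISE's AA:BB:CC:DD:EE:FF form or raise."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def endpoint_payload(mac, group_id):
    """ERS body that statically assigns the MAC to the provisioning group."""
    return {"ERSEndPoint": {"name": mac, "mac": mac, "groupId": group_id,
                            "staticGroupAssignment": True}}

def _ers(method, path, body=None):
    # One authenticated ERS call; urllib raises on 4xx/5xx. POST/DELETE return an empty body.
    req = urllib.request.Request(f"https://{ISE_HOST}:9060/ers/config/{path}", method=method,
                                 data=json.dumps(body).encode() if body else None)
    req.add_header("Authorization", "Basic " + b64encode(f"{ISE_USER}:{ISE_PASS}".encode()).decode())
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")

def open_port(raw_mac, ledger, now=None):
    """Stage the MAC into the group (Access-Accept + PXE ACL) and record when it must be purged."""
    mac = normalize_mac(raw_mac)
    groups = _ers("GET", f"endpointgroup?filter=name.EQ.{GROUP_NAME}")["SearchResult"]["resources"]
    _ers("POST", "endpoint", endpoint_payload(mac, groups[0]["id"]))
    ledger[mac] = (now or time.time()) + WINDOW_SECONDS
    return mac

def expired(ledger, now):
    """MACs whose window has elapsed; deleting them drops the port back into NAC mode."""
    return sorted(m for m, until in ledger.items() if until <= now)

def close_expired(ledger, now=None):
    purged = expired(ledger, now or time.time())
    for mac in purged:                                   # purge quickly, as described above
        for ep in _ers("GET", f"endpoint?filter=mac.EQ.{mac}")["SearchResult"]["resources"]:
            _ers("DELETE", f"endpoint/{ep['id']}")
        ledger.pop(mac)
    return purged
```

Run `close_expired` from a scheduler (cron or a systemd timer) so a forgotten exception cannot stay open past its window.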


Hi Arne,
Thanks for the response. This will still involve some manual effort and, considering a significant PC refresh, will not be scalable. I'll try to work on the Guest portal where, after a PXE boot, the end user gets a portal where AD credentials can be accepted to allow access. Let me see how this goes.

Regards,
N!!