Hi Neno.

I am aware of that. I was thinking about this.Only user1 user2 user3 should success the login because they are member of group "ISE".

AD

 - OU. MYCOMPANY XYZ

- OU Users

   User1

   User2

   User3

  User4

  User5

 - OU ISE

       member = user1

       member = user2

       member = user3

My answer remains the same:

- You cannot restrict the authentication process on per individual user/endpoint. If the user/endpoint is found in the identity store and the credentials are correct then the authentication process will succeed

- You can accomplish what you want with authorization rules where you can tie the rule to a specific AD user group or even an individual user/endpoint

Thank you for rating helpful posts! 

I see that. But how will you stop the user before onboarding the device if he or she is not member of the AD group ? In my example everybody with the AD credentials can on board there device. But not everybody can have access because I am checking there user membership with in my second authorization rule.

BYOD flow (Sponsored Guest portal)

Flow steps.

1. Checking that you user is in the right AD group ; Checking that device MAC address is in the right onboarded device group -- If true - >Now you have internet access with that onborded device.

2 (catch all). Authorzation rule. Guest Portal -> Login with AD credentials - > Automatic device registration - > onbording done.

I would have to see your complete rule-set and get a better idea of what you are trying to accomplish but BYOD/Device Onboarding is controlled under the "Client Provisioning" rules. There you can lock things down to the device type, version of code, user, user group, etc.

Thank you for rating helpful posts! 

Hi,

i have the same issue with Guest Portal and LDAP authentication.

I am not able to grant access (authentication) based on LDAP groups.

any idea?

ISE version 2.1

thanks

Marco