Beginner

WLC Guest and Domain Users

I have a Cisco WLC and we are using ISE with a Sponsored Guest Portal. This is working as intended. What we discovered today is that any domain user is able to enter their Active Directory credentials into the portal and authenticate. We only want users who have had an account created on the Guest Portal to be able to authenticate to this network. I can't find any settings that would allow this to happen. The user type is marked as NON_GUEST. I cannot find any setting that would allow this to happen. Any idea of where to look?

 

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
ajc Frequent Contributor

Re: WLC Guest and Domain Users

Check the Identity Source Sequence you are using in the AUTHC Policy; it should only contain GUEST DB. See next.

[Screenshots: sequence1.png, sequence2.png]

7 REPLIES
VIP Engager

Re: WLC Guest and Domain Users

Do you have any group in AD for the Guest User group?

 

BB
Enthusiast

Re: WLC Guest and Domain Users

You need to look at your ISE Policies and the Identity groups that are listed to authorize the users against. I'm guessing that you have AD listed as a source. If the Guest accounts are going to live on AD, then you need to define which AD group to look at rather than all of them.

Not sure which method of Guest you are using so below are the two options:

 

Take a look at the Central Web Auth Deployment guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc9

 

Or the guide for Local Web Auth with ISE: https://www.cisco.com/c/en_intl/support/docs/security/identity-services-engine/116217-configure-ISE-00.html#anc13

 

Beginner

Re: WLC Guest and Domain Users

We are using Central Web Auth. 

 

 

VIP Engager

Re: WLC Guest and Domain Users

How do you identify whether the user was a guest or a corporate user? There may be different groups in AD, right?

 

Look at the example guides:

 

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224

 

BB
Enthusiast

Re: WLC Guest and Domain Users

This comes down to what you're trying to do.
If you want corporate users to be able to authenticate to the Guest network using BYOD devices and be segmented off from the corporate network, then you might need to allow them.
If you don't, then it comes down to where the identity store for the guest users lives; the ISE policy needs to reference this. This might be a local identity store on ISE or could be in AD.
How are the Guest User accounts being created? If it's via the sponsor portal, then you need to change the ISE profile to reference that identity store.
Beginner

Re: WLC Guest and Domain Users

We are using the sponsored portal and no BYOD. 

 

It appears that it should be using the local group of GuestEndpoints for authorization.
