I have a Cisco WLC and we are using ISE with a Sponsored Guest Portal. This is working as intended. What we discovered today is that any domain user is able to enter their Active Directory credentials into the portal and authenticate. We only want users who have had an account created on the Guest Portal to be able to authenticate to this network. I can't find any settings that would allow this to happen. The user type is marked as NON_GUEST. I cannot find any setting that would allow this to happen. Any idea of where to look?
You need to look at your ISE Policies and the Identity groups that are listed to authorize the users against. I'm guessing that you have AD listed as a source. If the Guest accounts are going to live on AD then you need to define which AD group to look at rather than all of them.
Not sure which method of Guest you are using so below are the two options:
Take a look at the Central Web Auth Deployment guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc9
Or the guide for Local Web Auth with ISE: https://www.cisco.com/c/en_intl/support/docs/security/identity-services-engine/116217-configure-ISE-00.html#anc13
How do you identify whether the user was a guest or a corporate user? There may be different groups in AD, right?
Look at the example guides:
We are using the sponsored portal and no BYOD.
It appears that it should be using the local group of GuestEndpoints for authorization.