12-10-2018 05:57 AM - edited 07-05-2021 09:33 AM
Hi! At the moment we use ISE for Guest Wireless Authentication, where user accounts are created on our ISE Server Portal. Basically, users connect to their local AP, the request gets forwarded to the Anchor WLC, which redirects them to a URL hosted on ISE, and they log in, so user accounts are held locally on ISE.
I now have a request for all staff to access the Internet with their own devices (BYOD); however, instead of staff users authenticating locally on ISE, I would like them to use Active Directory, where perhaps ISE offloads the user request to an AD server to authenticate. Without reading too much, what would be the best way to configure this? I still want to hold the Portal Page on the ISE, which means I intend to purchase another External Cert for this purpose. AD authentication would mean I would not need to find out who has left or joined the company; to avoid the huge admin task, AD is what I want.
Another question: can you have 2 external certs on the ISE tied to one ISE interface? I'm guessing a DNS alias is the answer?
So I guess...
User personal device > AP > Foreign WLC > Anchor WLC > Redirect request to new External DMZ Cert (ISE) > ISE offloads to AD directory > User authenticates with AD > signs disclaimer > Internet access becomes live!!
12-12-2018 07:31 AM
So to be clear you want BYOD users to connect to an open network and get redirected to a CWA portal, like your guests do? Normally I'd recommend just doing an 802.1x BYOD network, but if you want to go CWA, here would be my suggestion.
Option 1 - Use the same guest SSID for your user BYOD access. In the ISE portal config, just make sure the identity source sequence used for the portal includes your AD identity store. Then it will be able to auth both guest accounts and AD accounts. When AD users are authed, they will be treated as an Employee for the purposes of the portal and get the settings of the associated guest user type called out in the portal config for employees. This option has the benefit of not needing to add another SSID to your network.
Option 2 - If you want BYOD users to see a different portal than guests, then you'd need to add another SSID for this. Set up another CWA portal for this SSID and ensure that the referenced identity source sequence only allows AD. You can install an additional certificate onto ISE if you need one specifically for this portal. When you install the certificate, enable it for use with portals and give it a unique tag. Then call that tag out in the portal config to map the certificate to the portal.
As a point of clarification, system certificates are tied to features (admin, EAP auths, portals, etc.) and not to interfaces.