Cisco CWA with AD account (wired/wireless MAB)

ssajiby2k
Level 1

Hi,

I am evaluating ISE guest portal solution to create a guest solution for the company employees.

 

The policy should allow only one specific AD group to authenticate to the guest portal. But I do not find any option in the identity sequence which allows binding to an AD group; instead it allows the whole AD join point.

 

On the internet I see people posting policy sets with authorization rules that use AD groups. I do not understand how they are evaluating those policy sets.

 

My requirements - Wired/Wireless MAB; user is presented with a portal; the portal accepts login credentials only for specific AD groups. After portal authentication, users are allowed network access. No sponsor, self-registration etc. required.

 

I cannot bind an AD group for the above in policy sets. What I am seeing from a packet capture for wired MAB is that -

 

The switch talks with ISE in RADIUS - here the username is always the MAC address of the PC connected to the switch.

Login credentials (AD username/password) flow through the portal over HTTP. No relation to RADIUS. The portal cannot evaluate an AD group, it can only evaluate the whole AD, which defeats my purpose.

 

For an ISE policy set to match, the username must come from the switch (like 802.1X) via the RADIUS protocol, which is not possible in the CWA portal-based scenario.

 

Can anybody give me a hint!!! Or any other ISE-based solution where a user will be granted access with a device MAC address that comes from a selected AD group only.

 

Regards.
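To show where the AD group check can sit in a CWA flow, here is an added model (not code from this thread, not Cisco's, and not ISE's API): the switch only ever sends the MAC as the RADIUS username, the portal binds the AD identity to the session keyed by that MAC, and the authorization rule is evaluated again on the second MAB pass after the CoA. The directory, group name, sessions table and return values are all constructed for the example.

```python
# Constructed directory: AD user -> password and group memberships (example data only)
DIRECTORY = {
    "alice": {"password": "Secret1!", "groups": {"Domain Users", "Guest-Allowed"}},
    "bob":   {"password": "Secret2!", "groups": {"Domain Users"}},
}
REQUIRED_GROUP = "Guest-Allowed"   # the single AD group the authorization rule accepts

# Session store keyed by MAC, the only username the switch sends over RADIUS for MAB
sessions = {}


def mab_request(mac):
    """Model of the switch's RADIUS Access-Request with User-Name = MAC.

    First pass: no portal identity yet, so the session is redirected to the portal.
    Second pass (after ISE issues a CoA Reauthenticate): the session carries the
    portal-authenticated user and groups, so a Guest_Flow + AD-group rule can match.
    """
    s = sessions.setdefault(mac, {"guest_flow": False, "user": None, "groups": set()})
    if s["guest_flow"] and REQUIRED_GROUP in s["groups"]:
        return {"result": "Access-Accept", "authz": "PermitAccess"}
    if s["guest_flow"]:
        # Portal login succeeded, but the user is not in the allowed group: no rule matches
        return {"result": "Access-Reject", "authz": None}
    # No portal identity on the session yet: return the redirect ACL + portal URL
    return {"result": "Access-Accept", "authz": "CWA-Redirect"}


def portal_login(mac, username, password):
    """Model of the HTTP(S) portal login; tied to the RADIUS session by the MAC
    carried in the redirect URL, not by anything the switch sends."""
    s = sessions.get(mac)
    entry = DIRECTORY.get(username)
    if s is None or entry is None or entry["password"] != password:
        return False
    s.update(guest_flow=True, user=username, groups=entry["groups"])
    return True   # ISE would now send CoA Reauthenticate; the switch re-runs MAB
```

The group condition is checked on the re-authentication, not on the portal submission, which is why the portal's identity source only needs the whole join point.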

 

1 Reply

ssajiby2k
Level 1

I am attaching a picture from CCNP Security Identity Management SISE 300-715 Official Cert Guide by Aaron Woland, Katherine McNamara. I hope I am not breaching copyright.

 

In the book they are using something called Guest_Flow and AD-Group. From my experience, this Guest_Flow never works if I put it in a policy. The only difference is I am testing it with wired MAB and another vendor's switch. But it should work, as everything is based on RADIUS. And how are they matching an AD group, as the switch has no idea (for RADIUS) about what the user has entered as username/password?

 

Any idea what I am missing?