Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.
I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I can't find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal and get a successful authentication message. Of course I can further restrict the access in another policy rule, but this isn't a very neat solution.
Does anybody have any ideas? It seems so basic that it has to be possible somehow?!
This is based on your design: you should be able to map guest portals to specific SSIDs, for example if the authentication for one is open vs. the other, which is locked down by 802.1X or PSK. However, if you are using 802.1X for corporate users, then it doesn't make much sense to redirect users to a corporate portal.
However, you cannot map a guest identity group to a specific portal. The reason is that the group information is retrieved when the user authenticates; in order for the user to authenticate, the guest portal will have to be provided ahead of time.
Thanks for your reply. This is a bit disappointing, since a company could need different guest SSIDs with different portals. The Multi-Portal feature is given, but now I cannot really restrict guest users from portal A logging into portal B without getting successfully authenticated. The guest will think he/she logged into the correct portal, but it won't work, since I would have to deny access at a later stage (authorization rule).
You can map different guest portals to different SSIDs. The initial question was a bit vague, so I didn't understand what the question was. However, you can tie in the RADIUS Called-Station-ID attribute, which will contain the SSID; you can use that to map the request to a specific authorization profile that contains the portal for that connection.
I know that this is possible... however, if all the SSIDs are open, the user could initially connect to any SSID. When presented with the login page, the user will, however, be able to successfully log into any portal, as long as his/her credentials are correct and the portal authentication source is the same. I can deny access at a later stage, but the user will still be able to authenticate with any SSID initially and get presented with an authentication successful page.
You can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding Device Registration Web Authentication. Basically, after a user connects successfully, you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.
In the end, if a user logs into portal A, they hit the DRW and accept, ISE dumps them into an endpoint group called PortalA, and you can then tie this into a policy where the PortalA endpoint is denied association to any other open SSID you have in your design.
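The two authorization rules described in this thread (SSID-to-portal mapping via Called-Station-ID, plus the DRW "sticky" endpoint group that blocks a registered guest from other open SSIDs) can be modelled to check the policy logic before building it in the ISE GUI. This is an added example, not ISE configuration or code from the thread; it assumes the WLC sends Called-Station-ID as "<AP-MAC>:<SSID>", and the SSID, portal and endpoint group names are constructed.

```python
import re

# Constructed mapping: which guest portal (authorization profile) each open SSID uses.
SSID_TO_PORTAL = {
    "ACME-Guest-A": "PortalA",
    "ACME-Guest-B": "PortalB",
}

# Assumed WLC format: AP MAC (hyphen or colon separated), a colon, then the SSID.
CALLED_STATION_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2}):(?P<ssid>.+)$"
)


def ssid_from_called_station_id(value):
    """Return the SSID carried in Called-Station-ID, or None if the format is unexpected."""
    m = CALLED_STATION_RE.match(value)
    return m.group("ssid") if m else None


def authorize(called_station_id, endpoint_group):
    """Emulate the authorization policy the thread describes.

    endpoint_group is the DRW-assigned endpoint identity group ("PortalA", ...)
    or None for an endpoint that has not registered through any portal yet.
    Rules are evaluated top-down, like an ISE authorization policy:
      1. unknown SSID                      -> DenyAccess (default rule)
      2. registered to a different portal -> DenyAccess (sticky DRW group)
      3. registered to this SSID's portal  -> PermitAccess-<portal>
      4. not yet registered                -> Redirect-<portal> (show the portal)
    """
    ssid = ssid_from_called_station_id(called_station_id)
    portal = SSID_TO_PORTAL.get(ssid)
    if portal is None:
        return "DenyAccess"
    if endpoint_group is not None and endpoint_group != portal:
        return "DenyAccess"
    if endpoint_group == portal:
        return f"PermitAccess-{portal}"
    return f"Redirect-{portal}"


if __name__ == "__main__":
    # Constructed requests: a fresh guest, a registered guest, and one hopping SSIDs.
    for csid, group in [("00-1a-2b-3c-4d-5e:ACME-Guest-A", None),
                        ("00-1a-2b-3c-4d-5e:ACME-Guest-A", "PortalA"),
                        ("00-1a-2b-3c-4d-5e:ACME-Guest-B", "PortalA")]:
        print(csid, group, "->", authorize(csid, group))
```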