Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE 1.2 Multi-Portal Identity Group Mapping

Hi,

Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.

I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I cant find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal, and getting a successful authentication message. Of course I can further restrict the access in another policy rule, but this isnt a very neat solution.

Anybody have any ideas? It seems so basic that it has to be possible somehow?!

Regards

  • AAA Identity and NAC
Everyone's tags (3)
5 REPLIES

ISE 1.2 Multi-Portal Identity Group Mapping

Hi,

this is based on your design, you should be able to map guest portals to specific SSIDs for example if the authentication for one is open vs the other which is locked down by 802.1x or psk. however if you are using 802.1x for corporate users then it doesnt make much sense to redirect users to a corporate portal.

However you can not map a guest identity group to a specific portal, the reason is that the group information is retrieved when the user authenticates, in order for the user to authenticate the guest portal will have to provided ahead of time.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE 1.2 Multi-Portal Identity Group Mapping

Thanks for your reply. This is a bit disappointing, since a company could need different Guest SSIDs with different portals.The Multi-Portal feature is given, but now I cannot really restrict guest users from portal A logging into portal B, without getting sucessfully authenticated. The guest will think he/she logged into the correct portal, but it wont work since I would have to deny access at a later stage (authorization rule).

ISE 1.2 Multi-Portal Identity Group Mapping

You can map different guest portals to different SSIDs. The initial question was a bit vague so I didnt understand what the question was. However you can tie in the radius called station attribute which will contain the SSID, you can use that to map the request to a specific authorization profile that contains the portal for that connection.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE 1.2 Multi-Portal Identity Group Mapping

Hey Tarik,

I know that this is possible...however if all the SSIDs are open, the user could initially connect to any SSID. When presented with the login page, the use will however be able to sucessfully log into any portal, as long as his/her credentials are correct, and the portal authentication source is the same. I can deny access at a later stage, but the user will still be able to authenticate with any SSID initially, and get presented with an authentication successful page.

Regards

ISE 1.2 Multi-Portal Identity Group Mapping

You can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding device registration web authentication. Basically after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.

In the end if a user logs into portal A they hit the DRW and accept, ISE dumps them into a endpoint group called PortalA, you can then tie this into a policy where the PortalA endpoint is denied association to any other open ssid you have in your design.

Here is the document -

https://supportforums.cisco.com/docs/DOC-26667

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
3488
Views
3
Helpful
5
Replies