ISE 1.2 Multi-Portal Identity Group Mapping

i.va (Level 3)

Hi,

Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? E.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate portal for employees, where only users of the "ACME_employees" group can authenticate.

I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I can't find a possibility to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal and get a successful authentication message. Of course I can further restrict the access in another policy rule, but this isn't a very neat solution.

Anybody have any ideas? It seems so basic that it has to be possible somehow?!

Regards

5 Replies

Tarik Admani (VIP Alumni)

Hi,

This is based on your design. You should be able to map guest portals to specific SSIDs, for example if the authentication for one is open vs. the other which is locked down by 802.1X or PSK. However, if you are using 802.1X for corporate users then it doesn't make much sense to redirect users to a corporate portal.

However, you cannot map a guest identity group to a specific portal. The reason is that the group information is retrieved when the user authenticates; in order for the user to authenticate, the guest portal will have to be provided ahead of time.

Tarik Admani
*Please rate helpful posts*

Thanks for your reply. This is a bit disappointing, since a company could need different guest SSIDs with different portals. The Multi-Portal feature is given, but now I cannot really restrict guest users from portal A logging into portal B without getting successfully authenticated. The guest will think he/she logged into the correct portal, but it won't work since I would have to deny access at a later stage (authorization rule).

You can map different guest portals to different SSIDs. The initial question was a bit vague so I didn't understand what the question was. However, you can tie in the RADIUS Called-Station-Id attribute, which will contain the SSID; you can use that to map the request to a specific authorization profile that contains the portal for that connection.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hey Tarik,

I know that this is possible. However, if all the SSIDs are open, the user could initially connect to any SSID. When presented with the login page, the user will be able to successfully log into any portal, as long as his/her credentials are correct and the portal authentication source is the same. I can deny access at a later stage, but the user will still be able to authenticate with any SSID initially and get presented with an authentication successful page.

Regards

You can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding Device Registration Web Authentication (DRW). Basically, after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.

In the end, if a user logs into portal A they hit the DRW and accept, ISE dumps them into an endpoint group called PortalA, and you can then tie this into a policy where the PortalA endpoint is denied association to any other open SSID you have in your design.

Here is the document -

https://supportforums.cisco.com/docs/DOC-26667

Tarik Admani
*Please rate helpful posts*
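The two mechanisms Tarik describes, selecting a portal from the SSID carried in RADIUS Called-Station-Id and later pinning a registered endpoint to its home SSID via an endpoint identity group, are expressed in ISE's authorization policy GUI, not in code. The following Python script is an added example (not from the thread or from Cisco) that models that decision logic so it can be reasoned about and tested offline. The Called-Station-Id format "AP-MAC:SSID", the SSID names, the profile names and the endpoint group names are all assumptions for illustration.

```python
"""Model of the SSID-to-portal and endpoint-group-to-SSID authorization logic
discussed in the thread. Hypothetical example; ISE itself implements these as
authorization rules, this only mirrors the decision."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: the WLC sends Called-Station-Id as "<AP MAC>:<SSID>" (the
# "ap-macaddr-ssid" style). Both "-" and ":" MAC separators are accepted.
CALLED_STATION_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$"
)

# Assumed SSID -> authorization profile that carries that SSID's portal redirect.
SSID_PORTAL_PROFILE: Dict[str, str] = {
    "ACME-Guest-A": "PortalA-Redirect",
    "ACME-Guest-B": "PortalB-Redirect",
}

# Assumed endpoint identity group (set by the DRW/AUP step) -> the only SSID an
# endpoint in that group is allowed to associate to.
GROUP_HOME_SSID: Dict[str, str] = {
    "PortalA": "ACME-Guest-A",
    "PortalB": "ACME-Guest-B",
}


@dataclass
class Request:
    """Constructed stand-in for the attributes ISE sees in a RADIUS request."""
    called_station_id: str
    endpoint_group: Optional[str]  # None until the endpoint has registered


def parse_called_station_id(value: str) -> Tuple[str, str]:
    """Split Called-Station-Id into (normalised AP MAC, SSID)."""
    m = CALLED_STATION_RE.match(value)
    if not m:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    mac = m.group("mac").lower().replace(":", "-")
    return mac, m.group("ssid")


def authorize(req: Request) -> str:
    """Return the authorization result ISE would apply under the modelled rules."""
    _, ssid = parse_called_station_id(req.called_station_id)
    if ssid not in SSID_PORTAL_PROFILE:
        return "DenyAccess"  # unknown SSID: fail closed rather than redirect
    if req.endpoint_group is not None:
        home = GROUP_HOME_SSID.get(req.endpoint_group)
        if home != ssid:
            # Registered through another portal (or an unknown group):
            # deny association instead of letting the guest log in again here.
            return "DenyAccess"
        return "PermitAccess"  # already registered on its own SSID
    # Unregistered endpoint: send it to the portal that belongs to this SSID.
    return SSID_PORTAL_PROFILE[ssid]


if __name__ == "__main__":
    # Constructed sample requests covering the three outcomes.
    samples = [
        Request("00-11-22-33-44-55:ACME-Guest-A", None),       # first contact
        Request("00-11-22-33-44-55:ACME-Guest-A", "PortalA"),  # back on home SSID
        Request("00-11-22-33-44-55:ACME-Guest-B", "PortalA"),  # wrong SSID
        Request("00-11-22-33-44-55:Corp-Dot1x", None),         # not a guest SSID
    ]
    for r in samples:
        print(f"{r.called_station_id:32} group={r.endpoint_group!s:8} -> {authorize(r)}")
```

The point the model makes explicit is the ordering: the endpoint-group check runs before the portal redirect, so an endpoint that already belongs to PortalA never even sees portal B's login page on the other SSID, which is the behaviour the original poster wanted. In a real deployment the equivalent ISE rule matches on the endpoint identity group and a condition on Radius:Called-Station-Id (for example ENDS_WITH the SSID name) and returns DenyAccess.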
