I am using ISE 1.2.198 primarily to authenticate guest users.
I have 2 types of guest - day visitors and longer term visitors.
I am using 2 separate SSIDs on a 5760 controller.
On the ISE I have authentication conditions to differentiate between the different SSIDs and apply the relevant policy set.
I am using CWA with wireless MAB for both policy sets.
Everything is working fine using different portals for each SSID.
I have Sponsors set up to create accounts, to assign different roles (guest or partner) and to apply different time profiles. That all works and the account details get emailed to the recipient successfully.
The issue I have is that the sponsored account credentials can be used to authenticate a user on either SSID.
If the sponsor creates an account and assigns it to the guest role that user can authenticate successfully to both the guest and partner SSIDs with the same credentials. Similarly, if the account is assigned to the partner role, the user can again authenticate to both SSIDs.
There must be a way to differentiate between different roles within the authorization policies.
I can't find a way within the Policy Sets to separate the 2 types of users. Adding any conditions to the authorization rules that include Network Access:UseCase equals Guest Flow doesn't seem to have any effect.
Has anyone managed to do this type of thing successfully?
If you are using Active Directory as your Identity Source, then that is your issue. As you know, ISE 1.2 is limited in AD Authentications. What I would suggest is to go to Administration > Identity Management > External Identity Sources and set up an LDAP connection to the AD group from which you would like to authenticate. One for each type of guest and choose only the AD Group that Guest type uses:
Once this is done, create a new Identity Source Sequence for each Guest type:
Then go to Administration > Web Portal Management > Settings and choose the Guest Portal you want to modify. Click the Authentication tab and choose the Identity Store Sequence you just created for that portal.
That should fix the issue.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Sorry to have missed that. The Internal Users database is a single pool of users created through the Sponsor Portal and cannot be segmented to work in the manner you would like. I have just looked through ISE 1.3 and did not see any setting for Internal User group segregation in that version, either.
Hi Charles. That's more or less the conclusion I'm coming to, although I'm a bit perplexed as to the purpose of the guest roles. You would think that by assigning a guest role you would be able to do some form of mapping or filtering. At the moment I can't see the point of assigning different guest users to different roles.
If you can get your sponsors to put in say the word "contractor" in optional field 1 under the guest when they create the account, you can use that information to distinguish between regular guests and contractors. I did a mockup of the authz rule.
I have not actually tried it, but I would think that since you can assign "roles", which in fact map to an identity group, you would also be able to match on those in your authorization rules by using the first field before the conditions; there you should be able to select any identity group. I did a basic example and attached some screenshots, though I haven't tested it.