Monday, October 25, 2021

ISE CWA Portal - Does AD return group membership information when authenticated through the Portal?

Hello all, I've got a design query with ISE.

We have two client groups, high priv and low priv, and we want to authenticate clients through a CWA portal using AD credentials. When they first attempt to log on to the open SSID, the initial step is to manually put their endpoint into a high or low priv endpoint group. This is to prevent users from sharing their AD credentials to get around their high or low priv access, as that process is entirely manual and managed by us. The next stage is to present the CWA Portal to the user, where they will enter their AD username and password.

Essentially my main query is: does the CWA Portal -> AD return any group information, and how do I go about accessing that information to use in an auth rule in a policy?

End goal is: if a user is in the High Priv endpoint group AND in the High Priv AD group, then they can authenticate successfully and a RADIUS attribute is returned to the AP to change their VLAN. If they are not in both, then network access won't be possible.
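The rule the post is after, as an added illustration that is not part of the original post and not ISE code: a first-match authorization evaluator over constructed data, where a session only receives a VLAN when the endpoint identity group AND the AD group both match, and any other combination (including a high-priv AD user on a low-priv endpoint, or a low-priv user typing someone else's high-priv credentials on a high-priv endpoint) falls through to a default reject. The MAC addresses, usernames, group names and VLAN IDs are made up for the example.

```python
"""Illustrative first-match authorization policy evaluator (not ISE code).

Models the rule described in the post: a session gets a VLAN only when the
endpoint's identity group AND the user's AD group both match a rule; every
other combination falls through to a default reject.
"""
from dataclasses import dataclass

# Constructed sample data standing in for ISE's endpoint identity groups
# (keyed by MAC) and for the AD group membership ISE retrieves for the
# portal user. A real deployment reads both from ISE / AD, not from dicts.
ENDPOINT_GROUPS = {
    "00:11:22:33:44:55": "HighPriv_Endpoints",
    "66:77:88:99:aa:bb": "LowPriv_Endpoints",
}

AD_GROUPS = {
    "alice": {"Domain Users", "HighPriv_Users"},
    "bob": {"Domain Users", "LowPriv_Users"},
    "carol": {"Domain Users", "HighPriv_Users"},
}


@dataclass(frozen=True)
class Session:
    mac: str        # endpoint MAC seen by the AP (calling-station-id)
    username: str   # AD username entered on the CWA portal


@dataclass(frozen=True)
class Rule:
    name: str
    endpoint_group: str  # required endpoint identity group
    ad_group: str        # required AD group
    vlan: str            # VLAN to assign when both conditions hold


# Ordered list: evaluated top-down, first match wins, like ISE's policy set.
POLICY = [
    Rule("HighPriv", "HighPriv_Endpoints", "HighPriv_Users", "100"),
    Rule("LowPriv", "LowPriv_Endpoints", "LowPriv_Users", "200"),
]


def vlan_attributes(vlan: str) -> dict:
    """RFC 2868 tunnel attributes commonly used for RADIUS VLAN assignment."""
    return {
        "Tunnel-Type": 13,           # VLAN
        "Tunnel-Medium-Type": 6,     # IEEE-802
        "Tunnel-Private-Group-ID": vlan,
    }


def authorize(session: Session) -> dict:
    """Return the first matching rule's result, or a default reject.

    A rule matches only when BOTH the endpoint identity group and the AD
    group condition hold; a user who satisfies one but not the other is
    rejected rather than downgraded.
    """
    endpoint_group = ENDPOINT_GROUPS.get(session.mac)
    ad_groups = AD_GROUPS.get(session.username, set())
    for rule in POLICY:
        if endpoint_group == rule.endpoint_group and rule.ad_group in ad_groups:
            return {
                "result": "ACCESS_ACCEPT",
                "rule": rule.name,
                "attributes": vlan_attributes(rule.vlan),
            }
    return {"result": "ACCESS_REJECT", "rule": "Default", "attributes": {}}


if __name__ == "__main__":
    for s in (
        Session("00:11:22:33:44:55", "alice"),  # high-priv endpoint, high-priv user
        Session("66:77:88:99:aa:bb", "carol"),  # low-priv endpoint, high-priv user
        Session("00:11:22:33:44:55", "bob"),    # high-priv endpoint, borrowed low-priv creds
    ):
        print(s, "->", authorize(s))
```

In ISE terms the two conditions of each rule correspond to the endpoint identity group (`IdentityGroup:Name`) and the AD group attribute that the AD join point exposes for authorization conditions (`<joinpoint>:ExternalGroups`), joined with AND in one authorization rule whose result profile carries the VLAN; the default rule at the bottom of the policy set is what produces the reject for every other combination.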
