ISE Sponsor & My Devices Authorization on Secondary Attributes (LDAP)

Craig Hyps · ‎01-12-2016

ISE 1.2 supported the authorization of users to Sponsor and MyDevices portals based on Identity Group membership and other attributes accessible in identity stores. ISE 1.3 introduced numerous enhancements including the simplification of sponsor and user authorization. However, the new logic limits authorization to group membership. This guide shows two different workarounds for leveraging group membership AND optionally secondary attributes for portal authorization in ISE 1.3-2.1 through the creation of either a RADIUS loopback function or through the creation of a special LDAP identity store which maps attributes of your choice to group membership objects.

ISE 2.2 brings back Sponsor Portal attributes but doesn't address My Devices. This document would also be used for My Devices Authorization for any ISE release >1.3.

Arne Bier · ‎07-12-2017

Are there plans to simplify this in future releases to work like the old ISE releases?

I just read your document (thanks for making it so detailed) and the process looks intricate and potentially requires a lot of explaining to the unsuspecting ISE user. Also, if you have more than one ISE, how does the configuration look, also considering there may be some F5 LTM's doing load balancing?

Craig Hyps · ‎07-12-2017

This same question was answered earlier today here:

Access to sponsor portal only for certain AD groups

Each ISE deployment should have its own set of VIPs. Should not share between ISE deployments. For additional questions, please post to general community as it will get better visibility there.

Regards, Craig

LukaszC · ‎09-22-2020

Hi, Does it work with My Devices in ISE 2.4 ? Cannot match provided solution to 2.4 version.