https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472788#M520006 <HTML><HEAD></HEAD><BODY><P>I don’t see a way to do what you’re looking for unfortunately without creating your own customizations with api which is a lot of work</P><P></P><P>I suggested that link solution so that you can create a different sponsor portal and only allow certain groups to use it</P><P></P><P>This ways sponsor group x can only use sponsor portal x</P></BODY></HTML> Fri, 10 Nov 2017 22:07:45 GMT Jason Kunst 2017-11-10T22:07:45Z https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472785#M519999 <HTML><HEAD></HEAD><BODY><P>Hi Guest Sponsor experts,</P><P></P><P>My customer ISE deployment currently runs on one Guest Sponsor portal. </P><P></P><P>I have various Sponsor Groups based on AD Group membership.</P><P></P><P>Customer asked me today whether we can present a customised Sponsor Portal <EM><STRONG>per AD Group</STRONG></EM>, specifically for one reason:&nbsp; When notifying guests via email, they want to be able to specify a custom .png file, depending on the AD Group that the Sponsor belongs to.&nbsp; The logo on the email needs to represent the Group that sent it.</P><P></P><P>I thought about this.&nbsp; If I created a new Sponsor Portal (which also runs on port 8445), I could perhaps use the Identity Source Sequence to differentiate Portal A from Portal B - but the Identity Source Sequence doesn't work at the AD Group level <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P></P><P><STRONG>The only option I can see right now is to create a new Portal, on port 8446, using a new FQDN, new cert, and then I can customise it however I need.&nbsp; Is there a better way?</STRONG></P><P></P><P>cheers</P></BODY></HTML> Fri, 10 Nov 2017 05:43:47 GMT https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472785#M519999 Arne Bier 2017-11-10T05:43:47Z https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472786#M520000 <HTML><HEAD></HEAD><BODY><P>Craig Hyps has a document that is used for granting access to a sponsor portal depending on LDAP grouping this was used before</P><P></P><P>This may work</P><P></P><P>https://communities.cisco.com/docs/DOC-64526?mobileredirect=true</P><P></P><P></P><P>Point ISE to itself for the different portals and have an fqdn for each</P></BODY></HTML> Fri, 10 Nov 2017 15:04:44 GMT https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472786#M520000 Jason Kunst 2017-11-10T15:04:44Z https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472787#M520003 <HTML><HEAD></HEAD><BODY><P>Hi Jason</P><P></P><P><STRONG>The notification functionalities like SMS and email are tied to the Sponsor Portal definition, and not to the Sponsor Group definitions.&nbsp; I don't think Mr Craig's docoment addresses that use case</STRONG></P><P></P><P>My Use case 1: Sponsors print account emails with Logo X</P><P>My Use case 2: Sponsors print account emails with Logo Y</P><P>Therefore I have to create a new Sponsor Portal where I can tinker around with that Notification stuff. </P><P>My intuition tells me that the Sponsor Portal look and feel should be tied to Sponsor Group definitions, then this would work.&nbsp; Currently there is a lot of "shared/central" Portal config that is share by all the Sponsor Groups.</P><P></P><P>Maybe I need to rephrase my question</P><P><SPAN>I don't see a way of keeping my existing </SPAN><A class="jive-link-external-small" href="https://sponsor.company.com" rel="nofollow" target="_blank">https://sponsor.company.com</A><SPAN> FQDN that can service both types of use cases above, because in order to produce two different looking account emails, I need to invoke a Specific Sponsor Portal - and how are those enumerated in any logic?</SPAN></P><P>I believe I need to create a new Sponsor Portal Y, and use the existing Sponsor Group concept to restrict access to that AD Group.&nbsp; New Sponsor Portal would have different TCP port and FQDN, and new cert etc.</P><P>It would be handy to make the Sponsor Portal look and feel dependent on the AD Groups somehow (kind of like how Guest Portals are enumerated for Authorization Profiles - same&nbsp; TCP port, but separate virtual https servers).</P><P></P><P>I'll try this out in the lab if I get time</P></BODY></HTML> Fri, 10 Nov 2017 20:47:53 GMT https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472787#M520003 Arne Bier 2017-11-10T20:47:53Z https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472788#M520006 <HTML><HEAD></HEAD><BODY><P>I don’t see a way to do what you’re looking for unfortunately without creating your own customizations with api which is a lot of work</P><P></P><P>I suggested that link solution so that you can create a different sponsor portal and only allow certain groups to use it</P><P></P><P>This ways sponsor group x can only use sponsor portal x</P></BODY></HTML> Fri, 10 Nov 2017 22:07:45 GMT https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472788#M520006 Jason Kunst 2017-11-10T22:07:45Z https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472789#M520007 <HTML><HEAD></HEAD><BODY><P>The ask here is a bit different in that you are NOT looking for authorization to portal based on AD, but rather AD-based portal/notification content per user (i.e. content changes AFTER auth based on AD membership) which is not something built into ISE today.&nbsp; Mr Kunst has proposed variable-based portal content (in this case, the Sponsor Group is variable), but that would require requests from customers to help prioritize.&nbsp; I suggest work with your Cisco account/partner SE to provide use case and impact to help with prioritization.</P><P></P><P>Craig</P></BODY></HTML> Sat, 11 Nov 2017 12:44:26 GMT https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472789#M520007 Craig Hyps 2017-11-11T12:44:26Z https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472790#M520010 <HTML><HEAD></HEAD><BODY><P>Exactly Craig</P><P></P><P>My proposal is to create a portal per customization and to restrict who can login that portal based off your document</P></BODY></HTML> Sat, 11 Nov 2017 13:05:58 GMT https://community.cisco.com/t5/network-access-control/ise-sponsor-portal-per-ad-group-possible/m-p/3472790#M520010 Jason Kunst 2017-11-11T13:05:58Z