topic Re: · Guest portal use for VPN in Network Access Control

· Guest portal use for VPN

lnorman — Wed, 03 May 2017 17:21:13 GMT

Customer has this requirement:

Every 90 days non-employees change their password, so we need a self service portal for non employee users of VPN through ACS as we move them to ISE

I would think we can do this through the guest access portal but I'm used to that being around Wireless access. Any reason we can't do this for VPN? Outside of security risks.

Thanks.

Lou

Re: · Guest portal use for VPN

Jason Kunst — Wed, 03 May 2017 17:26:48 GMT

Guest accounts will work with wired wireless or VPN connectivity just need to make sure that identity source for VPN includes

However the only way to change guest password is through the guest flow.

The recommendation would be to use this option:

https://communities.cisco.com/thread/73087

Please give me the company name and contact info (offline) so I can put this in our feature request

Re: · Guest portal use for VPN

paul — Wed, 03 May 2017 20:21:24 GMT

This should work as you aren't using guest users. You should be using normal local accounts in ISE to authenticate non-AD VPN users.

Try this:

1) Configure local group in ISE, Allowed_VPN_Users

2) Configure local users in ISE and assign them to Alllowed_VPN_Users group.

3) Build a sponsor group, VPN_Password_Change, and strip away all of its rights to build any accounts.

4) Assign Allowed_VPN_Users to the sponsor group

5) Build sponsor portal, VPN_Password_Change, and strip everything out of it. You can even use Java script to hid buttons.

6) Assign FQDN so the sponsor portal to make it easily accessible, changemypassword.mycompany.com.

You could even make this accessible over the Internet, but that may be going too far. If you have never used the sponsor portal to change password it is a bit hidden. You need click in the upper right corner where it says "Welcome <username>". I have used this similar method when I was using the local database for TACACS admins.

I can't remember if the API support local user account password changes. I haven't explored that.

Re: · Guest portal use for VPN

paul — Wed, 03 May 2017 20:25:38 GMT

Sorry, missed your link Jason.

Re: · Guest portal use for VPN

Jason Kunst — Wed, 03 May 2017 20:25:50 GMT

paul did you see the scripted portal i shared out? It changes a My devices portal into a UCP password change portal?

Re: · Guest portal use for VPN

Jason Kunst — Wed, 03 May 2017 20:26:08 GMT

well that answers that!

Re: · Guest portal use for VPN

startx001 — Tue, 16 Jan 2024 08:32:08 GMT

And now I have ISE 3.3, can I use the Sponsor portal to create users for Anyconnect VPN Access?