topic Re: Single Click Guest Questions in Network Access Control

Single Click Guest Questions

paul — Tue, 21 Mar 2017 14:22:20 GMT

I am working on a large international ISE install. We are deploying 2.2 to get single click guest acceptance and have a couple questions. I am working on their APAC deployment now. They have PSNs in the various countries in APAC and the Admin/M&Ts are in their Singapore datacenter. Here are my questions:

How does Single Click Guest choose what PSN to encode in the URL. I was assuming it would use the PSN that authenticated the guest session. In our testing that doesn't seem to be the case. The have the in country PSN as the primary RADIUS servers for guests in that country and would like it to be used for the single click guest as well for the sponsors in that country. Not sure if we have enough control to do that.
In the URL that gets sent to the sponsor, ISE is putting the IP address of the PSN. Is there a spot to make is use a DNS name? I know there is a spot to tie in a sponsor portal. Is that what would drive the FQDN in the link?
In our testing my user from Singapore is getting the following message when he clicks on the tokenized link."Sponsor does not have enough privilege to approve/deny guests." That tells me it must be matching some AD account, but how do I tell which one? I have it setup to allow all Domain Users to sponsor accounts for their own guests. If this user goes directly to the sponsor portal and signs in with his AD credentials he can see the guest in a pending state. So it seems to be matching a different account in AD. Maybe he has more than one account in AD with that email.

Thanks for the help.

Re: Single Click Guest Questions

Jason Kunst — Mon, 03 Apr 2017 16:02:56 GMT

How does Single Click Guest choose what PSN to encode in the URL. I was assuming it would use the PSN that authenticated the guest session. In our testing that doesn't seem to be the case. The have the in country PSN as the primary RADIUS servers for guests in that country and would like it to be used for the single click guest as well for the sponsors in that country. Not sure if we have enough control to do that.

JAK - the URL returned is that of the portal test url on the 1st sponsor portal it matched.

In the URL that gets sent to the sponsor, ISE is putting the IP address of the PSN. Is there a spot to make is use a DNS name? I know there is a spot to tie in a sponsor portal. Is that what would drive the FQDN in the link?

JAK - You would need to use the EASY URL (FQDN) option in the sponsor portal settings to have control on what PSNs

Example: sponsorportal.domain.com maps to psn1,psn2 in DNS as CNAME alias records

In our testing my user from Singapore is getting the following message when he clicks on the tokenized link."Sponsor does not have enough privilege to approve/deny guests." That tells me it must be matching some AD account, but how do I tell which one? I have it setup to allow all Domain Users to sponsor accounts for their own guests. If this user goes directly to the sponsor portal and signs in with his AD credentials he can see the guest in a pending state. So it seems to be matching a different account in AD. Maybe he has more than one account in AD with that email.

JAK - paul opened bug - CSCvd29533