
Guest portal use for VPN

lnorman
Cisco Employee

Customer has this requirement:

Every 90 days non-employees change their password, so we need a self-service portal for non-employee users of VPN through ACS as we move them to ISE.

I would think we can do this through the guest access portal but I'm used to that being around Wireless access. Any reason we can't do this for VPN? Outside of security risks.

Thanks.

Lou

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee

Guest accounts will work with wired, wireless or VPN connectivity; just need to make sure that identity source for VPN includes

However, the only way to change a guest password is through the guest flow.

The recommendation would be to use this option:

https://communities.cisco.com/thread/73087

Please give me the company name and contact info (offline) so I can put this in our feature request.


6 Replies


paul
Level 10

This should work as you aren't using guest users. You should be using normal local accounts in ISE to authenticate non-AD VPN users. 

Try this:

1) Configure local group in ISE, Allowed_VPN_Users

2) Configure local users in ISE and assign them to Allowed_VPN_Users group.

3) Build a sponsor group, VPN_Password_Change, and strip away all of its rights to build any accounts.

4) Assign Allowed_VPN_Users to the sponsor group

5) Build sponsor portal, VPN_Password_Change, and strip everything out of it. You can even use JavaScript to hide buttons.

6) Assign an FQDN to the sponsor portal to make it easily accessible, changemypassword.mycompany.com.

You could even make this accessible over the Internet, but that may be going too far. If you have never used the sponsor portal to change a password, it is a bit hidden. You need to click in the upper right corner where it says "Welcome <username>". I have used this similar method when I was using the local database for TACACS admins.

I can't remember if the API supports local user account password changes. I haven't explored that.

Sorry, missed your link Jason. 

Well, that answers that!

Paul, did you see the scripted portal I shared out? It changes a My Devices portal into a UCP password change portal.

startx001
Level 1

And now I have ISE 3.3, can I use the Sponsor portal to create users for AnyConnect VPN access?

 

 
