Solved: Re: Guests Auto-Enrolment via SMTP : Mail sent... Then What ?

Charly · ‎04-26-2018

Hi,

I am working on ISE V2.3. We implemented SMTP on ISE in order for Guests to create an account: Then, Access-Code generated is sent by mail to the Guest's E-Mail address : This works fine !

My question is : What now ? If poeple have no smartphone with DATA via 3G/4G, how can my Guest access his E-Mails (POP/ POPS / IMAP / IMAPS / HTTPS-Webmail) to get the code ?

- Do I need to allow temporaly (Like 5 min) Guests to access Internet using this protocols only ? --> How to proceed ?

- What are the best practices recommanded by Cisco, and how to implement that ?

Thanks for your help !

Jason Kunst · ‎04-26-2018

We don’t have an option for this today without some advanced customization scripting and more thought. I am sure something could be built but again not easy to do. We have this on our feature roadmap request. Please reach out through sales channel to our Product Manager, Ameet Kulkarni

For example here is a way to provide quick internet access. Perhaps you can provide a link on the success page of this flow?

Users gets quick internet access

On success page you explain they will need to register and check their email. You can provide a link to self-reg portal don’t have an account as shown in next option

After 15 min they are kicked out and required to login to self-registration guest portal

https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configure-ISE-Guest-Short-Time-Hotspot-Access-then-Require/ta-p/893198

Or you provide a kiosk where they can register and check their email? Or even print?

https://communities.cisco.com/docs/DOC-64018

check the mention of the kiosk under Guest section

Or provide an SMS text option

View solution in original post

Jason Kunst · ‎04-26-2018

We don’t have an option for this today without some advanced customization scripting and more thought. I am sure something could be built but again not easy to do. We have this on our feature roadmap request. Please reach out through sales channel to our Product Manager, Ameet Kulkarni

For example here is a way to provide quick internet access. Perhaps you can provide a link on the success page of this flow?

Users gets quick internet access

On success page you explain they will need to register and check their email. You can provide a link to self-reg portal don’t have an account as shown in next option

After 15 min they are kicked out and required to login to self-registration guest portal

https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configure-ISE-Guest-Short-Time-Hotspot-Access-then-Require/ta-p/893198

Or you provide a kiosk where they can register and check their email? Or even print?

https://communities.cisco.com/docs/DOC-64018

check the mention of the kiosk under Guest section

Or provide an SMS text option

Charly · ‎04-26-2018

Hi,

I have no access to https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configure-ISE-Guest-Short-Time-Hotspot-Access-then-Require/ta…, can you please send me another link ?

Thanks !

Jason Kunst · ‎04-26-2018

Working on having it published, please wait a couple days.

What do you think about other comments?

Jason Kunst · ‎05-02-2018

Hoping to publish in next week

https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configure-ISE-Guest-Short-Time-Hotspot-Access-then-Require/ta…

Jason Kunst · ‎05-08-2018

published Configure ISE Guest Short Time Hotspot Access then Require Registration - Cisco

paul · ‎04-26-2018

Charly,

I know what I am posting here doesn't help in pure self-registration with no sponsor approval, but you have identified one of the main issues with email guests their credentials, i.e. they have to be able to get the email.

My default self-registration these days is self-registration with single click sponsor approval and the email with the guest credentials is sent to the sponsor. The sponsor then gives the guest their credentials.

You could also explore SMS texting the credentials. There are plenty of low cost SMS providers.

Jason Kunst · ‎04-26-2018

Another option maybe to allow them to login directly on the self reg success page (no need for creds until later), hide the credentials, they can then access their email to grab the credentials.

This won’t work if you want to make sure they are tied to an email address but what security is that? SMS message is more secure as tied to a number.

This won’t work as all if you’re going to grant guest access off endpoint group (remember me) because they will login and be registered for at least a day

Charly · ‎04-30-2018

We do not want to use SMS (For the moment) as we did not provisionned budget for it... We Sould be around 500 SMS/Day...

As well we do not want to use a single Sponsor to approuve all accesses (500 Calls a day!!)

We are trying to find a passthrough solution using Self registration with credentials sent by mail to "User's E-Mail " & "Person beiing visited"

--> In the case User enters the e-Mail address of the person beiing visited, can the credential be sent to User's Mail + Person visited's mail ?

How can we implement that ?

Thanks for helping !

Jason Kunst · ‎04-30-2018

The only solution we have now is to send to the sponsor (paul came up with option) or the guest. There is no way to send to both out of the box.

You could write your own syslog interface perhaps to parse and email to your liking and email others

Please reach out through sales team to Ameet Kulkarni

Btw clickatell service I believe is on order of a penny or less for an SMS message, not sure about other providers

You will likely spend more trying to workaround where sms is fairly prevalent

Charly · ‎04-30-2018

Thank you for your answer...

Isn't there any way to add a script able to concatenate "User'sMail; PersonVisitedEMail" for example ?

If nothing entered in field Person Visited, we should have "User'sMail; " ?

Unfortunatelly, For SMS,the cost wil not be approuved... For sure...

This is why I need to find a solution with Mails.

Jason Kunst · ‎04-30-2018

We don’t allow more than 1 email address to be sent to at one time in one field

You can send to either the person being visited or the guest, not one or the other

Jason Kunst · ‎05-01-2018

have you thought about providing a kiosk to register, check their email and maybe print their credentials?