
How To: ISE Web Portal Customization Options

c.fuller1
Cisco Employee

Has anyone come up with any solution for this requirement?   

 

The capability within ISE to customize the type and number of fields in the form that comes up when you are creating/sponsoring guest accounts.  

 

and/or 

 

Second, ability to auto-fill the fields in this form with AD attributes when using SSO/SAML authentication.   Correct?

 

Specific Customer Comments:

We would like to require all employees to use the portal to self-sponsor themselves for BYOD internet access from their phones.

 

Right now there is a big list of fields we collect per user when sponsoring a guest, and employees have to manually fill out all of those fields for themselves.

 

If we could customize what fields are shown, we could maybe ensure the only field was “email address” or something and lifetime.

 

Or alternatively if we could auto-populate fields then the fact that there are 10 fields wouldn’t matter because we would auto-populate when someone is self-sponsoring a byod device from their AD attributes…and they would just select the account lifetime and click submit.

1 Accepted Solution


Yes, you got it.

Guest portal could be self-registered/sponsored, sponsored or hotspot. Guest or employees can login via the same portal. In your example we are talking about guest portal == self-registered/sponsored.

Sponsor portal is where employee would login to create guest accounts.


Jason Kunst
Cisco Employee
Can you please move this to its own topic?

howon
Cisco Employee

It is already possible. You will need to go to the sponsor portal page, click ‘Portal Page Customization’, then select ‘Create Account for Known Guests’ page. Lastly, select ‘Settings tab’ in the preview on the right and you will be presented with options to add/remove fields. The ‘Custom fields’ can be added by going to Work Centers > Guest Access > Settings > Custom Fields.

[Image: Screen Shot 2019-07-30 at 11.29.51 AM.png]

Currently, there is no way to auto fill the guest fields based on the sponsor login user information.

This is good news. Is there a specific version of ISE that is needed for this functionality? According to TAC this was not possible, so they asked the customer to reach out to the Account team to request this feature.

Below from TAC:

Hello Joseph,

We were doing some tests in the lab and we concluded that both options are not possible on ISE.

  1. The application does not have a mechanism to associate the guest type with the information displayed in the fields.
  2. The application does not have a mechanism to take AD attributes retrieved by SAML and put them in the guest user fields automatically.

We believe the options are good ideas, so we encourage you to reach your account manager and propose an enhancement request; this is the right channel to address the request and get attention from the Cisco development team.

 

#1 is possible, you simply need to select the guest type during creation with pull down menu. TAC may be saying it is not based on the fields, which is technically true. See sample page below. This feature has been available since 1.3.

[Image: Screen Shot 2019-07-30 at 11.48.18 AM.png]

This seems promising however the only thing I see being an issue is the fact that the changes you make in that page affect *all* guest types, you can’t specifically say you want these fields for a daily guest versus these fields for an employee personal device.

 

That is what the customer is looking to do specifically with this feature. Is that possible?

 

Thanks!

 

Chuck

No, but this page is for creating guest accounts. If your customer wants to register BYOD endpoints then my devices portal would be what they are looking for.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/mydevices/b_mydevices_2x.html

 

Thanks Hosuk -

 

Yeah so the customer requirements are as follows:

 

1. They want to provide a seamless, simple and secure service for staff to self-sponsor access to the network for Internet-only.

2. They want visibility into who is using the network (thus the AD authentication)

3. They want simplicity (they don't want a portal page with too many fields to fill in; they use the default page for regular guest access)

4. They do not want an agent to be installed on the mobile device

5. They are ok with using certificates if needed. But if they can avoid them, they'd like to.

 

There are legacy cultural forces driving these unique requirements.   

 

Does ISEPB integrate with AD and would it provide an AD authenticated service?

 

Any thoughts on your part on how to leverage ISE to accommodate this for them would be appreciated.   

 

Chuck

Maybe I missed it but why not just let the user login with his/her AD account in the first place?

They want to use the portal interface and segment the traffic (tunnel it off to an anchor wireless controller) for Internet access only.

They want to keep this traffic off the local network.

But I see your point, why not just use a separate SSID along with the anchor WLC splash page (can customize these) for the portal and isolate it that way.

No, I was suggesting using the same portal as guest. But assign any employees logging in to the guest portal Internet-only access like a real guest. This will meet the customer requirement for segmentation, visibility into the username, as well as simplicity.

They do not want to use the same portal as guest because it has too many fields that the user will have to fill out.

That’s what started the request. They either want to modify those fields in the form so there are much fewer for this guest type (employee self-sponsored vs. non-employee guest) or have the fields auto-populate with AD attributes so the user doesn’t have to fill them out (undermining the user experience).

Thus the request for the customization of form based on guest type.

I am talking about the guest portal, not the sponsor portal. Since the employee already has an account (AD in this case), there is no need to fill out anything in the guest portal. They just need to log in using the employee credential without registration. The portal authenticates users from both the guest database as well as AD as a default.

 

Ok. Thanks for the input it’s helpful.

So according to the customer they are using the guest portal already for regular guest without an AD account. This guest portal has a number of default fields that they would rather not have shown. You are saying they can just enter AD credentials and login that way without registration and/or filling out the other fields?

What is the difference between guest portal and self-sponsor portal?

Thanks!

Yes, you got it.

Guest portal could be self-registered/sponsored, sponsored or hotspot. Guest or employees can login via the same portal. In your example we are talking about guest portal == self-registered/sponsored.

Sponsor portal is where employee would login to create guest accounts.