ISE Wired Central Web Authentication - sponsor choose the access level of the guest

Hello to all,

Somebody asked a question... and somehow (I do not know how precisely) we got involved in finding a solution and trying to answer this question: is there a way to give the sponsor the "ability" to decide the access level of the guest users?

Situation: the "guest" users who connect to the wired/wireless infrastructure are redirected to a captive portal. Here, they enter some minimal information (name, email, etc.). The approval is made by the sponsor, who, via email or the sponsor portal, approves or declines the request. After that, the guest gets internet access and minimal access to the internal resources.

Problem: we have different types of guests: some need only internet access, others internet + minimal internal resources, and the last type of guest needs almost full access to the internal resources (based on location). And unfortunately, there is only one "entry point", which is the switch port (in the case of the wired infrastructure).

Question: is it possible to somehow "raise" the sponsor capabilities so that the sponsor is able not only to accept or decline the request but also, at the same time, to decide and assign the level of access (let's say level 1 visitor, level 2 contractor, level 3 VIP)?

Let's say that the only thing which is not a variable is the fact that the responsibility for approving the access should be on the sponsor. For the rest... any kind of compromise would be good :-)

In the case of the wireless infrastructure, we have been thinking of working on "the entry point", which would be a different SSID for each type of guest. However, on the wired side (which is the one we are interested in achieving) we don't have this possibility.

On the wired side, we have also been thinking of having something like "a variable-based portal" in which we would ask the guest user during enrollment to also choose the account type (visitor, contractor, etc.) and use that variable in the authorization policies. But even if we're able to do it, this is not exactly what we should achieve, since it would not be the sponsor who assigned the access level...

Thanks in advance for any idea on this matter.

Accepted Solutions
Cisco Employee

Re: ISE Wired Central Web Authentication - sponsor choose the access level of the guest

When a sponsor creates a guest they can choose a guest type. This guest type could be mapped to an authorization rule that would provide a differentiated type of access.

Since these guests are registering for themselves there is no way to change the guest type after the account is created.

You could have different levels of access perhaps by having one portal link to another portal?

  • If you click hotspot you get a base level of access

  • If you click self-registration another level, this portal might have an access code given by someone at the company

  • Sponsored gives you another level

https://communities.cisco.com/docs/DOC-64018#jive_content_id_Guest

Look at linking one guest portal to another.

Will think about some more

3 REPLIES

Beginner

Re: ISE Wired Central Web Authentication - sponsor choose the access level of the guest

Hello Jason,

I have modified the initial question content in order to give more info; indeed, we are looking at the portal to find the solution...

I understand your point about "not self enrollment" and you are right, this would work well in case it is the sponsor who creates the accounts. We need to understand if the customer would be open to this compromise...

Also, thank you for looking further into this.

Cisco Employee

Re: ISE Wired Central Web Authentication - sponsor choose the access level of the guest

As stated, you can set up different portals with different guest types mapped to the self-registration process (if you wanted to restrict them, you can use a passcode as part of the registration page).

I also saw an option to change the guest type in the sponsor portal. This could also be used.

Please send me a PM and we can work together offline as well to discuss.
