2172 Views · 1 Helpful · 4 Replies

Multiple sponsor portals while limiting pending guest viewing

paul
Level 10

I have an international customer that is doing a self-registered sponsor approval required guest portal for their AsiaPac region.  They have PSNs in the different countries in the region and want to customize the guest portal and sponsor portal per region.  All that is no problem.  I can key off the PSN that is authenticating the guest users to direct the guest user to the desired portal.  Something like this:

Sponsor Portals

Sponsor-China: runs on port 8445 with an FQDN of sponsor-china.company.com.

Sponsor-Japan: runs on port 8446 with an FQDN of sponsor-japan.company.com.

Guest Portals

Guest-China: self-registered guest portal with sponsor approval email. The sponsor gets an email pointing them to https://sponsor-china.company.com to approve the guest.

Guest-Japan: self-registered guest portal with sponsor approval email. The sponsor gets an email pointing them to https://sponsor-japan.company.com to approve the guest.

I am running ISE 2.1 and this setup is all easy.  The one issue they have is everyone can view all the pending guest requests.  So any of the sponsors in Japan can see and approve the pending requests for China.  Once the request is approved and moved to a Managed Account then the users will no longer be able to see anything but their own accounts, but I don't see a way to limit the viewing of the Pending Accounts.

I am testing this setup in my lab and can see everything in the pending requests.

Am I missing a way to do this?

Thanks.

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee

For ISE 2.0

https://communities.cisco.com/docs/DOC-68210

ISE 2.1 added the ability to filter pending accounts

Release Notes for Cisco Identity Services Engine, Release 2.1 - Cisco

  • Sponsor Approval Filtering—A sponsor can be limited to approving accounts based on the sponsor's email address, or all pending accounts. Currently this feature is supported only for internal sponsors and SAML SSO sponsors.

ISE 2.2 added the ability to filter off AD

Release Notes for Cisco Identity Services Engine, Release 2.2 - Cisco

  • Sponsor access to pending accounts—Access to all or only the Sponsor's accounts is now supported for Active Directory and LDAP.

Here is the Sponsor Group setting to use. The email account would need to be present in the store you are using, and this must match the "person being visited" field that the user enters on the self-registration page.

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Guest Access [Cisco Identity Services Engin…

  •   Approve and view requests from self-registering guests—Sponsors who are included in this Sponsor Group can either view all pending account requests from self-registering guests (that require approval), or only the requests where the user entered the Sponsor's email address as the person being visited. This feature requires that the portal used by the Self-registering guest has Require self-registered guests to be approved checked, and the Sponsor's email is listed as the person to contact.

 

  •   Any pending accounts—A sponsor belonging to this group can approve and review accounts that were created by any sponsor.

 

  •   Only pending accounts assigned to this sponsor—A sponsor belonging to this group can only view and approve accounts that they created.

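To make the sponsor-group rule above concrete, here is a small model of the two "pending accounts" options, added as an example; it is not Cisco code and not anything posted in this thread. It assumes the filter is a plain comparison between the sponsor's stored email and the "person being visited" value the guest typed on the self-registration page (case-insensitive matching is my assumption, not something the documentation states), and it shows what a sponsor sees when their record in the identity store carries no email attribute at all. Sponsor and request records are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class PendingScope(Enum):
    """The two radio-button choices on the Sponsor Group."""
    ANY = "any pending accounts"
    ASSIGNED = "only pending accounts assigned to this sponsor"


@dataclass(frozen=True)
class Sponsor:
    username: str
    email: Optional[str]      # None models a sponsor store with no email attribute
    scope: PendingScope


@dataclass(frozen=True)
class PendingRequest:
    guest: str
    person_visited: str       # email the guest entered on the self-reg page
    portal: str


def normalize_email(addr: str) -> str:
    # Assumption: matching ignores case and surrounding whitespace.
    return addr.strip().lower()


def visible_pending(sponsor: Sponsor, requests: List[PendingRequest]) -> List[PendingRequest]:
    """Return the pending requests this sponsor may view and approve."""
    if sponsor.scope is PendingScope.ANY:
        # "Any pending accounts": every request, regardless of region or portal.
        return list(requests)
    if not sponsor.email:
        # "Only pending accounts assigned to this sponsor" with no email to
        # match against: nothing is assigned, so the sponsor sees nothing.
        return []
    me = normalize_email(sponsor.email)
    return [r for r in requests if normalize_email(r.person_visited) == me]


def can_approve(sponsor: Sponsor, request: PendingRequest, requests: List[PendingRequest]) -> bool:
    """A sponsor may approve only what the group setting lets them see."""
    return request in visible_pending(sponsor, requests)


# Constructed sample data (not real accounts).
REQUESTS = [
    PendingRequest("guest-cn-01", "Li.Wei@company.com", "Guest-China"),
    PendingRequest("guest-cn-02", "li.wei@company.com", "Guest-China"),
    PendingRequest("guest-jp-01", "sato@company.com", "Guest-Japan"),
]

SPONSOR_CN = Sponsor("liwei", "li.wei@company.com", PendingScope.ASSIGNED)
SPONSOR_JP = Sponsor("sato", "sato@company.com", PendingScope.ASSIGNED)
SPONSOR_ALL = Sponsor("helpdesk", "helpdesk@company.com", PendingScope.ANY)
SPONSOR_NO_EMAIL = Sponsor("extuser", None, PendingScope.ASSIGNED)


if __name__ == "__main__":
    for s in (SPONSOR_CN, SPONSOR_JP, SPONSOR_ALL, SPONSOR_NO_EMAIL):
        names = [r.guest for r in visible_pending(s, REQUESTS)]
        print(f"{s.username:10s} ({s.scope.value}): {names}")
```

The last sponsor is the case the later reply complains about: with externally authenticated sponsors whose store does not expose an email, the "assigned" setting hides everything rather than falling back to group membership.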

4 Replies


Thanks for the quick response Jason. I can best summarize it up as “RTFM Paul!” ☺

I was missing the obvious checkbox on the sponsor group.

Have a great weekend!

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Only because I know you ☺

This is not a viable solution to restricting sponsor management of pending accounts.  Cisco is relying on a self-registering guest to enter a sponsor's email address to restrict sponsor management of said guest's pending account.  That's like the tail wagging the dog.  This also requires that the sponsor's account exists in the ISE internal database with an email address as an attribute.  This is infeasible with external authentication of sponsor accounts.  We are dealing with this same situation at work with ISE 3.1, and there is no way via ISE GUI configuration to make this work.

Does Cisco have something in the works to make sponsor group membership the controlling factor for which pending accounts a sponsor can manipulate?
