Sponsor mail and AD Existence

nanu
Level 1

Hi Team, 

 

We are experiencing some problems in our ISE deployment, basically about the sponsor mail.

We configured "Person being visited" for guests, so it's mandatory to add the email of the sponsor being visited.

The issue is that ISE permits sending mail to anyone (whether they are in AD or not). Is this normal behavior? AFAIK ISE checks inside AD whether the email address exists; if it does not exist, the mail isn't sent.

How can we force (restrict) that only people inside the sponsor group (AD mapped group) can receive mail?

So, e.g., the company domain is example1.com and inside the AD group there is a sponsor with mail account user1@example1.com. If I fill in the guest portal with user2@example2.com as the email of the person being visited, the mail is sent (example2.com is outside our company).

 

Thank you in advance, 

 

1 Accepted Solution

Accepted Solutions

No, ISE does not check the email account specified as the person being visited against AD.

You might have a look at the following post for additional options on limiting the email addresses available:

ISE Guest Self-Registration person being visited (sponsor) choose list or assign 

 

Cheers,

Greg


6 Replies

Hi Parag, 

 

It isn't checked in AD?

 

Thank you, 

That's OK, I will apply one of your recommendations,

 

Thank you!

Hi Greg,

 

I want to add one last question to this topic.

 

Actually, we solved the domain issue, so mail will only be sent to company users.

But how can we limit who inside the company can receive mail?

 

According to this post, it looks like ISE is checking against AD:

 

https://community.cisco.com/t5/identity-services-engine-ise/ise-2-2-guest-features-quot-supported-with-internal-ad-ldap/td-p/3601338

 

Also this bug:

https://quickview.cloudapps.cisco.com/quickview/bug/CSCve76134

 

Definitely:

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01110.html

 

"If the email address for the sponsor is not for a valid sponsor, the approval email is not sent."

 

 

(How can ISE validate whether it is a valid sponsor if it does not check against AD?)

 

So, what do you think?

 

Thank you,

As per Jason Kunst's post, "NO there is no lookup of the person being visited less using single click"

 * I expect this is meant to be "unless using single click"

 

I'm familiar with the enhancement bug you referenced and I'm not aware that this enhancement has been implemented in any current versions of ISE. From prior customer engagements, I have not seen that ISE does a lookup against AD so we have used the 'choose list' option that I referenced in my previous response as a workaround.

 

@Jason Kunst, can you confirm the current capabilities around AD/LDAP lookups of 'person being visited' for self-registered Guests?
