Cisco Community
English
Register
Congratulate December's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

514
Views
0
Helpful
2
Replies
Highlighted
Keith Simmons
Cisco Employee
Cisco Employee
‎02-01-2017 04:28 PM
‎02-01-2017 04:28 PM

Can a Sponsor User belonging to more than one Sponsor Portal Group

My Customer is trying to validate that the following use case is possible.

My Customer has two sponsor groups and each are using AD Groups for the matching criteria:

a.      All AD Users – Can see guests created by that user or guests that listed them as a sponsor via guest flow.

          Match AD Group = Domain Users

b.      Admin Users – Helpdesk users that can see any and all guest users for support.

          Match AD Group = Administrators

The problem is if a User logs into the Sponsor Portal and belongs to both the "Domain Users" and "Administrators" AD Groups, that are being used to matched both "All AD Users" and "Admin Users" Sponsor Groups, the "All AD Users"  Sponsor Group is the only Policy that is being matched.

The result is Admin Users are matched to the All AD Users Sponsor Group with limited none administrative Sponsor Portal Privileges

khsieh joelalle

0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Jason Kunst
Cisco Employee
Cisco Employee
‎02-02-2017 06:54 AM
‎02-02-2017 06:54 AM

Yes, a sponsor user can belong to more than one Sponsor Group.    In general, the user belongs to each SG where the matching criteria are satisfied.    If a user belongs to multiple SG’s, that user gets permissions from all of those groups.  This is true in all versions since ISE 1.3

a sponsor that belongs to both AD groups should belong to both Sponsor Groups.  We would need to see the details of the customer’s configuration here to see why it isn’t working. Please open a tac case

View solution in original post

0 Helpful
Reply
2 REPLIES 2
Highlighted
Jason Kunst
Cisco Employee
Cisco Employee
‎02-01-2017 06:19 PM
‎02-01-2017 06:19 PM

What version of ISE are you on?

0 Helpful
Reply
Highlighted
Jason Kunst
Cisco Employee
Cisco Employee
‎02-02-2017 06:54 AM
‎02-02-2017 06:54 AM

Yes, a sponsor user can belong to more than one Sponsor Group.    In general, the user belongs to each SG where the matching criteria are satisfied.    If a user belongs to multiple SG’s, that user gets permissions from all of those groups.  This is true in all versions since ISE 1.3

a sponsor that belongs to both AD groups should belong to both Sponsor Groups.  We would need to see the details of the customer’s configuration here to see why it isn’t working. Please open a tac case

View solution in original post

0 Helpful
Reply
Latest Contents
SSL Certificate on ASA - Missing something?
Created by machine23 on 01-16-2021 11:15 AM
2
0
2
0
Hello All ,  I have added an SSL cert for the ASA - ciscoasa.ladderbar.com (195.36.189.55) and applied the certificate on the SSL settings on the ASA so when users use anyconnect using the DNS name (ciscoasa.ladderbar.com) it works good and no r... view more
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:48 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:46 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 01-15-2021 06:09 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Serious problem with Object Groups + Access Policies in FMC
Created by mhmservice on 01-15-2021 04:31 AM
0
0
0
0
Hi allI've been having a major problem with Object Groups in FMC access policiesIf I have a pre-existing line in a policy with an Object Group which contains a list of IPs, if I add an additional IP to that object group, then deploy, the traffic is still ... view more
Content for Community-Ad