Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

740
Views
0
Helpful
2
Replies
Keith Simmons
Cisco Employee
Cisco Employee
‎02-01-2017 04:28 PM
‎02-01-2017 04:28 PM

Can a Sponsor User belonging to more than one Sponsor Portal Group

My Customer is trying to validate that the following use case is possible.

My Customer has two sponsor groups and each are using AD Groups for the matching criteria:

a.      All AD Users – Can see guests created by that user or guests that listed them as a sponsor via guest flow.

          Match AD Group = Domain Users

b.      Admin Users – Helpdesk users that can see any and all guest users for support.

          Match AD Group = Administrators

The problem is if a User logs into the Sponsor Portal and belongs to both the "Domain Users" and "Administrators" AD Groups, that are being used to matched both "All AD Users" and "Admin Users" Sponsor Groups, the "All AD Users"  Sponsor Group is the only Policy that is being matched.

The result is Admin Users are matched to the All AD Users Sponsor Group with limited none administrative Sponsor Portal Privileges

khsieh joelalle

0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Jason Kunst
Cisco Employee
Cisco Employee
‎02-02-2017 06:54 AM
‎02-02-2017 06:54 AM

Yes, a sponsor user can belong to more than one Sponsor Group.    In general, the user belongs to each SG where the matching criteria are satisfied.    If a user belongs to multiple SG’s, that user gets permissions from all of those groups.  This is true in all versions since ISE 1.3

a sponsor that belongs to both AD groups should belong to both Sponsor Groups.  We would need to see the details of the customer’s configuration here to see why it isn’t working. Please open a tac case

View solution in original post

0 Helpful
2 REPLIES 2
Jason Kunst
Cisco Employee
Cisco Employee
‎02-01-2017 06:19 PM
‎02-01-2017 06:19 PM

What version of ISE are you on?

0 Helpful
Jason Kunst
Cisco Employee
Cisco Employee
‎02-02-2017 06:54 AM
‎02-02-2017 06:54 AM

Yes, a sponsor user can belong to more than one Sponsor Group.    In general, the user belongs to each SG where the matching criteria are satisfied.    If a user belongs to multiple SG’s, that user gets permissions from all of those groups.  This is true in all versions since ISE 1.3

a sponsor that belongs to both AD groups should belong to both Sponsor Groups.  We would need to see the details of the customer’s configuration here to see why it isn’t working. Please open a tac case

View solution in original post

0 Helpful
Latest Contents
Configuring IPsec IKEv2 Remote Access VPN with Cisco Secure ...
Created by Marvin Rhoads on 10-13-2021 03:54 AM
0
20
0
20
  Whitepaper - Configuring IPsec IKEv2 Remote Access VPN with Cisco Secure Firewall Marvin Rhoads 10-13-2021         Abstract / Introduction............................ 1 Problem Statement............................ view more
Cisco Survey: Seeking active Cisco Secure Firewall users
Created by aprata on 10-11-2021 02:12 PM
0
0
0
0
Hi everyone,    The Cisco Secure Firewall and SecureX teams are looking for feedback from active Secure Firewall users who may or may not have already activated SecureX. Your responses will help us improve the Firepower experience in SecureX. Th... view more
Cisco ISE (Identity Services Engine) IPv6 support
Created by howon on 10-05-2021 06:58 PM
0
5
0
5
Related documentsCisco ISE (Identity Services Engine) IPv6 features by release2.6ISE ManagementNetwork Time Protocol SupportDomain Name System SupportExternal RepositoriesAudit Logs and ReportsSimple Network Management ProtocolAccess Control Lists And Dyn... view more
VPN Site-to-Site with dynamic IP
Created by meddane on 09-17-2021 04:03 PM
0
5
0
5
Site to Site IPSec VPN with Dynamic IP Endpoint is typically used when we have a branch sites which obtains a dynamic public IP from the Internet ISP. For example an ADSL connection.One important note is that Site-to-Site VPN with Dynamic remote routers P... view more
Site-to-Site FlexVPN IOS router
Created by meddane on 09-17-2021 04:00 PM
0
0
0
0
On R1, configure a key ring that defines the peer R3:Address: 23.0.0.3Local and remote pre-shared key: cisco R1(config)#crypto ikev2 keyring KRR1(config-ikev2-keyring)# peer R3R1(config-ikev2-keyring-peer)# address 23.0.0.3R1(config-ikev2-keyring-pee... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Event
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Did you miss a previous ISE webinar?

CiscoISE YouTube Channel