Cisco ISE and Shadow Accounts

MasterOfDis
Level 1

Dear,

We are about to implement Cisco ISE to authenticate our Wi-Fi users and give them access to the internet, but we have a special requirement. I will explain this with an example:

Assume we have an Active Directory domain of: xyz.com; all our Wi-Fi users are within this domain. Also we have a Wi-Fi network with SSID: abc.

I would like to authenticate our Wi-Fi users for SSID: abc via Cisco ISE connected to the xyz.com Active Directory. So far the configuration is straightforward, but the organisation wants the following:

Users within the xyz.com AD domain need to go to portal X where they can request a shadow Wi-Fi account (anonymous account), which they can use to authenticate to SSID: abc. But we need to keep track of which Active Directory user is using which shadow account.

Can we achieve such a configuration with the help of the Cisco ISE portal functionality or the APIs within Cisco ISE?

Accepted Solution

CarlCarlson1234
Level 1

If you treat the SSID like a guest network, using central web login, then you could create a sponsor portal that users log into using their AD accounts. There is an option that only allows users to view and manage their own accounts within the sponsor portal (as of 2.2ish?). They could log in there to create an "anonymous" account. Then the account would be tied to the account that created it. Without looking up the Guest APIs to confirm, you can pull guest info out using the APIs, but I don't know off hand if it gives you the account sponsor. But you can create a sponsor admin account that can view all accounts in the sponsor portal.

This sort of explains the sponsor portal and accounts: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/sponsor_guide/b_spons_SponsorPortlUserGuide_24/b_spons_SponsorPortlUserGuide_22_chapter_00.html

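An added example (not Cisco's code and not from this thread) of the API side Carl mentions: pulling guest accounts out over ISE's ERS REST API and joining each "anonymous" account to the sponsor that created it, which is the AD-user-to-shadow-account record the question asks for. It assumes the ERS GuestUser resource returns JSON in the shape of the constructed sample below, including a sponsorUserName field (verify this against the ERS SDK page of your ISE version, since the thread leaves it unconfirmed), an account with ERS access, and the placeholder PAN hostname ise-pan.xyz.com. Only the offline part (sample data, mapping and audit) runs as written; fetch_guest_user shows the live call.

```python
"""Map ISE guest ("shadow") accounts back to the sponsor that created them.

Added example, not Cisco's code. Assumed: the ERS GuestUser resource
(GET /ers/config/guestuser/{id}) returns JSON shaped like SAMPLE_GUEST_USERS
below, including "status" and "sponsorUserName". ise-pan.xyz.com is a
placeholder hostname.
"""
import base64
import json
import ssl
import urllib.request
from collections import defaultdict

ERS_BASE = "https://ise-pan.xyz.com:9060/ers/config"  # placeholder PAN hostname


def fetch_guest_user(guest_id, ers_user, ers_password, ers_base=ERS_BASE, cafile=None):
    """Live ERS call (not exercised offline): fetch one GuestUser resource by id.

    ERS uses HTTP basic auth on port 9060 and must be enabled on the PAN.
    Keep TLS verification on and point cafile at the CA that issued the ISE
    admin certificate instead of disabling checks.
    """
    token = base64.b64encode(f"{ers_user}:{ers_password}".encode()).decode()
    req = urllib.request.Request(
        f"{ers_base}/guestuser/{guest_id}",
        headers={"Accept": "application/json", "Authorization": f"Basic {token}"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


# Constructed sample responses in the assumed GuestUser shape. Two accounts were
# created by AD user "jdoe" through the sponsor portal; the third has no sponsor
# recorded, which is how an account from an unattended self-registration flow
# could show up.
SAMPLE_GUEST_USERS = [
    {"GuestUser": {"id": "g-1", "status": "ACTIVE", "guestType": "Anonymous (shadow)",
                   "sponsorUserName": "jdoe",
                   "guestInfo": {"userName": "anon-1001", "enabled": True},
                   "guestAccessInfo": {"validDays": 30}}},
    {"GuestUser": {"id": "g-2", "status": "ACTIVE", "guestType": "Anonymous (shadow)",
                   "sponsorUserName": "jdoe",
                   "guestInfo": {"userName": "anon-1002", "enabled": True},
                   "guestAccessInfo": {"validDays": 30}}},
    {"GuestUser": {"id": "g-3", "status": "ACTIVE", "guestType": "Anonymous (shadow)",
                   "guestInfo": {"userName": "anon-1003", "enabled": True},
                   "guestAccessInfo": {"validDays": 30}}},
]


def shadow_account_map(guest_users):
    """Return {guest username: sponsor username or None} for ACTIVE accounts only."""
    mapping = {}
    for item in guest_users:
        g = item["GuestUser"]
        if g.get("status") != "ACTIVE":
            continue  # expired/suspended accounts cannot authenticate, skip them
        mapping[g["guestInfo"]["userName"]] = g.get("sponsorUserName") or None
    return mapping


def audit_shadow_accounts(mapping):
    """Findings against the one-AD-user-per-shadow-account requirement.

    Returns (unsponsored, multi): unsponsored is the sorted list of active
    accounts with no sponsor on record (cannot be traced to an AD user);
    multi maps every sponsor holding more than one active account to that list.
    """
    by_sponsor = defaultdict(list)
    unsponsored = []
    for guest, sponsor in sorted(mapping.items()):
        if sponsor is None:
            unsponsored.append(guest)
        else:
            by_sponsor[sponsor].append(guest)
    multi = {s: accts for s, accts in by_sponsor.items() if len(accts) > 1}
    return unsponsored, multi


if __name__ == "__main__":
    m = shadow_account_map(SAMPLE_GUEST_USERS)
    unsponsored, multi = audit_shadow_accounts(m)
    for guest, sponsor in m.items():
        print(f"{guest:12} -> {sponsor or '<no sponsor recorded>'}")
    print("untraceable accounts:", unsponsored)
    print("sponsors with several accounts:", multi)
```

The audit is the part worth keeping in a scheduled job: an active shadow account with no sponsor, or one AD user holding several, is exactly the case where the "which AD user is behind this account" question from the original post can no longer be answered from ISE data alone.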
Thank you for your reply, CarlCarlson!

Is this setup also possible with WPA2 Enterprise protection?


@CarlCarlson1234 wrote:

If you treat the SSID like a guest network, using central web login, then you could create a sponsor portal that users log into using their AD accounts. There is an option that only allows users to view and manage their own accounts within the sponsor portal (as of 2.2ish?). They could log in there to create an "anonymous" account. Then the account would be tied to the account that created it. Without looking up the Guest APIs to confirm, you can pull guest info out using the APIs, but I don't know off hand if it gives you the account sponsor. But you can create a sponsor admin account that can view all accounts in the sponsor portal.


This sort of explains the sponsor portal and accounts: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/sponsor_guide/b_spons_SponsorPortlUserGuide_24/b_spons_SponsorPortlUserGuide_22_chapter_00.html


Yes, good point, and if they wanted further controls they could use the self-registration as a kiosk flow listed on https://cs.co/ise-guest

The user could create an account and have someone else approve it (as a sponsor flow).

Login page auto-redirect to the create-an-account page: this script is used for providing guests direct access to the self-registration page.

  • For a kiosk that might be in a lobby
  • The guest flow is usually going to create an account first (and not need the login page)
  • Meraki LWA where they want to link the customer directly to the self-registration portal from the splash page