
Cisco ISE Guest Self Register and sponsor approve

jsalazar1
Level 1

In the self-registration sequence, the guest fills out the form and requests approval from the sponsor. The sponsor receives an email with an Approve/Deny link. The sponsor clicks the Approve link. After that, the sponsor portal page pops up for the sponsor to log in.

In this scenario, is it possible for the sponsor to approve the guest request by only clicking the Approve link that he/she received by email? Can we avoid asking the sponsor to log in to the sponsor portal page?

 

 


Accepted Solutions

Arne Bier
VIP

Hello @jsalazar1 

You sure can. Cisco calls this One-Click approval (or single-click approval). Jason Kunst wrote up a very nice step-by-step guide on this.

The key to this is that the AD Account of the approver (the one whose email is used) must be a member of the Sponsor Group that you're using. The details are in the link above.

I implemented this recently and it worked flawlessly. 


Arne, Thanks for your response. It was very helpful.

I'm trying to implement the One-Click approval solution with the guide provided by Jason Kunst. However, it is not working for me.

My AD is registered in ISE, and is a part of the identity source sequence. The users are also part of AD.
• Sponsor user AD Domain: D01.company.local
• Sponsor email address: firstname.lastname@company.com
• Sponsor user in AD has the email attribute that matches with the email “person being visited”

First issue:

When the guest user self-registers, the sponsor receives the email to Approve or Deny. The sponsor clicks "Approve"; however, it still brings the sponsor to the sponsor portal and asks the sponsor to authenticate in order to validate the user request.

Second issue:

Once the sponsor does authenticate, the guest sees the approval go through on their screen. After they accept the AUP, it redirects them to our company page.

However, the sponsor receives a web page that says, "Link is invalid. Please sign on to the sponsor portal to approve/deny guests."; even though the guest has already been approved.

I know that feeling when you follow a guide, but then the result is still not as expected.

One thing that tripped me up when I set this up for a large customer, was that my email address was assigned to more than one AD user account, but in the same domain. Perhaps it was pure misfortune that in my case, usernameB was matched by ISE (and then caused one-click to fail) because usernameB had the matching email address of the sponsor - when in fact, I wanted to match usernameA instead. The solution was to change the email address of my 2nd user account (usernameB) to something that did not resemble my email address, and then ISE was happy.

In summary, go looking in your AD to see whether the sponsor email address appears in more than one AD account. I can't recall how I did this - I think I used the Search function in AD Users and Computers.

And for what it's worth, I am using ISE 3.2 p4. But I think this feature has existed for a long time.

As for the second issue, I don't know. Perhaps once the first issue is resolved, it will fix the second issue too.
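
Added example, not part of the original thread: a PowerShell check for the two conditions discussed above, namely that the sponsor's email address resolves to exactly one AD account and that this account is in the sponsor group. The group name `ISE-Sponsors` is a hypothetical placeholder, and comparing on the `mail` attribute is an assumption based on the "email attribute" mentioned in the thread.

```powershell
# Added example; needs the RSAT ActiveDirectory module and read access to AD.
Import-Module ActiveDirectory

# Placeholders: replace with your own values before running.
$SponsorEmail = 'firstname.lastname@company.com'  # address format quoted in the thread
$SponsorGroup = 'ISE-Sponsors'                    # hypothetical AD group mapped to the ISE sponsor group
$Domain       = 'D01.company.local'               # sponsor AD domain quoted in the thread

function Get-SponsorEmailHits {
    param([string]$Email, [string]$Group, [string]$Server)

    # DNs of every direct and nested member of the sponsor group.
    $memberDns = Get-ADGroupMember -Identity $Group -Recursive -Server $Server |
        Select-Object -ExpandProperty distinguishedName

    # Every user object whose mail attribute equals the sponsor address.
    # Assumption: mail is the attribute matched against the sponsor email.
    Get-ADUser -LDAPFilter "(mail=$Email)" -Properties mail -Server $Server |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Mail           = $_.mail
                Enabled        = $_.Enabled
                InSponsorGroup = $memberDns -contains $_.DistinguishedName
            }
        }
}

$hits = @(Get-SponsorEmailHits -Email $SponsorEmail -Group $SponsorGroup -Server $Domain)
$hits | Format-Table -AutoSize

if ($hits.Count -eq 0) {
    Write-Warning "No AD user has mail = $SponsorEmail"
} elseif ($hits.Count -gt 1) {
    Write-Warning "$($hits.Count) accounts share $SponsorEmail; the wrong one may be matched."
} elseif (-not $hits[0].InSponsorGroup) {
    Write-Warning "$($hits[0].SamAccountName) is not a member of $SponsorGroup."
}

# Domain-wide view: every mail value that is set on more than one user account.
Get-ADUser -LDAPFilter '(mail=*)' -Properties mail -Server $Domain |
    Group-Object -Property mail |
    Where-Object Count -gt 1 |
    Select-Object Name, Count, @{ n = 'Accounts'; e = { $_.Group.SamAccountName -join ', ' } }
```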