
05-03-2017 10:21 AM
Customer has this requirement:
Every 90 days non-employees change their password, so we need a self-service portal for non-employee users of VPN through ACS as we move them to ISE.
I would think we can do this through the guest access portal but I'm used to that being around Wireless access. Any reason we can't do this for VPN? Outside of security risks.
Thanks.
Lou
Labels: Identity Services Engine (ISE)
Accepted Solutions

05-03-2017 10:26 AM
Guest accounts will work with wired, wireless or VPN connectivity; just need to make sure that identity source for VPN includes
However, the only way to change guest password is through the guest flow.
The recommendation would be to use this option:
https://communities.cisco.com/thread/73087
Please give me the company name and contact info (offline) so I can put this in our feature request.


05-03-2017 01:21 PM
This should work as you aren't using guest users. You should be using normal local accounts in ISE to authenticate non-AD VPN users.
Try this:
1) Configure local group in ISE, Allowed_VPN_Users
2) Configure local users in ISE and assign them to Allowed_VPN_Users group.
3) Build a sponsor group, VPN_Password_Change, and strip away all of its rights to build any accounts.
4) Assign Allowed_VPN_Users to the sponsor group.
5) Build sponsor portal, VPN_Password_Change, and strip everything out of it. You can even use JavaScript to hide buttons.
6) Assign FQDN to the sponsor portal to make it easily accessible, changemypassword.mycompany.com.
You could even make this accessible over the Internet, but that may be going too far. If you have never used the sponsor portal to change password, it is a bit hidden. You need to click in the upper right corner where it says "Welcome <username>". I have used this similar method when I was using the local database for TACACS admins.
I can't remember if the API supports local user account password changes. I haven't explored that.

05-03-2017 01:25 PM
Sorry, missed your link Jason.

05-03-2017 01:26 PM
Well, that answers that!

05-03-2017 01:25 PM
Paul, did you see the scripted portal I shared out? It changes a My Devices portal into a UCP password change portal?
01-16-2024 12:32 AM
And now I have ISE 3.3, can I use the Sponsor portal to create users for AnyConnect VPN Access?
