Cisco Employee

Guest portal use for VPN

Customer has this requirement:

       Every 90 days non-employees change their password, so we need a self-service portal for non-employee users of VPN through ACS as we move them to ISE

I would think we can do this through the guest access portal but I'm used to that being around Wireless access. Any reason we can't do this for VPN? Outside of security risks.

Thanks.

Lou

Accepted Solutions
Cisco Employee

Guest accounts will work with wired, wireless or VPN connectivity; you just need to make sure that the identity source for VPN includes

However the only way to change guest password is through the guest flow.

The recommendation would be to use this option:

https://communities.cisco.com/thread/73087

Please give me the company name and contact info (offline) so I can put this in our feature request

VIP Advocate

This should work as you aren't using guest users. You should be using normal local accounts in ISE to authenticate non-AD VPN users. 

Try this:

1) Configure local group in ISE, Allowed_VPN_Users

2) Configure local users in ISE and assign them to the Allowed_VPN_Users group.

3) Build a sponsor group, VPN_Password_Change, and strip away all of its rights to build any accounts.

4) Assign Allowed_VPN_Users to the sponsor group

5) Build sponsor portal, VPN_Password_Change, and strip everything out of it. You can even use JavaScript to hide buttons.

6) Assign an FQDN to the sponsor portal to make it easily accessible, changemypassword.mycompany.com.

You could even make this accessible over the Internet, but that may be going too far. If you have never used the sponsor portal to change a password, it is a bit hidden. You need to click in the upper right corner where it says "Welcome <username>". I have used this similar method when I was using the local database for TACACS admins.

I can't remember if the API supports local user account password changes. I haven't explored that.

Highlighted

Sorry, missed your link Jason. 

Highlighted

Well, that answers that!

Highlighted

Paul, did you see the scripted portal I shared out? It changes a My Devices portal into a UCP password change portal.
