07-23-2019 11:51 AM
Has anyone come up with any solution for this requirement?
The capability within ISE to customize the type and number of fields in the form that comes up when you are creating/sponsoring guest accounts.
and/or
Second, ability to auto-fill the fields in this form with AD attributes when using SSO/SAML authentication. Correct?
Specific Customer Comments:
We would like to require all employees to use the portal to self-sponsor themselves for BYOD internet access from their phones.
Right now there is a big list of fields we collect per user when sponsoring a guest, and employees have to manually fill out all of those fields for themselves.
If we could customize what fields are shown, we could maybe ensure the only field was “email address” or something and lifetime.
Or alternatively, if we could auto-populate fields, then the fact that there are 10 fields wouldn’t matter because we would auto-populate when someone is self-sponsoring a BYOD device from their AD attributes…and they would just select the account lifetime and click submit.
07-23-2019 06:17 PM
07-30-2019 09:35 AM
It is already possible. You will need to go to the sponsor portal page, click ‘Portal Page Customization’, then select ‘Create Account for Known Guests’ page. Lastly, select ‘Settings tab’ in the preview on the right and you will be presented with options to add/remove fields. The ‘Custom fields’ can be added by going to Work Centers > Guest Access > Settings > Custom Fields.
Currently, there is no way to auto fill the guest fields based on the sponsor login user information.
07-30-2019 09:42 AM
This is good news. Is there a specific version of ISE that is needed for this functionality? According to TAC this was not possible so they asked the customer to reach out to Account team to request this feature.
Below from TAC:
Hello Joseph,
We were doing some tests in the lab and we concluded that both options are not possible on ISE.
- The application does not have a mechanism to associate the guest type with the information displayed in the fields.
- The application does not have a mechanism to take AD attributes retrieved by SAML and put them in the guest user fields automatically.
We believe the options are good ideas so we encourage you to reach your account manager and propose an enhancement request; this is the right channel to address the request and get attention from the Cisco development team.
07-30-2019 09:51 AM - edited 07-30-2019 09:59 AM
#1 is possible; you simply need to select the guest type during creation with the pull-down menu. TAC may be saying it is not based on the fields, which is technically true. See sample page below. This feature has been available since 1.3.
07-30-2019 10:41 AM
This seems promising; however, the only thing I see being an issue is the fact that the changes you make in that page affect *all* guest types. You can’t specifically say you want these fields for a daily guest versus these fields for an employee personal device.
That is what the customer is looking to do specifically with this feature. Is that possible?
Thanks!
Chuck
07-30-2019 10:54 AM
No, but this page is for creating guest accounts. If your customer wants to register BYOD endpoints then the My Devices portal would be what they are looking for.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/mydevices/b_mydevices_2x.html
07-30-2019 11:08 AM
Thanks Hosuk -
Yeah so the customer requirements are as follows:
1. They want to provide a seamless, simple and secure service for staff to self-sponsor access to the network for Internet-only.
2. They want visibility into who is using the network (thus the AD authentication).
3. They want simplicity (they don't want a portal page with too many fields to fill in; they use the default page for regular guest access).
4. They do not want an agent to be installed on the mobile device.
5. They are OK with using certificates if needed. But if they can avoid it, they'd like to.
There are legacy cultural forces driving these unique requirements.
Does ISEPB integrate with AD and would it provide an AD authenticated service?
Any thoughts on your part on how to leverage ISE to accommodate this for them would be appreciated.
Chuck
07-30-2019 11:23 AM
Maybe I missed it, but why not just let the user log in with his/her AD account in the first place?
07-30-2019 11:30 AM
They want to keep this traffic off the local network.
But I see your point: why not just use a separate SSID along with the anchor WLC splash page (can customize these) for the portal and isolate it that way?
07-30-2019 11:34 AM
No, I was suggesting using the same portal as guests. But assign any employees logging in to the guest portal Internet-only access like a real guest. This will meet the customer requirement for segmentation, visibility into the username, as well as simplicity.
07-30-2019 11:39 AM
That’s what started the request. They either want to modify those fields in the form so there are much fewer for this guest type (employee self-sponsored vs. non-employee guest) or have the fields auto-populate with AD attributes so the user doesn’t have to fill them out (undermining the user experience).
Thus the request for the customization of form based on guest type.
07-30-2019 11:45 AM
I am talking about the guest portal, not the sponsor portal. Since the employee already has an account (AD in this case), there is no need to fill out anything in the guest portal. They just need to log in using the employee credential without registration. The portal authenticates users from both the guest database as well as AD as a default.
07-30-2019 12:03 PM
So according to the customer they are using the guest portal already for regular guests without an AD account. This guest portal has a number of default fields that they would rather not have shown. You are saying they can just enter AD credentials and log in that way without registration and/or filling out the other fields?
What is the difference between guest portal and self-sponsor portal?
Thanks!
07-30-2019 12:15 PM
Yes, you got it.
Guest portal could be self-registered/sponsored, sponsored or hotspot. Guests or employees can log in via the same portal. In your example we are talking about guest portal == self-registered/sponsored.
Sponsor portal is where an employee would log in to create guest accounts.
