07-23-2019 11:51 AM
Has anyone come up with any solution for this requirement?
The capability within ISE to customize the type and number of fields in the form that comes up when you are creating/sponsoring guest accounts.
and/or
Second, ability to auto-fill the fields in this form with AD attributes when using SSO/SAML authentication. Correct?
Specific Customer Comments:
We would like to require all employees to use the portal to self-sponsor themselves for BYOD internet access from their phones.
Right now there is a big list of fields we collect per user when sponsoring a guest, and employees have to manually fill out all of those fields for themselves.
If we could customize what fields are shown, we could maybe ensure the only field was “email address” or something and lifetime.
Or alternatively if we could auto-populate fields then the fact that there are 10 fields wouldn’t matter because we would auto-populate when someone is self-sponsoring a BYOD device from their AD attributes…and they would just select the account lifetime and click submit.
07-23-2019 06:17 PM
07-30-2019 09:35 AM
It is already possible. You will need to go to the sponsor portal page, click ‘Portal Page Customization’, then select ‘Create Account for Known Guests’ page. Lastly, select ‘Settings tab’ in the preview on the right and you will be presented with options to add/remove fields. The ‘Custom fields’ can be added by going to Work Centers > Guest Access > Settings > Custom Fields.
Currently, there is no way to auto fill the guest fields based on the sponsor login user information.
07-30-2019 09:42 AM
This is good news. Is there a specific version of ISE that is needed for this functionality? According to TAC this was not possible so they asked the customer to reach out to Account team to request this feature.
Below from TAC:
Hello Joseph,
We were doing some tests in the lab and we concluded that both options are not possible on ISE.
We believe the options are good ideas so we encourage you to reach your account manager and propose an enhancement request, this is the right channel to address the request and get attention from Cisco development team.
07-30-2019 09:51 AM - edited 07-30-2019 09:59 AM
#1 is possible, you simply need to select the guest type during creation with pull down menu. TAC may be saying it is not based on the fields, which is technically true. See sample page below. This feature has been available since 1.3.
07-30-2019 10:41 AM
This seems promising however the only thing I see being an issue is the fact that the changes you make in that page affect *all* guest types, you can’t specifically say you want these fields for a daily guest versus these fields for an employee personal device.
That is what the customer is looking to do specifically with this feature. Is that possible?
Thanks!
Chuck
07-30-2019 10:54 AM
No, but this page is for creating guest accounts. If your customer wants to register BYOD endpoints then my devices portal would be what they are looking for.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/mydevices/b_mydevices_2x.html
07-30-2019 11:08 AM
Thanks Hosuk -
Yeah so the customer requirements are as follows:
1. They want to provide a seamless, simple and secure service for staff to self-sponsor access to the network for Internet-only.
2. They want visibility into who is using the network (thus the AD authentication)
3. They want simplicity (they don't want portal page with too many fields to fill in, they use the default page for regular guest access)
4. They do not want an agent to be installed on the mobile device
5. They are ok with using certificates if needed. But if they can avoid they'd like to.
There are legacy cultural forces driving these unique requirements.
Does ISEPB integrate with AD and would it provide an AD authenticated service?
Any thoughts on your part on how to leverage ISE to accommodate this for them would be appreciated.
Chuck
07-30-2019 11:23 AM
Maybe I missed it but why not just let the user login with his/her AD account in the first place?
07-30-2019 11:30 AM
07-30-2019 11:34 AM
No, I was suggesting to use the same portal as guest. But, assign any employees logging in to the guest portal with Internet only access like real guest. This will meet customer requirement for segmentation, visibility into the username as well as simplicity.
07-30-2019 11:39 AM
07-30-2019 11:45 AM
I am talking about the guest portal not the sponsor portal. Since employee already has an account (AD in this case), there is no need to fill out anything in the guest portal. Just need to login using the employee credential without registration. The portal authenticates users from both guest database as well as AD as a default.
07-30-2019 12:03 PM
07-30-2019 12:15 PM
Yes, you got it.
Guest portal could be self-registered/sponsored, sponsored or hotspot. Guest or employees can login via the same portal. In your example we are talking about guest portal == self-registered/sponsored.
Sponsor portal is where employee would login to create guest accounts.