
How to secure a Sponsor Portal from unauthorized access

NightLight
Level 1

Hello all,
I have set up a demo lab and am trying to learn how best to secure ISE. Now I am wondering how to secure the access to the Sponsor Portal.

I use interface 0 for management. I have bundled interfaces 2 and 3 for the data. If I managed the portal myself, everything would be OK. In most companies, however, I know that you always get vouchers for the guest WLAN via the reception. That means the reception would have to get access rights to the PAN or PSN node to reach the portal.
Is there a way to outsource the portal to its own interface?

Best regards

Accepted Solution

Octavian Szolga
Level 4

Hi NightLight,

The sponsor portal itself is not on PAN, but rather on PSN. It's a different portal than the admin (GUI) portal.

Secondly, it listens on a specific port and has to have a specific FQDN.
The FQDN is basically what tells ISE that instead of going to https://sponsor.mycompany.com (443) you want to actually go to the webserver hosted on port 8443 (as an example; default sponsor portal port) that is used solely for the sponsor portal.

You can 'secure' this portal:

- by allowing reception personnel to contact ISE PSN only on 8443 (you have to check if FQDN:8443 connection method works or ISE PSN needs to initially receive the request on 443 and redirect it afterwards to 8443)

- by using a load balancer and some WAF services in order to inspect web traffic going to this portal

BR,
Octavian
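
Added example (not part of the original thread and not Cisco code): a small Python check for the point the answer says to verify, whether FQDN:8443 answers directly or port 443 first redirects to 8443. It is meant to be run from the reception network against the example FQDN from the post; `probe` and `ports_to_permit` are names made up for this example.

```python
import http.client
from urllib.parse import urlsplit

SPONSOR_PORT = 8443  # default sponsor portal port named in the answer
REDIRECTS = {301, 302, 303, 307, 308}

def probe(host, port, timeout=5):
    """GET / over TLS without following redirects; return (status, Location)."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None, None  # filtered, closed, or TLS/certificate failure
    finally:
        conn.close()

def redirects_to_sponsor_port(status, location):
    """True if the response is a redirect whose target uses port 8443."""
    if status not in REDIRECTS or not location:
        return False
    try:
        return urlsplit(location).port == SPONSOR_PORT
    except ValueError:  # malformed port in the Location header
        return False

def ports_to_permit(fqdn, probe_fn=probe):
    """PSN ports reception clients use when they browse to the portal FQDN."""
    permit = []
    status, _ = probe_fn(fqdn, SPONSOR_PORT)
    if status is not None:
        permit.append(SPONSOR_PORT)  # FQDN:8443 answers directly
    status, location = probe_fn(fqdn, 443)
    if redirects_to_sponsor_port(status, location):
        permit.append(443)  # bare FQDN lands on 443 first, then is redirected
    return sorted(permit)

if __name__ == "__main__":
    import sys
    # Assumption: the example FQDN from the post unless one is given
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "sponsor.mycompany.com"
    print(fqdn, "-> permit TCP", ports_to_permit(fqdn))
```

If the result includes 443, either permit it alongside 8443 or hand reception the explicit `:8443` URL so that 8443 alone is enough.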


2 Replies

Sri Harsha Dasari
Spotlight

You can have all the users who create accounts in an AD group, then have restricted access to that AD group. You can customize which menus users can see and what functions they can do under Administration -- System -- Admin Access -- Authorization (here, create a specific policy for a group).
Now, under Administrators -- Admin Groups -- pick the policy you created and add the AD group to this policy.

Thanks, Sri.
