cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1509
Views
0
Helpful
10
Replies

ISE 1.3 Identity Group

Leoni Wartung
Level 1
Level 1

Hello,

 

in the old ISE 1.2 my guest users (created by the sponors portal) where put into a own created identity group called RU2_id_grp.

How can I realize this on ISE 1.3. In ISE 1.3 the users fall always into the GuestType_Group which was created by the ISE.

I need the sepearete groups for my authorization policy.

 


Regards

filip

10 Replies 10

Charlie Moreton
Cisco Employee
Cisco Employee

Leoni,

These settings are found by going to Guest Access > Configure.  Select Sponsor Portals and choose the Sponsor Portal in which you are working.  Click Portal Page Customization

Once there, select your Guest Type.  I chose Create Account for Known Guests.  Then choose Settings over the preview image.  From here select Allow sponsor to tag accounts as belonging to a group.  Of course, you must ensure the group exists (Administration > Identity Management > Groups)

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Hello charles,

thanks for your reply.

Okay I found this option. In this configuration the sponsor user must set the group tag always manually. I'd like to have a automatic solution.

What I'd like to have is my old ISE 1.2 configuration.

In our company we have several locations with different sponsors. If a sponsor create a user, the created user should have access to the guest portal only on his location (the right location).

We do not want is that a created user is able to use the guest access on a other plant.

In ISE 1.2 we used for this Identity groups like LAS_id_grp or MLB_id_grp.

Is there a solution?

OK, then DESELECT the option above and do this:

Navigate to Guest Access > Settings > Guest Locations and SSIDs.  Enter the locations to which your sponsors will assign guests:

Remember to Save.

Now to Guest Access > Configure > Sponsor Groups.  Click Create:

Once you place your cursor in the text box for Select the locations that guests will be visiting, you will see the locations you created in the last step.

Now assign the User Group to be associated with this Sponsor Group by clicking the Members... button:

Click OK, then Save.

This should do it for you.

 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

 

Hello,

thanks for your assistance.

 

I configured the ISE like you told me. But my guest user go into the wrong Identity Group. The screenshots are attached.

 

 

Regards

filip

Try to create the Guest Type that matches your need and add that to the Sponsor Group Permissions:

Yes this will work for me.

But unfortunately we are using two time profiles for our sponsors in the company. One profile for a guest access about 12 hours and the 2nd profile about 1 week. In this solution we have to create for each plant (we have around 40) two guest types?

 

Regards

filip

You should be able to create a total of 2 guest types.  This, along with the Location, SHOULD fit your needs.

 

You may have to tweak your policies, though

Well, okay then I have to tweak my policies. But how. What I'd like to have is:

Different locations with different sponsor users. And If sponsor A from location A creates a user the user should just have access on location A and not on location B.

In my current configuration it doens't which sponsor creates the user. The guest user have access to the wifi network on all locations.

 

Regards

filip

Leoni,

 

I tried to create the scenario that you want and couldn't.  So I reached out to the Business Unit for ISE and here is the response:

What I see is that you would create different sponsor groups.  Different groups can create different guest types and then base authz policies off these guest types?

Which seems to be the best option for your needs.

Hello charles,

 

what we like to do is that:

We have serveral locations. On this locations we have some users which have access to the sponsors portal.

We want that only sponsors on a location (e.g. location A) can create users for location A. The created user guest accounts should only be able to login on the wireless controller on location A.

 

In my current configuration I can create users on different plants but the users can use their account on all locations.

In my old ISE 1.2 configurtion I used for that own created identity groups. And I created a authorization policy which asked in which identity group the user is.

If I create different Guest Types I can match them in the policy. But this is a bad configuration for us because we will provide each location 2 different guest types.

 

Regards

filip