Beginner

ISE 2.2 - Guest Approval & Deny Link Settings - Validation of Person being visited

Dear all,

Does anyone know what kind of restrictions can be placed on a Self-Registration guest portal running on ISE 2.2 in a way that utilizes the "SimpleClick" (tokenized) feature and validates the "Person being visited" mail address?

In the scenario where a visitor enters the self-registration portal, it is mandatory to enter the "Person being visited" mail address, who then receives an e-mail from ISE with Approve/Deny links. I'm seeking an option where ISE validates that it is really a "valid" mail address.

I've seen something in ISE 2.3 and 2.4 here:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01111.pdf

- at the top of page 29 it is noted: "Considerations,... If you chose person being visited, the contents of that field, which are provided by the self-registering guest, must be the email address of a sponsor....When the user clicks the Register button, ISE verifies that the person being visited is a valid sponsor, and has an email address. If ISE can't find an email address for that sponsor in the identity source, then ISE displays an error message, and self-registration fails."

Can I configure this in ISE 2.2, and is it possible to check one additional attribute in AD on the sponsor objects?

I can't imagine how this can work, because with SimpleClick we are talking just about a tokenized link: whoever clicks on it, the guest account is created. Therefore the "validation" process must be in the step where the visitor is doing self-registration: once he enters the "Person being visited" mail address and clicks on "Register", ISE should evaluate whether the entered sponsor mail address is eligible to receive the approval mail or not, and if not, trigger an error message to the visitor.

Is there such a mechanism in place?

Hope the question is clear :-/

Thank you

Martin


3 REPLIES

Cisco Employee (accepted solution)

Re: ISE 2.2 - Guest Approval

There is no way to validate (look up a sponsor) outside of what is built in.

If the guest enters an email address of a valid sponsor that has access to a sponsor group:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01110.html#task_98E4813C8CB74908A03296F088FC98B5

Step 9

Approve and view requests from self-registering guests: Sponsors who are included in this Sponsor Group can either view all pending account requests from self-registering guests (that require approval), or only the requests where the user entered the Sponsor's email address as the person being visited. This feature requires that the portal used by the Self-registering guest has "Require self-registered guests to be approved" checked, and the Sponsor's email is listed as the person to contact.

- Any pending accounts: A sponsor belonging to this group can approve and review accounts that were created by any sponsor.

- Only pending accounts assigned to this sponsor: A sponsor belonging to this group can only view and approve accounts that they created.

What is your concern?


Some other references
https://community.cisco.com/t5/security-documents/ise-single-click-sponsor-approval-faq/ta-p/3637016
https://community.cisco.com/t5/identity-services-engine-ise/ise-2-2-single-click-sponsor-approval-with-email-alias/td-p/3530803


Beginner

Re: ISE 2.2 - Guest Approval

Hi Jason,

What I'm trying to achieve comes from the fact that our ISE is being used globally; however, for guest self-registration a couple of our countries have concerns about misuse of guest creation and would rather live without self-registration than have it, whereas other countries welcome it very much. But the system is global and I cannot define that self-registration is available in country X but not in country Y.

From a network point of view, ISE runs in a regional datacenter, and therefore access to the portal is open to anyone connected to the global guest wireless network, so here I have no chance to block access.

Also, we want to keep the "SimpleClick" option in place, therefore authentication to ISE by the sponsor (person being visited) is also a no-go.

The other way to achieve it is the fact that the visitor has to enter "Person being visited", and some kind of validation in the background would be very nice and useful. There is also the fact that the user can enter whatever e-mail address and ISE sends the approval mail to it (it can be gmail, yahoo, ...), and I would have to restrict this on the Exchange side, where I would expect this won't be possible.

Therefore it looks to me that with SimpleClick there is no real control over who is defined as "Person being visited", as it can even be a personal mail address, and there is no further option to validate "approvals".

Is that a correct assumption?

Thank you

Martin

Cisco Employee (accepted solution)

Re: ISE 2.2 - Guest Approval

If a guest enters the wrong email address then it will simply be lost and the guest will not have access.

To restrict entry to a certain domain, there is an example on how to do that:
Http://cs.co/ise-community > deploy > guest and web auth page

On that page, under customization, look for the self-registration page options.
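As an added example (not code from this thread, from Cisco, or from the ISE community customization page the reply points to), this is the kind of domain allow-list check the reply refers to, written as JavaScript that could be placed in the self-registration page's optional-content customization. The field id `ui_person_visited` and the domain list are assumptions; the real id has to be read from the rendered HTML of your own portal. It is a client-side check, so it only guards against typos and personal addresses entered by a cooperative guest; the sponsor-group setting "Only pending accounts assigned to this sponsor" and the sponsor's own approval remain the actual control.

```javascript
// Added example, not Cisco's or the ISE community's own code.
// Allow-list check for the "Person being visited" e-mail field on an ISE
// self-registration portal. ALLOWED_SPONSOR_DOMAINS holds constructed
// sample values; replace them with your sponsor domains.
const ALLOWED_SPONSOR_DOMAINS = ['example.com', 'corp.example.com'];

// Return true only when the address has exactly one "@", a non-empty local
// part and domain, no embedded whitespace, and a domain that matches the
// allow-list exactly (case-insensitive). Exact matching matters: a
// suffix/substring test would accept "example.com.attacker.test".
function isAllowedSponsorEmail(email, allowedDomains = ALLOWED_SPONSOR_DOMAINS) {
  if (typeof email !== 'string') return false;
  const trimmed = email.trim();
  if (/\s/.test(trimmed)) return false;
  const parts = trimmed.split('@');
  if (parts.length !== 2) return false;           // rejects "a@b@c" and missing "@"
  const [local, domain] = parts;
  if (local.length === 0 || domain.length === 0) return false;
  const d = domain.toLowerCase();
  return allowedDomains.some((allowed) => d === allowed.toLowerCase());
}

// Message shown to the guest when the check fails; null when it passes.
function sponsorEmailError(email) {
  if (isAllowedSponsorEmail(email)) return null;
  return 'The "Person being visited" must be a company e-mail address (' +
    ALLOWED_SPONSOR_DOMAINS.join(', ') + ').';
}

// Browser hook: runs only inside the portal page. The element id is an
// ASSUMED placeholder; take the real one from the portal's rendered HTML.
if (typeof document !== 'undefined') {
  const field = document.getElementById('ui_person_visited'); // ASSUMED id
  const form = field && field.form;
  if (form) {
    form.addEventListener('submit', function (evt) {
      const msg = sponsorEmailError(field.value);
      if (msg) {
        evt.preventDefault(); // stop the Register submission
        alert(msg);
      }
    });
  }
}
```

Because the check runs in the guest's browser, treat it as a usability filter: it reduces approval mails sent to gmail or yahoo addresses by mistake, but it cannot replace the server-side sponsor lookup that the thread notes only arrived with ISE 2.3 and later.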