ISE 2.3 - Guest approval per Site

robbyde0100
Level 1

Hello,

 

We have a single ISE guest portal where a user can register themselves and an email goes to IT and it gets approved (or not).  This portal is used on all our sites across the globe.

 

The problem is we have a lot of sites and time zone issues where IT aren't always available to approve emails.

 

We're looking at sponsors at each site approving users via the portal (or the sponsor creating users via the portal) but ideally it would be nice if a sponsor of a site could receive an email, i.e. if the guest fills out the self registration form then specifies the site then the sponsor at this site will get an email.

 

Is this possible?

 

Thanks

 


Surendra
Cisco Employee
There is an enhancement request filed already CSCvn18600. Currently there is no provision on ISE to do this.

paul
Level 10

There is no need for the guest to fill out the site information. You know what site the guest is at by the AP they are connected to.  On your WLCs if you go to the RADIUS authentication section you will see the RADIUS Called Station ID field.  Change it from AP MAC:SSID to AP Name:SSID.  Then you have to create multiple copies of your guest portal.  Each portal would send the request to the correct sponsor distribution list.  For example, doing a region-based model:

 

  1. Guest Portal North America
  2. Guest Portal EMEA
  3. Guest Portal LATAM
  4. Guest Portal APAC

All four portals are identical except the email the guest request is sent to.  Then your redirect rules at the bottom of your guest SSID policy set would say:

 

  1. If RADIUS called station ID contains string for AP in North America then redirect to Guest Portal North America.
  2. If RADIUS called station ID contains string for AP in EMEA then redirect to Guest Portal EMEA.
  3. If RADIUS called station ID contains string for AP in LATAM then redirect to Guest Portal LATAM.
  4. If RADIUS called station ID contains string for AP in APAC then redirect to Guest Portal APAC.

Now if you are trying to break this into 100s of sites this may not work too well.  I have done this for several customers and it works perfectly.  Just make sure you have all your guest portal customization done before you start duplicating the portal.

 

I don't think there is a way for ISE to do this based on location codes.  You can define guest locations in ISE and have that be presented as options during registration, but I don't think you can send different approval emails based on that location field.  You could maybe investigate the email server parsing out that location field and routing the request correctly.  
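An added example, not part of the original thread and not Cisco tooling: a dry run of the region redirect rules described above, checking an AP inventory for Called-Station-ID values that no "contains" rule matches, that more than one rule matches, or that still carry the AP MAC. The rule strings, AP names and first-match evaluation order are assumptions made for illustration.

```python
import re

# Constructed rule strings and AP names (hypothetical naming scheme, not from the post).
RULES = [  # modelled as top-down, first match wins
    ("NA-", "Guest Portal North America"),
    ("EMEA-", "Guest Portal EMEA"),
    ("LATAM-", "Guest Portal LATAM"),
    ("APAC-", "Guest Portal APAC"),
]
MAC = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def split_called_station_id(value):
    """Split 'AP Name:SSID' at the last colon; reject the 'AP MAC:SSID' form."""
    ap, sep, ssid = value.rpartition(":")
    if not sep or not ap or not ssid:
        raise ValueError("not in AP:SSID form")
    if MAC.fullmatch(ap):
        raise ValueError("carries an AP MAC, not an AP name")
    return ap, ssid


def matching_portals(value):
    """Every portal whose rule string is contained in the Called-Station-ID."""
    return [portal for needle, portal in RULES if needle in value]


def select_portal(value):
    """Portal chosen by the first matching rule, or None if no rule matches."""
    hits = matching_portals(value)
    return hits[0] if hits else None


def audit(values):
    """Map each problematic Called-Station-ID to the reason it needs attention."""
    problems = {}
    for value in values:
        try:
            split_called_station_id(value)
        except ValueError as exc:
            problems[value] = str(exc)
            continue
        hits = matching_portals(value)
        if len(hits) != 1:
            problems[value] = "ambiguous: " + ", ".join(hits) if hits else "no rule matches"
    return problems


SAMPLE = ["NA-NYC-AP01:Guest", "EMEA-LON-AP03:Guest", "APAC-CHINA-AP07:Guest",
          "HQ-LOBBY-AP01:Guest", "00-1A-2B-3C-4D-5E:Guest"]

if __name__ == "__main__":
    for value, reason in audit(SAMPLE).items():
        print(f"{value}: {reason}")
```

In the constructed sample, `APAC-CHINA-AP07` contains both `NA-` and `APAC-`, so a first-match rule set would send that guest's approval request to the North America sponsors; anchoring rule strings to a delimiter or a unique site code avoids this.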

Thanks for the response, this was really helpful. I'll try the sponsor list drop down and if that doesn't work for us then this is definitely the option I'll go for.

Jason Kunst
Cisco Employee
Not sure what is keeping you from doing this today?

Why couldn’t they simply just enter the local site sponsor address?

If this is too cumbersome then perhaps you use the choose sponsor from list on this page?

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId-1898236740

If this is not specific enough then you could make a guest portal per site and make the list of sponsors unique to each site.

If you don’t like that and it’s only a specific group of sponsors then each portal could have just a simple email for approval?

Please see https://community.cisco.com/t5/security-documents/ise-single-click-sponsor-approval-faq/ta-p/3637016

This is exactly what I need, I didn’t realise I could do a drop down (I'm really new to ISE and my manager hasn’t ponied up for training yet). I'll give it a go.

Thanks very much.