ISE 2.3 Sponsor Portal Control

It seems an easy thing but I haven't been able to accomplish our objective:
We created 2 Guest-Portals and 2 Sponsor-Portals, each one will be managed by 2 different administrators, of course each one is associated to 2 different SSIDs. Everything is fine but:

We want specific users (locally configured) to be able to login ONLY to sponsor portal 1. Those same users should NOT be able to login to sponsor portal 2. And vice versa. We need independency between those Sponsors, and they should only manage accounts for their SSID.
We can only see Identity Source Sequence options, but nothing can be customized. It seems that any local user configured on ISE can access all Sponsor Portals.

Besides, any GUEST user created by Sponsor 1, can authenticate on Portal2!!
Portals have "authentication method", but as I said, the only options available are InternalUsers, and it refers to ALL of them; we would like to control this.
Thanks!!!

3 Replies

ajc
Level 7

The Guest DB on ISE is just one, and the only parameter that could help you is the Guest Type. That means when you access the sponsor portal with specific AD credentials, you are allowed to create a certain type of Guest account. Once that Guest Account is created, then you can force those Guest Types to connect only to the specific SSID. Below is what I am talking about.
IMPORTANT: Those 2 administrators CANNOT be part of the same AD Group used in the Sponsor Group configuration.

[Attached screenshots: guest2.png, GUEST3.png, GUEST4.png, GUEST1.png]

Hi Abraham, thank you so much for that detailed explanation.

Would you believe me if I told you that I had already done exactly what you have mentioned?

And, indeed, Sponsor1 can only create users of Guest-type 1 (I created a custom guest-type) and Sponsor2 can only create users of Guest-type 2.  I also created a customized Endpoint Group, different from GuestEndpoints, and I can see each machine falls into the corresponding group.
The problem is that Sponsor1 can login to Sponsor-Portal2 with his credentials, and vice versa. And when Sponsor1 creates an account of Guest-type 1, that account authenticates on SSID 2! (I block them afterwards with an Authorization Rule, the same that you mentioned, but authentication is successful, since ISE looks for the GuestUsers database, and I think that's a common database for all Sponsor-Portals.)
I don't think there's an option like a ruleset to control Sponsor Authentication, nor a way to control Guest Authentication on each GuestPortal. (Authorization Rules can block them afterwards, but the user will see a successful authentication message.)
Thanks anyway.

Hi Fabio,
In the majority of the cases the authentication always passes no matter what guest type you are because the Guest DB is the same for all the Guest accounts, the KEY control point is the authorization part where you can build/customize the policies that would allow network access as you mentioned.
I checked if something else can be done at the authc (authentication) level to avoid guest2 connecting to guest1SSID but I could not find anything.
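The control point both replies describe (a single shared Guest DB at authentication, separation enforced only at authorization by guest type and SSID) can be modelled and audited with a short script. The following is an added example and not code from the thread, from Cisco or from ISE; the guest-type names, the SSID names and the log line format are constructed placeholders, not ISE's real configuration or syslog layout. It shows why "Guest-type 1 on SSID 2" passes authentication but is denied at authorization, and how a defender could flag such cross-portal sign-ins from exported logs instead of relying on the user-visible success message.

```python
import re
from dataclasses import dataclass

# Assumed guest-type -> permitted SSID mapping (hypothetical names, not from the thread's config).
ALLOWED_SSID = {"GuestType1": "SSID1", "GuestType2": "SSID2"}


@dataclass(frozen=True)
class GuestSession:
    username: str
    guest_type: str   # guest type set by the sponsor who created the account
    ssid: str         # SSID the client associated to (suffix of Called-Station-ID)


def authenticate(session: GuestSession, guest_db: set) -> bool:
    """Authentication against the single shared Guest DB: any valid guest account
    passes, no matter which sponsor portal created it or which SSID it is on."""
    return session.username in guest_db


def authorize(session: GuestSession) -> bool:
    """Authorization rule: permit only when the guest type matches the SSID."""
    return ALLOWED_SSID.get(session.guest_type) == session.ssid


def evaluate(session: GuestSession, guest_db: set) -> str:
    """Run authc then authz, the way the replies describe ISE ordering them."""
    if not authenticate(session, guest_db):
        return "AUTHC_FAIL"
    return "PERMIT" if authorize(session) else "AUTHZ_DENY"


# Constructed sample log in a simplified, made-up format (not ISE's real syslog layout).
SAMPLE_LOG = """\
Passed-Authentication UserName=alice GuestType=GuestType1 Called-Station-ID=00-11-22-33-44-55:SSID1
Passed-Authentication UserName=bob GuestType=GuestType1 Called-Station-ID=00-11-22-33-44-66:SSID2
Passed-Authentication UserName=carol GuestType=GuestType2 Called-Station-ID=00-11-22-33-44-66:SSID2
Failed-Authentication UserName=mallory Called-Station-ID=00-11-22-33-44-66:SSID2
"""

LOG_RE = re.compile(
    r"Passed-Authentication UserName=(\S+) GuestType=(\S+) Called-Station-ID=\S+:(\S+)"
)


def find_cross_portal_attempts(log_text: str) -> list:
    """Return usernames that passed authentication on an SSID their guest type
    is not permitted on; these are the sessions authorization must deny."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # failed authentications never reach authorization
        user, gtype, ssid = m.groups()
        if ALLOWED_SSID.get(gtype) != ssid:
            hits.append(user)
    return hits


if __name__ == "__main__":
    guest_db = {"alice", "bob", "carol"}
    # Guest-type 1 account on SSID 2: authentication succeeds, authorization denies.
    print(evaluate(GuestSession("bob", "GuestType1", "SSID2"), guest_db))
    print("cross-portal sign-ins:", find_cross_portal_attempts(SAMPLE_LOG))
```

The audit function deliberately keys on the guest type rather than on which portal created the account, because, as the thread notes, the portal is not recorded as a separate authentication boundary; the guest type is the only attribute that survives into the session.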