Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
421
Views
0
Helpful
2
Replies

ISE Guest Access email Approval from outside the network

zsmithtek
Level 1
Level 1

‎11-15-2023 07:46 AM

Just curious if anyone has done this.  I have the way I think it needs to be configured.  Curious if someone has a different idea.

I currently have a guest network setup which sends an email approval to a sponsor.  They click the approve link in the email and login to the portal and the account is approved and immediately gets network access.  No problem.

Now I want to be able to approve these requests if i'm outside of the network.  Say i'm at home and i get an approval email.  I want to click approve and be able to do this off-net / no vpn.  

My idea is to ensure the sponsor portal is publicly resolvable and setup a NAT translation for the public IP to the private IP.  This IP won't be Gig0 on the ISE server.  I'll setup another nic and NAT to this IP for the sponsor portal.  Allow access from external ANY IP to the destination IP on the specified TCP port for the sponsor portal.  I should then get the portal to load and be able to login as I would if on-net.

Thoughts?  Variations?  

Thanks for your time.

0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎11-15-2023 09:11 AM

When you sending email and approval URL should be FQDN and reachable to Public side to work as expected.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Arne Bier
VIP
VIP

‎11-15-2023 10:16 PM

It might work, but do you really want your Sponsor Portal to be accessible from anywhere on the internet?  How do you prevent anyone on the internet from accessing this, unless you also configure a Policy to restrict to valid source IP addresses ?

The email contains a pre-formatter URL that is a concatenation of the FQDN and the TCP port on which the Sponsor Portal runs - so the embedded URL in the email looks something like this https://sponsor.mycompany.com:8445/sponsorportal/portalsetup.action?portal=4324234324-3465656-4634545-45435345&oneclickaction-approve

The trick will be to have a public DNS entry for sponsor.mycompany.com that points to your FW, and then the FW will have to NAT that request to the real sponsor portal IP:8445 

 

0 Helpful
Customers Also Viewed These Support Documents