ISE Guest Access email Approval from outside the network

zsmithtek
Level 1

Just curious if anyone has done this.  I have the way I think it needs to be configured.  Curious if someone has a different idea.

I currently have a guest network setup which sends an email approval to a sponsor.  They click the approve link in the email and login to the portal and the account is approved and immediately gets network access.  No problem.

Now I want to be able to approve these requests if I'm outside of the network. Say I'm at home and I get an approval email. I want to click approve and be able to do this off-net / no VPN.

My idea is to ensure the sponsor portal is publicly resolvable and set up a NAT translation for the public IP to the private IP. This IP won't be Gig0 on the ISE server. I'll set up another NIC and NAT to this IP for the sponsor portal. Allow access from external ANY IP to the destination IP on the specified TCP port for the sponsor portal. I should then get the portal to load and be able to log in as I would if on-net.

Thoughts? Variations?

Thanks for your time.

2 Replies

balaji.bandi
Hall of Fame

When you send the email, the approval URL should be an FQDN and reachable from the public side to work as expected.

BB

Arne Bier
VIP

It might work, but do you really want your Sponsor Portal to be accessible from anywhere on the internet? How do you prevent anyone on the internet from accessing this, unless you also configure a Policy to restrict to valid source IP addresses?

The email contains a pre-formatted URL that is a concatenation of the FQDN and the TCP port on which the Sponsor Portal runs, so the embedded URL in the email looks something like this: https://sponsor.mycompany.com:8445/sponsorportal/portalsetup.action?portal=4324234324-3465656-4634545-45435345&oneclickaction-approve

The trick will be to have a public DNS entry for sponsor.mycompany.com that points to your FW, and then the FW will have to NAT that request to the real sponsor portal IP:8445