
ISE Guest Self-Registration and different guest type based on email domain

Mats Nilson
Level 1

Hi fellow Guest portal builders.

In the registration form part of the Self-registration guest portal you can allow or restrict guest users based on email address suffix. I want to allow different access based on the email of the client.

Example - if the guest user has an email address of "userxxx@company-X.com", these clients will be given access with guest type=contractor and default one month access, but any other user mail address is limited to guest-type=daily and 8 hours.

Is it manageable in the portal or do I have to find other ways of restricting/allowing access based on the guest's email address?

Accepted Solutions

Jason Kunst
Cisco Employee
You would have to set up different portals for this and restrict email address on each portal.

For example, use the "link one portal to another portal" code:

https://community.cisco.com/t5/identity-services-engine-ise/linking-one-guest-portal-to-another-guest-portal/td-p/3467537

Have one portal where they choose the type of guest they are, and that links to another portal that would restrict what emails they put in. Keep in mind multiple redirects with guest might be problematic using the Apple mini browser, aka Captive Network Assistant.

Or require everyone to be the same level, and if someone needs longer access then use the sponsor portal to create an account.

Or have the sponsor change access after they get the account.

Another feature request you could ask your sales team for would be to allow the sponsor to choose the type of account when they approve the account using self-registration with approval flow.

Hi Jason.

Thanks, I suspected as much, but I'd rather use one single portal.

The only possible solution is then to use the primary portal open for everyone, and the secondary restricted to "companyZ.com". If they are denied access to the primary portal they aren't able to access the secondary either...

Sincere Regards

/Mats

paul
Level 10

Are you doing any approval of the self-registration or just granting access based on whatever they type in? I rarely if ever do straight-up self-registration, because what's the point? They can type in garbage and get access. If you are doing self-registration with sponsor approval, then you can allow general domain users to single-click approve accounts into the 1 day of access guest type (the whole 8 hour concept doesn't really work with the new guest setup). Then you can allow a certain set of sponsors to change the guest type to month-long guests.

Hi Paul.

Well, due to security considerations the ISE for the guest authorization isn't allowed to have AD connectivity. Instead I would require the guest users to have a valid email address, and not before they log in with the proper credentials are they allowed access.
Having sponsors authorizing the users isn't an option.

Regards
/Mats

Understood, but you must be aware of the chicken-and-egg problem you are forcing on the guest users. You are requiring them to register with a valid email address to get Internet access. They need to get their credentials from the registered email. They need Internet access to get their email.... Okay, now we are stuck. Granted, users with smart phones and cellular signal aren't a problem, but I am assuming you are going to have guests on laptops. You could enable SMS paging of credentials as well, but then you really aren't validating the email the guest input during self-registration.






Adrienled
Level 1

Hi,

I know this is an old post but I'd like to know if with version 3 of ISE there is a feature to do this without doing different portals?

If not I will try using script and API
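
A script-based approach like the one raised in the last post needs a domain check that a lookalike domain cannot satisfy. The following is an added example, not code from the thread or from Cisco: it makes the exact-match domain decision for the guest types named in the question, makes no ISE API calls, and its function names are hypothetical.

```python
import re

# Domain and guest-type names follow the question above (lower-cased for matching).
DOMAIN_GUEST_TYPE = {"company-x.com": "contractor"}
DEFAULT_GUEST_TYPE = "daily"

# Conservative syntax: one local part, then dot-separated letter/digit/hyphen labels.
_LOCAL = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]{1,64}")
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def email_domain(address):
    """Return the lower-cased domain, or None if this is not a plain mailbox."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    domain = domain.lower()
    if domain.endswith("."):  # tolerate a fully qualified trailing dot
        domain = domain[:-1]
    labels = domain.split(".")
    if not _LOCAL.fullmatch(local) or len(labels) < 2:
        return None
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return domain


def guest_type_for(address):
    """Exact-match the domain; unparseable input is rejected, not defaulted."""
    domain = email_domain(address)
    if domain is None:
        return None
    return DOMAIN_GUEST_TYPE.get(domain, DEFAULT_GUEST_TYPE)


def naive_guest_type_for(address):
    """Plain suffix comparison, kept only to contrast with the exact match."""
    hit = address.lower().endswith("company-x.com")
    return "contractor" if hit else DEFAULT_GUEST_TYPE


# Constructed sample addresses, not taken from any real system.
SAMPLES = ["userxxx@company-X.com", "visitor@example.org",
           "userxxx@notcompany-x.com", "a@b@company-x.com"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:28} strict={guest_type_for(s)} naive={naive_guest_type_for(s)}")
```

The result is only as trustworthy as the address itself: as noted earlier in the thread, a self-registered address that is never verified can be anything the guest types in.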

 
