Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2123
Views
0
Helpful
11
Replies

ISE guest sponsor portal, restrict email address domain for the guest

Go to solution
dongill
Level 1
Level 1

‎10-31-2018 03:07 PM - edited ‎02-21-2020 11:02 AM

Hi, very helpful post!

 

Is it possible to do this email validation for “Known Guest” account creation in the sponsor portal (and can it be applied to the form and bulk upload?)

 

we have a need to prevent sponsors creating guest accounts with their corporate email addresses (sometimes, despite guidance the users can’t be trusted ;-) )

 

...any help/guidance is appreciated!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to dongill

‎11-01-2018 12:19 PM

Replied inline


Our users are creating sponsored guest accounts for themselves and others with their corporate email address, despite information and notices. I'd like to validate the input to prevent the form submission unless they enter a non-corporate email address; much like the self resgitration guest portal.

JAK > it doesn’t sound like they are creating any account for guests? Why not just restrict them from using the sponsor portal altogether? You can enable them to use the guest portal themselves using their AD credentials and have them access the internet just like a guest.



It's relevant because we're also planning on utilising the guest portal this applies to for corporate BYOD onboarding, whereby employees can log into the guest portal with their corpoprate email [AD creds or similar] and then be provisioned and onboarded to an employee BYOD network.

JAK > this has nothing to do with the BYOD flow. The sponsor portal is not utilized for this.

I've had a dig around the sponsor portal page elements after watching your videos and reading through the various guides, but as a complete portal / javascript novice I'm looking for some pointers on how it can be acheived.

JAK > will investigate if still needed.

CSV upload is not too much of a problem for our situation as the sponsor groups that have this ablity are lets say, more trusted to do it properly!

View solution in original post

0 Helpful
11 Replies 11

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎11-01-2018 10:25 AM

 

 

So basically you want to restrict your sponsors from mistakenly entering their own email address as the guest users?

 

It might be possible for the page but not sure if that can be done with the import of a CSV.

0 Helpful

Go to solution
dongill
Level 1
Level 1
In response to Jason Kunst

‎11-01-2018 10:56 AM

yes, thats right Jason. Thanks for the quick reply!

 

Our users are creating sponsored guest accounts for themselves and others with their corporate email address, despite information and notices. I'd like to validate the input to prevent the form submission unless they enter a non-corporate email address; much like the self resgitration guest portal.

 

It's relevant because we're also planning on utilising the guest portal this applies to for corporate BYOD onboarding, whereby employees can log into the guest portal with their corpoprate email [AD creds or similar] and then be provisioned and onboarded to an employee BYOD network.

 

I've had a dig around the sponsor portal page elements after watching your videos and reading through the various guides, but as a complete portal / javascript novice I'm looking for some pointers on how it can be acheived.

 

CSV upload is not too much of a problem for our situation as the sponsor groups that have this ablity are lets say, more trusted to do it properly!

 

thanks

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to dongill

‎11-01-2018 12:19 PM

Replied inline


Our users are creating sponsored guest accounts for themselves and others with their corporate email address, despite information and notices. I'd like to validate the input to prevent the form submission unless they enter a non-corporate email address; much like the self resgitration guest portal.

JAK > it doesn’t sound like they are creating any account for guests? Why not just restrict them from using the sponsor portal altogether? You can enable them to use the guest portal themselves using their AD credentials and have them access the internet just like a guest.



It's relevant because we're also planning on utilising the guest portal this applies to for corporate BYOD onboarding, whereby employees can log into the guest portal with their corpoprate email [AD creds or similar] and then be provisioned and onboarded to an employee BYOD network.

JAK > this has nothing to do with the BYOD flow. The sponsor portal is not utilized for this.

I've had a dig around the sponsor portal page elements after watching your videos and reading through the various guides, but as a complete portal / javascript novice I'm looking for some pointers on how it can be acheived.

JAK > will investigate if still needed.

CSV upload is not too much of a problem for our situation as the sponsor groups that have this ablity are lets say, more trusted to do it properly!
0 Helpful

Go to solution
dongill
Level 1
Level 1
In response to Jason Kunst

‎11-01-2018 12:38 PM

I thought you may come back with those points...

 

JAK > it doesn’t sound like they are creating any account for guests? Why not just restrict them from using the sponsor portal altogether? You can enable them to use the guest portal themselves using their AD credentials and have them access the internet just like a guest.

 

DG >> the business has a scenario where 3rd party contractors are given corporate email addresses for use with applications, and it is this that is causing confusion. The same contractors use a guest network for their own devices to access the internert, but not our internal systems.  

Their sponsors are business users [non IT], and it seems there is no amount of sponsor user guidance /notices that will stop them from making this email mistake. The sponsors still need the ability to create guest accounts for their visitors, and also the said contractors but not use the guest portal themselves.

 

 

JAK > this has nothing to do with the BYOD flow. The sponsor portal is not utilized for this.

 

DG >> Indeed - the reason it is relevant is due to the Identity Store used for user auth on the portal log in page. Our plan was to use the same Guest portal for both Guest and Corp BYOD onboarding - the coporate user would connect to the Guest SSID, redirect to portal, log in with their corporate email address and then go through provisioning flow [as per some of the Cisco byod guides].

 

 

AK > will investigate if still needed.

 

DG >> if you could, that would be most helpful! [I've managed to make some nice tweaks already, such as the removal of the unused buttons etc :-) but this one is proving a little more challenging].

 

thanks

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to dongill

‎11-01-2018 12:44 PM

I will look at seeing if we can get a script

DG >> Indeed - the reason it is relevant is due to the Identity Store used for user auth on the portal log in page. Our plan was to use the same Guest portal for both Guest and Corp BYOD onboarding - the coporate user would connect to the Guest SSID, redirect to portal, log in with their corporate email address and then go through provisioning flow [as per some of the Cisco byod guides].

JAK > again nothing to do with guest accounts or sponsor portal. BYOD dual SSID uses the users internal AD account
0 Helpful

Go to solution
dongill
Level 1
Level 1
In response to Jason Kunst

‎11-01-2018 01:10 PM

Great, thanks a lot - hopefully it's possible and not too tricky.

Re AD account - sorry I probably wasnt clear. For dual SSID, I was under the impression that if the users AD UPN was the same as their email address, and one existed in AD and their was also an ISE Internal guest account with the same name [email address], when logging into the guest portal for the first time this would cause a conflict [both AD and Internal Users in the ID Store sequence]? Hence the need to prevenet the creation of ISE internal guest accounts with corporate email address. Or am I tottally off the mark here?

thanks
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to dongill

‎11-01-2018 02:03 PM

OK I understand could be a problem I’ve never tried it. User should just login with their username

If you going to use the my devices portal then you’ll probably want to go test it out as well
0 Helpful

Go to solution
dongill
Level 1
Level 1
In response to Jason Kunst

‎11-05-2018 03:17 AM

Hi Jason - did you manage to look into getting a script?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to dongill

‎11-05-2018 11:48 AM - edited ‎11-20-2018 10:45 AM

hoping to have an update shortly sorry for the wait

0 Helpful

Go to solution
dongill
Level 1
Level 1
In response to Jason Kunst

‎11-20-2018 03:37 PM

No problem at all! thanks for the update / appreciate the help!

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to dongill

‎11-26-2018 12:21 PM

please check out the option here. if you have any more questions open a new thread

https://community.cisco.com/t5/security-documents/ise-sponsor-portal-create-known-accounts-page-customization/ta-p/3636414#toc-hId--1080596999

0 Helpful
Customers Also Viewed These Support Documents