MattPS
Cisco Employee

ISE Single Click Approval

Hello Experts,

After an extended discussion with one of our customers about guest access with ISE, and exploring a number of guest registration options, it seemed that self-registration with sponsor approval would be the way to go for them.

However, we would like to clarify one thing before going further.

My understanding is, ISE needs access to AD/LDAP on the network (to check sponsor e-mail credentials, this bit is obvious) before sending out the approval e-mail(s)… the question is, does the approver have to be on the corporate network (or VPN) to approve the request?

I believe so, as the link in the e-mail leads to the ISE node… is this correct? And if so, is there any way around this?

The customer would like to be able to approve or deny requests even when they are not on the corporate network/VPN.

Thank you very much in advance!

Kind Regards,
Matt

1 ACCEPTED SOLUTION

Accepted Solutions
paul
Advocate

The approve/deny links are encoded with the sponsor's email address and a link to the sponsor portal matched by the Guest Portal. At the time the sponsor clicks the encoded approve/deny link, a call is made to the sponsor portal running on the PSN referenced in the URL.

Normally the sponsor link would be the FQDN of the PSN that was matched by the guest portal.  You can override that by setting up the FQDNs for the sponsor portals.  If those FQDNs are resolvable externally and the portal is accessible externally you could in theory allow approval from anywhere.

I am not saying I would do this but you could do something like this (theory crafting here):

  1. Have two PSNs that you are going to run the guest portal/sponsor portal on. Ensure the WLCs only use these two PSNs for the Guest SSID.
  2. Have second interfaces on those PSNs attached to a DMZ.
  3. Allow 8443 for guest and 8445 for sponsor portal access into those PSNs.
  4. Set up certs and DNS records to support guest1.mycompany.com, guest2.mycompany.com, sponsor1.mycompany.com, sponsor2.mycompany.com. You technically don't need two sponsor names but I like to keep things consistent.
  5. Set up two sponsor portals on 8445, one with FQDN of sponsor1.mycompany.com and one with sponsor2.mycompany.com.
  6. Set up two guest portals on 8443, one that maps only to Sponsor1 and one that is only mapped to Sponsor2. You control the mapping in the sponsor approval section. It is a hidden (collapsed) field but you can specify exactly what sponsor portals the guest portal maps to. The guest portals are identical in every other way.
  7. Write rules and results to say that if PSN #1 authenticated the guest then use guest portal #1, and if PSN #2 authenticated the guest then use guest portal #2. In your rules make sure to put in static FQDNs for guest redirect of guest1.mycompany.com and guest2.mycompany.com.

It should work.  I am sure Jason will correct me if this won't hehe

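The seven steps above leave several places to get a mapping wrong: a guest portal whose redirect FQDN points at the other PSN, a certificate that does not cover one of the four names, a guest portal pinned to the wrong sponsor portal, or more exposed into the DMZ than the two portal ports. The checker below is an added example, not Cisco ISE code and not Paul's; it encodes those constraints over a constructed on-paper model of the design. The Design class, its field names, the portal names and the 203.0.113.x addresses are assumptions of the example; it validates the design as described rather than querying a live ISE deployment.

```python
"""Consistency check for the dual-PSN guest/sponsor portal design.

Added example; not Cisco ISE code and not the forum poster's. The Design
model is an abstraction of the seven design steps; every hostname and
address in sample_design() is a constructed value, not a real deployment.
"""
from dataclasses import dataclass

GUEST_PORT = 8443    # guest portal port, step 3
SPONSOR_PORT = 8445  # sponsor portal port, step 3


@dataclass
class Design:
    psn_dmz_ip: dict        # PSN name -> its DMZ interface address (step 2)
    dns: dict               # FQDN -> address in the externally visible zone (step 4)
    cert_sans: set          # DNS names in the portal certificate's SubjectAltName (step 4)
    sponsor_portals: dict   # sponsor portal name -> FQDN (step 5)
    guest_portals: dict     # guest portal name -> {"fqdn": redirect FQDN, "sponsor": portal} (step 6)
    firewall: set           # (address, port) pairs permitted into the DMZ (step 3)
    authz: dict             # PSN name -> guest portal chosen when that PSN authenticates (step 7)


def check_design(d: Design) -> list:
    """Return a list of findings; an empty list means the design is internally consistent."""
    findings = []
    ip_to_psn = {ip: psn for psn, ip in d.psn_dmz_ip.items()}

    def resolve(fqdn, role):
        ip = d.dns.get(fqdn)
        if ip is None:
            findings.append(f"{role} FQDN {fqdn} has no DNS record")
        elif ip not in ip_to_psn:
            findings.append(f"{role} FQDN {fqdn} resolves to {ip}, which is not a PSN DMZ interface")

    # Steps 4 and 5: every portal FQDN resolves to a DMZ interface and is covered by the certificate.
    for name, fqdn in d.sponsor_portals.items():
        resolve(fqdn, f"sponsor portal {name}")
        if fqdn not in d.cert_sans:
            findings.append(f"certificate SAN list lacks sponsor FQDN {fqdn}")
    for name, gp in d.guest_portals.items():
        resolve(gp["fqdn"], f"guest portal {name}")
        if gp["fqdn"] not in d.cert_sans:
            findings.append(f"certificate SAN list lacks guest FQDN {gp['fqdn']}")
        # Step 6: each guest portal is pinned to exactly one existing sponsor portal.
        if gp["sponsor"] not in d.sponsor_portals:
            findings.append(f"guest portal {name} maps to unknown sponsor portal {gp['sponsor']}")

    # Step 3: exactly the two portal ports are exposed, and only on the portal addresses.
    expected = set()
    for fqdn in d.sponsor_portals.values():
        if fqdn in d.dns:
            expected.add((d.dns[fqdn], SPONSOR_PORT))
    for gp in d.guest_portals.values():
        if gp["fqdn"] in d.dns:
            expected.add((d.dns[gp["fqdn"]], GUEST_PORT))
    for ip, port in sorted(expected - d.firewall):
        findings.append(f"firewall does not permit {ip}:{port}")
    for ip, port in sorted(d.firewall - expected):
        findings.append(f"firewall exposes {ip}:{port} beyond the two portal ports")

    # Step 7: the rule for PSN n must pick the guest portal whose redirect FQDN points back at PSN n.
    for psn in d.psn_dmz_ip:
        portal = d.authz.get(psn)
        if portal is None:
            findings.append(f"no authorization rule selects a guest portal for {psn}")
            continue
        gp = d.guest_portals.get(portal)
        if gp is None:
            findings.append(f"rule for {psn} selects unknown guest portal {portal}")
            continue
        owner = ip_to_psn.get(d.dns.get(gp["fqdn"]))
        if owner != psn:
            findings.append(f"rule for {psn} selects guest portal {portal}, whose redirect FQDN "
                            f"{gp['fqdn']} belongs to {owner}")
    return findings


def sample_design() -> Design:
    """The design from the thread, with constructed TEST-NET-3 addresses standing in for the DMZ."""
    psn1, psn2 = "203.0.113.11", "203.0.113.12"
    names = {"guest1.mycompany.com": psn1, "guest2.mycompany.com": psn2,
             "sponsor1.mycompany.com": psn1, "sponsor2.mycompany.com": psn2}
    return Design(
        psn_dmz_ip={"psn1": psn1, "psn2": psn2},
        dns=dict(names),
        cert_sans=set(names),
        sponsor_portals={"Sponsor1": "sponsor1.mycompany.com", "Sponsor2": "sponsor2.mycompany.com"},
        guest_portals={"Guest1": {"fqdn": "guest1.mycompany.com", "sponsor": "Sponsor1"},
                       "Guest2": {"fqdn": "guest2.mycompany.com", "sponsor": "Sponsor2"}},
        firewall={(ip, port) for ip in (psn1, psn2) for port in (GUEST_PORT, SPONSOR_PORT)},
        authz={"psn1": "Guest1", "psn2": "Guest2"},
    )


def misconfigured_design() -> Design:
    """Three mistakes a reviewer should catch: both rules pick Guest1, an extra port is open, a SAN is missing."""
    d = sample_design()
    d.authz["psn2"] = "Guest1"
    d.firewall.add(("203.0.113.12", 22))
    d.cert_sans.discard("sponsor2.mycompany.com")
    return d


if __name__ == "__main__":
    for label, design in (("thread design", sample_design()), ("misconfigured", misconfigured_design())):
        print(f"{label}: {check_design(design) or ['no findings']}")
```

Running it reports no findings for the design as written and three for the broken variant. The exposure check is deliberately strict in both directions: a missing 8443/8445 rule breaks the portals, and any other port open to the DMZ addresses widens what an internet-facing PSN presents, which is the trade-off of this design.
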

Nice help, thanks Paul! The actual validation of the sponsor is done when the user self-registers. It will do the lookup then, and if the sponsor email address doesn't match AD/LDAP then it will fail.

Yes, you could expose your PSNs to the public internet if you like; you just have to buy well-known certs for your guest and sponsor portal.

MattPS
Cisco Employee

Brilliant, thank you both for your replies - helps out a lot.

Cheers,
Matt

eric.lessard
Beginner

Hello Guys,

I am looking to enable this link (if I understood correctly); I cannot find where.

My sponsor receives the email asking to approve or deny the request, but there is no link to the sponsor portal.

My email template is in French, maybe it's missing. Hard to try in English for now.

But I suspect that the link is not displayed or enabled.

sponsor.jpg

You need to add a link to the sponsor portal in the customization. The Approve/Deny link will be there, but if you want to direct them to the sponsor portal, add it in the customization.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Hey Paul,

I meant a link in the email received by the sponsor.

I cannot even find the text of the email.

Yes that is what I was referring to.

If you go into your Guest portal that is doing single click approval, click on the Portal Page Customization tab. In the Notifications section you will see "Approval Request Email". That is what you customize for the sponsor email. In there you can add a link (click the chain button) to your sponsor portal. You will need to use the long URL for the sponsor portal if you haven't assigned an FQDN to it. If you have defined an FQDN, use http://<FQDN>; do not use https://<FQDN> or you will most likely get a cert error depending on how your certs are set up.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Wow!

I need a break! Thx!!! Really appreciated.

I was NOT able to find that... I guess a picture is worth a thousand words.

All good now.

Thx again.

Jason Kunst
Cisco Employee

Also, would rely on a global load balancer or intelligent DNS to resolve to the nearest, most available, or simply pingable host. Also possible to return multiple entries and let the client figure it out.