Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3344
Views
8
Helpful
9
Replies

ISE Single Click Approval

Go to solution
MattPS
Cisco Employee
Cisco Employee

‎06-29-2017 07:25 AM

Hello Experts,

After an extended discussion with one of our customers about guest access with ISE, and exploring a number of guest registration options, it seemed that self-registration with sponsor approval would be the way to go for them.

However, we would like to clarify one thing before going further.

My understanding is, ISE needs access to AD/LDAP on the network (to check sponsor e-mail credentials, this bit is obvious) before sending out the approval e-mail(s)… the question is, does the approver have to be on the corporate network (or VPN) to approve the request?

I believe so, as the link in the e-mail leads to the ISE node… is this correct? And if so, is there any way around this?

The customer would like to be able to approve or deny requests even when they are not on the corporate network/VPN.

Thank you very much in advance!

Kind Regards,
Matt

1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎06-29-2017 08:01 AM

The approve/deny links are encoded with the sponsor's email address and a link to the sponsor portal matched by the Guest Portal.  At the time the sponsor clicks the encoded approve/deny link a call is then made to the sponsor portal running on the PSN referenced in the URL. 

Normally the sponsor link would be the FQDN of the PSN that was matched by the guest portal.  You can override that by setting up the FQDNs for the sponsor portals.  If those FQDNs are resolvable externally and the portal is accessible externally you could in theory allow approval from anywhere.

I am not saying I would do this but you could do something like this (theory crafting here):

  1. Have two PSNs that you are going to run the guest portal/sponsor portal on.  Ensure the WLCs only use these two PSNs for the Guest SSID.
  2. Have second interfaces on those PSNs attached to a DMZ
  3. Allow 8443 for guest and 8445 for sponsor portal access into those PSNs.
  4. Setup certs and DNS records to support guest1.mycompany.com, guest2.mycompany.com, sponsor1.mycompany.com, sponsor2.mycompany.com.  You technically don't need two sponsor names but I like to keep things consistent.
  5. Setup two sponsor portals on 8445, one with FQDN of sponsor1.mycompany.com and one with sponsor2.mycompany.com.
  6. Setup two guest portals on 8443, one that maps only to Sponsor1 and one that is only mapped to Sponsor2.  You control the mapping in the sponsor approval section.  It is hidden (collapsed) field but you can specify exactly what sponsor portals the guest portal maps to.  The guest portals are identical in every other way.
  7. Write rules and results to say if PSN #1 authenticated the guest then use guest portal #1 and if PSN #2 authenticated the guest then use guest portal #2.  In your rules make sure to put in static FQDNs for guest redirect of guest1.mycompany.com and guest2.mycompany.com.

It should work.  I am sure Jason will correct me if this won't hehe

View solution in original post

9 Replies 9

Go to solution
paul
Level 10
Level 10

‎06-29-2017 08:01 AM

The approve/deny links are encoded with the sponsor's email address and a link to the sponsor portal matched by the Guest Portal.  At the time the sponsor clicks the encoded approve/deny link a call is then made to the sponsor portal running on the PSN referenced in the URL. 

Normally the sponsor link would be the FQDN of the PSN that was matched by the guest portal.  You can override that by setting up the FQDNs for the sponsor portals.  If those FQDNs are resolvable externally and the portal is accessible externally you could in theory allow approval from anywhere.

I am not saying I would do this but you could do something like this (theory crafting here):

  1. Have two PSNs that you are going to run the guest portal/sponsor portal on.  Ensure the WLCs only use these two PSNs for the Guest SSID.
  2. Have second interfaces on those PSNs attached to a DMZ
  3. Allow 8443 for guest and 8445 for sponsor portal access into those PSNs.
  4. Setup certs and DNS records to support guest1.mycompany.com, guest2.mycompany.com, sponsor1.mycompany.com, sponsor2.mycompany.com.  You technically don't need two sponsor names but I like to keep things consistent.
  5. Setup two sponsor portals on 8445, one with FQDN of sponsor1.mycompany.com and one with sponsor2.mycompany.com.
  6. Setup two guest portals on 8443, one that maps only to Sponsor1 and one that is only mapped to Sponsor2.  You control the mapping in the sponsor approval section.  It is hidden (collapsed) field but you can specify exactly what sponsor portals the guest portal maps to.  The guest portals are identical in every other way.
  7. Write rules and results to say if PSN #1 authenticated the guest then use guest portal #1 and if PSN #2 authenticated the guest then use guest portal #2.  In your rules make sure to put in static FQDNs for guest redirect of guest1.mycompany.com and guest2.mycompany.com.

It should work.  I am sure Jason will correct me if this won't hehe

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to paul

‎06-29-2017 08:08 AM

Nice help thanks Paul! The actual validation of the sponsor is done when the user self-registers. It will do the lookup then and if the sponsor email address doesn't match AD/LDAP then it will fail.

Yes you could expose your PSNs to the public internet if you like just have to buy well known certs for your guest and sponsor portal.

Go to solution
MattPS
Cisco Employee
Cisco Employee

‎06-29-2017 08:11 AM

Brilliant, thank you both for your replies - helps out a lot.

Cheers,
Matt

0 Helpful

Go to solution
eric.lessard
Level 1
Level 1

‎07-06-2017 01:28 PM

Hello Guys,

am looking to enable this link ( if i understood correclty ) i cannot find where

My sponsor receive the email asking to approve or deny request but no link to the sponsor portal.

my email template is it french, maybe its missing. hard to try in English for now.

but i suspect that the link is not display or enable.

sponsor.jpg

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to eric.lessard

‎07-06-2017 01:31 PM

You need to add a link to the sponsor portal in the customization. The Approve/Deny link will be there but if you want to direct them to the sponsor portal add it in the customization.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

Go to solution
eric.lessard
Level 1
Level 1
In response to paul

‎07-06-2017 02:18 PM

hey Paul,

i meant a link in the email received by the sponsor

i cannot even find the text of the email

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to eric.lessard

‎07-06-2017 02:25 PM

Yes that is what I was referring to.

If you go into your Guest portal that is doing single click approval. Click on the Portal Page Customization tab. In the Notifications section you will see “Approval Request Email”. That is what you customize for the sponsor email. In there you can add a link (click the chain button) to your sponsor portal. You will need to use the long URL for the sponsor portal if you haven’t assigned an FQDN to it. If you have defined an FQDN use http://<FQDN<http://%3cFQDN>> do not use https://<FQDN<https://%3cFQDN>> or you will most likely get a cert error depending on how your certs are setup.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Preview file
57 KB

Go to solution
eric.lessard
Level 1
Level 1
In response to paul

‎07-06-2017 02:32 PM

wow!

i need a break! Thx!!! really appreciated

i was NOT able to find that... i gues a picture worth a thousand word

all good now

Thx again

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎07-09-2017 01:31 PM

Also Would rely on a global load balancer or intelligent DNS to resolve to nearest, most available, or simply pingable host.  Also possible to return multiple entries and let client figure it out.

0 Helpful
Customers Also Viewed These Support Documents