Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1135
Views
5
Helpful
6
Replies
Leoni Wartung
Beginner
Beginner
‎06-24-2021 01:46 AM
‎06-24-2021 01:46 AM

ISE Sponsor Groups with different privileges

Hello Community, 

 

we are operation a ISE deployment for all of our sites araund the world. At the moment we are chanign our Guest Workflow to a Sponsor based deployment. 

Originally it was planned that every user can sponsor guest accounts but the requirements chagened. 

 

Now we have the the requirement that we have to controll it on a country basis.

 

We need for every country a Admin Sponsor group which can see all Accounts which are created in that Area. And the User should only see his Accounts. 

 

When i create a new sponsor group on a country Basis everybody how is in the group can see all accounts. Is it possible to solve that problem?

 

Regards Stefan 

0 Helpful
6 REPLIES 6
NiTech
Beginner
Beginner
‎06-24-2021 03:17 PM
‎06-24-2021 03:17 PM

As per my understanding all sponsor users can saw all the guest account.

Leoni Wartung
Beginner
Beginner
‎06-25-2021 02:23 AM
‎06-25-2021 02:23 AM

Yes that is possible, but i want, that the Manager of a Region can see all Guest Accounts from that Region. But the Sponsors should only see there created Accounts. 

 

Lets say, i have only one region, than its not a problem. But i have lets say 20 Regions. 

 

Regards Stefan 

0 Helpful
Milos_Jovanovic
VIP Collaborator VIP Collaborator
VIP Collaborator
In response to Leoni Wartung
‎06-25-2021 04:18 AM
‎06-25-2021 04:18 AM

Hi Leoni,

Maybe you could try to create multiple standard sponsor groups, in which each user would be able to see only his own accounts. You would achieve this by creating and configuring multiple locations, and option Sponsor Can Manage: Only accounts sponsor has created.

You would then create manager sponsor group, which would be combination of local location, and option Sponsor Can Manage: Accounts created by members of this sponsor group. Main idea is to use combination of Location and "Sponsor Can Manage" options.

I never used this combination, but logically, it might work.

BR,

Milos

0 Helpful
hslai
Cisco Employee
Cisco Employee
In response to Milos_Jovanovic
‎07-05-2021 11:55 AM
‎07-05-2021 11:55 AM

Leoni Wartung, Milos has the right idea. Below is an example:

 

User Identity Groups

  • us-sponsors
  • us-managers
  • uk-sponsors
  • uk-managers
  • cn-sponsors
  • cn-managers

Network Access Users

For each region, sponsors will be in the sponsors group of that region but managers will be in both the sponsors and the managers groups of the region.

 

Sponsor Groups

  • us-sponsors : Duplicate of OWN_ACCOUNTS (default) but mapped us-sponsors as the only member
  • us-managers: Duplicate of GROUP_ACCOUNTS (default) but mapped us-managers as the only member
  • uk-sponsors : Duplicate of OWN_ACCOUNTS (default) but mapped uk-sponsors as the only member
  • uk-managers: Duplicate of GROUP_ACCOUNTS (default) but mapped uk-managers as the only member
  • cn-sponsors : Duplicate of OWN_ACCOUNTS (default) but mapped cn-sponsors as the only member
  • cn-managers: Duplicate of GROUP_ACCOUNTS (default) but mapped cn-managers as the only member

 

 

 

0 Helpful
thomas
Cisco Employee
Cisco Employee
‎06-27-2021 02:44 PM
‎06-27-2021 02:44 PM

Create your sponsor accounts for each country and be sure to select:

 

⦿ 

0 Helpful
Leoni Wartung
Beginner
Beginner
In response to thomas
‎07-01-2021 01:38 AM
‎07-01-2021 01:38 AM

Hello Thomas, 

 

yes, i know that option but than all users see the guest accounts and not only the Manager of the region. 

 

 

0 Helpful
Latest Contents
Understanding IP Layer Enforcement on Cisco Umbrella
Created by Meddane on 05-17-2022 03:10 AM
0
0
0
0
Cisco Umbrella is a big DNS service that provides not only the DNS resolution but also if the hosted website is trust or malicious, the idea behind the Layer DNS Security is that the modern attacks uses the DNS in the first step either to redirect the use... view more
Cisco ISE Integration With F5 BIG-IP LTM Load Balancer for G...
Created by Meddane on 05-15-2022 02:24 AM
0
0
0
0
I shared with you this detailed document I created with 27 pages about Cisco ISE Integration With F5 BIG-IP Locar Traffic Manager LTM Load Balancer for Guest Acces.   The method used for Guest Access is the Self-Registration. Healt Monitor using HTTP... view more
Cisco ASA 9.714 version SNMP not working in EVE-NG LAB Envir...
Created by waqas.muhammad49 on 05-10-2022 06:56 AM
0
0
0
0
I created an IPSEC Site to site Tunnel between two ASA Firewalls in EVE-NG topology and i want to plot the IPSEC Site to Site VPN graph on PRTG ? The SNMP Walk command is not getting any output . As the firewall is making SNMP inbound connections with the... view more
ISE Integration with Eduroam External Server
Created by deepuvarghese1 on 05-09-2022 08:31 PM
3
20
3
20
The purpose of this document is to demonstrate how ISE can integrate with an eduroam external server which is a WI-Fi roaming service that provides international access to devices in education, research, and higher education. Students, teachers, and resea... view more
SSL Decryption with Decrypt-Resign On Cisco FTD In-depth lec...
Created by Meddane on 05-05-2022 04:44 AM
0
0
0
0
On Cisco Firepower Threat Defense there are two ways to do SSL Decryption (two actions in the SSL Policy).Decrypt-Resign: for outbound connection (from an inside PC to an external server).Decrypt-Known-Key: for inbound connection (from an external PC to y... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube