Bilal Nawaz
Engager

ISE - sponsor guest portal with smartcard authentication

Team, any support for sponsor guest portal authentication with the smartcard?

If not, then can someone please create a feature request to Cisco? Smartcards are being rolled out more and more.

 

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
9 REPLIES
jan.nielsen
Rising star

Are you asking about having someone log in to the sponsor portal with a smartcard, or using a smartcard to authenticate yourself as a guest?

The first one. Someone logging in to the sponsor portal with a smartcard.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

I doubt that's supported. I personally don't see smartcards anywhere except for thin-client based environments, so I doubt support for it is gonna happen anytime soon.

I know this is old, but I wanted to reply to the above. If you work in the private sector you won't often see smart cards. If you work on a DoD base or other federal agencies you'd realize how HUGE the use case is. :)

Stephen,

You're correct, this is huge in Federal Agencies, especially after the OPM Breach. We have it working with the ASA 5540 checking the PIV Cert and then allowing the user to access a bookmark which auto-logs them into the Sponsor Portal by sending their "UPN, SAN", whatever attribute matches the username. Inside the conditions we have the AD identity set to false, therefore it's only looking for the Username as the user doesn't have a pw.

We are testing ISE 1.4 now and are going to see if SSO works correctly for the Sponsor Portal.  This will suffice for our PIV integration requirements.

Ryan Coombs
Beginner

We've got it working in our agency. It's front ended by a 5540 ASA that sends the user's attributes to ISE and then loops ISE to authenticate via AD. I've got a pretty sweet write up on it from our advanced services rep. The guys are legit when it comes to workarounds and I just finished testing this with ISE 1.3. If you guys are interested I'll attach it tomorrow.

 

 

Attached configuration guide. Note for 1.3 the Sponsor Group Policy has been removed. Just make sure the Sponsor Group is configured and add the store to locate the user. In our case it's AD.

 

If you have questions just PM me and I'll be glad to assist.

-Ryan 

Hi Ryan, if you could share it, I'd be very grateful!

Thank you

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Configuration Guide below.

Could you please share it? Thanks
