Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
0
Helpful
2
Replies

ISE - Sponsor Portal - Delegate

Go to solution
stucke01
Level 1
Level 1

‎08-29-2018 08:38 AM

Today we have deployed guest wireless to all of our facilities using ISE - Sponsor Portal.  Our steps are as followed:

1.) User connects their device to our guest SSID.  They are presented with a username and password, which they do not have yet.

2.) They click on the hyperlink that says, "Register for guest access"

3.) The Visitor has to fill out the following:

First Name*

Last Name*

Email address*

Phone Number

Company*

Time Zone*(provided drop down list)

Person being visited (email) Not your own*

Reason for visit

Then they click register

 

4.) An email is then sent to the person's e-mail that the visitor stated above.

5.) Employee receives the e-mail and either accepts or denies.  If accepted, the employee is re-directed to our company Sponsor Portal page requesting the employee's LAN credentials to approve.

6.) Then the visitor recieves their username and password to their e-mail account.

 

 

Here is where I need help.  All of our sites are using this system, except for our WHQ.  Our executive staff is not going to want to allow or deny visitors as they arrive, they are going to want their AA (administrative assistance) to handle that for them.  Is there a way in ISE to re-direct the Guest Approval Request e-mail to go to the administrative staff instead of the Executive member, without the visitor specifying that it must go to the AA?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
RichardAtkin
Level 3
Level 3

‎08-29-2018 11:18 AM

In the portal you can make it send all of the access reqeust e-mails to a particular account (ie, your Administrative staff), but you can't enable that at the same time as having the e-mail get sent to a nominated individual.  The solution is to spin up (duplicate) a second portal, that is identical in every way apart from that one setting.  Once you have the portal setup, you can direct Users to it by creating a new condition/authorisation policy that looks for AP Group as well as SSID in the called-station-ID.

 

You may need to update the RADIUS Authentication Called-Station-ID format in the WLC for this to work as it does not default to including the AP Group...

 

Job done.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
RichardAtkin
Level 3
Level 3

‎08-29-2018 11:18 AM

In the portal you can make it send all of the access reqeust e-mails to a particular account (ie, your Administrative staff), but you can't enable that at the same time as having the e-mail get sent to a nominated individual.  The solution is to spin up (duplicate) a second portal, that is identical in every way apart from that one setting.  Once you have the portal setup, you can direct Users to it by creating a new condition/authorisation policy that looks for AP Group as well as SSID in the called-station-ID.

 

You may need to update the RADIUS Authentication Called-Station-ID format in the WLC for this to work as it does not default to including the AP Group...

 

Job done.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎09-01-2018 03:56 PM

Adding to Richard's...

Many email systems let us set delegation and inbox rules to organize or forward based on conditions. You might want to consider such, as an alternative.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents