
ISE sponsor portal, restrict domain for the guest email address

HOLGER HAHN
Beginner

In 2018 the user dongill asked "Is it possible to do a email validation for “Known Guest” account creation in the sponsor portal?

We have a need to prevent sponsors creating guest accounts with their corporate email addresses?"

https://community.cisco.com/t5/network-access-control/ise-guest-sponsor-portal-restrict-email-address-domain-for-the/td-p/3736892

 

Jason Kunst created a script to solve this:

https://community.cisco.com/t5/security-documents/ise-sponsor-portal-create-known-accounts-page-customization/ta-p/3636414#toc-hId--1080596999

The part Script will allow only the domains ("domain1","domain2","domain3") is functional.

But the part Script will allow all the other domains except the domains("domain1","domain2","domain3") isn't.

 

The user grabonlee has already pointed this out in the comments and Jason has asked him to open a new thread.

Because I didn't find such a thread or anything else to solve this problem I asked this again.

 

How can I restrict domains for the guest email address?

Our ISE is version 3.0 Patch 4.

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

Try changing the line with the regex of Restrict the email address entered when creating a known account as below:

from 

return /^(\w+\.?)+@(domain1|domain2|domain3)\.com$/.test( value );

to 

return /^(\w+\.?)+@((?!(domain[1-3])).)*\.com$/.test( value );


HOLGER HAHN
Beginner

No one who can help me?

Jason???

thomas
Cisco Employee

Did you Enable Portal Customization with HTML and JavaScript?

Did you make any other changes to the script?

Do you get errors on the web console? What are the errors?

 

You need to do some JavaScript troubleshooting.

Hi Thomas,

 

First of all... Why has anyone marked your post as "Accept as Solution"?

I reversed it.

 

Your questions:

 

- Did you  Enable Portal Customization with HTML and JavaScript ?

Of course. Otherwise I couldn't have said "The part Script will allow only the domains ("domain1","domain2","domain3") is functional." in my initial description...

 

- Did you make any other changes to the script?

The only thing I've changed was the entry for "var domains" (line 5) and the alert output (line 13).

 

- Do you get errors on the web console? What are the errors?

I don't get any errors.

 

How can I troubleshoot JavaScript? Is there any possibility of some kind of step-by-step debugging?

I marked my answer as the Solution because I was the first person to respond in over 1 month and "You need to do some JavaScript troubleshooting"  is The Solution even though you didn't like it.

There are 1000's - maybe 1000000's - of JavaScript resources on the Internet. However, the ISE/NAC community probably isn't the best place to find it.

If you want people's help - especially with custom scripting / programming - you need to include the HTML+JS code you are using so people can easily try to use it,  reproduce your problem, and potentially suggest a fix for the problem you are seeing.

See How to Ask The Community for Help.

 


@thomas wrote:

...

"You need to do some JavaScript troubleshooting"  is The Solution even though you didn't like it.

...

 


That's a joke...

A solution is only a solution which will fix the problem, not investigate it!

It's the same if I open a case and the TAC engineer closes it with the words: "You have to do troubleshooting."

 


@thomas wrote:

...

There are 1000's - maybe 1000000's - of JavaScript resources on the Internet. However, the ISE/NAC community probably isn't the best place to find it.

...

 


Of course this community is the best place because it's an ISE related thing!

hslai
Cisco Employee

Try changing the line with the regex of Restrict the email address entered when creating a known account as below:

from 

return /^(\w+\.?)+@(domain1|domain2|domain3)\.com$/.test( value );

to 

return /^(\w+\.?)+@((?!(domain[1-3])).)*\.com$/.test( value );

 

 

 

That's from the script which will allow only the domains ("domain1","domain2","domain3").

But this is functional!!!

 

I'm talking about the second script which will allow all the other domains except the domains("domain1","domain2","domain3")!!!

 

<script> 
    $(document).on("pageshow", function(){ 
        setTimeout(function() {
            $('.personBeingVisited').val("");
            var domains = ["domain1","domain2","domain3"];
 
            function validateDomain(me){
                var idx1 = me.target.value.indexOf("@");
                if(idx1>-1){
                    var splitStr = me.target.value.split("@");
                    var sub = splitStr[1].split(".");
                    if(domains.indexOf(sub[0])>-1){
                        me.target.value="";
                        alert("Enter a valid email address.");
                        return false;
                    }
                }
            }
 
            $(function () {
                $('.personBeingVisited').blur(function (ele) {
                    validateDomain(ele);
                });
            });
        }, 5000);
    }); 
</script>

 

 

Did you not test it? It's exactly because the other script is already working for you and because it's easier to tweak the regex to do the opposite.

Ahhh...

Now I understand.

Instead of tweaking the original exclusion script you tweaked the "Allow only" script.

I've already had the idea to make it negative with the exclamation mark but I guess I did it the wrong way (I'm not a programmer...).

 

And because I want to exclude our company domain from the guest email address field and to allow only our company domain in the person being visited email address field I had to change the field name in the exclusion script from .personBeingVisited to .email

Also I had to make the rule name (customemailvalidator) in both scripts unique because I implemented both in one form.

In the exclusion script I changed it to visitoremailvalidator and in the allow only script to visitoremailvalidator.

 

Here is the complete script (domain1|domain2|domain3 and .com should be changed to the needed values):

 

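<script> 
    // Guest email field (.email): reject addresses whose domain part contains
    // domain1, domain2 or domain3.
    $(document).on("pageshow", function(){ 
        // The rule is attached 5 seconds after the "pageshow" event.
        setTimeout(function() {
            $('.form-horizontal').validate();
            $(".email").rules("add",{visitoremailvalidator:true});
            $.validator.addMethod("visitoremailvalidator", function(value, element) {
                // An empty field passes this rule.
                if(value == ''){
                    return true;
                }
                // Negative lookahead: no position in the domain part may start with a listed name.
                return /^(\w+\.?)+@((?!(domain1|domain2|domain3)).)*\.com$/.test( value );
            }, 'Enter a valid email address.');
                         
            // Re-run validation while the sponsor types.
            $(".email").on("input", function (){
                $(".email").validate();
            });
        }, 5000);
    }); 
</script>
<script> 
    // Person-being-visited field (.personBeingVisited): accept only
    // domain1.com, domain2.com or domain3.com.
    $(document).on("pageshow", function(){ 
        setTimeout(function() {
            $('.form-horizontal').validate();
            $(".personBeingVisited").rules("add",{visitedemailvalidator:true});
            $.validator.addMethod("visitedemailvalidator", function(value, element) {
                // An empty field passes this rule.
                if(value == ''){
                    return true;
                }
                return /^(\w+\.?)+@(domain1|domain2|domain3)\.com$/.test( value );
            }, 'Enter a valid email address.');
                         
            // Re-run validation while the sponsor types.
            $(".personBeingVisited").on("input", function (){
                $(".personBeingVisited").validate();
            });
        }, 5000);
    }); 
</script>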
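
The exclusion regex from the accepted answer, run over a few constructed addresses next to a check that compares whole domain labels, as an added example that is not part of any post in this thread. The names `isAllowedGuestEmail` and `compare`, the sample addresses and the choice to lowercase the domain are assumptions; "domain1" to "domain3" are the thread's placeholders.

```javascript
// Added example, not from the thread. Sample addresses are constructed.
const BLOCKED = ["domain1", "domain2", "domain3"];

// The exclusion regex from the accepted answer, unchanged (case-sensitive).
const threadRegex = /^(\w+\.?)+@((?!(domain1|domain2|domain3)).)*\.com$/;

// Alternative check (assumption): isolate the domain, lowercase it and
// compare whole labels instead of searching for substrings.
function isAllowedGuestEmail(value, blocked = BLOCKED, tld = "com") {
  const at = value.lastIndexOf("@");
  if (at < 1) return false;                      // no "@" or empty local part
  const local = value.slice(0, at);
  const labels = value.slice(at + 1).toLowerCase().split(".");
  if (!/^[\w.+-]+$/.test(local)) return false;   // single character class, no nested quantifier
  if (labels.length < 2) return false;
  if (labels.some(l => !/^[a-z0-9-]+$/.test(l))) return false;
  if (labels[labels.length - 1] !== tld) return false;
  // Reject when any label equals a blocked name (covers mail.domain2.com).
  return !labels.some(l => blocked.includes(l));
}

// Evaluate both checks on each address so the differences are visible.
function compare(addresses) {
  return addresses.map(a => ({
    address: a,
    thread: threadRegex.test(a),
    labelCheck: isAllowedGuestEmail(a),
  }));
}

const samples = [
  "visitor@partner.com",     // unrelated domain
  "j.doe@domain1.com",       // blocked domain
  "j.doe@Domain1.com",       // same domain, different letter case
  "j.doe@mail.domain2.com",  // subdomain of a blocked domain
  "j.doe@mydomain1.com",     // other domain that contains a blocked string
];
console.table(compare(samples));
```

Both checks run in the sponsor's browser, so they steer data entry on the portal page and do not replace a server-side control. The empty-value pass-through of the portal script stays in the `addMethod` callback and is not part of `isAllowedGuestEmail`.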
