03-03-2017 09:15 AM
I have an international customer that is doing a self-registered, sponsor-approval-required guest portal for their AsiaPac region. They have PSNs in the different countries in the region and want to customize the guest portal and sponsor portal per region. All that is no problem. I can key off the PSN that is authenticating the guest users to direct the guest user to the desired portal. Something like this:
Sponsor Portals
Sponsor-China: runs on port 8445 with FQDN of sponsor-china.company.com.
Sponsor-Japan: runs on port 8446 with FQDN of sponsor-japan.company.com.
Guest Portals
Guest-China: self-register guest portal with sponsor approval email. The sponsor gets an email pointing them to https://sponsor-china.company.com to approve the guest.
Guest-Japan: self-register guest portal with sponsor approval email. The sponsor gets an email pointing them to https://sponsor-japan.company.com to approve the guest.
I am running ISE 2.1 and this setup is all easy. The one issue they have is everyone can view all the pending guest requests. So any of the sponsors in Japan can see and approve the pending requests for China. Once the request is approved and moved to a Managed Account then the users will no longer be able to see anything but their own accounts, but I don't see a way to limit the viewing of the Pending Accounts.
I am testing this setup in my lab and can see everything in the pending requests.
Am I missing a way to do this?
Thanks.
03-03-2017 09:36 AM
For ISE 2.0
https://communities.cisco.com/docs/DOC-68210
ISE 2.1 added the ability to filter pending accounts
Release Notes for Cisco Identity Services Engine, Release 2.1 - Cisco
ISE 2.2 added the ability to filter off AD
Release Notes for Cisco Identity Services Engine, Release 2.2 - Cisco
Here is the Sponsor Group setting to use. The email account would need to be present in the store you are using, and this must match the "person being visited" field that the user enters on the self-reg page.
03-03-2017 10:40 AM
Thanks for the quick response, Jason. I can best sum it up as “RTFM Paul!” ☺
I was missing the obvious checkbox on the sponsor group.
Have a great weekend!
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
03-03-2017 10:42 AM
Only because I know you ☺
05-10-2023 11:55 AM
This is not a viable solution to restricting sponsor management of pending accounts. Cisco is relying on a self-registering guest to enter a sponsor's email address to restrict sponsor management of said guest's pending account. That's like the tail wagging the dog. This also requires that the sponsor's account exists in the ISE internal database with an email address as an attribute. This is infeasible with external authentication of sponsor accounts. We are dealing with this same situation at work with ISE 3.1, and there is no way via ISE GUI configuration to make this work.
Does Cisco have something in the works to make sponsor group membership the controlling factor on what pending accounts a sponsor can manipulate?