VIP Advocate

Multiple sponsor portals while limiting pending guest viewing

I have an international customer that is doing a self-registered sponsor approval required guest portal for their AsiaPac region.  They have PSNs in the different countries in the region and want to customize the guest portal and sponsor portal per region.  All that is no problem.  I can key off the PSN that is authenticating the guest users to direct the guest user to the desired portal.  Something like this:

Sponsor Portals

Sponsor-China- run on port 8445 with FQDN of sponsor-china.company.com.

Sponsor-Japan- run on port 8446 with FQDN of sponsor-japan.company.com.

Guest Portals

Guest-China- self register guest portal with sponsor approval email.  The sponsor gets an email pointing them to https://sponsor-china.company.com to approve the guest.

Guest-Japan- self register guest portal with sponsor approval email.  The sponsor gets an email pointing them to https://sponsor-japan.company.com to approve the guest.

I am running ISE 2.1 and this setup is all easy.  The one issue they have is everyone can view all the pending guest requests.  So any of the sponsors in Japan can see and approve the pending requests for China.  Once the request is approved and moved to a Managed Account then the users will no longer be able to see anything but their own accounts, but I don't see a way to limit the viewing of the Pending Accounts.

I am testing this setup in my lab and can see everything in the pending requests.

Am I missing a way to do this?

Thanks.

Accepted Solutions
Cisco Employee

Re: Multiple sponsor portals while limiting pending guest viewing

For ISE 2.0

https://communities.cisco.com/docs/DOC-68210

ISE 2.1 added the ability to filter pending accounts

Release Notes for Cisco Identity Services Engine, Release 2.1 - Cisco

  • Sponsor Approval Filtering —A sponsor can be limited to approving accounts based on the sponsor’s email address, or all pending accounts. Currently this feature is supported only for internal sponsors and SAML SSO sponsors.

ISE 2.2 added the ability to filter off AD

Release Notes for Cisco Identity Services Engine, Release 2.2 - Cisco

  • Sponsor access to pending accounts—Access to all or only the Sponsor's accounts is now supported for Active Directory and LDAP.

Here is the Sponsor Group setting to use. The email account would need to be present in the store you are using, and this must match the "person being visited" field that the user enters on the self-reg page.

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Guest Access [Cisco Identity Services Engin…

  •   Approve and view requests from self-registering guests—Sponsors who are included in this Sponsor Group can either view all pending account requests from self-registering guests (that require approval), or only the requests where the user entered the Sponsor's email address as the person being visited. This feature requires that the portal used by the Self-registering guest has Require self-registered guests to be approved checked, and the Sponsor's email is listed as the person to contact.

  •   Any pending accounts—A sponsor belonging to this group can approve and review accounts that were created by any sponsor.

  •   Only pending accounts assigned to this sponsor—A sponsor belonging to this group can only view and approve accounts that they created.

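The effect of the two Sponsor Group settings described in the accepted answer, as an added example that is not part of the original reply and is not ISE code: a small Python model that reports cross-region visibility and requests that no sponsor can see. The class and function names, the sample addresses and the case-insensitive e-mail comparison are assumptions of the model.

```python
from dataclasses import dataclass

ANY_PENDING = "any"         # models "Any pending accounts"
ONLY_ASSIGNED = "assigned"  # models "Only pending accounts assigned to this sponsor"

@dataclass(frozen=True)
class Sponsor:
    email: str
    region: str
    pending_scope: str      # setting of the sponsor group this sponsor belongs to

@dataclass(frozen=True)
class PendingRequest:
    guest: str
    portal_region: str
    person_visited: str     # e-mail the guest typed on the self-registration page

def _norm(email):
    # Assumption of this model: addresses are compared trimmed and case-insensitively.
    return email.strip().lower()

def visible_to(sponsor, requests):
    """Pending requests this sponsor can view and approve."""
    if sponsor.pending_scope == ANY_PENDING:
        return list(requests)
    return [r for r in requests if _norm(r.person_visited) == _norm(sponsor.email)]

def cross_region_exposure(sponsors, requests):
    """(sponsor e-mail, guest) pairs where a sponsor sees another region's request."""
    return [(s.email, r.guest) for s in sponsors
            for r in visible_to(s, requests) if r.portal_region != s.region]

def orphaned(sponsors, requests):
    """Guests whose request is visible to no sponsor at all."""
    return [r.guest for r in requests
            if not any(r in visible_to(s, requests) for s in sponsors)]

# Constructed sample data (not taken from the thread).
REQUESTS = [
    PendingRequest("guest-a", "China", "li.wei@company.com"),
    PendingRequest("guest-b", "Japan", "Sato.Yuki@company.com"),
    PendingRequest("guest-c", "Japan", "sato.yuki@compnay.com"),  # mistyped domain
]

def sponsors_with(scope):
    return [Sponsor("li.wei@company.com", "China", scope),
            Sponsor("sato.yuki@company.com", "Japan", scope)]
```

In this model, restricting both groups removes the cross-region visibility, but the request with the mistyped sponsor address is then visible to nobody, so some group with access to all pending accounts is still needed to catch it.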

VIP Advocate

Re: Multiple sponsor portals while limiting pending guest viewing

Thanks for the quick response Jason. I can best summarize it up as “RTFM Paul!” ☺

I was missing the obvious checkbox on the sponsor group.

Have a great weekend!

Paul Haferman


Cisco Employee

Re: Multiple sponsor portals while limiting pending guest viewing

Only because I know you ☺