Hi All,
I have a customer that wants to deploy sponsored guest access with ISE. They have one tricky requirement though: the guest facing PSNs must not contain any user (guest or sponsor) credentials.
I believe this can be done only by separating the sponsor facing ISE and the guest facing ISE, so two ISE deployments. The sponsor ISE has the sponsor and the guest information, the guest ISE acts as a RADIUS proxy between the NADs and the sponsor ISE:
NAD <-> Guest ISE (no network user database) <-> Sponsor ISE (guest user database)
Sponsors create guest users on the Sponsor ISE as usual, guest users get authenticated to the network via the Guest ISE proxying all authentication requests to the Sponsor ISE.
Question #1: Does this make sense or is there a better way to do it in ISE alone?
Question #2: Sponsor ISE should need only base licenses (required for guest management) and Guest ISE should need base and plus licenses, the latter if required for authorization policies for example. Is this right?
Regards,
Panos