Separation between Sponsor and Guest Portal

martucci
Cisco Employee

Hello,

I have a customer who is looking to implement sponsored access for the guests, with an anchor controller in the DMZ.

They would like, though, to have full separation of access for the guest portal and sponsor portal, not having them on the same box, but on different PSNs.

I am wondering if there is any best practice or if you know any customer that had the same request.

Thanks

1 Accepted Solution

One option that might have some potential is to separate them into two deployments -- Guest-Deployment (G) and Sponsor-Deployment (S) -- and then have G use S as a RADIUS token server to authenticate guest users, instead of using G's internal guest users.

hslai
Cisco Employee

Both the sponsor and guest portals are part of ISE guest services, and currently there is no option to separate them onto different ISE nodes.

I would suggest configuring a different TCP port for the ISE sponsor portal and, if needed, a different interface, from those for the ISE guest portal. Then, use a firewall or ACL to differentiate their access.

Thanks,

Customer IT security doesn't want to share a box, so a double interface or different ports would not work.

It was suggested to engineer the separation by blocking access to the sponsor portal on the PSN to which they will redirect the guests, and vice versa, but I was looking for alternatives.

Isn't it possible to have another PSN with a separate interface and port running sponsor port only, and then guest running on another PSN?

This way, even though sponsor and guest services are still running on the same box, they can be firewalled and accessed on different boxes?

Hi Jason,

I am not sure I follow you. I guess both PSNs would have both portals, but you mean to allow only PSN1, for example, to be accessed over the Sponsor portal (block the sponsor portal on PSN2) and then block Guest access on PSN1, but direct and allow only guests from PSN2, correct?

That was my idea, just looking to see if there was something else possible.

Yes that should work

One option that might have some potential is to separate them into two deployments -- Guest-Deployment (G) and Sponsor-Deployment (S) -- and then have G use S as a RADIUS token server to authenticate guest users, instead of using G's internal guest users.

Thanks Hsing,

I think this is the solution that will do for them.

Thanks

Francesca
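
The per-PSN blocking approach discussed in this thread (sponsor portal reachable only on PSN1, guest portal only on PSN2) depends on the firewall or ACL rules actually denying every cross path. The following is an added example, not part of any post in the thread and not Cisco code: a small first-match rule checker that flags flows breaking that intent. All addresses, ports and the rule format are constructed assumptions.

```python
import ipaddress

# Constructed placeholders: none of these values come from the thread.
GUEST_NET = ipaddress.ip_network("192.0.2.0/24")    # guest clients behind the anchor controller
CORP_NET = ipaddress.ip_network("198.51.100.0/24")  # internal sponsors
PSN1 = ipaddress.ip_address("203.0.113.11")         # intended sponsor-only PSN
PSN2 = ipaddress.ip_address("203.0.113.12")         # intended guest-only PSN
SPONSOR_PORT, GUEST_PORT = 8445, 8443               # assumed distinct portal TCP ports

# Ordered rules: (action, source network, destination host, TCP port or None for any)
RULES = [
    ("permit", CORP_NET, PSN1, SPONSOR_PORT),
    ("permit", GUEST_NET, PSN2, GUEST_PORT),
]

def allowed(rules, src, dst, port):
    """First matching rule wins; unmatched traffic is implicitly denied."""
    src = ipaddress.ip_address(src)
    for action, net, host, rule_port in rules:
        if src in net and dst == host and rule_port in (None, port):
            return action == "permit"
    return False

def separation_violations(rules):
    """Return each flow that breaks the one-portal-per-PSN intent."""
    guest, corp = str(GUEST_NET[10]), str(CORP_NET[10])
    must_permit = [(corp, PSN1, SPONSOR_PORT), (guest, PSN2, GUEST_PORT)]
    must_deny = [
        (guest, PSN1, SPONSOR_PORT),  # guests must never reach the sponsor portal
        (guest, PSN1, GUEST_PORT),    # guest portal on PSN1 stays unreachable
        (guest, PSN2, SPONSOR_PORT),  # sponsor portal on PSN2 stays unreachable
        (corp, PSN2, SPONSOR_PORT),   # sponsors use PSN1 only
        (corp, PSN1, GUEST_PORT),
    ]
    bad = [("blocked", f) for f in must_permit if not allowed(rules, *f)]
    bad += [("exposed", f) for f in must_deny if allowed(rules, *f)]
    return bad

if __name__ == "__main__":
    # An over-broad "any port" permit for guests to PSN2 exposes its sponsor portal.
    loose = [("permit", GUEST_NET, PSN2, None)] + RULES
    print(separation_violations(RULES))
    print(separation_violations(loose))
```
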