Sponsor Group Merge

vibobrov
Cisco Employee

Hi Experts,

I know that, when a sponsor user maps to multiple sponsor groups, access rights get merged from all the matching groups.

However, I'm running into an issue with Self-Registration approval.

I have one Sponsor Group that has privileges to approve only accounts assigned to the sponsor. This group is mapped to Domain Users.

Another Sponsor Group has the rights to approve All pending accounts. This group is mapped to a specific AD group.

What I'm finding is that the elevated sponsors wind up getting downgraded to the Sponsor Group mapped to Domain Users and only see guests assigned to themselves.

As soon as I remove the mapping of Domain Users to the limited sponsor group, elevated sponsors can see all the pending accounts as expected.

In ISE 2.2, I found a workaround: add a memberOf NOT EQUALS CN=FullSponsor, ... attribute condition to the limited group. This prevents the elevated sponsor accounts from matching the limited group.

However, a customer is running ISE 2.1. Is this the expected behavior? Any workarounds?

Thank you

1 Accepted Solution (hslai's reply below)

4 Replies

Jason Kunst
Cisco Employee

I have heard of this before and asked them to open a TAC case, as it's a bug from what development told me.

hslai
Cisco Employee

Known issue -- CSCve01635

The obvious workaround is to create a third group - domain sponsors - and use that as the restricted sponsor group and ensure the elevated sponsors aren't a member of that group. It's probably not a good idea to remove Domain Users as a workaround :).

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
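To make the two workarounds in this thread concrete (the memberOf NOT EQUALS condition from the original post and the dedicated sponsor group from the accepted answer), here is a small model of sponsor-group matching. It is an added illustration written for this page, not Cisco ISE code: the group DNs, the "own"/"all" approval scopes and the evaluation semantics (EQUALS matches if any memberOf value matches; NOT EQUALS requires that no value matches) are assumptions. The `merge=False` path reproduces the reported ISE 2.1 behaviour in which the restricted group wins whenever it matches; `merge=True` is the documented merge-all-rights behaviour.

```python
from dataclasses import dataclass, field

# Constructed DNs for the example; they are not taken from the original post.
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=com"
FULL_SPONSORS = "CN=FullSponsor,OU=Groups,DC=example,DC=com"
DOMAIN_SPONSORS = "CN=Domain Sponsors,OU=Groups,DC=example,DC=com"


@dataclass
class SponsorGroup:
    name: str
    member_groups: list                                # AD groups mapped to this sponsor group
    approve_scope: str                                 # "own" (only my guests) or "all" (all pending)
    not_member_of: list = field(default_factory=list)  # memberOf NOT EQUALS conditions


def matches(group, member_of):
    """A user matches when at least one mapped AD group is in memberOf and
    none of the excluded groups is.  Assumed semantics for NOT EQUALS on a
    multi-valued attribute: every memberOf value must differ from the DN."""
    mapped = any(g in member_of for g in group.member_groups)
    excluded = any(g in member_of for g in group.not_member_of)
    return mapped and not excluded


def effective_scope(groups, member_of, merge):
    """merge=True  -> rights merged across all matching groups (documented).
    merge=False -> the restricted group wins whenever it matches (as reported)."""
    scopes = {g.approve_scope for g in groups if matches(g, member_of)}
    if not scopes:
        return None                      # not a sponsor at all
    if merge:
        return "all" if "all" in scopes else "own"
    return "own" if "own" in scopes else "all"


def scenario(limited, full, member_of):
    """Return (expected, reported) approval scope for one user."""
    groups = [limited, full]
    return (effective_scope(groups, member_of, merge=True),
            effective_scope(groups, member_of, merge=False))


# Original setup: limited group mapped to Domain Users, full group to FullSponsor.
LIMITED = SponsorGroup("Limited", [DOMAIN_USERS], "own")
FULL = SponsorGroup("Full", [FULL_SPONSORS], "all")

# Workaround 1 (original post): memberOf NOT EQUALS FullSponsor on the limited group.
LIMITED_EXCL = SponsorGroup("Limited", [DOMAIN_USERS], "own", not_member_of=[FULL_SPONSORS])

# Workaround 2 (accepted answer): a dedicated group instead of Domain Users.
LIMITED_DEDICATED = SponsorGroup("Limited", [DOMAIN_SPONSORS], "own")

# Constructed users.
ELEVATED = {DOMAIN_USERS, FULL_SPONSORS}
REGULAR = {DOMAIN_USERS}
REGULAR_DEDICATED = {DOMAIN_USERS, DOMAIN_SPONSORS}

if __name__ == "__main__":
    for label, lim in [("original", LIMITED),
                       ("exclusion", LIMITED_EXCL),
                       ("dedicated group", LIMITED_DEDICATED)]:
        print(f"{label:16} elevated -> (expected, reported) = {scenario(lim, FULL, ELEVATED)}")
    print(f"dedicated group, user only in Domain Users -> {scenario(LIMITED_DEDICATED, FULL, REGULAR)}")
```

The last line of output shows the cost of the accepted workaround noted later in the thread: once the limited group no longer maps to Domain Users, a user who is not added to the dedicated group is no sponsor at all, so that group has to be kept in step with Domain Users.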

You got it. Avoiding using Domain Users for regular sponsors creates a whole new admin problem, in order to maintain a group that's 99.99% identical to Domain Users.

One workaround may be to use RBAC to allow elevated sponsors to use the admin portal to manage accounts. I will try it out today.