02-10-2020 10:35 AM
Hi Team,
We are experiencing some problems in our ISE deployment, basically about the sponsor mail.
We configured "Person being visited" for guests, so it's mandatory to add the mail of the sponsor visited.
The issue is that ISE permits sending mail to anyone (whether in AD or not). Is this normal behavior? AFAIK ISE checks inside AD whether the email address exists; if it does not exist, the mail isn't sent.
How can we force (restrict) that only people inside the sponsor group (AD mapped group) can receive mail?
So, e.g., the company domain is example1.com, and inside the AD group there is a sponsor with mail account user1@example1.com; if I fill in the guest portal with the person-being-visited email user2@example2.com, the mail is sent (example2.com is outside our company).
Thank you in advance,
02-10-2020 11:34 AM
02-10-2020 11:43 AM
Hi Parag,
It isn't checked in AD?
Thank you,
02-10-2020 02:51 PM
No, ISE does not check the email account specified as the person being visited against AD.
You might have a look at the following post for additional options on limiting the email addresses available:
ISE Guest Self-Registration person being visited (sponsor) choose list or assign
Cheers,
Greg
02-11-2020 07:13 AM
That's OK, I will apply one of your recommendations,
Thank you!
02-19-2020 01:42 AM
Hi Greg,
I want to add one last question to this topic.
Actually we solved the domain issue, so only mails to company users will be sent.
But how can we limit who inside the company can receive mails?
Regarding this post, it looks like ISE is checking against AD:
Also this bug:
https://quickview.cloudapps.cisco.com/quickview/bug/CSCve76134
Definitely:
"If the email address for the sponsor is not for a valid sponsor, the approval email is not sent."
(How can ISE validate whether it isn't a valid sponsor if it doesn't check against AD?)
So, what do you think?
Thank you,
02-19-2020 12:25 PM
As per Jason Kunst's post, "NO there is no lookup of the person being visited less using single click"
* I expect this is meant to be "unless using single click"
I'm familiar with the enhancement bug you referenced and I'm not aware that this enhancement has been implemented in any current versions of ISE. From prior customer engagements, I have not seen that ISE does a lookup against AD so we have used the 'choose list' option that I referenced in my previous response as a workaround.
@Jason Kunst, can you confirm the current capabilities around AD/LDAP lookups of 'person being visited' for self-registered Guests?