Solved: Sponsor Portal question

darnorri · ‎03-27-2018

Guy's,

got a question from a customer on the sponsor portal. This customer site has 3 different contractors that work at the site, my customer maintains the network and ISE at this site. What they are wondering is if they can have a sponsor with each customer proactively put in the mac-addresses for their particular devices through the sponsor portal and then have those mac-addresses based on the sponsor for that contractor added to a profile that then would have an authen/author policy within ISE.

I hope this makes sense, please let me know what you think.

Thanks

paul · ‎03-27-2018

Are you looking to avoid the guests having to come to the guest portal and enter credentials? Obviously the sponsor can create accounts for their guests. The guest would have to log in with those credentials to get the MAC address associated with their guest ID. You can then control how often the guests have to see the guest portal via your purge policy.

If you want to put in MAC addresses and have the guest avoid the guest portal all together you could do it a couple ways:

Setup MyDevices portal that the sponsors can log into. Each MyDevice portal can map to a different endpoint identity group. Then you can use those endpoint identity groups in your guest wireless rules to allow access without going through the portal.
Create custom admin roles in ISE to allow sponsors to log into the ISE Admin GUI but only manipulate their relevant endpoint identity group.

View solution in original post

paul · ‎03-27-2018

Are you looking to avoid the guests having to come to the guest portal and enter credentials? Obviously the sponsor can create accounts for their guests. The guest would have to log in with those credentials to get the MAC address associated with their guest ID. You can then control how often the guests have to see the guest portal via your purge policy.

If you want to put in MAC addresses and have the guest avoid the guest portal all together you could do it a couple ways:

Setup MyDevices portal that the sponsors can log into. Each MyDevice portal can map to a different endpoint identity group. Then you can use those endpoint identity groups in your guest wireless rules to allow access without going through the portal.
Create custom admin roles in ISE to allow sponsors to log into the ISE Admin GUI but only manipulate their relevant endpoint identity group.

Jason Kunst · ‎03-27-2018

Correct, or even use the API to have the controller make their own portal

darnorri · ‎03-27-2018

Thanks Paul, so this would work with wired/wireless I would guess as well.

Thanks So Much!!!

Darren

Darren Norris

SYSTEMS ENGINEER.SALES

darnorri@cisco.com<mailto:darnorri@cisco.com>

Phone: +1 865 671 5602

Mobile: +1 423 802 8487

CCIE – 4883

Jabber Guest Call Me<https://reachme.cisco.com/call/88952293@cisco.com?name=Darren%20Norris>

Browser-based video chat. Cisco ACE users, get your Jabber Guest link here<https://ace.cisco.com/atbx/#signature>.

Cisco Systems, Inc.

10850 Murdock Drive

37932-3232

Knoxville

United States

Cisco.com<http://www.cisco.com/>

Think before you print.

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

For corporate legal information go to:

http://www.cisco.com/web/about/doing_business/legal/cri/index.html

Jason Kunst · ‎03-27-2018

Yes it would work for both

paul · ‎03-27-2018

Yes. Any of the guest solutions will utilize endpoint identity groups that either indicate a guest has gone through the portal process or indicate MAC addresses that are allowed to bypass the guest portal. You can use the techniques I outlined or the API as Jason referenced to populate the endpoint identity groups that allow MAC addresses to bypass the guest portal.