cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
984
Views
0
Helpful
1
Replies

Sponsor Portal - Sponsor access POC

Northy
Level 1
Level 1

Hi all, 

 

I have a bit query to understand if my PoC is possible. 

 

We are in the middle of deploying AnyConnect, i have managed to successfully create a User under the sponsor portal and login to the VPN after getting over some initial understanding logic issues.

 

However, I'm thinking that i am not going to easily be able to achieve what i need from the sponsor portal.

 

Our use case is this, We have contractors who are allowed access to the business via VPN to specific resources. The contractors have to speak with there internal sponsor when they need access so that they can have their account enabled. They will contact us (Networking team) who in turn enable the account for a set period, usually a couple of days. 

 

I was hoping that with the sponsor portal, i would be able to allow the sponsor to have a self-service style system where they could reenable the account as desired and it would be disabled after the duration that was set has passed. But the sponsor should only have access to the accounts that were created for that Sponsor and Network admins could access all user accounts.

 

Something like below

 

 

Admin

|

|

|-----Sponsor1

|               |----- Contractor1

|

|-----Sponsor2

|               |----- Contractor2

 

 

I have not been able to make this work so far with my current setup. Which looks similar to below

 

Admin (Sponsor group - SG_NetAdmin)

|

|

|-----Sponsor1 (Sponsor group - SG_Contractor1)

|               |----- Contractor1 (Guest Type - GT_Contractor1)

|

|-----Sponsor1 (Sponsor group - Contractor2)

|               |----- Contractor1 (Guest Type - GT_Contractor2)

 

 

SG_Contractor1 has the configuration of;

Can create accounts only in GT_Contractor1

Sponsor can manage "Accounts created by members of this sponsor group"

Members are network admins AD group and sponsor1 AD group

 

SG_Contractor2 has the configuration of;

Can create accounts only in GT_Contractor2

Sponsor can manage "Accounts created by members of this sponsor group"

Members are network admins AD group and sponsor2 AD group

 

 

However when I as a network admin create an account it is visible to Sponsor1 and Sponsor2, we need it so that only each sponsor can see and manage their own sponsor groups but network admins can create and add to any. I'm sure it is because the network admins AD group is present in both sponsor groups and because of the sponsor can manage setting in each.

 

We also need to restrict creating users but that is a different issue, which I've seen could be remedied by some javascript.

 

Sorry for the long post just wanted to ensure I painted a proper picture of what I'm looking to achieve.

 

ISE version 2.4 patch 5

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee
It seems as you understand your issue.

I see proper separation. Taking place. Network admin can’t choose which group for the account to show as there is no mechanism to do that.

You’d need to change your process flow or ask for enhancement to allow a higher level user ability to create in a specific group

View solution in original post

1 Reply 1

Jason Kunst
Cisco Employee
Cisco Employee
It seems as you understand your issue.

I see proper separation. Taking place. Network admin can’t choose which group for the account to show as there is no mechanism to do that.

You’d need to change your process flow or ask for enhancement to allow a higher level user ability to create in a specific group