Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1654
Views
5
Helpful
3
Replies

Write Guest Portal Information into an Endpoint Identity Group

Go to solution
christian.faessler
Level 1
Level 1

‎08-24-2021 06:15 AM

Hi folks,

 

In the portal builder for the 'Self-Registered Guest Portal' under BYOD Settings is an option to 'allow employees to use personal devices on the network' and just below that, an Endpoint Identity Group can be chosen (see attached pic). Can someone explain, what this setting is used for?

 

Is it possible to write the 'guest user information' from the selfregistration portal into an Endpoint Identity Group?

 

Thans for any feedback.

 

Christian

Preview file
11 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎08-24-2021 06:54 AM

FYSA there are some really good resources here: Cisco ISE & NAC Resources - Cisco Community

 

Is it possible to write the 'guest user information' from the selfregistration portal into an Endpoint Identity Group?

-Yes, those settings are defining how the registered endpoint will get added in an ISE identity group, and the purge rule declares when ISE will automagically purge registered endpoints from the group.  For example, you could setup purging to ensure that certain BYOD devices are only allowed on the network in a given window (5 days, etc.).  The identity group you decide to use can then be referenced in authz policies so that you can steer these types of devices into the respective network and add restrictions etc.  HTH!

View solution in original post

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to christian.faessler

‎08-26-2021 03:29 PM - edited ‎08-26-2021 03:30 PM

Guest endpoints are deleted as part of the default Endpoint Purge Policy found at Administration > Identity Management > Settings Endpoint Purge.

Screen Shot 2021-08-27 at 8.26.37 am.png

You can modify the policy to purge the endpoints after 365 days.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎08-24-2021 06:54 AM

FYSA there are some really good resources here: Cisco ISE & NAC Resources - Cisco Community

 

Is it possible to write the 'guest user information' from the selfregistration portal into an Endpoint Identity Group?

-Yes, those settings are defining how the registered endpoint will get added in an ISE identity group, and the purge rule declares when ISE will automagically purge registered endpoints from the group.  For example, you could setup purging to ensure that certain BYOD devices are only allowed on the network in a given window (5 days, etc.).  The identity group you decide to use can then be referenced in authz policies so that you can steer these types of devices into the respective network and add restrictions etc.  HTH!

Go to solution
christian.faessler
Level 1
Level 1
In response to Mike.Cifelli

‎08-26-2021 02:01 AM

Hi Mike

 

Thanks for your reply. After thorough testing and with your input I finally understand how the mechanism works.

 

One question keeps me busy. I would like to keep the MAC address of the registered devices for a longer period than the guest user account is valid.

 

Background: We want the clients to be registered for one year but the user account should only be valid for 1 week because no one will remember the password for a year. Do you have a solution for this situation?

 

Cheers, Christian

 

 

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to christian.faessler

‎08-26-2021 03:29 PM - edited ‎08-26-2021 03:30 PM

Guest endpoints are deleted as part of the default Endpoint Purge Policy found at Administration > Identity Management > Settings Endpoint Purge.

Screen Shot 2021-08-27 at 8.26.37 am.png

You can modify the policy to purge the endpoints after 365 days.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents