cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8972
Views
20
Helpful
3
Comments
Jason Kunst
Cisco Employee
Cisco Employee

ISE 2.7 Guest Access Management Features

 

The following document explains the guest features of ISE 2.7. For more detail of what ISE 2.7 has to offer please check the associated documentation.

 

Auto Login on Sponsor Approval 

 

What are we solving?

When a guest enters self-registration that requires approval they should be presented with a page that indicates the status of their approval and allow easy login.

How do we solve it?

Now after going through self—registration the user is presented with a status page awaiting approval. Once denied or approved the user will receive a status update. If approved they will be logged in automatically and notified via email or SMS of their credentials.

 

What settings are needed?

Workcenters > Guest Access > Portals & Components > Guest portal settings

 

sponsor-autologin.png

New flow diagram preview seen on the portal preview page has the Auto-Login option.

sponsor-autologin2.png

How does the feature look?

sponsor-autologin5.png

Phone number as User ID with number validation 

What are we solving?

End Users wish to use their phone number as their identity/user ID.  Additionally organization may need a way to audit any end user on their network which means they need a way to uniquely identify end users. This allows them to tie the user with the unique phone number of their phone.

How do we solve it?

Allowing end users to register with their phone numbers as their username and provide flow ability to manage/validate the number. ISE will do E.164 validation and give user a country code pulldown. This is available to the guest during self-registration and also the sponsor when creating known accounts.

What happens if the numbers already exists when creating another account?

  • The expired guest accounts will be allowed re-register through self registration portal
  • Active accounts will be notified to recover their password if needed

What settings are needed?

Workcenters > Guest Access > Portals & Components >Sponsor portal

 

phone-userid-sponsorportal.png

Workcenters > Guest Access > Portals & Components > Guest portal settings

phone-userid-guestportal.png

How does the feature look?

Sponsor portal 

phone-userid2.png

 Guest portal

phone-userid2.png

 

Guest - Password recovery 

What are we solving?

End users have no way to retrieve forgotten passwords.

How do we solve it?

Add a “Forgot my password” link where end users can enter an email ID or phone number for an account that is still active and retrieve a new password.  Then use this password to gain guest access as before.

What settings are needed?

Workcenters > Guest Access > Portals & Components > Guest Portal settings > Login Page Settings > Allow password reset

ise27-passwordreset2.pngise27-passwordreset3.png

How does the feature look?

ise27-passwordreset.png

Sponsor Approval Grace Access

What are we solving?

While awaiting sponsor approval the user is unable to access the internet

How do we solve it?

Add a flow that allows the user internet access until the sponsor approves/denies access or the system times out

  1. Users registers for account, sponsor notified
  2. Guest has temporary internet until expires or sponsor approves account.
  3. Once approved guest has immediate guest access.
  4. Credentials sent via email or SMS to the guest

What settings are needed?

Work Centers > Guest Access > Portal & Components > Portal Settings > Registration Form Settings

 

ise27sponsorapprovalgradeaccess.png

 

How does the feature look?

 

ise27sponsorapprovalgradeaccess2.png

ise27sponsorapprovalgradeaccess3.png

ise27sponsorapprovalgradeaccess4.png

Comments

Hello Jason,

using the Phone number as username (self-registered by enduser), running ISE 2.7 patch 6

Context of issue :

when guest account (using phone number) is created for let's say 5 days, it will expire at the same hour of creation (eg 17h32) => on the 5th day after creation at 17h32, guest account will be set to expired.

We have set a guest account purge running each day at night (eg 23:59)

 

1. when guest account is set to expired at 17h32, and still not purged by ISE at 23h59 : we are not allowed to re-register using the same phone number (says "user already exists") : it looks like it is not working as you explain (" What happens if the numbers already exists when creating another account? The expired guest accounts will be allowed re-register through self registration portal ")

User is stuck with existing user, but cannot create/re-enable same phone number

Note : Customer has no "sponsor portal" person to extend user account (hospital)

 

2. Another issue : when account is still active, using the reset password/forgot password link : when using phone number 004176XXXXXXX (Switzerland phone number) to receive the new password : says : "email or phone number is invalid", even if user account exists with this username and phone number.

 

Thanks for your feedbacks if any ...

 

KevinR99
Level 1
Level 1

Hi

Does this feature need an additional ISE policy or WLC config to permit the timed access during the grace period?  I've tried to use this and when I initially connect I do indeed get internet access and a pending approval page.  When, as a test, I get the sponsor to deny the request via the email link I find my user still has internet access.  Additionally when I test this and wait until the grace period timer expires I expect my internet access to stop.  It doesn't.  My pings to the internet continue and my internet access is still working.

Thanks, Kev.

KevinR99
Level 1
Level 1

I tested this again and it actually works perfectly.  I don't know what happened with the initial grace period test where it expired but this time on two different clients when it expires internet access stops as expected.  Also, when I get the sponsor to click deny it also stops internet access but I didn't wait long enough last time.  The grace period still applies and you have internet access until it expires even though your browser is updated to say access denied.  I see in the ISE logs that the client is again redirected to the portal.  So whatever grace period you give always applies even when the sponsor denies the session.

Kev.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: