In case of Guest Wireless Internet Access involving Self-Registration with Sponsor Approval workflow, currently a Sponsor can VIEW and APPROVE ALL self-registered guest requests.
Currently in the default sponsor portal, a sponsor will be able to see & approve all guest registrations whether the guest has come to visitor that particular sponsor or not. There was no configuration to LIMIT a sponsor to view only the guests who has come to meet that particular sponsor.
ISE 2.1 For SAML and ISE built-in users you can filter off the person being visited
Approve and view requests from self-registering guests—Sponsors who are included in this Sponsor Group can either view all pending account requests from self-registering guests (that require approval), or only the requests where the user entered the Sponsor's email address as the person being visited. This feature requires that the portal used by the Self-registering guest has Require self-registered guests to be approved checked, and the Sponsor's email is listed as the person to contact.
Any pending accounts—A sponsor belonging to this group an approve and review accounts that were created by any sponsor.
Only pending accounts assigned to this sponsor—A sponsor belonging to this group can only view and approve accounts that they created.
There is no direct workaround. A special workaround can be creating your own Sponsor portal using ISE REST APIs
PLEASE NOTE THAT THE PORTAL CUSTOMIZATION AND CUSTOM PORTALS USING REST APIs ARE NOT SUPPORTED BY TAC. THE REST API ITSELF WILL BE SUPPORTED BY TAC.
There is a Rest API call which will enable a sponsor to see all the guest requests. The same API call allows filters to be crafted on certain fixed parameters provided by the guest during his registration request. This article describes the workaround using this API call. In this article I am giving the minimum necessary steps and REST calls in this article and not the code to create the portal itself. The idea is that the System Integrator can build the sponsor portal himself as needed using the language of his choice. In the backend that will make the REST calls to ISE.
Step 1: Navigate to ISE -> Guest Access -> Settings -> Custom Fields to create the new custom field “CompanyName”
Step 2: Navigate to ISE -> Guest Access -> Configure -> Guest Portals -> Select the Portal Name -> In the Portal Behavior and Flow Settings Tab -> Click on Self-Registration Page Settings select the newly added Custom Field
Step 3: Navigate to ISE -> Guest Access -> Configure -> Guest Portals -> Select the Portal Name -> In the Portal Page Customization Tab -> Click on Self-Registration to add some cosmetic details
Below screenshots show the building of a filter to see only the guests coming to meet particular sponsor. Note in the screenshot that we are passing the email id of the sponsor in the COMPANY field as explained earlier.
Hello, I have a customer who wants to make the CDA work in their environment. CDA Version:<hostname>/admin# sh ver
Cisco Application Deployment Engine OS Release:
ADE-OS Build Version:
ADE-OS System Architecture: i386
Copyright (c) 2005-...
Hello, I have questions regarding Admin Access, if the Admin user that i created is based on External AD.and If i tick the read only or apply an rbac-read only policy.It is not affecting the admin account. Once i Login, i can still write on ISE. ...
Dear community,I have implemented two nat types and am able to achieve the same result. The nat types are static and port forward nat as below: natsnat (inside,outside) source static R1 ASA102nat (inside,outside) source static static R1 ASA102 ...
Hi, We are deploying ISE 2.6 with patch 2. We deployed one site to work with Anyconnect 4.5 and Anyconnect 4.7, it worked fine with EAP-FAST, AD and Posture (only Anyconnect 4.7). End customer needs time to upgrade Anyconnect 4.5 to 4.7, that is the ...