
ISE Sponsor & My Devices Authorization on Secondary Attributes (LDAP)


ISE 1.2 supported authorizing users to the Sponsor and My Devices portals based on Identity Group membership and other attributes accessible in identity stores. ISE 1.3 introduced numerous enhancements, including simplified sponsor and user authorization. However, the new logic limits authorization to group membership. This guide shows two workarounds for using group membership and, optionally, secondary attributes for portal authorization in ISE 1.3-2.1: creating a RADIUS loopback function, or creating a special LDAP identity store that maps attributes of your choice to group membership objects.

ISE 2.2 brings back Sponsor Portal attributes but doesn't address My Devices. This document can also be used for My Devices authorization in any ISE release >1.3.

Comments
VIP Advocate

Are there plans to simplify this in future releases to work like the old ISE releases?

I just read your document (thanks for making it so detailed) and the process looks intricate and potentially requires a lot of explaining to the unsuspecting ISE user. Also, if you have more than one ISE, how does the configuration look, also considering there may be some F5 LTMs doing load balancing?

Advocate

This same question was answered earlier today here:

Access to sponsor portal only for certain AD groups

Each ISE deployment should have its own set of VIPs. Should not share between ISE deployments. For additional questions, please post to general community as it will get better visibility there.

Regards, Craig