cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10610
Views
3
Helpful
3
Comments
Craig Hyps
Level 10
Level 10

ISE 1.2 supported the authorization of users to Sponsor and MyDevices portals based on Identity Group membership and other attributes accessible in identity stores. ISE 1.3 introduced numerous enhancements including the simplification of sponsor and user authorization.  However, the new logic limits authorization to group membership.  This guide shows two different workarounds for leveraging group membership AND optionally secondary attributes for portal authorization in ISE 1.3-2.1 through the creation of either a RADIUS loopback function or through the creation of a special LDAP identity store which maps attributes of your choice to group membership objects.

 

ISE 2.2 brings back Sponsor Portal attributes but doesn't address My Devices. This document would also be used for My Devices Authorization for any ISE release >1.3. 

Comments
Arne Bier
VIP
VIP

Are there plans to simplify this in future releases to work like the old ISE releases?

I just read your document (thanks for making it so detailed) and the process looks intricate and potentially requires a lot of explaining to the unsuspecting ISE user.   Also, if you have more than one ISE, how does the configuration look, also considering there may be some F5 LTM's doing load balancing?

Craig Hyps
Level 10
Level 10

This same question was answered earlier today here:

Access to sponsor portal only for certain AD groups

Each ISE deployment should have its own set of VIPs.  Should not share between ISE deployments.  For additional questions, please post to general community as it will get better visibility there.

Regards, Craig

LukaszC
Level 1
Level 1

Hi, Does it work with My Devices in ISE 2.4 ? Cannot match provided solution to 2.4 version.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: