Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
547
Views
0
Helpful
3
Replies

ISE Wired Central Web Authentication - sponsor choose the access level of the guest

Go to solution
adriano.pub91
Level 1
Level 1

‎05-16-2018 08:47 AM

Hello to all,

Somebody put a question...and somehow ( i do not know how precisely) we've got  involved in finding a solution and trying to answer to this question : there is a way to give to the sponsor the "ability"  to decide the access level of the guest users ?

Situation: the "guest" users which connect to the wired/wireless infrastructure are redirected to a captive portal . Here, they insert some minimial information (name, email etc) . The approval is made by the sponsor which via email or sponsor portal, approve or decline the request. After that, the guest get internet access and minimal access to the internal resources.

Problem: we have different types of guests people: some need only internet access, others internet + minimal internal resources and the last type of guest need almost full access to the internal resources (based on location). And unfortunately, only one "enter point" which is the switch port (in case of the wired infrastructure).

Question: is it possible to "raise" somehow the sponsor capabilities in order to  be able not only to accept or decline the request, but also, on the same time , to decide and assign the level of access (let's say level 1 visitor, level 2 contractor, level 3  VIP) ?

Let's say that the only thing which is not a variable, is the fact that the responsibility for approving the access should be on the sponsor.  For the rest...any kind of compromise would be good :-)

In case of the wireless infrastructure we have thinking to work on "the enter point" which would be a different SSID for each type of guest. However, on the wired side (which is the one that we are interested to achieve ) we don't have this possibility.

We have thinking also on the wired side to have something like "a variable based portal" in which we would ask to the guest user during the enrollment to choose also the account type (visitor, contractor etc) and use that variable on the authorization policies. But even if we're able to do it, this is not exactly what we should achieved since would not be the sponsor who assigned the access level...

Thanks in advance for any idea on this matter.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎05-16-2018 09:12 AM

When a sponsor creates a guest they can choose a guest type. This guest type could be mapped to an authorization rule that would provide a differentiated type of access.

Since these guests are registering for themselves there is no way to change the guest type after the account is created.

You could have different levels of access perhaps by having one portal link to another portal?

  • If you click hotspot you get a base level of access

  • If you click self-registration another level, this portal might have an access code given by someone at the company

  • Sponsored gives you another level

https://communities.cisco.com/docs/DOC-64018#jive_content_id_Guest

Look at the linking one guest portal to another

Will think about some more

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎05-16-2018 09:12 AM

When a sponsor creates a guest they can choose a guest type. This guest type could be mapped to an authorization rule that would provide a differentiated type of access.

Since these guests are registering for themselves there is no way to change the guest type after the account is created.

You could have different levels of access perhaps by having one portal link to another portal?

  • If you click hotspot you get a base level of access

  • If you click self-registration another level, this portal might have an access code given by someone at the company

  • Sponsored gives you another level

https://communities.cisco.com/docs/DOC-64018#jive_content_id_Guest

Look at the linking one guest portal to another

Will think about some more

0 Helpful

Go to solution
adriano.pub91
Level 1
Level 1
In response to Jason Kunst

‎05-16-2018 09:21 AM

Hello Jason,

i have modified the initial question content in order to give more info,  indeed we are looking on the portal for finding the solution...

I understand your point about "not self enrollment" and you right, this would work well in case is the sponsor who creates the accounts. We need to understand if the customer would be open to this compromise...

Also thank you for looking further on this

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to adriano.pub91

‎05-16-2018 09:51 AM

As stated you can setup different portals with different guest types mapped to the self-registration process (if you wanted to restrict them you can use a passcode as part of the registration page)

I also saw an option to change the guest type in the sponsor portal. This could also be used.

Please send me a PM and we can work together as well offline to discuss

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents