Self-Sponsored guest - varied access time

VVVENKAT
Cisco Employee

Hi All,

One of my customers is deploying self-sponsored guests. They would like to have 1 hr as the access time for the guest users. However, for certain employees they would like the access time to be a little longer, like 4 hrs.

Any thoughts on how to achieve this in a single self-sponsored page? If we provide varied time options in the portal then it would be visible to all the users.

Many Thanks

V.Venkata Manikandan

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Not really something easily done, but maybe possible.

Guest accounts can be restricted to a certain amount of time when you set up their access. This is done using the self-registration portal settings and guest type. However, this doesn’t keep them from creating more accounts unless you lock them down with other methods.

Examples here:

https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224


https://community.cisco.com/message/215678

Since employees already have accounts they will automatically be granted access to the CWA portal. You could however restrict them by requiring them to create accounts for themselves, but it is hard to differentiate on endpoint group. This is difficult regardless, as you will likely put them in certain endpoint groups. Are these machines corporate machines? If they are, it’s trouble, as you won’t be able to switch their access around, and it is likely best to use dot1x regardless.

If they are personal devices and only allowed guest access, then you might be able to work it somehow with a combination of portals.

Set up hotspotportalRESTRICTED with a special endpoint group. You would use the above examples of how to restrict access for a certain amount of time in combination with this.

For full access employees:
Set up a special EndpointGroup, assign it to a special guest type, and on the portal settings where employees inherit options from, use that guest type.

Example authorization rules

Keep in mind the logic is top down and may need to be tweaked.

If guest flow and endpointFULLACCESS then permit access

If endpointgroupRESTRICT and AUP is less than 4 then permit access
If endpointgroupRESTRICT and AUP is less than 12 then block access
>> tweak to your liking

If guest flow and adgroupRESTRICT then redirect them to hotspotportalX >> This is where the employees' endpoints are moved to another group

If guest endpoint group and AUP < 1 hr then permit access
If guest endpoint group and AUP < 12 hrs then redirect to html page blocked access
>> This will only allow them to register once a day on that endpoint

If mab then redirect to guest portal
>> Everyone logs in here. Guests will register themselves and be put into the guest endpoint group

This flow should work, but please understand how it all flows, test it out and treat her the way you want.
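
The top-down rule list above, modelled as a first-match evaluator. This is an added example, not part of the original post and not ISE configuration; the field names, group labels and the default-deny fallback are assumptions. It shows which result an endpoint gets as the time since AUP acceptance grows, and how swapping the two RESTRICT rules changes the outcome.

```python
# Added illustration: first-match ("top down") evaluation of the rule list
# sketched in the post. Field names, group labels and the default-deny
# fallback are assumptions for this model, not ISE attribute names.

def group(name):
    return lambda s: s.get("endpoint_group") == name

def aup_under(hours):
    # True when the AUP was accepted fewer than `hours` hours ago
    return lambda s: s.get("aup_hours") is not None and s["aup_hours"] < hours

def guest_flow(s):
    return bool(s.get("guest_flow"))

RULES = [
    ("full-access", [guest_flow, group("FULLACCESS")], "permit"),
    ("restrict<4h", [group("RESTRICT"), aup_under(4)], "permit"),
    ("restrict<12h", [group("RESTRICT"), aup_under(12)], "block"),
    ("ad-restrict", [guest_flow, lambda s: s.get("ad_group") == "RESTRICT"],
     "redirect:hotspotportalX"),
    ("guest<1h", [group("GUEST"), aup_under(1)], "permit"),
    ("guest<12h", [group("GUEST"), aup_under(12)], "redirect:blocked-page"),
    ("mab", [lambda s: bool(s.get("mab"))], "redirect:guest-portal"),
]

def evaluate(session, rules=RULES):
    """Return (rule name, result) for the first rule whose conditions all hold."""
    for name, conditions, result in rules:
        if all(cond(session) for cond in conditions):
            return name, result
    return "default", "deny"

def timeline(endpoint_group, hours, rules=RULES):
    """Result for one endpoint at several ages (hours since AUP acceptance)."""
    return [evaluate({"mab": True, "endpoint_group": endpoint_group,
                      "aup_hours": h}, rules)[1] for h in hours]

if __name__ == "__main__":
    # Constructed sessions, not captured data
    print("guest   :", timeline("GUEST", [0.5, 3, 13]))
    print("restrict:", timeline("RESTRICT", [2, 6, 13]))
    swapped = [RULES[0], RULES[2], RULES[1]] + RULES[3:]
    print("swapped :", timeline("RESTRICT", [2, 6, 13], swapped))
```

In this model an endpoint older than 12 hours matches neither time-boxed rule and falls through to the rules below it, which is the behaviour to check when tweaking the thresholds.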

4 Replies

ramkchel
Cisco Employee

In a single self-registered guest portal we cannot assign multiple access times.

The portal registration form settings allow only one guest type to be selected from the dropdown.

I am not sure what you mean by "varied time option" in portals.

Could you please provide more details, since you have mentioned guest users and employees? Are the employees trying to log in to the self-registered guest portal?

Thanks for the quick response. I meant multiple access time by varied times.

Many Thanks

V.Venkata Manikandan

The only way to assign access time is by creating Guest Types.

There is an option in the self-registered guest portal where guests and employees can be mapped to different guest types.

For Guest:

For self-registered guest users, access time is provided based on the guest type to which they are assigned.

So, to provide access to guests for 1 hour, a guest type can be created and assigned an Account Expiry duration of 1 hour, and the guest type can be mapped to the Self-Registered guest portal "Registration form settings".

For Employees:

In Self-registered Guest Portal > Portal Settings, we can map Guest Types to "Employees using this portal as guests inherit login options from".

But the only attribute inherited from the assigned Guest Type is "Endpoint identity Group".

For employees, we cannot restrict their access time in the network even though they log in as guests.

"Employees using this portal as guests inherit login options from—Choose the Guest Type that employees are assigned when they log on to this portal. The employee's endpoint data is stored in the endpoint identity group configured in that guest type for the attribute Store device information in endpoint identity group. No other attributes from the associated guest type are inherited."

https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011100.html#reference_D12B1BBE9C7645488A95FE149DBE10E0
