I would be curious what you envision the flow to be here as single click approval is part of a self-registration guest flow and you are talking VPN.  In theory you could:

1) Make a self-registering guest portal accessible via the Internet to one or more of your PSNs.  The URL could look something like https://vendor-register.mycompany.com:8443/<portal ID>.

2) You could probably do portal manipulation to hide the username and password section of the portal. 

3) Change the test for "Don't have an account?" to "Click here to register for vendor VPN account.".

4) Once they go through the self-registration process the sponsor would get the single click link and be able to approve/deny the access.

5) Once approved the vendor would get an email back with their credentials.  You could also add in the VPN group URL to the tunnel group the vendor should connect to, something like https://vpn.mycompany.com/onetimevendor.

6) Then you could setup a policy set specifically for the One Time Vendor VPN that keys on that tunnel group name and looks at the Guest Users for the identity source.

7) The authorization rule would only allow that Guest Type to login.

That all should work, but the interesting thing to test would be the one time use concept.  I would try setting the guest type to only allow 1 login and set the account to expire 1 minute after first login.  I am not sure if VPN authentication vs. guest portal use will properly track the first login concept.

Interesting use case.

Thanks, Jason.  With this scenario, can we configure ISE to apply a maximum access time limit to the user account that was granted access that will be enforced on the ASA?  Such as if user "A" is granted access, they only have network access for two hours, and then ISE can send a request to the ASA to terminate the connection?  Obviously we can do this on the guest wireless side where a WLC will drop the connection, but curious if the same thing could be used with the ASA to terminate the VPN tunnel.

I know it will work with subsequent logins after the maximum access time limit expires and they won't be able to log in again, but the customer is more concerned with the tunnel being able to stay up for a longer period of time than the guest user is granted access for and not have anything force the disconnect.  On the ASA we can configure a per-group max session timeout value as a safety net, but the customer will need to change the maximum session limit depending on the individual guest user request and therefore this wouldn't be optimal for them.

You can easily map to different group policies on the ASA based on Guest Types in ISE.  Do setup group policies with max connect times based on Vendor types (2 hour, 8 hour, 24 hour etc.) and then apply those group policies based on what Guest Type the approve puts them in.

Remember with single click you don't get to assign a guest type.  The single click process will assign them to the guest type for that portal, i.e. let's say 2 hours.  If the sponsor wants to change the guest type they need to log into the sponsor portal and change the guest type.  Might be just easier to have them just do a sponsored process instead of single click.

You could also try setting the session timeout (reauthentication) value on the result.  I haven't tested to see if the ASA respects that setting or not.

Awesome, great info...thanks Paul!