
In this session, we're doing the second part of creating ISE guest accounts as a
sponsor. Here, we'll be creating a new sponsor group and a new sponsor portal for
sponsors to be able to manage guest accounts with.
We'll start with our Work Centers menu, Guest Access, and Portals and Components.
Select Sponsor Groups, and we can see that there are three sponsor groups already
created with a brief description about what they're capable of managing. We'll
select the ALL_ACCOUNTS sponsor group and duplicate it.
And then we see a copy of the ALL_ACCOUNTS group, and we'll edit that. We'll rename
the group to add more meaning within our lab and a brief description of what that
sponsor group can do and the members that are currently allowed to be members of
this sponsor group. We can add additional members. And we could see the list of our
demo.local domain groups, and we'll select employees that we also want to be able
to have be members of this new sponsor group.
We can provide some further filtering in terms of what the sponsor group can
manage. These are all the guest types. We can add locations that the sponsor group
can manage. We can check the box for automatically emailing guests, and sponsors
can notify guests as they're creating guest accounts.
We'll disallow the ability to generate multiple accounts assigned to specific
guests, but we will do a random generation. And in this case, we'll support that
random generation by creating a prefix. In this case, as random accounts were
created, they'll all have this prefix, and we'll leave a little bit of a trail for
auditing purposes of future needs. And then we can allow that sponsor to create--
allow them to modify that prefix or not. We'll deselect that, and we can limit the
number of batch accounts that they can create.
We can further tune what guest accounts they can manage. In this case, we'll leave
it as all guest accounts. But notice, we can tune this in other fashions. We'll
require the sponsor to provide a reason for suspending an account, and we'll leave
the rest of the values to the defaults for the sponsor group.
And get a confirmation of save.
We'll go over here to Sponsor Portals. We see that there's already an existing
default Sponsor Portal in place. We'll select that and duplicate it. Select it and
edit it.
And we'll modify some of the settings. You'll notice a couple of things that are
unique to the sponsor portal. One is that it runs on a different port, typically,
than the guest portals, which makes sense. Some of this will allow some isolation
for access. We can modify the identity cert that we want to apply here, and we'll
get a warning as we save this portal about the fact that we're modifying the ID
cert tied to that port.
We also have a different identity store sequence for authentication purposes. Let's
take a quick look at that. We can see our guest portal sequences including internal
users and guest users, where the sponsor portal sequence does not include guest
users, only internal users and Active Directory join points.
The other values, we'll leave the same. One other exception to this particular
portal is that we can tie it to an A record within our DNS and allow sponsors to be
able to reach it without having to provide a redirection policy for them to reach
this portal. We could also isolate sponsors to particular SSIDs, and those would
have to be added within the Settings page if we wanted to limit which SSIDs can be
utilized to access this portal. We can do that there.
And save our work. You can see it's a very simple flow, and we'll also demonstrate
single-click approval through email later on. And we get the notification that all
portals on the same 8445 port will now be utilizing a different ID certificate.
So get the confirmation. We'll do a little customization.
And we should see all these updates applied in our little demonstration applet down
here, and we'll save our work. As we get confirmation of the save, we've just now
created a new sponsor group, which includes our demo, employees, users from our
domain, and defined what privileges they are allowed to operate within the sponsor
portal. And we've just now created a new sponsor portal for those sponsors to
utilize, and we've set things up in such a way that redirection is not required to
reach the sponsor portal. They can enter an FQDN to directly reach it.
