Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
195
Views
2
Helpful
2
Replies

Cisco ISE: Sponsor decide duration by Approval

Go to solution
User42
Level 1
Level 1

‎04-21-2024 08:44 AM

Hi everyone

 

Is there a way that the Sponsor can decide for how long a guest accounts is active by approval?

 

1. Guest Register himself with the Guest Portal (also with an E-Mail Address from a Sponsor)

2. The Sponsor gets an E-Mail.

3. By Clicking on the link, the Sponsor can decide that this account is active for x days (Based on his ad Group)

(Example: Sponsor from AD Group A: Can approve accounts from 1-30 days, Sponsor from AD Group B: Approve Accounts from 1-5 days)

 

Thanks in advance!

 

 

2 Accepted Solutions

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎04-21-2024 02:54 PM

The Sponsor Approval workflow is not flexible enough to allow that. Every self-registered visitor will always be assigned to the same Endpoint Identity Group. That means you should consider which Endpoint Identity Group to use as the lowest common denominator for self-registration visitors (e.g. 5 days), and then leave the special cases to Sponsor created accounts (e.g. 30 days). Ultimately, duration of visit is determined by the existence of a MAC address in the Endpoint Identity Group, and the Endpoint Purge Rule will clear out addresses when the time is up.

View solution in original post

Go to solution
Aref Alsouqi
VIP
VIP

‎04-22-2024 02:04 AM

As @Arne Bier mentioned, there is no way to achieve what you are trying to do, approving the guest accesses via the approver received emails is just a link to allow or reject that approval request.

The guest duration along side other attributes such as how many simultaneous logins, maximum devices that can register etc are dictated by the guest type you associate to the portal, and that is a unique value to all the guest users that will register through that portal. By default there are three types, Daily, Weekly, and Contractor, you can create your own customer guest type if needed.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Arne Bier
VIP
VIP

‎04-21-2024 02:54 PM

The Sponsor Approval workflow is not flexible enough to allow that. Every self-registered visitor will always be assigned to the same Endpoint Identity Group. That means you should consider which Endpoint Identity Group to use as the lowest common denominator for self-registration visitors (e.g. 5 days), and then leave the special cases to Sponsor created accounts (e.g. 30 days). Ultimately, duration of visit is determined by the existence of a MAC address in the Endpoint Identity Group, and the Endpoint Purge Rule will clear out addresses when the time is up.

Go to solution
Aref Alsouqi
VIP
VIP

‎04-22-2024 02:04 AM

As @Arne Bier mentioned, there is no way to achieve what you are trying to do, approving the guest accesses via the approver received emails is just a link to allow or reject that approval request.

The guest duration along side other attributes such as how many simultaneous logins, maximum devices that can register etc are dictated by the guest type you associate to the portal, and that is a unique value to all the guest users that will register through that portal. By default there are three types, Daily, Weekly, and Contractor, you can create your own customer guest type if needed.

0 Helpful
Customers Also Viewed These Support Documents