Step 1
| Choose
|
Step 2
| Enter the Sponsor group name and Description.
|
Step 3
| Match Criteria—The settings in this section determine if a sponsor is a member of this group.
-
Member Groups—Click Members to select one or more user (identity) groups and groups from external identity sources, and add those groups. In order for a user to be a member of this sponsor group, they must belong to at least one of the configured groups.
-
Other conditions—Click Create New Condition to build one or more conditions that a sponsor must match to be included in this sponsor group. You can use authentication attributes from Active Directory, LDAP, SAML, and ODBC identity stores, but not RADIUS Token or RSA SecurID stores. You can also use internal user attributes. Conditions have an attribute, an operator, and a value.
-
To create a condition using the internal dictionary attribute Name, prefix the identity group name with User Identity Groups. For example:
InternalUser:Name EQUALS bsmith
This means that only internal users with the Name "bsmith" can belong to this sponsor group.
-
To create a condition using the ExternalGroups attribute of an Active Directory instance, select the AD “Primary Group” for the sponsor users you want to match. For example, AD1:LastName EQUALS Smith is true if the user’s name is Smith.
In addition to matching one or more of the configured member groups, a sponsor must also match all the conditions you create here. If an authenticating sponsor user meets the matching criteria for multiple sponsor groups, then that user is granted permissions as follows:
-
An individual permission, such as Delete guests' accounts, is granted if it is enabled in any of the matching groups.
-
The sponsor can create guests using the Guest Types in any of the matching groups.
-
The sponsor can create guests at the locations in any of the matching groups.
-
For a numeric value such as a batch size limit, the largest value from the matching groups is used.
You can create Matching Criteria that contain Member Groups only, or Other Conditions only. If you only specify Other Conditions, then membership of a sponsor in the sponsor group is determined solely by matching dictionary attributes.
|
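The matching and merge rules from Step 3, modeled as an added example (not Cisco ISE code) that can be used to review what a sponsor who matches several sponsor groups ends up with. The class and function names are hypothetical, only the EQUALS operator is modeled, the sample groups are constructed, and treating a group with no criteria as matching nobody is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class SponsorGroup:                      # hypothetical model of one sponsor group
    name: str
    member_groups: set = field(default_factory=set)  # identity groups: match any one
    conditions: list = field(default_factory=list)   # (attribute, value): match all
    permissions: set = field(default_factory=set)
    guest_types: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    batch_limit: int = 0

def matches(group, user_groups, attrs):
    """Member Groups: at least one must match. Other conditions: all must match."""
    if not group.member_groups and not group.conditions:
        return False  # assumption: a group with no criteria matches nobody
    # With no member groups configured, membership rests solely on the conditions.
    in_member_group = not group.member_groups or bool(group.member_groups & user_groups)
    meets_conditions = all(attrs.get(a) == v for a, v in group.conditions)
    return in_member_group and meets_conditions

def effective_access(groups, user_groups, attrs):
    """Merge every matching sponsor group: union of grants, largest numeric limit."""
    matched = [g for g in groups if matches(g, user_groups, attrs)]
    return {
        "matched": [g.name for g in matched],
        "permissions": set().union(*(g.permissions for g in matched)),
        "guest_types": set().union(*(g.guest_types for g in matched)),
        "locations": set().union(*(g.locations for g in matched)),
        "batch_limit": max((g.batch_limit for g in matched), default=0),
    }

# Constructed sample configuration (group names, locations and limits are made up).
GROUPS = [
    SponsorGroup("Lobby", {"Employees"}, [], {"Extend guests' accounts"},
                 {"Daily"}, {"San Jose"}, 10),
    SponsorGroup("Helpdesk", {"IT"}, [("AD1:LastName", "Smith")],
                 {"Delete guests' accounts", "View/print guests' passwords"},
                 {"Contractor"}, {"Boston"}, 200),
    SponsorGroup("ByName", set(), [("InternalUser:Name", "bsmith")],
                 {"Reset guest account passwords"}, {"Weekly"}, {"San Jose"}, 50),
]

if __name__ == "__main__":
    sponsor_attrs = {"AD1:LastName": "Smith", "InternalUser:Name": "bsmith"}
    print(effective_access(GROUPS, {"Employees", "IT"}, sponsor_attrs))
```

A sponsor who matches all three sample groups receives every permission enabled in any of them and the largest batch limit, which is the accumulation to look for when reviewing overlapping match criteria.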
Step 4
| To specify which guest types the sponsors in this sponsor group can create, click inside the box under This sponsor group can create accounts using these guest types, and select one or more guest types.
You can create more guest types to assign to this sponsor group by clicking the link under Create Guest Types at. After you create a new guest type, save, close, and reopen the sponsor group before you can select that new guest type.
|
Step 5
| Use Select the locations that guests will be visiting to specify the locations (used to set the guest time zones) that sponsors in this sponsor group can choose from when creating guest accounts.
You can add more locations to choose from by clicking the link under Configure guest locations at and adding guest locations. After you create a new guest location, save, close, and reopen the sponsor group before you can select that new guest location.
This does not restrict guests from logging in from other locations.
|
Step 6
| Under Automatic guest notification, check Automatically email guests upon account creation if email address is available if you want to save your sponsors the step of clicking Notify after creating a user. This causes a window to pop up saying that an email was sent. Checking this also adds a header to the sponsor portal that says Guest notifications are sent automatically.
|
Step 7
| Under Sponsor Can Create, configure options that sponsors in this group have for creating guest accounts.
-
Multiple guest accounts assigned to specific guests (Import)—Enable the sponsor to create multiple guest accounts by importing guest details such as first name and last name from a file.
If this option is enabled, the Import button displays on the Create Accounts page of the Sponsor portal. The Import option is only available on desktop browsers (not mobile), such as Internet Explorer, Firefox, Safari, and so forth.
-
Limit to batch of—If this sponsor group is allowed to create multiple accounts simultaneously, specify the number of guest accounts that can be created in a single import operation.
Although a sponsor can create a maximum of 10,000 accounts, we recommend that you limit the number of accounts you create, due to potential performance issues.
-
Multiple guest accounts to be assigned to any guests (Random)—Enable the sponsor to create multiple random guest accounts as placeholders for guests who are not known as yet, or to create many accounts quickly.
If this option is enabled, the Random button displays on the Create Accounts page of the Sponsor portal.
-
Default username prefix—Specify a username prefix that sponsors can use when creating multiple random guest accounts. If specified, this prefix appears in the Sponsor Portal when creating random guest accounts. In addition, if Allow sponsor to specify a username prefix is:
If you do not specify a username prefix or allow the sponsor to specify one, then the sponsor will not be able to assign username prefixes in the Sponsor portal.
-
Allow sponsor to specify a username prefix—If this sponsor group is allowed to create multiple accounts simultaneously, specify the number of guest accounts that can be created in a single import operation.
Although a sponsor can create a maximum of 10,000 accounts, we recommend that you limit the number of accounts you create, due to potential performance issues.
|
Step 8
| Under Sponsor Can Manage, you can restrict which guest accounts the members of this sponsor group can view and manage.
-
Only accounts sponsor has created—Sponsors in this group can view and manage only the guest accounts that they have created, which is based on the Sponsor’s email account.
-
Accounts created by members of this sponsor group—Sponsors in this group can view and manage the guest accounts created by any sponsor in this sponsor group.
-
All guest accounts—Sponsors view and manage all pending guest accounts.
|
Step 9
| Under Sponsor Can, you can provide more privileges related to guest passwords and accounts to the members of this sponsor group.
-
Update guests' contact information (email, Phone Number)—For guest accounts that they can manage, allow the sponsor to change a guest's contact information.
-
View/print guests' passwords—When this is checked the sponsor can print passwords for guests. The sponsor can see the passwords for guests on the Manage Accounts page and in the details for a guest. When this is not checked, the sponsor can't print the password, but the user can still get the password through email or SMS, if configured.
-
Send SMS notifications with guests’ credentials—For guest accounts that they can manage, allow the sponsor to send SMS (text) notifications to guests with their account details and login credentials.
-
Reset guest account passwords—For guest accounts that they can manage, allow the sponsor to reset passwords for guests to a random password generated by Cisco ISE.
-
Extend guests’ accounts—For guest accounts that they can manage, allow the sponsor to extend them beyond their expiration date. The sponsor is automatically copied on email notifications sent to guests regarding their account expiration.
-
Delete guests’ accounts—For guest accounts that they can manage, allow the sponsor to delete the accounts, and prevent guests from accessing your company's network.
-
Suspend guests’ accounts—For guest accounts that they can manage, allow the sponsor to suspend their accounts to prevent guests from logging in temporarily.
This action also issues a Change of Authorization (CoA) Terminate to remove the suspended guests from the network.
-
Approve and view requests from self-registering guests—Sponsors who are included in this Sponsor Group can either view all pending account requests from self-registering guests (that require approval), or only the requests where the user entered the Sponsor's email address as the person being visited. This feature requires that the portal used by the Self-registering guest has Require self-registered guests to be approved checked, and the Sponsor's email is listed as the person to contact.
-
Any pending accounts—A sponsor belonging to this group can approve and review accounts that were created by any sponsor.
-
Only pending accounts assigned to this sponsor—A sponsor belonging to this group can only view and approve accounts that they created.
-
Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)—For guest accounts that they can manage, allow the sponsor to access guest accounts using the Guest REST API programming interface.
|
Step 10
| Click Save and then Close.
|