Day 64 – Cisco ISE Mastery Training: Sponsor Approval Workflow


Introduction

The Sponsor Approval Workflow in Cisco Identity Services Engine (ISE) is a controlled guest access mechanism in which a self-registered guest account must be approved by a designated sponsor before the guest can log in to the portal and gain network access.

This process ensures:

  • Security: Only authorized sponsors can validate guest requests.
  • Accountability: Logs track who approved each request.
  • Compliance: Produces a per-guest approval record that auditors can inspect.

Think of it like a corporate front desk process — visitors register, but entry is granted only after an internal staff member approves them.


Problem Statement

In many organizations, especially in government, healthcare, and financial institutions, uncontrolled guest account creation is a security risk.

Problems without sponsor approval:

  • Unauthorized Access: Anyone could self-register and connect.
  • No Accountability: Difficult to trace who allowed guest entry.
  • Compliance Failures: Leaves you unable to show the visitor-access controls that NAC policies and assessors for standards such as ISO 27001 or PCI DSS expect.

Solution Overview

Cisco ISE addresses this by enabling Sponsor Approval Workflow in its Guest Services module. Here’s how it works:

  1. Guest Self-Registration: Guest fills out portal form.
  2. Approval Notification: ISE emails the approval request to the sponsor (the person being visited, or a fixed list of sponsor addresses).
  3. Sponsor Approval: Sponsor approves/rejects request in the portal.
  4. Access Provisioned: Guest account activated upon approval.

ISE integrates with:

  • Active Directory: To authenticate sponsors and resolve their group membership.
  • SMTP relay: To email approval requests to sponsors (an optional SMS gateway delivers credentials to guests).

Sample Lab Topology

Lab Setup Requirements:

  • VMware/EVE-NG hosting:
    • Cisco ISE VM (v3.x recommended)
    • Cisco WLC: 9800-CL VM (or a physical AireOS 5508 if that is what you have)
    • CSR1000v router (DHCP/DNS/NTP)
    • L2 switch (Catalyst 9k or virtual switch)
  • Endpoints:
    • Guest laptop/mobile (Windows, iOS, Android)
    • Sponsor workstation (AD-joined)
  • AD Server: Windows Server 2019 with DNS & AD DS

Topology Layout:

Guest connects to the wireless SSID, is redirected by the WLC to the ISE Guest Portal under a pre-auth ACL, registers, and ISE emails the request to the sponsor. Until the sponsor approves and the guest logs in, the client stays in the redirect state.


Step-by-Step GUI Configuration Guide

Step 1 – Enable Sponsor Approval

  1. Log in to the Cisco ISE Admin GUI.
  2. Navigate: Work Centers → Guest Access → Portals & Components → Guest Portals.
  3. Create or edit the Self-Registered Guest Portal.
  4. Under Self-Registration Page Settings, enable Require self-registered guests to be approved, then set:
    • Who approves: the person being visited (the guest enters a sponsor email on the form) or a fixed list of sponsor email addresses.
    • How they approve: in the Sponsor Portal (recommended) or directly from links in the email.
    • Approval timeout: how long a request may stay pending (24 hours in this lab) before ISE drops it.
      [Screenshot: ISE Self-Registration Portal Settings]

Option labels differ slightly between ISE 2.x and 3.x, but all of these live on the same portal page. Prefer Sponsor Portal approval: an approve/deny link in an email is a bearer capability, so anyone who can read or forward that mailbox can approve the guest without ever authenticating to ISE.

Step 2 – Configure Sponsor Groups

  1. Retrieve the AD group first: Administration → Identity Management → External Identity Sources → Active Directory → your join point → Groups → Add → Select Groups From Directory, and pick CN=WirelessSponsors,OU=Groups,DC=corp,DC=com.
  2. Go to Work Centers → Guest Access → Portals & Components → Sponsor Groups and create (or edit) a group named Sponsor_Group.
  3. Under Members, add the retrieved AD group; under the group's permissions, decide which accounts these sponsors may approve (their own, their group's, or all).
  4. Make sure the Sponsor Portal's identity source sequence includes the AD join point, or sponsors will not be able to log in.
    [Screenshot: AD Group Mapping]

Administration → Identity Management → Groups holds ISE's internal user and endpoint identity groups; sponsor groups live under Guest Access and are what the portal checks.

Step 3 – Configure Email Notification

  1. Point ISE at a mail relay: Administration → System → Settings → SMTP Server.
  2. Set the sender address used for guest mail: Work Centers → Guest Access → Settings → Guest Email Settings.
  3. Customise the approval request itself in the Self-Registered Guest Portal under Portal Page Customization, Notifications section: a subject such as Guest Account Approval Needed and a body that carries the guest details and a link to the Sponsor Portal.
      [Screenshot: Email Template Config]

Step 4 – Configure Authorization Policy

  1. Go to Policy → Policy Sets and open the policy set that matches the guest WLAN (for example, condition Wireless_MAB on the GUEST SSID).
  2. Authorization rules, evaluated top down:
    • Guest_Access: Network Access:UseCase EQUALS Guest Flow AND IdentityGroup:Name EQUALS the guest type (e.g. GuestType_Daily) → authorization profile with PermitAccess and VLAN 30.
    • Guest_Redirect: Wireless_MAB → authorization profile with Web Redirection (CWA) to the Self-Registered Guest Portal and a pre-auth DACL that allows only DHCP, DNS and ISE.
      [Screenshot: Policy Set Config]

There is no approval-status attribute to match on: a pending account cannot log in to the portal at all, so approval is enforced by the portal, not by the authorization rule. Once the sponsor approves and the guest logs in, ISE sends a CoA and the endpoint re-authenticates; that second pass carries the Guest Flow use case and lands on Guest_Access.

Step 5 – Wireless LAN Controller Settings

CLI Example (WLC 9800-CL; the names ISE_AUTHZ and GUEST_POLICY are lab choices):

wlan GUEST 10 GUEST
 mac-filtering ISE_AUTHZ
 no security wpa
 no shutdown
wireless profile policy GUEST_POLICY
 aaa-override
 nac
 vlan 30

Not shown: the RADIUS server group for ISE with its authentication and authorization lists (ISE_AUTHZ is the network authorization list used for MAB), aaa server radius dynamic-author so ISE can send CoA, and a policy tag that binds WLAN GUEST to GUEST_POLICY on the guest APs. The nac keyword is what makes the controller honour the url-redirect attributes from ISE.

GUI: Create an open WLAN with MAC filtering against the ISE authorization list, and enable AAA Override and NAC State on its policy profile. Do not enter a static web-auth portal URL on the WLC: with Central Web Authentication the redirect URL and redirect ACL arrive from ISE in the Access-Accept (Step 4); a local web-auth WLAN would bypass that exchange and never reach the sponsor workflow.


Step 6 – Validation Testing

  1. Guest Action: Connect to the Guest SSID → the redirect ACL sends the browser to the self-registration form → submit. The account is created in Pending state and the sponsor is emailed.
  2. Sponsor Action: Open the email → approve in the Sponsor Portal (or from the email link if that mode was enabled). Only now can the guest log in on the portal.
  3. ISE Logs:
    • Navigate Operations → RADIUS → Live Logs.
    • Before approval: one MAB entry hitting Guest_Redirect. After approval and guest login: a CoA entry, then a second authentication hitting Guest_Access with the VLAN 30 profile.
    • Operations → Reports → Guest → Sponsor Login and Audit shows which sponsor approved the account and when.
      [Screenshot: Live Logs Approval Entry]
  4. CLI WLC Validation (9800-CL):
show wireless client summary
show wireless client mac-address <MAC> detail
    On an AireOS 5508 the equivalents are show client summary and show client detail <MAC>. Confirm the client moved from the web-auth-pending state to Run and landed in VLAN 30.

FAQs – Sponsor Approval Workflow

1. Q: Can a sponsor approve a guest without logging into the Sponsor Portal?
A: Yes, if the portal is set to approve or deny directly from links in the email. Treat that mode with care: the link is a bearer capability, so anyone who can read or forward the sponsor's mailbox can approve the guest without authenticating to ISE. Requiring Sponsor Portal login ties each approval to an AD-authenticated sponsor and shows all pending requests in one place.


2. Q: How does Cisco ISE know who the sponsor is?
A: When the portal is set to notify the person being visited, the guest enters a sponsor email address on the registration form and ISE can verify that it belongs to a member of an authorized sponsor group, resolving AD membership through the join point. Confirm that verification is enabled on your release; without it a guest could name any mailbox as their sponsor. When a fixed sponsor address list is used instead, requests always go to those addresses regardless of what the guest enters.


3. Q: Can multiple sponsors receive the same approval request?
A: Yes. You can configure ISE to send notifications to multiple sponsors (e.g., a department group). The first sponsor to approve completes the workflow.


4. Q: What if the sponsor doesn't respond to the approval email?
A: The guest account stays in Pending state until the approval timeout configured in the portal settings expires; ISE then drops the request and the guest has to register again. A sponsor can also deny it explicitly before then.


5. Q: Can the sponsor approve guest requests from a mobile phone?
A: Absolutely. The sponsor portal and email approval links are mobile-friendly, so sponsors can approve from smartphones or tablets.


6. Q: Can we bypass the sponsor approval step for certain trusted guests?
A: Not per attribute inside one portal: approval is a portal-wide setting, not an authorization condition. The usual patterns are a second self-registered portal (on its own SSID or guest type) that does not require approval but is gated by a registration code or, where your release offers it, an allowed email-domain list; or having sponsors pre-create accounts for known visitors in the Sponsor Portal or through the ERS API, which never enter the approval queue.


7. Q: Are approvals tracked for compliance audits?
A: Yes. The Sponsor Login and Audit report (Operations → Reports → Guest) records the sponsor, the action (approve, deny, suspend and so on), the guest account and the timestamp, and the guest accounting reports tie that account to its later sessions. Export these, or forward the guest category to syslog, for your compliance evidence.
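
Exporting the audit record is only useful if someone reads it. The script below is an added example for this page, not Cisco's code or the page's own: it runs three checks a reviewer would want over an approval export, namely approvals by accounts outside the sponsor group, approvals that happened after the pending window should already have expired (which points at a timeout misconfiguration), and guests who registered with an internal email address (staff sidestepping 802.1X). The CSV layout and the rows are constructed for illustration, not ISE's native report schema; map the columns of your own export onto these fields first. The sponsor names and domain are made up.

```python
"""Audit pass over exported sponsor-approval records.

Added example for this lab, not Cisco's code. The CSV layout and rows below are
constructed, not ISE's native report schema: map your Sponsor Login and Audit
export (or guest-category syslog) onto these fields before using real data.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: when the sponsor acted, who acted, the guest account,
# the guest's email, the action, and when the guest submitted the registration.
SAMPLE_EXPORT = """\
timestamp,sponsor,guest,guest_email,action,requested_at
2025-03-03 09:12:00,jdoe,visitor-a1,alice@partner.example,approve,2025-03-03 08:55:00
2025-03-03 09:40:00,intern9,visitor-b2,bob@partner.example,approve,2025-03-03 09:30:00
2025-03-04 11:00:00,asmith,visitor-c3,carol@partner.example,approve,2025-03-02 10:00:00
2025-03-04 13:05:00,asmith,visitor-d4,asmith@corp.com,approve,2025-03-04 13:00:00
2025-03-04 14:00:00,jdoe,visitor-e5,eve@partner.example,deny,2025-03-04 13:50:00
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def audit_approvals(csv_text, sponsors, max_pending=timedelta(hours=24), internal_domain="corp.com"):
    """Return (guest, reason) findings for approvals that contradict the configured workflow."""
    allowed = {s.lower() for s in sponsors}          # the AD sponsor group from Step 2
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] != "approve":
            continue                                   # denials need no further review here
        guest = row["guest"]
        if row["sponsor"].lower() not in allowed:
            findings.append((guest, "approved by an account outside the sponsor group"))
        if _ts(row["timestamp"]) - _ts(row["requested_at"]) > max_pending:
            findings.append((guest, "approved after the pending window should have expired"))
        if row["guest_email"].lower().endswith("@" + internal_domain):
            findings.append((guest, "guest registered with an internal email address"))
    return findings


def demo():
    """Run the checks over the constructed export with the lab's sponsor list."""
    return audit_approvals(SAMPLE_EXPORT, ["jdoe", "asmith"])


if __name__ == "__main__":
    for guest, reason in demo():
        print(f"{guest}: {reason}")
```

The sponsor list passed in should come from the same AD group ISE uses, not be typed by hand, so the audit and the enforcement cannot drift apart; the 24-hour window should equal the approval timeout set in Step 1.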


8. Q: Can the sponsor see the guest's previous access history?
A: Partly. The Sponsor Portal's Manage Accounts view lists the accounts this sponsor created or approved, with their status and expiry. Per-session history (when and from which device the guest connected) lives in ISE's guest reports, not in the sponsor portal.


9. Q: Can sponsor approval be integrated with SMS notifications?
A: The approval request to the sponsor is sent by email. ISE's SMS gateway integration is used to deliver credentials and notifications to the guest; if you need sponsors alerted by SMS, check the portal settings of your release rather than assuming the approval link can be sent that way.


10. Q: Does sponsor approval work for both wired and wireless guests?
A: Yes. As long as the endpoint’s initial access triggers the Guest Portal redirection, the sponsor approval workflow applies to both wired and wireless network access.


YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

[NEW COURSE ALERT] CISCO ISE (Identity Service Engine) by Sagar Dhawan
CCIE Security v6.1 Training – Ticket#1 Discussed
CCIE Security v6.1 – MAC Authentication Bypass (MAB) in Cisco ISE
CCNP to CCIE SECURITY v6.1 – New Online Batch

Closing Notes

Sponsor Approval Workflow in Cisco ISE provides a human-in-the-loop security measure for guest access — ensuring only verified guests get network access while maintaining audit trails and compliance.


Upgrade Your Skills – Start Today

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes.

Fast-Track to Cisco ISE Mastery Pro – 4 months of instructor-led CCIE Security training.
Full course outline: https://course.networkjourney.com/ccie-security/

Enroll Now & Future-Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088