Trainer Sagar Dhawan
- Posted on
[Day 46] Cisco ISE Mastery Training: Guest Sponsor Portal Configuration
Table of Contents
Introduction
In enterprise environments, guest network access must be controlled, logged, and approved — without overwhelming the IT helpdesk. The Cisco ISE Guest Sponsor Portal enables authorized staff (sponsors) to create, manage, and approve guest accounts securely through a web-based interface. This approach ensures that only vetted guests gain access, while maintaining an audit trail for compliance. In high-security organizations, this is crucial to meet regulatory requirements and prevent shadow IT or rogue network usage.
Problem Statement
Organizations face these real-world challenges:
- Allowing visitors (partners, vendors, clients) network access without risking corporate data.
- Offloading guest account creation from IT to designated staff (receptionists, event coordinators).
- Maintaining compliance by keeping guest logs for forensic and legal purposes.
- Ensuring the guest network is isolated but still easy to use.
Without a controlled sponsor process, guest Wi-Fi access can become chaotic — leading to insecure credentials sharing, inability to track usage, and potential data leaks.
Solution Overview
Cisco ISE’s Guest Sponsor Portal solves this by:
- Allowing delegated administration so non-IT staff can approve and create guest accounts.
- Supporting customizable workflows for different sponsor groups.
- Enforcing time-based account expiry and device limits.
- Logging all sponsor and guest actions for full accountability.
Sample Lab Topology
Text Description:
We will use a VMware or EVE-NG lab setup with the following:
- Cisco ISE VM (Policy Service Node)
- Cisco WLC (3504/9800 series)
- Catalyst Switch for trunk/access VLAN segmentation
- Guest Laptop/Smartphone (connecting to Guest SSID)
- Sponsor PC (accessing Sponsor Portal via corporate VLAN)
- Internet Router (for guest VLAN internet access)
Flow:
- Guest connects to Guest SSID → WLC → ISE captive portal redirect.
- Sponsor logs into the Sponsor Portal to approve/ create account.
- Guest gets credentials → logs into Guest Portal → gets internet access.
Diagram Description:
Step-by-Step GUI Configuration Guide
Step 1: Create a Guest Identity Group
- ISE GUI → Administration > Identity Management > Groups
- Click Add → Name:
GuestUsers→ Save.
[Screenshot: ISE Identity Group Creation]
Step 2: Enable Sponsor Portal Service
- Go to Administration > Web Portals > Sponsor Portals
- Select Default Sponsor Portal or click Add to create new.
- Configure:
- Portal Name: CorporateSponsorPortal
- Portal URL:
/sponsorportal - Authentication Method: Internal ISE Users / AD users with Sponsor role
- Allowed Actions: Create, Approve, Modify, Delete Guest Accounts
- Save.
[Screenshot: Sponsor Portal Configuration Screen]
Step 3: Create a Sponsor User
- Go to Administration > Identity Management > Identities
- Add a new user:
- Username:
reception - Password:
C!sc0Recep! - Identity Groups:
SponsorAllAccounts
- Username:
- Save.
[Screenshot: Adding Sponsor User in ISE]
Step 4: Configure Guest Portal Policy Set
- Go to Policy > Policy Sets
- Create a new Policy Set named Guest_Access with Condition:
WLCANDSSID == GuestSSID
- Under Authentication Policy:
- If Wireless MAB →
Internal Endpoints(Check Guest MAC if returning) - If Guest Login →
Internal UsersorGuestUsers
- If Wireless MAB →
- Under Authorization Policy:
- Pre-Auth → Redirect to Guest Portal
- Post-Auth → Permit Access with Guest VLAN or dACL.
[Screenshot: ISE Policy Set Screen]
Step 5: WLC Configuration
On GUI:
- Security > AAA > RADIUS Authentication → Add ISE as RADIUS server.
- WLANs > Create New Guest WLAN → Name:
GuestSSID. - Security Settings: MAC Filtering enabled.
- AAA Server: Select ISE for Authentication.
- ACLs: Create
Guest_Redirect_ACLallowing only DHCP, DNS, and ISE portal IP.
[Screenshot: WLC WLAN Config]
Step 6: Validation – Guest & Sponsor Flow
Guest Side:
- Guest connects to
GuestSSID. - Browser is redirected to ISE Guest Portal.
- Guest waits for sponsor approval.
Sponsor Side:
- Sponsor logs into
https://ISE-FQDN/sponsorportal. - Creates guest account with credentials and validity period.
CLI Validation (WLC):
show client detail <MAC> debug client <MAC> show aaa servers
CLI Validation (ISE):
ise/admin# show logging application ise-psc.log tail ise/admin# show logging system tail
GUI Validation (ISE):
- Operations > RADIUS > Live Logs – Check authentication and authorization result.
FAQs for Guest Sponsor Portal
1. Can I restrict who can be a sponsor?
Yes. In ISE, sponsor access is role-based. You can limit sponsor login rights to specific Internal Users, AD Groups, or External Identity Stores, ensuring only authorized staff can create guest accounts.
2. Can I create multiple sponsor portals for different departments?
Yes. Cisco ISE supports multiple sponsor portals, each with unique branding, permissions, and workflow. For example, HR might have one portal, and Events/Reception another, each limited to their guest type.
3. How do I prevent sponsors from creating accounts with excessive validity periods?
Define Guest Types in ISE with fixed maximum validity durations. Even if a sponsor tries to set a longer period, ISE will enforce the limit.
4. Can sponsors approve guest requests without creating credentials manually?
Yes. Guests can pre-register via a web form, and sponsors can approve or reject these pending requests in the Sponsor Portal without manually entering credentials.
5. Is it possible to bulk-create guest accounts?
Yes. The Sponsor Portal supports bulk account creation by uploading a CSV file, which is useful for large events or conferences.
6. How do I track which sponsor created a specific guest account?
ISE logs every action taken in the Sponsor Portal, including the sponsor’s username, timestamp, and guest account details, visible under Operations > Reports or Live Logs.
7. Can sponsors reset a guest’s password if they forget it?
Yes. Sponsors with modify privileges can reset credentials instantly via the Sponsor Portal without IT helpdesk intervention.
8. Can I limit the number of devices per guest account?
Yes. In the Guest Type configuration, you can set a maximum number of devices allowed per account. ISE enforces this based on MAC address tracking.
9. Can sponsors access the portal from outside the corporate network?
Yes, if the portal is published externally (via VPN, reverse proxy, or public IP), but best practice is to restrict sponsor access to internal or secure VPN connections for security.
10. How do I customize the look of the Sponsor Portal?
Under Work Centers > Guest Access > Portals & Components, you can edit portal themes, add logos, change colors, and even insert custom text or instructions for your sponsors.
YouTube Link
For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience
Closing Notes
The Guest Sponsor Portal is a vital part of enterprise guest management, balancing ease of use for reception staff with security and compliance for IT. By delegating account management to authorized sponsors, enterprises maintain control, improve operational efficiency, and enhance the visitor experience.
Upgrade Your Skills – Start Today
“Ready to go from ISE beginner to deployment expert? Join a 4-Month Instructor-Led Cisco ISE & CCIE Security Mastery Program — the same training powering network engineers at Fortune 500 companies.
Get hands-on labs, real-world case studies, and step-by-step configurations just like this one. Reserve your seat today and start building the skills that make you indispensable in the network security field.”
View the full course outline here
Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088
