Cisco Ise 13 User Guide
Have a look at the manual Cisco Ise 13 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
Procedure Step 1ChoosePolicy>PolicyElements>Results>Authorization>AuthorizationProfiles. Step 2Createanauthorizationprofileusingthenameoftheportalthatyouwanttoauthorizeforuse. What to Do Next Youshouldcreateaportalauthorizationpolicyrulethatusesthenewlycreatedauthorizationprofile. Create Authorization Policy Rules for Hotspot and MDM Portals ToconfiguretheredirectionURLforaportaltousewhenrespondingtotheusers'(guests,sponsors,employees) accessrequests,defineanauthorizationpolicyruleforthatportal. Theurl-redirecttakesthefollowingformbasedontheportaltype,where: ip:port=theIPaddressandportnumber PortalID=theuniqueportalname ForaHotspotGuestportal: https://ip:port/guestportal/gateway?sessionID=SessionIdValue&portal=PortalID&action=cwa&type=drw ForaMobileDeviceManagement(MDM)portal: https://ip:port/mdmportal/gateway?sessionID=SessionIdValue&portal=PortalID&action=mdm Procedure Step 1ChoosePolicy>AuthorizationtocreateanewauthorizationpolicyruleunderStandardpolicies. IfyouenabledPolicySets,choosePolicy>PolicySet,pickthePolicySetyouplantouseforthisportal, expandAuthorizationPolicy,andaddanewrule. Step 2ForConditions,selectanendpointidentitygroupthatyouwanttousefortheportalvalidation.Forexample, fortheHotspotGuestportal,selectthedefaultGuestEndpointsendpointidentitygroupand,fortheMDM portal,selectthedefaultRegisteredDevicesendpointidentitygroup. BecausetheHotspotGuestportalonlyissuesaTerminationCoA,donotuseNetworkAccess:UseCase EQUALSGuestFlowasoneofthevalidationconditionsintheGuestauthorizationpolicy.Instead, matchtheIdentityGroupthattheendpointbelongstoforvalidation.Forexample, Note •If"GuestEndpoint"+WirelessMABthenPermitAccess •IfWirelessMABthenHotSpotRedirect Step 3ForPermissions,selecttheportalauthorizationprofilethatyoucreated. Customize Guest Portals Youcancustomizetheportalappearanceanduser(guests,sponsors,oremployeesasapplicable)experience bycustomizingtheportalthemes,changingUIelementsontheportalpages,andeditingerrormessagesand notificationsthatdisplaytotheusers.Formoreinformationaboutcustomizingportals,seeCustomizationof End-UserWebPortals,onpage359. Cisco Identity Services Engine Administrator Guide, Release 1.3 315 Guest Portals
Sponsor Portals TheSponsorportalisoneoftheprimarycomponentsofCiscoISEguestservices.UsingtheSponsorportal, sponsorscancreateandmanagetemporaryaccountsforauthorizedvisitorstosecurelyaccessthecorporate networkortheInternet.Aftercreatingaguestaccount,sponsorsalsocanusetheSponsorportaltoprovide accountdetailstotheguestbyprinting,emailing,ortexting.Beforeprovidingself-registeringguestsaccess tothecompanynetwork,sponsorsmayberequestedviaemailtoapprovetheirguests’accounts. Managing Guest Accounts on the Sponsor Portal Sponsor Portal Logon Flow Asponsorgroupspecifiesasetofpermissionsthatcanbeassignedtoasponsoruser.Whenasponsoruser logsintoasponsorportal: 1ISEverifiestheuser’scredentials. 2Iftheuserauthenticatessuccessfully,thenextstepistosearchalltheavailablesponsorgroupstofindthe onesthatmatchthatsponsoruser,thatis,thesponsorgroupsthattheuserbelongsto.Ausermatchesor belongstoasponsorgroupifboth: •TheuserisamemberofoneoftheconfiguredMemberGroups. •IfyouareusingOtherConditions,alltheconditionsevaluatetotrueforthatuser. 3Ifthesponsoruserbelongstoasponsorgroup,thenthatusergetsthepermissionsfromthatgroup.Auser canbelongtomorethanonesponsorgroup,inwhichcasethepermissionsfromthosegroupsarecombined. Ifuserdoesnotbelongtoanysponsorgroup,thenthelogintothesponsorportalfails. Sponsorgroupsandtheirpermissionsareindependentofthesponsorportals.Thesamealgorithmformatching sponsorgroupsisappliedregardlessofwhichsponsorportalthesponsorlogsinto. Using a Sponsor Portal UseaSponsorportaltocreatetemporaryguestaccountsforauthorizedvisitorstosecurelyaccessyourcorporate networkortheInternet.Aftercreatingguestaccounts,youcanalsouseaSponsorportaltomanagethese accountsandtoprovideaccountdetailstotheguests. OnaSponsorportal,thesponsorcancreatenewguestaccountsindividually,orimportagroupofusersfrom afile. AnISEadministratorthatwasauthorizedfromanexternalidentitystore,suchasActiveDirectory,can bepartofaSponsorgroup.However,internaladministratoraccounts,forexample,thedefault"admin" account,cannotbepartofaSponsorgroup. Note ThereareseveralwaystoopenaSponsorportal: •IntheAdminstratorsconsole,usingtheManageAccountslink—OntheAdministratorsconsole,click GuestAccess,thenclickManageAccounts.WhenyouclickManageAccounts,youareassignedto thedefaultsponsorgroupwithaccesstoALL_ACCOUNTS.Youcancreatenewguestaccounts,but thoseguestscannotbenotified,sincethereisnoemailaddressavailabletoreceivetheaccountactivation Cisco Identity Services Engine Administrator Guide, Release 1.3 316 Sponsor Portals
requestfromtheguest.ASponsorwiththesameprivilegeswhologsontothesponsorportal,andsearches forthoseaccounts,cansendnotification. ThissteprequiresthattheFQDNthatyouconfiguredonthesponsorportal'sPortalBehaviorandFlow SettingspageisinyourDNSserver. •IntheAdminstratorsconsole,fromtheSponsorPortalconfigurationpage.ClickGuestAccess> Configure>SponsorPortals,openasponsorportal,andclickthePortalTestURLlinktotheright oftheDescriptionfield. •Inabrowser,byopeningtheURL(FQDN)configuredinthesponsorportal'sPortalSettingspage, whichmustbedefinedinyourDNSserver. What to do next RefertotheSponsorPortalUserGuideforCiscoIdentityServicesEnginehttp://www.cisco.com/c/en/us/td/ docs/security/ise/2-2/sponsor_guide/b_spons_SponsorPortlUserGuide_22.htmlforinformationonhowtouse theSponsorportal. Managing Sponsor Accounts Asponsoruserisanemployeeorcontractorofyourorganizationwhocreatesandmanagesguest-useraccounts throughthesponsorportal.CiscoISEauthenticatessponsorsthroughalocaldatabase,orthroughexternal LightweightDirectoryAccessProtocol(LDAP),MicrosoftActiveDirectory,orSAMLidentitystores.Ifyou arenotusinganexternalsource,youmustcreateinternaluseraccountsforsponsors. Sponsor Groups SponsorgroupscontrolthepermissionsgiventoasponsorwhenusinganySponsorportal.Ifasponsorisa memberofasponsorgroup,thenthesponsorreceivesthepermissionsdefinedinthegroup. AsponsorisconsideredtobeamemberofasponsorgroupifthesponsorbelongstoatleastoneoftheMember Groupsdefinedinthesponsorgroup.AMemberGroupcanbeaUserIdentityGroup,oragroupselected fromanexternalidentitysource,suchasActiveDirectory. Asponsorcanbeamemberofmorethanonesponsorgroup.Ifso,thesponsorreceivesthecombined permissionsfromallofthosegroups,asfollows: •Anindividualpermissionsuchas"Deleteguests'accounts"isgrantedifitisenabledinanyofthegroups. •ThesponsorcancreateguestsusingtheGuestTypesinanyofthegroups. •Thesponsorcancreateguestsatthelocationsinanyofthegroups. •Foranumericvaluesuchasabatchsizelimit,thelargestvaluefromthegroupsisused. Ifasponsorisnotamemberofanysponsorgroup,thenthesponsorisnotpermittedtologintoanysponsor portal. •ALL_ACCOUNTS—Sponsorscanmanageallguestaccounts. •GROUP_ACCOUNTS—Sponsorscanmanagetheguestaccountscreatedbysponsorsfromthesame SponsorGroup. •OWN_ACCOUNTS—SponsorscanmanageonlytheGuestaccountsthattheycreated. Youcancustomizethefeaturesavailabletoparticularsponsorgroupstolimitorexpandthefunctionalityof theSponsorportal.Forexample: Cisco Identity Services Engine Administrator Guide, Release 1.3 317 Sponsor Portals
Related Topics SponsorPortals,onpage316 Create Sponsor Accounts and Assign to Sponsor Groups TocreateinternalsponsoruseraccountsandspecifythesponsorswhocanusetheSponsorportals: Procedure Step 1ChooseAdministration>IdentityManagement>Identities>Users.Assigntheinternalsponsoruser accounttotheappropriateuseridentitygroup. ThedefaultSponsorGroupshavethedefaultIdentityGroupGuest_Portal_Sequenceassignedto them. Note Step 2ChooseGuestAccess>Configure>SponsorGroups>Create,EditorDuplicateandclickMembers. Mapthesponsoruseridentitygroupstosponsorgroups. What to Do Next Youcanalsocreateadditionaluseridentitygroupsspecifictoyourorganizationtousewithsponsors.Choose Administration>IdentityManagement>Groups>UserIdentityGroups. Configure Sponsor Groups Ciscoprovidesdefaultsponsorgroups.Ifyoudonotwanttousethedefaultoptions,youcaneithercreate newsponsorgroupsoreditthedefaultsponsorgroupsandchangethesettings.Youcanalsoduplicatea sponsorgrouptocreatemoresponsorgroupswiththesamesettingsandprivileges. Youcandisableasponsorgroup,whichpreventsthemembersofthesponsorgroupfromloggingintothe Sponsorportal.Youcandeleteanyofthesponsorgroups,exceptthedefaultsponsorgroupsprovidedby CiscoISE. Procedure Step 1ChooseGuestAccess>Configure>SponsorGroups>Create,EditorDuplicate. Step 2EntertheSponsorgroupnameandDescription. Step 3MemberGroups—ClickMemberstoselectoneormoreuser(identity)groupsandgroupsfromexternal identitysources,andaddthosegroups.Inorderforausertobeamemberofthissponsorgroup,theymust belongtoatleastoneoftheconfiguredgroups. Step 4ClickMemberstoselectuser(identity)groupsandaddthemasgroupmembersofthissponsorgroup. Step 5Tospecifywhichguesttypesthatsponsorsbasedonthissponsorgroupcancreate,clickinsidetheboxunder Thissponsorgroupcancreateaccountsusingtheseguesttypes,andselectoneormoreguesttypes. YoucancreatemoreguesttypestoassigntothissponsorgroupbyclickingthelinkunderCreateGuest Typesat.Afteryoucreateanewguesttype,save,close,andreopenthesponsorgroupbeforeyoucanselect thatnewguesttype. Step 6UseSelectthelocationsthatguestswillbevisitingtospecifythelocations(usedtosettheguesttimezones) thatsponsorsinthissponsorgroupcanchoosefromwhencreatingguestaccounts. Cisco Identity Services Engine Administrator Guide, Release 1.3 318 Sponsor Portals
YoucanaddmorelocationstochoosefrombyclickingthelinkunderConfigureguestlocationsatand addingguestlocations.Afteryoucreateanewguestlocation,save,close,andreopenthesponsorgroupbefore youcanselectthatnewguestlocation. Thisdoesnotrestrictguestsfromlogginginfromotherlocations. Step 7UnderSponsorCanCreate,configureoptionsthatsponsorsinthisgrouphaveforcreatingguestaccounts. •Multipleguestaccountsassignedtospecificguests(Import)—Enablethesponsortocreatemultiple guestaccountsbyimportingguestdetailssuchasfirstnameandlastnamefromafile. Ifthisoptionisenabled,theImportbuttondisplaysontheCreateAccountspageoftheSponsorportal. TheImportoptionisonlyavailableondesktopbrowsers(notmobile),suchasInternetExplorer,Firefox, Safari,andsoforth •Limittobatchof—Ifthissponsorgroupisallowedtocreatemultipleaccountssimultaneously,specify thenumberofguestaccountsthatcanbecreatedinasingleimportoperation. Althoughasponsorcancreateamaximumof10,000accounts,werecommendthatyoulimitthenumber ofaccountsyoucreate,duetopotentialperformanceissues. •Multipleguestaccountstobeassignedtoanyguests(Random)—Enablethesponsortocreatemultiple randomguestaccountsasplaceholdersforguestswhoarenotknownasyet,ortocreatemanyaccounts quickly. Ifthisoptionisenabled,theRandombuttondisplaysontheCreateAccountspageoftheSponsor portal. •Defaultusernameprefix—Specifyausernameprefixthatsponsorscanusewhencreatingmultiple randomguestaccounts.Ifspecified,thisprefixappearsintheSponsorPortalwhencreatingrandom guestaccounts.Inaddition,ifAllowsponsortospecifyausernameprefixis: ◦Enabled—ThesponsorcaneditthedefaultprefixintheSponsorportal. ◦Notenabled—ThesponsorcannoteditthedefaultprefixintheSponsorportal. Ifyoudonotspecifyausernameprefixorallowthesponsortospecifyone,thenthesponsorwillnot beabletoassignusernameprefixesintheSponsorportal. •Allowsponsortospecifyausernameprefix—Ifthissponsorgroupisallowedtocreatemultiple accountssimultaneously,specifythenumberofguestaccountsthatcanbecreatedinasingleimport operation. Althoughasponsorcancreateamaximumof10,000accounts,werecommendthatyoulimitthenumber ofaccountsyoucreate,duetopotentialperformanceissues. Step 8UnderSponsorCanManage,youcanrestrictwhichguestsaccountsthemembersofthissponsorgroupcan viewandmanage. •Onlyaccountssponsorhascreated—Sponsorsinthisgroupcanviewandmanageonlytheguest accountsthattheyhavecreated,whichisbasedontheSponsor’semailaccount. •Accountscreatedbymembersofthissponsorgroup—Sponsorsinthisgroupcanviewandmanage theguestaccountscreatedbyanysponsorinthissponsorgroup. •Allguestaccounts—Sponsorsviewandmanageallpendingguestaccounts. Cisco Identity Services Engine Administrator Guide, Release 1.3 319 Sponsor Portals
Step 9UnderSponsorCan,youcanprovidemoreprivilegesrelatedtoguestpasswordsandaccountstothemembers ofthissponsorgroup. •Viewguests’passwords—Forguestaccountsthattheycanmanage,allowthesponsortoviewthe passwords. Iftheguesthaschangedthepassword,thesponsorcannolongerviewit;unlessitwasresetbythe sponsortoarandompasswordgeneratedbyCiscoISE. Ifthisoptionisdisabledforasponsorgroup,themembersofthatgroupcannotsendemailand SMSnotificationsregardingthelogincredentials(guestpassword)fortheguestaccountsthat theymanage. Note •Resetguestaccountpasswords—Forguestaccountsthattheycanmanage,allowthesponsortoreset passwordsforgueststoarandompasswordgeneratedbyCiscoISE. •Extendguests’accounts—Forguestaccountsthattheycanmanage,allowthesponsortoextendthem beyondtheirexpirationdate.Thesponsorisautomaticallycopiedonemailnotificationssenttoguests regardingtheiraccountexpiration. •Deleteguests’accounts—Forguestaccountsthattheycanmanage,allowthesponsortodeletethe accounts,andpreventguestsfromaccessingyourcompany'snetwork. •Suspendguests’accounts—Forguestaccountsthattheycanmanage,allowthesponsortosuspend theiraccountstopreventguestsfromloggingintemporarily. ThisactionalsoissuesaChangeofAuthorization(CoA)Terminatetoremovethesuspendedguests fromthenetwork. ◦Requiresponsortoprovideareason—Requirethesponsortoprovideanexplanationfor suspendingtheguestaccounts. •Approveandviewrequestsfromself-registeringguests—SponsorswhoareincludedinthisSponsor Groupcaneitherviewallpendingaccountrequestsfromself-registeringguests(thatrequireapproval), oronlytherequestswheretheuserenteredtheSponsor'semailaddressasthepersonbeingvisited.This featurerequiresthattheportalusedbytheSelf-registeringguesthasRequireself-registeredgueststo beapprovedchecked,andtheSponsor'semailislistedasthepersontocontact. ◦Anypendingaccounts—Asponsorbelongingtothisgroupanapproveandreviewaccountsthat werecreatedbyanysponsor. ◦Onlypendingaccountsassignedtothissponsor—Asponsorbelongingtothisgroupcanonlyview andapproveaccountsthattheycreated. •AccessCiscoISEguestaccountsusingtheprogrammaticinterface(GuestRESTAPI)—Forguest accountsthattheycanmanage,allowthesponsortoaccessguestaccountsusingtheGuestRESTAPI programminginterface. Step 10ClickSaveandthenClose. Cisco Identity Services Engine Administrator Guide, Release 1.3 320 Sponsor Portals
Configure Account Content for Sponsor Account Creation Youcanconfigurethetypeofuserdatathatyourguestsandsponsorsmustprovidetocreateanewguest account.SomefieldsarerequiredtoidentifyanISEaccount,butyoucaneliminateotherfields,andaddyour owncustomfields. ToconfigurefieldsforaccountcreationbySponsors: 1InISE,chooseWorkCenters>GuestAccess>Portals&Components>SponsorPortals,andedit yoursponsorportal 2SelectthePortalPageCustomizationtab. 3ScrolldownandselectCreateAccountforKnownGuests. 4OnthePreviewdisplayontheright,selectSettings. Thesesettingsdeterminewhichfieldsdisplayandarerequiredforguestaccountswhentheyarecreatedon thesponsorportal.ThisconfigurationappliestoKnown,Random,andImportedguesttypes.Thetemplate thatthesponsordownloadstoimportnewusersiscreateddynamically,sothatonlythefieldssetinKnown Guestsareincluded. Configure a Sponsor Portal Flow Youcanuseadefaultportalanditsdefaultsettingssuchascertificates,endpointidentitygroup,identity sourcesequence,portalthemes,images,andotherdetailsprovidedbyCiscoISE.Ifyoudonotwanttouse thedefaultsettings,youshouldcreateanewportaloreditanexistingonetomeetyourneeds.Youcanduplicate aportalifyouwanttocreatemultipleportalswiththesamesettings. Youmaywanttocreatemultiplesponsorportalsifyourcompanyhasdifferentbrandingforyourcorporate officeanditsretaillocations,orifyourcompanyhasdifferentproductbrands,orifacity’sofficeswant differentthemedportalsforthefire,police,andotherdepartments. ThesearethetasksrelatedtoconfiguringaSponsorportal. Before You Begin Configureoreditexistingsponsorgroupsforyoursite,asdescribedinConfigureSponsorGroups,onpage 318. Procedure Step 1EnablePolicyServices,onpage322. Step 2AddCertificatesforGuestServices,onpage322. Step 3CreateExternalIdentitySources,onpage322. Step 4CreateIdentitySourceSequences,onpage323. Step 5CreateaSponsorPortal,onpage324. Step 6(Optional)CustomizeSponsorPortals,onpage324c_CustomizingSponsorPortals.xml. Cisco Identity Services Engine Administrator Guide, Release 1.3 321 Sponsor Portals
Enable Policy Services TosupporttheCiscoISEend-userwebportals,youmustenableportal-policyservicesonthenodeonwhich youwanttohostthem. Procedure Step 1ChooseAdministration>System>Deployment Step 2ClickthenodeandclickEdit. Step 3OntheGeneralSettingstab,checkPolicyService. Step 4ChecktheEnableSessionServicesoption. Step 5ClickSave. Add Certificates for Guest Services Ifyoudonotwanttousethedefaultcertificates,youcanaddavalidcertificateandassignittoacertificate grouptag.Thedefaultcertificategrouptagusedforallend-userwebportalsisDefaultPortalCertificate Group. Procedure Step 1ChoseAdministration>System>Certificates>SystemCertificates. Step 2Addasystemcertificateandassignittoacertificategrouptagthatyouwanttousefortheportal. Thiscertificategrouptagwillbeavailabletoselectduringportalcreationorediting. Step 3ChooseGuestAccess>Configure>SponsorPortals>CreateorEdit>PortalSettings. Step 4SelectthespecificcertificategrouptagfromtheCertificateGroupTagdrop-downlistthatisassociated withthenewlyaddedcertificate. Create External Identity Sources CiscoISEcanconnectwithexternalidentitysourcessuchasActiveDirectory,LDAP,RADIUSToken,and RSASecurIDserverstoobtainuserinformationforauthenticationandauthorization.Externalidentitysources alsoincludescertificateauthenticationprofilesthatyouneedforcertificate-basedauthentications. Procedure Step 1ChooseAdministration>IdentityManagement>ExternalIdentitySources. Step 2Chooseoneoftheseoptions: •CertificateAuthenticationProfileforcertificate-basedauthentications. Cisco Identity Services Engine Administrator Guide, Release 1.3 322 Sponsor Portals
•ActiveDirectorytoconnecttoanActiveDirectoryasanexternalidentitysource(seeActiveDirectory asanExternalIdentitySource,onpage249formoredetails). •LDAPtoaddanLDAPidentitysource(seeLDAP,onpage271formoredetails). •RADIUSTokentoaddaRADIUSTokenserver(seeRADIUSTokenIdentitySources,onpage279 formoredetails). •RSASecurIDtoaddanRSASecurIDserver(seeRSAIdentitySources,onpage283formoredetails). Create Identity Source Sequences Before You Begin EnsurethatyouhaveconfiguredyourexternalidentitysourcesinCiscoISE. Toperformthefollowingtask,youmustbeaSuperAdminorSystemAdmin. ForallowingguestuserstoauthenticatethroughLocalWebAuth,youmustconfigureboththeGuestPortal authenticationsourceandtheidentitysourcesequencetocontainthesameidentitystores. Procedure Step 1ChooseAdministration>IdentityManagement>IdentitySourceSequences>Add. Step 2Enteranamefortheidentitysourcesequence.Youcanalsoenteranoptionaldescription. Step 3ChecktheSelectCertificateAuthenticationProfilecheckboxandchooseacertificateauthenticationprofile forcertificate-basedauthentication. Step 4ChoosethedatabaseordatabasesthatyouwanttoincludeintheidentitysourcesequenceintheSelectedList box. Step 5RearrangethedatabasesintheSelectedlistintheorderinwhichyouwantCiscoISEtosearchthedatabases. Step 6ChooseoneofthefollowingoptionsintheAdvancedSearchListarea: •DonotaccessotherstoresinthesequenceandsettheAuthenticationStatusattributetoProcessError —IfyouwantCiscoISEtodiscontinuethesearch,iftheuserisnotfoundinthefirstselectedidentity source. •Treatasiftheuserwasnotfoundandproceedtothenextstoreinthesequence—IfyouwantCisco ISEtocontinuesearchingtheotherselectedidentitysourcesinsequence,iftheuserisnotfoundinthe firstselectedidentitysource. Whileprocessingarequest,CiscoISEsearchestheseidentitysourcesinsequence.Ensurethatyouhave theidentitysourcesintheSelectedlistboxlistedintheorderinwhichyouwantCiscoISEtosearch them. Step 7ClickSubmittocreatetheidentitysourcesequencethatyoucanthenuseinpolicies. Cisco Identity Services Engine Administrator Guide, Release 1.3 323 Sponsor Portals
Create a Sponsor Portal YoucanprovideaSponsorportaltoenablesponsorstocreate,manage,andapproveaccountsforguestswho wanttoconnecttoyournetworktoaccesstheinternetandinternalresourcesandservices. CiscoISEprovidesyouwithadefaultSponsorportalthatyoucanusewithouthavingtocreateanotherone. However,youcancreateanewSponsorportal,oryoucaneditorduplicateanexistingone.Youcandelete anyoftheseportals,exceptthedefaultSponsorportal. AnychangesthatyoumaketothePageSettingsonthePortalBehaviorandFlowSettingstabarereflected inthegraphicalflowintheSponsorFlowdiagram.Ifyouenableapage,suchastheAUPpage,itappearsin theflowandthesponsorwillexperienceitintheportal.Ifyoudisableit,itisremovedfromtheflowandthe nextenabledpagedisplaysforthesponsor. Before You Begin Ensurethatyouhavetherequiredcertificates,externalidentitysources,andidentitysourcesequencesconfigured forusewiththisportal. Procedure Step 1ConfigurethePortalSettingspage,asdescribedinPortalSettingsforSponsorPortals,onpage787. Ensurethattheportalnamethatyouusehereisnotusedforanyotherend-userportals. Step 2ConfiguretheLoginSettingspage,asdescribedinLoginSettingsforSponsorPortals,onpage789. Step 3ConfiguretheAcceptableUsePolicy(AUP)PageSettingspage,asdescribedinAcceptableUsePolicy (AUP)SettingsforSponsorPortals,onpage790. Step 4ConfiguretheSponsorChangePasswordSettingspage,asdescribedinSettheGuestPasswordPolicyand Expiration,onpage300andinRulesforGuestPasswordPolicies,onpage299. Step 5ConfigurethePost-LoginBannerPageSettingspage,asdescribedinPost-LoginBannerSettingsforSponsor Portals,onpage790. Step 6SponsorPortalApplicationSettingsrefersyoutothePortalCustomizationtabifyouwithtocustomizethe portal. Step 7ClickSave. Customize Sponsor Portals Youcancustomizetheportalappearanceanduserexperiencebycustomizingtheportalthemes,changingUI elementsontheportalpages,andeditingerrormessagesandnotificationsthatdisplaytotheusers.Formore informationaboutcustomizingportals,seeCustomizationofEnd-UserWebPortals,onpage359. Configuring Account Content for Sponsor Account Creation Youcanconfigurethetypeofuserdatathatyourguestsandsponsorsmustprovidetocreateanewguest account.SomefieldsarerequiredtoidentifyanISEaccount,butyoucaneliminateotherfields,andaddyour owncustomfields. ToconfigurefieldsforaccountcreationbySponsors: Cisco Identity Services Engine Administrator Guide, Release 1.3 324 Sponsor Portals