View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0282 - ISE 2.2 Guest Access with Sponsored Guest (Part 5)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0282 - Video Download $24.00
Purchase SEC0282 - Video Download $24.00
The video demonstrates the second guest access deployment model on Cisco ISE 2.2 called Sponsored Guest. We will go through the complete workflow of configuring sponsored guest including some basic customization for both guest and sponsor portal. We will look at how to provide guest-equivalent access to our employees as well as to have guest devices automatically connected via device registration. Testing will be performed on both wired and wireless.
Part 5 of this video covers wired client testing
  • Guest Access Workcenter
  • Guest Settings (Account Purge, Custom Field, Email Settings, Location/SSID, Username/Password Policy)
  • Endpoint Identity Group
  • Guest Type
  • Guest Portal with Basic Customization
  • Sponsor Group
  • Sponsor Portal with Basic Customization
  • Authentication Policy (Wired & WLAN MAB)
  • Policy Element Result
    • Authorization (DACL and Named ACL)
    • Authorization (Authorization Profile)
  • Authorization Policy
  • Device Registration
  • Endpoint Purge
  • Guest Simultaneous Login

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


i tried to change the VLAN for wired guest user after registration by adding VLAN ID in authoriztion profile and vlan changed successfully but guest still keep old ip address and i have to do
>ipconfig /release then >ipconfig /renew
so user can get new ip address

It is usually not a good idea to change VLAN after user already obtained IP due to the problem you just mentioned. If you want guest to be in an isolated VLAN, it is best to make that VLAN the default VLAN on the port and instead change VLAN on 802.1X users.

Hi. I have successfully enabled guest access using your tutorials but one issue exist. Actually it is not problem because endpoint still has internet access but anyway, let me ask. When i reconnect guest laptop, it does not match the Reconnect policy instead it match Sponsored policy and in logs i see endpoint as mail address. I mean, how the laptop sends mail as identity when I did not entered credentials on webpage? Windows7. By the way, although devices match sponsored policy instead of Reconnect, i do not see it in Guest Access->Identities->Endpoints

First make sure that you have it setup to register endpoint to Endpoint Group. Second, the Reconnect rule must be above the Sponsored Guest rule. With this, the Endpoint should reconnect using MAB and get access. We can't really explain why you saw username in the reconnect session unless the session on ISE was not terminated properly.