In this session, we'll be doing the third part of creating ISE guest accounts as a

sponsor. Note that we've already created a new sponsor portal. Authorization
profiles and policy have been created, and we're ready to test our endpoint now. We
should get redirected to the new guest sponsor portal as a result.
So open up our iPad, and we see that it's not connected to Wi-Fi. If you'll recall
that we removed it from context visibility endpoints, which also removed it from
guest endpoints, to compel a MAB failure upon access. We see that it did connect to
guest. And let's open up to a Internet destination, and we should get a redirection
to occur.
Now, one thing that will distinguish this portal from the other portals that we've
been interacting with is, notice that we do not have the opportunity to self-
register or to create our own account. So let's go back over to the admin PC. And
on the Firefox browser, we'll open a new tab and try and reach our new sponsor
portal. And recall that we've tied this to where the domain employees group should
be able to access this.
And we could see that we've got the opportunity to create accounts. And when we
create random accounts, they are automatically set with a prefix that we specified
for this sponsor portal and sponsor group. This sponsor group can also manage all
other guest accounts that have been created, including through self-registration.
Let's go ahead and create a couple of random accounts to use with our new sponsor
portal. We'll create two accounts. It will automatically have the prefix applied.
It will automatically create dynamic random user names from that. We'll create a
duration of 2 days, and we'll do it from my local time and date to tomorrow's time
and date, from abruptly midnight to midnight. And we'll do that based on Denver
time zone. And we'll create the account.
You'll notice that we asked for two accounts. So we have two new usernames created,
both with that common prefix, and dynamic random user passwords also created. So
now let's try logging in with our iPad. Agree to the AUP and sign on. And that
appears to work OK.
Now let's investigate on ISE and the Live Logs to validate the flow. And we can see
here, as specified, the initial access to the guest Wi-Fi attempted a MAB
authentication. And as result, a MAB failure redirected us to the sponsor portal.
Then we attempted a login with one of the new randomly created guest accounts. And
as a result of that, a change of authorization was issued. And finally, new
authorization was provided, along with full guest access, and also, of course,
having profiled that endpoint as an Apple iPad.
And a quick review-- we have done multiple things for sponsored guest access. We
created and customized a sponsored guest portal for our guests to be redirected to.
We created appropriate authorization profile and policy to cause that redirection.
Then additionally, we created a new sponsor group and a new related sponsor portal
to allow sponsors to create user accounts and manage them. And then we attempted
the access via that sponsor portal with the newly created guest account from the
iPad and got success for the most part from there.