Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Cisco ISE guests and Ironport

Unanswered Question
Aug 15th, 2013
User Badges:

Hi All,

I'm currently writing a HLD for a Cisco ISE rollout in my organization, and I've come across sort-of-an-issue:

I'm planning on getting the guests in through the ISE Guest portal, but I also want to push them through an authenticated proxy(for accounting purposes) instead of a transparent one... however, I can't seem to find a way to somehow integrate Ironport and ISE in order to achieve some sort of an SSO, to avoid users having to enter their credentials twice(guest portal and ironport)- has anyone got a working solution for this?

Any constructive input appreciated!


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (2 ratings)
jan.nielsen Thu, 08/15/2013 - 16:39
User Badges:
  • Gold, 750 points or more

If your only reason for putting them through ironport is to get some sort of accounting on guest activity, i would recommend using an ASA firewall, and then send the syslog to ISE from it, ISE will then correlate the url usage and bandwidth usage with the guest username and details automatically, and you can track it with the reporting features in ISE.

Tarik Admani Thu, 08/15/2013 - 21:01
User Badges:
  • Green, 3000 points or more

There is no direct integration between ISE and ironport for SSO, however Jan is dead on as far as guest activity tracking. Here is a guide from the nac guest server that shows how to make this work. What version of ISE are you using?



Tarik Admani
*Please rate helpful posts*

sanjinturic Fri, 08/16/2013 - 05:35
User Badges:

Thanks for the swift responses and suggestions!

I'll most certainly have a look at the proposals...

However,  I still want the guest users to go through the S370, as it's not only  for accounting purposes, but I want them to authenticate, since it would  make tracing and pinning events to a person way easier - that's the  main reason why I'm trying to find a solution that might act like an  SSO. The business side stated that signing in twice(ISE guest portal, then proxy) is unacceptable. I know that there's no direct integration between ISE and Ironport at the moment, and I am going to put in a feature request for that, but for the time being, I am really keen on getting this to work somehow...

BTW - I'm currently using a virtualised ISE, release 1.1.4., And I've got the 3395's on order...

Tarik Admani Sat, 08/17/2013 - 19:43
User Badges:
  • Green, 3000 points or more


If you can stop the order for the 3395 that would be great, the new 3495s are available and run on UCS so you can more remote management functions through the CIMC.

Here is another questions asked previously where SSO with ironport isnt supported.



Tarik Admani
*Please rate helpful posts*


This Discussion

Related Content