Cisco ISE Guest portal - smart card login
Does anyone know if Cisco ISE support smart card login to the guest portal page?
No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.
Similar Messages
-
Cisco ISE Guest Portal - DNS Issue - External Zone
Hello,
I have a customer that has the following sceanrio :
In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect URL from ISE (URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so, the PC can't resolve this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided by the DHCP server, and, so, it can't access the Guest Portal at all ;
I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
Thank-you in advance for your replies.
Robert C.Robert,
Manual assignment has been made available in ISE 1.2 release.
M. -
Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
PaulHello,
As you are not able to get the guest portal, then you need to assure the following things:-
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile should exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL have been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again. -
Dears,
I want to configurate guest portal(Central Web authentication) for wireless client on Cisco ISE. I confuse that:
Must i configure redirect ACL in switch? If yes which access-group or which interface i applied this redirect ACL?
I read that must be create redirect ACL in WLC.I also do my configuration form these guide. In this guide write that:
reate the Authorization Profile
On the ISE, the authorization profile must be created. Then, the authentication and authorization policies are configured. The WLC should already be configured as a network device.
In the authorization profile, enter the name of the ACL created earlier on the WLC.
Click Policy, and then click Policy Elements.
Click Results.
Expand Authorization, and then click Authorization profile.
Click the Add button in order to create a new authorization profile for central webauth.
In the Name field, enter a name for the profile. This example uses WLC_CWA.
Choose ACCESS_ACCEPT from the Access Type drop-down list.
Check the Web Redirection check box, and choose Centralized Web Auth from the drop-down list.
In the ACL field, enter the name of the ACL on the switch that defines the traffic to be redirected. This examples usescwa_redirect.
this confuse me. -
We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest trying to browse the internet it will be redirected to guest protal for authentication. So only corporate guest with valid password can pass the portal authentication. This is been working fine for windows machine, android, and apple devices with earlier OS version (working on OSX 10.8.5). For clients that's been upgraded to OSX 10.10.1 or IOS 8 they can no longer load the CWA redirection page.
Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release ?
thanks - ciscosxRobert,
Manual assignment has been made available in ISE 1.2 release.
M. -
Hi,
I have a weird problem; after a guest user account has been created on Cisco ise 1.1.4 patch 8; when the guest user is redirected to the ise guest portal; the first login is always unsuccessful. Upon entering the login credential and password correctly; the client would be redirected to the same login page. Upon retrying the process a few times; it would succeed after 2-3 times.
On the ise authentication; I see a guest authentication error; "Guest Authentication Failed : 86020: Unknown exception" with only a single step seen on the logs for troubleshooting "5431 Guest Authentication Failed"
I would like to check if anyone has seen such an issue/behaviour?
Any suggestions is appreciated.
Thanks.No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.
-
Hello
Has anyone else experienced the issue where this exit button works when IE is used to login to the ISE Guest portal, but not when Chrome is used. Same for Safari (from IPAD).
Sent from Cisco Technical Support iPad AppGoogle Chrome is not a fully supported browser for use with the Administrative User Interface of the Identity Services Engine (ISE), Version 1.1.3 and earlier.
-
Cisco ISE Guest Sponsor Portal Isssue
Dear all ,
We have insatalled 5 ise 3315 boxes IOS 1.0.4 in our network where in two of them are admin node , two of policy services and one is mnt node. We are using guest sponsor portal for wirless guest user where in we have integrated WLC 5508 with ise and using weblogin for guest users.
We have created open ssid in wlc and using external redirected url of ise for guest login page.
But when we create any guest user in sponsor login for guest user we faced following issue
1) When guest user gets conected to wirless and login in to guest portal with credential after putting credential then its again redirect to same login page
wihout successful login prompt.
Can we pompt successful login after guest login to guest portal or redirect to any other link like google.com so guest user will gets to know he is able to access internet now
2) We have creted time profile 8hours first login for guest user. When guest user gets connected while putting credential in to guest portal.
But we face issue after approximately every 20 mins guest gets disconnected from internet and guest again gets login page of guest portal and if we put same credential then its working but after approx 20 min interval user get disconnected from internet.
Can anyone help me to resolved above issue regading cisco ise guest sponsor portal
Thanks & Regards
Pranav GadePranav your answers are inline,
1) When guest user gets conected to wirless and login in to guest portal with credential after putting credential then its again redirect to same login page
wihout successful login prompt. When you are using CWA (central web authentication) there is no way we can redirect users using the redirect-url because this will always redirect users for every time they initiate a web request. There is no other coa feature that will remove this condition since they have already been authenticated. Here is a guide that explains the user experience when using central web auth -
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954
Can we pompt successful login after guest login to guest portal or redirect to any other link like google.com so guest user will gets to know he is able to access internet now No this is not possible, you can change the verbage and force the AUP to be displayed informing users that they can retry their web request after hitting the accept button.
Here is the documented experience once users go through the guest process -
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
2) We have creted time profile 8hours first login for guest user. When guest user gets connected while putting credential in to guest portal.
But we face issue after approximately every 20 mins guest gets disconnected from internet and guest again gets login page of guest portal and if we put same credential then its working but after approx 20 min interval user get disconnected from internet. Check the advanced timer on your SSID as you may be hitting the session timeout on the WLC. Please disable this option and let the COA feature in ISE expire user sessions on the controller.
Thanks,
Tarik Admani
*Please rate helpful posts* -
hi all,
my customer has set Wireless LAN Guest Voucher for 28 days however after 6 days its not working.
Our customer gives Wireless LAN Guest User a 28 days voucher from ISE Guest Portal Solution. After 6 days of using the accounts will not work. Must be deleted and added new. These accounts are not expired, but the login will fail after 6 days.
any idea why this is or do I need to escalte this to Cisco?
regards,
LanceYou might have another limiter in there. have are your durations configured?
//////only if expiring////////////////////////
You are probably hitting the account duration set on the Sponsor Group that created the voucher.
this can be set under administration -> sponsorgroups -> click on the sponsor group in question -> authorization levels -> and set the Max duration for accounts. -
How to use ISE Guest Portal for AD users
Hi there,
As subject explains all, I want to use ISE Guest Portal for my domain users. I have tried many different ways to authenticate users and finally I came to the conclusion that ISE CWA works pretty well and is very stable. WLC Webauth sucks alot, does not redirect to the login page always.
Can you please share what other ways are stable ways to authenticate AD users? I know about WPA 802.1x authentication but that requires a CA in the network which is not available at the moment. So can you please Suggect?
Otherwise, I want to use ISE Guest Portal for my AD users as well. AD is already integrated to ISE, the issue happens when I attempt to athenticate using AD user account, the user gets authenticated but the Guest Portal redirects me to Device Provissioning page and there it shows an error saying "there is not policy to register the device, contact system admin"
Am I missing something??
I am running WLC 5760 with ISE 1.2
Thanks in advance..Hi,
Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
Thanks,
Tarik Admani
*Please rate helpful posts* -
Pb to reach ISE Guest portal due to DNS constraints
I have set up a Guest Portal with WLC 5508 7.4 and ISE 1.1.1 ;
everything is OK, except one thing :
the Guest VLAN, associated to the Guest SSID is, actually, a DMZ behind my customer firewall and the DHCP parameters provided to the wireless Guest equipement connected on this VLAN include the public ISP DNS servers addresses, not the customer internal DNS serveurs addresses;
this seems OK since the idea of this Guest SSID is to give a pure Internet access to the Guests, and no connection at all towards the customer internal servers;
the problem is that, when the wireless guest receives the redictect URL from ISE (URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so, the PC can't resolve this internal DNS name by using the ISP DNS servers addresses provided by the DHCP server, and, so, it can't access the Guest Portal at all ;
Apart from changing those DNS values in the DHCP server (the customer does not accept this solution), how could we solve this problem ?
I have tried to code manually , in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
cisco-av-pair=url-redirect=https://192.168.1.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa,
but, it does not work, since the sessionIdValue variable is not replaced by its real value when sent to the wireless client
any comment welcomedWe had the same issue. Our solution was to advertise the internal IP address from our external facing DNS server and let it propagate publicly. Our ISE box is in a DMZ and the firewall rules do not allow outside traffic to it, however the clients will get the correct internal IP address and since they are already inside the firewall on the DMZ segment they are able to get to the ISE box with the publicly resolved internal IP address. The other option we entertained was a firewall DNS redirect. That would work by intercepting the DNS request for that specific URL and return the proper internal IP, all other DNS requests would pass through to the public DNS server.
-
Hi All,
I'm currently writing a HLD for a Cisco ISE rollout in my organization, and I've come across sort-of-an-issue:
I'm planning on getting the guests in through the ISE Guest portal, but I also want to push them through an authenticated proxy(for accounting purposes) instead of a transparent one... however, I can't seem to find a way to somehow integrate Ironport and ISE in order to achieve some sort of an SSO, to avoid users having to enter their credentials twice(guest portal and ironport)- has anyone got a working solution for this?
Any constructive input appreciated!
Thanks!Thanks for the swift responses and suggestions!
I'll most certainly have a look at the proposals...
However, I still want the guest users to go through the S370, as it's not only for accounting purposes, but I want them to authenticate, since it would make tracing and pinning events to a person way easier - that's the main reason why I'm trying to find a solution that might act like an SSO. The business side stated that signing in twice(ISE guest portal, then proxy) is unacceptable. I know that there's no direct integration between ISE and Ironport at the moment, and I am going to put in a feature request for that, but for the time being, I am really keen on getting this to work somehow...
BTW - I'm currently using a virtualised ISE, release 1.1.4., And I've got the 3395's on order... -
TACACS+ and Smart Card login
We are currently using Cisco ACS 5.3 integrated with Active Directory for authentication to our Cisco devices. We are looking to move to smart card logins and trying to find out if this is possible to authenticate to the console/ssh on the router/switch using a smart card.
Direct Smart card authentication is not supported for vty / console session on IOS. However, via TACACS to a AAA server (e.g. Cisco ACS) you can turn it to use a two factor-based external authentication store. Even if the Smart card get the PKI cert of some kind to the client PC and then to the terminal emulator like Putty or SecureCRT, AAA with Tacacs + would not be possible as Tacacs is not capable for encapsulating any kind of PKI.
Jatin Katyal
- Do rate helpful posts - -
ISE Guest Portal and one more SSID using internal accounts
Hi Guys,
I have two SSIDs on WLC, the first is related with ISE Guest Portal and the second is related with employee but i realize that the
Guest user can access the employee SSID and employee accounts can access the Guest portal page.
I guess this is happen because i cannot split these databases under "Internal Users" on Authentication Policy.
How can i restrict the access even if i am using the internal databse?
thanks a lotusing the Authorization policy is the right way. Match the corp ID store to the corp WLAN SSID ID in the AuthZ policy, for example (where Employee is your corp ID store and yyyy is the name of your corp SSID):
-
How to configure smart card login in sunray 2fs??
Hi all,
Please help me to configure smart card login using Sun Ray Server Software 4.0... How to assign a smart card for a particular user? Do I need to flash th smart card for user information or any other method exists?I'm not sure what you know or don't know about this so I'll give you what I know:
1. Create a token reader and a token
* Plugin a Sun Ray DTU/client
* Check the MAC address of the Sun Ray you just plugged in
* Access the Sun Ray admin GUI
* Choose the 'Desktop Units' tab
* See if your Sun Ray DTU is listed (if it isn't listed you have Sun Ray Server configuration issues...)
* If it is listed click the identifier
* Check the status of the DTU to see if this particular unit is already a token reader (normally it is not, i.e. by default a Sun Ray DTU is not)
* Click 'Edit'
* Check 'Token Reader'
* Click 'OK'
* /opt/SUNWut/sbin/utrestart (I'm not sure if a warm restart is OK or a hard restart is necessary)
Now insert a shiny new Java card into your token reader's slot
* In the Sun Ray admin GUI choose the 'Tokens' tab
* Search for currently used tokens
* You should see a token identifier such as 'Payflex.blah' under your desktop unit (i.e. the token reader)
* Click the token identifier and click 'Edit'
* Assign a username (i.e. Unix username) to the token under 'Owner'
* Click 'OK' and remove the smart card from the token reader
2. Assign the Token
* Insert your smart card from step 1 into the token reader
* In the Sun Ray GUI click 'Tokens' and 'New'
* Under 'Identifier' you should see 'Read Identifier from Token Reader' checked
* Click 'Read Token'
* Assign an owner (i.e. Unix user account) and a session type (Kiosk or Regular)
* Click 'OK'
Item 2 from the notes I used for this looks alot like item 1 so I can't say that it is strictly necessary.
I don't have a Sun Ray Server accessible to me at the moment to confirm but this procedure should help I hope.
Maybe you are looking for
-
I bought Adobe Premier 3 and my computer does not have a cd-rom how can I download it?
I bought this product a while back and I want to download it into my new computer but the computer does not have a cdrom thing, is there a link to a download?
-
Printer Driver for Canon MX310
Hi everyone, Just made the switch to Mac on the weekend, and everything is running smoothly on my new SR Macbook so far. The only thing I'm having trouble with is getting the right printer driver set up. I got the Canon MX310 with the rebate that cam
-
How to study for the MCSA: SQL Server Exams?
Hi guys, Forgive me if this question has already been answered but I'm simply trying to find out the best way to tackle the three exams required for the MCSA in SQL Server. I read a blog post on the Pluralsight website which, in discussing the MCSA
-
Hi All I am following the path : SAP Service Marketplace under <b>http://service.sap.com/swdc</b> > SAP Software Distribution Center > Download > Support Packages and Patches > Entry by Application Group > SAP xApps It i
-
I recently bought a new laptop with a lot of oomph, Intel Core 3.0 processor, 6 gig ram, etc. I installed CS4 Design Premium and photoshop installed the 64 it version. It's fast and that's great, but I lose all of my favorite plugins, Genuine Fractal