ISE sponsor portal guest accounts

I am having an issue with guest accounts that have been created in the sponsor portal. Some accounts work fine but others show up in the authentication logs on ISE as error 22056. This error points to ISE not looking in the right identity store, but when you go deeper into the details all auth requests are pointing at the internal users store, which is correct.
My main problem is that when I try to look at these accounts from the ISE admin console to see if there is any difference between them, they do not show up, i.e. no accounts that are created on the sponsor portal are displayed in the internal users database, but if you try to create an account with the same user name ISE says that there is already an account with that name.
Is there anywhere on ISE to display the sponsor guest accounts?
Regards
Craig

Hi,
Not too sure if I am missing something, but this just tells you how to use the sponsor portal? My query was based around being able to see all user accounts, i.e. accounts created in the sponsor portal and from the admin console, in the admin console.
If I web browse to the ISE admin console and then go to Administration - Identities I can only see the accounts that I have created through ISE admin. If I try to create an account that I know exists on the sponsor portal, ISE complains that the user already exists, but you cannot view it. This seems very odd; why wouldn't an admin be able to see all accounts?
thanks
Craig

Similar Messages

  • ISE 1.3 Guest account Activate

    Hi,
    Has anyone worked with ISE 1.3 with creating guest accounts using the sponsor portal?
    Our issue is that whenever we create a new guest account using the sponsor portal, the account is shown as "Created", not as "Active". When we try to use the same account in the guest portal it gives authentication failed and shows as "account is not yet active" in the ISE report. (Please see the attached file.)
    Can anyone tell how to make a new account active, or why it is shown as "Created" and not as "Active"?
    thanks in advance.

    Hi there,
    I am having the exact same problem with my ISE 1.3 deployment after upgrading from 1.2 to 1.3.
    The issue seems to relate to timezones (as a lot of ISE problems do!).
    The issue relates to settings under Guest Access -> Settings -> Guest Locations and SSID. You should have defined a location local to you; for me it is 'Southampton, Europe/London'. The San Jose entry cannot be removed.
    There should be an option to select timezone in the Sponsor Portal but it is missing, so it defaults to 'San Jose'. This causes a time-zone mismatch between the account itself and the SSID location.
    However if you create a guest account using the admin GUI: Guest Access -> Manage Accounts, although you still cannot select the timezone it will choose the correct one for the SSID and you will then be able to use the account via the Guest Portal. I don't know what would happen if you had a second SSID and alternative location, it would probably be totally broken!
    I have raised this issue with TAC three weeks ago, and had a webex with the Business Unit last week. They saw the issue and took some debug logs, all very helpful people, but the problem is still unresolved.
    cheers,
    Seb.

  • ISE Sponsor Portal

    ISE Sponsor Portal
    I'm still coming to grips with ISE!
    Web Portal Managment>Settings>Sponsor>Language template>English>Configure Print Notification
    Rather than just add text I would like to add some graphics. I tried adding HTML to the Layout, which doesn't work. When my Sponsor needs to print out a day account, for example, rather than basic text format I would like to add graphics to give to the customer. Can this be achieved another way?

    Hi Stephen,
    The defect CSCty82696 is filed in ISE 1.1.x version for this similar issue and this is fixed with the following template.
    Template Used:
    Welcome to the Guest Portal, your username is
    Username: %username%
    Password: %password%
    First Name: %firstname%
    Last Name: %lastname%
    Time Zone: %timezone%
    Mobile Number: %mobilenumber%
    Optional 1:%option1%
    Optional 2: %option2%
    Duration of Account: %duration%
    Email: %email%
    Time Profile: %timeprofile%
    Account Start Time: %starttime%
    Account End Time: %endtime%
    Restricted Window: %restrictedwindow%
    As per the defect notes it says HTML tags are now treated as literals for security reasons. We don't want to allow malicious scripts to be sent in email notifications so embedding HTML text now will show up as literal text rather than HTML tags.
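
The "HTML tags are treated as literals" behaviour from the defect note, sketched as an added example; it is not Cisco's code and not part of the original posts. The function name `render_notification`, the sample template and the field values are constructed for illustration; only the `%field%` placeholder style comes from the template quoted above.

```python
import html
import re

# Constructed sample template in the %field% style quoted in the post.
TEMPLATE = (
    "<b>Welcome to the Guest Portal</b>\n"
    "Username: %username%\n"
    "Password: %password%\n"
    "First Name: %firstname%\n"
    "Optional 1: %option1%\n"
)

PLACEHOLDER = re.compile(r"%([a-z0-9]+)%")


def render_notification(template, fields):
    """Expand %field% placeholders and HTML-escape everything.

    Template text and substituted values are both escaped, so markup typed
    by an admin or supplied in a guest field is displayed as literal text.
    The template is scanned once, so a value that itself contains
    "%password%" is never expanded a second time.
    """
    out = []
    pos = 0
    for match in PLACEHOLDER.finditer(template):
        out.append(html.escape(template[pos:match.start()]))
        name = match.group(1)
        if name in fields:
            out.append(html.escape(str(fields[name])))
        else:
            # Unknown field: keep the placeholder visible instead of guessing.
            out.append(html.escape(match.group(0)))
        pos = match.end()
    out.append(html.escape(template[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed guest record with markup and a nested placeholder in a field.
    guest = {
        "username": "jdoe",
        "password": "p%w<1",
        "firstname": "<script>alert(1)</script>%password%",
    }
    print(render_notification(TEMPLATE, guest))
```
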

  • Cisco ISE sponsor Portal email notification of guest account

    Is there any way to not have the email button displayed in the sponsor portal? We don't have email or SMS enabled and sponsor users are complaining that the button is there but doesn't work. It would be really good if you could just remove it. I have looked at the sponsor language template configuration, but it doesn't appear to be able to hide the button, just rename it?
    any information would be much appreciated.
    Craig

    Martin,
    thank you very much for the information, I don't think I would ever have checked there for this configuration. It is taking me a while to get used to the ISE GUI; I don't find it particularly intuitive, but hopefully I will get there.
    thanks
    Craig

  • ISE doesnt send Guest accounts via Email

    Hi
    I have come across an issue in ISE 1.1.2.
    Once I create a guest account and click on email, I get the below error.
    I have patched version 1.1.2 to the latest patch 3.
    I have also configured the sponsor portal customisation email address.
    ISE reports "Internal Error encountered. Please contact administrator or help desk"
    Anyone have any suggestions?

    Hi Neno
    I have configured an SMTP server on ISE admin, and I have created a default email address ([email protected]). I have got an email address in the customization page of the sponsor portal ([email protected]).
    One thing I just tried was when I create a guest user with an email address of [email protected], that worked fine. But if I configure a guest user with an email address of [email protected], this is when I get the error message.

  • ISE Sponsor Portal Questions!!!

    Hi Team,
    Few questions!!
    1. Can we integrate ISE with Safenet (Token) for VPN access using Inline Posture?
    2. When we create a user account in the Sponsor portal in ISE, by default where does the user get created: in the internal database of ISE or in Active Directory?
    3. Advantages of Sponsor portal over NAC guest server?
    Cheers!!
    Minakshi

    1. Can we integrate ISE with Safenet (Token) for VPN access using Inline Posture?
    Yes you can
    2. When we create a user account in the Sponsor portal in ISE, by default where does the user get created: in the internal database of ISE or in Active Directory?
    They are updated into the local ISE database
    3. Advantages of Sponsor portal over NAC guest server?
    Sponsor portal allows a person (can be anyone assigned by Admin) to manage Guest accounts.
    Refer http://www.cisco.com/c/en/us/td/docs/security/ise/1-0/sponsor_guide/ise10_sponsor_book/ise10_sponsor.html

  • ISE purge unused guest accounts

    My customer has ISE running 1.2.0 for its guest service. Today, they asked me about a way to purge guest accounts that were never used.
    I know the 1.2 user guide states this:
    You can force expired guest user accounts to purge immediately without waiting for a scheduled purge. If a guest account created using FromFirstLogin is not used (user never logs in), it does not expire and is not purged. You must manually delete it in the Sponsor portal.
    My question is about release 1.3: the manual does not indicate the same thing, so I would like to know if the unused accounts can be purged in some easy way, or if they can be included in the regular purge process.
    Regards.

    So, does the 1.3 release have a new parameter to set purging of unused accounts after some days? In that case, which parameter is it?

  • ISE 1.2 - Guest Account converted to lower-case automatically

    Hello
    I have an ISE appliance version 1.2 and sponsor portal.
    I create accounts with upper case username and upper case password, but the Sponsor portal converts them to lower case.
    I try to log in with lower case or upper case. I can't log in with either.

    Check the Multiport configurations and HTML page settings for converting the alphabetic cases.
    You can check the links below for step-by-step configuration of the HTML page's settings:
    Link-1
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_custom_portals.html
    Link-2
    http://www.cisco.com/en/US/docs/security/ise/1.0/sponsor_guide/ise10_sponsor.html#wp1069407

  • ISE 1.3 Guest Account Expiration Notice email subject customization

    Hi,
    Under Guest Type Settings, you can configure Account Expiration Notification. I managed to customise the e-mail body, but I cannot change the subject. Is there a way to change the subject of the email guests are receiving before account expiration?
    Thanks,

  • ISE 1.2 corrupted sponsor portal

    Hi,
    Since I started to use the ISE sponsor portal it shows wrongly, see attached screenshot.
    I tried various browsers, but the problem is the same. Other pages are okay; just the main one with guest users has the problem.
    Looks like it happened after the upgrade from the previous ISE version.
    Does anybody know how to fix this?
    Thanks and greets
    Karel

    Hi Karel,
    As regarding to your query,
    These selections will allow guests to change their password, perform self-service, and require
    acceptance of a default AUP upon login.
    Changed in ISE 1.2: Now that we have the ability to Change Account Duration (discussed later in the lab) the option
    to Require guest and internal users to change password at expiration and first login has been updated so that
    the guest must change the password when not only first logging in but then also when the expired account has been
    reactivated. It’s not being used in this lab so be aware of this option.
    Self-service allows any user to generate access credentials without requiring a sponsor to perform this task.
    As this is not a sponsored user and any user may create their own account with this policy setting, it is
    common to assign self-service guests to an Identity Group with minimal network access privileges such as
    “Internet_Only”.

  • ISE 1.2 Guest First Login time profile not working

    I created a First Login time profile and assigned it to a Guest generated in the sponsor portal, but the account status is Active instead of Await Initial Login.
    Any suggestions?

    Check what role you have assigned. If it is ActivatedGuest, then the account is enabled automatically. Status for these guests displays as "Active" even if the guest has not yet signed on.

  • ISE Sponsor Authentication via RADIUS

    My client is requesting us to change the way the sponsor users are authenticated and authorized to access the ISE Sponsor Portal.
    They would like to pass the ISE request to AD through a RADIUS server first. They said "to avoid sending AD credentials to ISE directly".
    Under these requirements, my search and limited knowledge lead me to assume I should define a Proxy RADIUS.
    I think I can define an External RADIUS server, but I wonder whether, once created, it would be available as an Identity Source for the "Sponsor Portal Sequence".
    If not, how can I add this? After that, what conditions or attributes should I look for to use in the "Sponsor Group Policy" in order to filter username/password and allow access only to employees and deny access to anyone else?
    I will appreciate any advice you can give me to offer the best recommendation to the customer.
    Regards.
    Daniel Escalante.

    I think I understood the customer concern. This is quoted from Microsoft http://support.microsoft.com/kb/321051
    "The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."
    So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...
    The ISE User Guide indicates that one of the ports required to be open in the case a firewall exists between ISE and AD is 636 (LDAPS). (ISE User Guide, page 5-6)
    In my case there is no FW between ISE and AD, so where or how can I show the customer we are using LDAPS?
    Regards.

  • ISE 1.1 sponsor portal different type of guest accounts

    Hi there
    I just played around with the ISE 1.1.2.145 sponsor portal. I have the following 3 requirements, but I don't see a way to get there with the actual sponsor portal features:
    1. I would like to create an event user (one single user for multiple logins) with a given username and a given password
    2. I would like to create a single user with a given username and a given password
    3. How can I change the password of such a user
    At the moment I am a little disappointed with the sponsor portal; the features are not there or I can't see the way to get there ;-)
    Can anybody confirm the above problems?
    Best regards
    Dominic

    It is possible to use internal users as well as AD users for admin.
    I'm not actually sure whether it's possible to stop using Internal Users.
    I have it working using both, primarily as I don't have AD credentials on customer site, so they use AD credentials and I stick to using Internal Admin User.
    I still haven't understood your original question entirely, but if you select the guest username to be created based on email address (rather than first name/last name), then you can create a single username using a fictional email address, and allow the user to change the password on first login. You can then change the password to whatever you want.
    Does that fit?

  • ISE 1.2 Sponsor Portal- Account Expiration Date Defaults to same time as Start Date

    We have a time profile set up for the ISE Sponsor Portal with Start/End. I understand this allows the sponsor to specifically set the start and end time for the guest account. When creating an account, the Start/End time is the same time. If a Sponsor forgets to set the end time, then the guest account will be created, but will expire, not allowing the guest to log in. It would be nice to have the end time default to something other than the start time, like an 8 hour default. Is this possible? Can the expiration time default to something like 8 hours, but still give the Sponsor the ability to adjust the start/end times if needed? This is very simple, and I cannot believe this is not available.

    Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
    Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
    DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
    DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
    DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.
    Upon expiration of their account per their assigned time profile, they will no longer be able to login or access the company network.
    If a guest were to return to the network, the sponsor can change the account duration via the sponsor portal to grant them access again and then require them to change their password if deemed necessary (depending on the settings). Changing account duration can be used for extending a guest users access longer than the original setup.
    If you upgrade to Cisco ISE 1.2, the older time profiles are still available, but you can delete them if you are not using them. If the older time profiles are assigned to a sponsor group, a message alerts you before deleting. If you perform a new installation of Cisco ISE 1.2, only the new time profiles display.

  • Is there a way to Limit the number of guest accounts a Sponsor can create from the sponsor portal?

    Hello,
    I am trying to find a way to limit the number of guest accounts a Sponsor can create from the portal. I am running ISE 1.2 and I am finding it difficult to limit the number of guests a sponsor can create.

    Interesting feature that unfortunately is currently not possible. I also don't think this is a feature that will be offered in the highly anticipated v1.3. I would recommend that you reach out to your Cisco team and request this feature.
    Thank you for rating helpful posts!
