Auto-Provisioning Guest Accounts

Similar Messages

• Guest account and auto log out

  I will be using Snow Leopard machines in a computer lab with guest accounts. However, I've read that when the idle timer ticks over, the dialog box confirming the Guest account's files will be deleted comes up and does not time out (like a normal account would).
  So the machines never auto log out. In an environment where most users don't log off to protect their privacy, this is an annoying problem.
  Is this still an issue? Is there a way to turn off that dialog box confirming logout? Or some other way to get my Guests to auto log off?
  Thanks.

  it would actually be pretty easy to create a automator script that runs a bash script like "sudo exit" which would then prompt for the password of a admin.
  i also did a quick google search and found these:
  http://hintsforums.macworld.com/showthread.php?t=89181
  and
  http://hints.macworld.com/article.php?story=20050216114450735
  the second one will probably be more helpful but hopefully this little nudge will help out.

• Guest account will not auto logout

  I'm using a number of Snow Leopard machines in a public computing setting using the Guest account quite successfully. However, when the idle timer ticks over, the dialog box confirming the Guest account's files will be deleted comes up and does not time out (like a normal account would). So the machines never auto log out. In an environment where most users don't log off to protect their privacy, this is an annoying problem.
  Is there a way to turn off that dialog box confirming logout? Or some other way to get my Guests to auto log off?
  Thanks.

  I've found the guest account is great in a lab/classroom setting, but I need to be able to have the computers run a scheduled shutdown at night so they can reset for the next day. It was a real disappointment to see that the energy saver schedule wouldn't work because of the prompt about files being deleted. Has anyone come up with a way to bypass the prompt or force the logout/restart/shutdown option? I'm surprised I haven't been able to find more results from my search on this topic.

• How do i force a guest account to Auto log off after being inactive for a period of time?

  I have a 2010 21" iMac running OS X Snow Leopard (10.6.8) in a hotel's guest lounge. I want to have it log off of the guest account after being inactive for 5 mins so that it clears the session info if the last person who used it did not log off when they were done (***this happens very often***).
  I tried using the "System Preferences > Security> Log off when inactive for X minutes" option but this brings up the "Delete files and log off" dialogue which unless someone makes a selection just stays there and doesn't timeout, essentially stopping the logoff process.
  How can i bypass that dialogue and force the system to log off the Guest User to avoid any issues with other guest seeing info from the previous user?

  Hi daniel,
  I don't believe it's possible to do what you want, unless someone could write an Applescript for it. I suspect the best route for now is the old fashioned way, paper and marker, warning guests to log off or their info will be public.

• CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

  Hi All,
  I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
  Here is an example of the audit trail log from Change Account:
  Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14 
  Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14 
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
     Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
  Auto provisioned for request on 06/28/2010 17:14 
     User Provisioning failed for System(s) : DEV. Error Message :
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
     Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
  Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure 
     Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
  Note: the role names were replaced with "xxxxxxx."
  The system log gives an error, but it is very vague:
  2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
  com.virsa.ae.service.ServiceException
       at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
       at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
       at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
  Any ideas or suggestions?
  Current software level AC5.3 SP12.
  -Dylan

  Hello Varun,
  Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. You question prompted me to do more testing with very interesting results.
  Results
  New Account with User Defaults configured:
  User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
  New Account without User Defaults configured:
  User provisioned successfully, no Auto-Provision error.
  Change Account with User Defaults configured:
  User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
  Change Account without User Defaults configured:
  User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
  In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
  For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
  What about on your side? Am I the only guy using SP12 here?

• Guest account creation in ISE

  Hello All,
  I am encountering an issue in which I find only when guest accounts are created by sponsor through the sponsor portal, guess access is granted. If I manually add guest account in the same guest role via the administrative UI, instead of guest access authz profile is hit, ISE goes through supplicant provisioning flow. I know that I do have enable self provisioning flow but why would it kick in for guest user created by admin? I see many bugs dealing with guest portal flows but failed in finding one exactly matching to my senario. Any insight is greatly appreciated. version 1.2.
  Fadi

  You can create and manage guest user accounts  to provide temporary network access for guests. If you have numerous  guest user accounts whose account information is stored in an external  database, you can import this information to expedite the account  creation process.
  Please Check the below guide for user’s creations:
  http://www.cisco.com/en/US/docs/security/ise/1.1/sponsor_guide/ise_sponsor_chp2.html

• Local Authentication for Guest accounts created on WCS

  I'm not sure this is technically possible but I have a requirement to set up an SSID on a WLC whereby I can provision guest user accounts from the WCS and have the WLC / SSID authenticate against the guest account created on the WCS. The SSID would not be a web-auth / layer 3 auth model but preferably be able to utilise layer 2 authentication (802.1x) against the account within WCS. Can anyone tell me if this is actually possible?
  Thanks in advance for your help.
  Cheers
  Sent from Cisco Technical Support iPad App

  Ok then .. Sounds like you are already very fimilar with the wlc..
  Lets kick a few ideas around ..
  If you want to use WCS lobby then you cant use radius, becuase WCS will not update radius accounts. But you could use the WLC as a radius server and store the guest account(s) on the WLC. Gives you 802.1X security, WCS loddy admin access and your guest accounts. You can also expire the accounts as well. So you would move the control from radius to the wlc. You can also apply your qos / bandwidth.
  Another option would be to create radius accounts. Set up your guest wlan, point it to radius. You can still apply a global bandwith restriction within the qos profile on the wlc.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• User names for non-existing guest accounts appearing in WCS reports

  Hi All,
  I currently have a client where we have deployed a guest network using webauth and the lobby ambassador account to provision guest users under WCS 5.2.
  When running client detail reports there are a number of odd behaviours that i don't understand.
  First and most importantly the username section of the report is populated with usernames that have never been provisioned and do not currently exist.
  I made a guess and thought maybe it was recording usernames of people who had attempted to log in via webauth using their normal user accounts as the recorded names were in this format but this did not generate an entry in the report.
  The second issue was that a lot of users had pulled down a few MB (8.5 was the highest at that point) of data while not authenticated. The standard webauth page is used with some minor changes and this is tiny so i can't account for where this data is coming from unless they are pulling down that page repeatedly.
  I am hoping someone will have experienced these 2 situations and can assist.
  Thanks
  Ben

  The username section can get populated from the users that do exist on the controller.
  The second issue doesnt make much sense, you may want to open a TAC SR to investigate this further

• After upgrading to Lion, and then running fire vault I've lost my guest account from log-in and can't edit it in system preferences!

  I upgraded successfully to Lion.
  I then decrypted the legacy filevault and started the new firevault.
  After this completed I noticed that I no longer have a guest account at log-in.
  And I am unable to edit the guest account at system preferences even though I am admin.
  (The guest account is unticked in system preferences - allow users to login).
  Thanks.

  Same here. Looks file FileVault2 disables the possibility to use a Guest Account as it enforces all accounts to have a password. In addition Auto Login is no longer possible. See http://support.apple.com/kb/HT4790 for details.

• Create WCS guest accounts

  Hi
  I like to know if some one has some solution or input to my questions below
  Is there a way to auto generate user and password for guest accounts?
  So that you don't have to write in username just click on generate accont and WCS make up a username and password.
  And when bulk loading guest user is it posible to configure start date and time not just lifetime of the account  like  when you manual create a guest account?
  Regards
  Mikael Mattsson

  Hi,
  no you cannot auto-generate the username. The Lobby Ambassador has to type in the username.
  For bulk imports, you cannot schedule a future start time I'm afraid.
  This kind of advanced guest feature is more what the NAC Guest Server can do (it's not only for NAC, it's a Guest Server).
  Hope this helps,
  Nicolas
  ===
  Don't forget to rate answers that you find useful

• WCS expiring guest accounts early

  Hi Folks, We've had a number of reports from our Service Desk (who create the guest accounts for us) that they've been getting users who have long-term accounts (90days) expire early.
  I've taken a look at the settings and sure enough, today there are accounts on WCS that are showing as expired but have a long life time.
  Example:
  User(x) created on 13th July with an expiry of the 15th Sept
  User(y) created on 12th July with an expiry of the 12th Oct
  This is only a couple listed here but the problem seems to be widespread accross long-life accounts. I've checked the clocks and they're all synced between WCS and the WLC's, when accounts are created they are done through WCS and pushed down to the single mobility anchor (our topology is 6 WLC's split over 2 sites, with a 7th WLC for MA with a toe in the internet DMZ)
  We're running 7.0.172.0 of WCS and 7.0.116.0 on all the WLC's I think the problem has started to occur as it's really only now that we're using longer life-time accounts in anger. 
  Originally the accounts were being deleted by the cleaner process, so it just looked like the accounts were disappearing - we've stopped this and now it just shows that they expire.
  Any suggestions that you can give as to why this might be occuring would be great!  Unfortunaly we can't create 'unlimited' accounts as our policy is that they should have a lifetime of no more than 3 months, so the overhead on monitoring would be too big - so there has to be an automated process.
  Thanks in advance!
  Kev

  I upgraded to WLC 7.0.235.0 and WCS 7.0.230.0 and am still getting users complaining about their accounts expiring early.  Someone please correct me if I have misread something but the WCS is suppose to check the account every so often and re-provision the account based on the expire date set?  We setup our users with 90day accounts that is pushed to two 5508 controllers running the code above, the process works well but the expiration of accounts has become a issue.  Anyone know if the bug was truly fixed in 7.0.235 code or do I need to set the lifetime of the account lower.      

• Guest Account log-file location(s)

  I have used the "Guest Account" when people come to visit - it's great
  HOWEVER, in the interest(s) of saving some disk-space I want to delete the log-files that OS X 10.6.x keeps of the guest-account's useage / web-visiting
  activity and so-on - but I can not FIND these log-files - ???
  however, I find the Lego site, the Toys R Us Site, and the banking and the soccer and other such things in the log-files (Parental-Controls / logs) when people leave and I don't really care - so I'd like to DELETE these log-files but I can't find them?
  can anyone tell me where to find these log-files (I'm familiar with Terminal and can use it - I came from the Unix-world???
  VikingAsia

  I have just 'tested' this thing...
  I'm logged-in as 'vikingasia' (which is - basically - an account with root or administrator priveledges
  I can go to System Preferences => Accounts => enable the guest account and enable fast-user-switching - and enable Parental Controls - etc. etc. etc. - then close the System Preferences window
  check /Users - no 'Guest' there
  However, - if I go to 'fast-user-switching' - switch to the Guest Account, open Safari - surf a bit on Apple or Wikipedia or Toshiba - THEN - go BACK to my 'normal' account (via fast-user-switching) - there IS a /Users/Guest - but everything in it (except "Sites") has a small red circle in the lower-right with a white minus-sign in it...
  THEN I can go BACK to the Guest Account (via 'fast-user-switching') and close-out the Safari application then "Log-Out" of the "Guest Account" then (when I log-out of the Guest Account) it auto-magically drops me back to a password window - and I put-in the password for the 'normal' account and the '/Users/Guest' is gone (all of it)
  BUT - if I now go into "System Preferences => Accounts => Guest => Parental Controls => Web Sites Visited => Logs - I still find the OLD LOGS from 3-6-8
  months ago?
  Harumph?

• GRC Auto-Provisioning Behavior

  Ellow Experts,
  I am newbie in supporting GRC thus most of the errors encountered are crucial for me to resolve.
  I have some inquiries with regards to GRCu2019s behavior.
  1. If a GRC Request has been created to assign roles with validity date earlier than today, why does the GRC closes the request (with logs saying that auto-provision has been completed) but the roles were not assigned yet to the user id.
  Ex. GRC CUP created March 22 to assign the following roles:
  RoleXXX  valid from March 26, 2010 to December 31, 2010.
  RoleYYY  valid from March 26, 2010 to December 31, 2010.
  Upon checking useru2019s role, these roles were not assigned to his account.
  2. We also have scenario where the role is requested to be added for next week but GRC auto-provisioned it today and closed the request.
  Ex. GRC CUP created March 22 to assign the following roles:
  RoleZZZ valid from March 26, 2010 to December 31, 2010.
  RoleAAA valid from March 26, 2010 to December 31, 2010.
  Upon checking user id, role has been assigned to him the same day the GRC request has been closed.
  Please advice why this 2 new scenario has different result where as same type of request. Does workflow has something to do with it?
  Version: GRC-SAC-SAE 5.3_09.1
  Thanks.

  Hi Santosh,
  In AC 10.1, I created one brf plus initiator rule.Although I saved it in GRAC_ACCESS_REQUEST package.Transport button is not available(Not greyed).
  Dis you faced this issue..How to get this change in transport??
  PS:Application are activated.
  Thanks,
  Mamoon

• AC 5.3 SP10 CUP Delaying Auto Provisioning Email

  All -
  Is it possible to delay the auto provisioning email? If yes, how?
  We have a scenario where security needs to perform certain tasks post user account set-up before the user logs on to the system (we don't want to auto provision & lock the user) and want to delay the automatic email sent to the user. Is this possible?
  Thanks,
  Daniel

  Daniel,
     Here is the email content:
  Your request #_!AUTO_PROVISION_REQNO#_! provisioning has been done. Your  account has been created.    Your ID is #_!AUTO_PROVISION_ID#_!  Your password in each system (Password/System):#_!AUTO_PROVISION_PASSWORD#_!
  It is part of cleanandinsert xml file, which comes with the installation. You can search for this and change the email content.
  Alpesh

• How do I allow "Guest" account to access my music?

  I can't believe I am having such a difficult time with this.
  I'd like all the accounts I have set up to be able to access my music library. And if I add music I'd like each account to access the new music without having to update each library. I've read other posts and I can't quite grasp how I share the library.
  If I can't share it, how do I move the library from my folder to the guest folder?

  It's even worse!
  I tried putting the music folder into the shared folder.
  I still couldn't access them from the guest account. And worse, I can't get them back into my original account. They are not erased (thank god!), I can see them in a folder, just can't pull them up on itunes.
  Should I do the "consolidate music"? I'm leary of making a whole copy as I don't have enough hard drive space.
  Now I am going to rant....This should not be that difficult!!!