Automatic device registration
I am using ISE 1.2. I have to configure automatic device registration through Guest Portal.
The issue is that whenever a guest logs in for first time, he needs to enter the device mac address manually. Is there any method so the ise will automatically notice device's mac address and automatically populate it in "Device ID" field on Device Registration Portal
Regards,
Aditya
Similar Messages
-
ISE 1.2 device registration with MAB only, no client provisioning
Hello,
Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
I do not want to push certificates or native supplicant profiles to client devices.
I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
Right now, i am stuck on the registration portal that says "The system adminstrator has either nog configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
Am i really obliged to use native supplicant provisioning to register my device ?
GNHi
Device Registration web auth is a process where you can configure user without client provisioning.
In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with a AUP acceptance page when the guest user attempts to go to any URL.
2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC. -
ISE - auto assign a device to group upon device registration
Hi,
Is it possible to auto assign a device to group upon device registration?
Typically in the registration portal, once "Register" button is clicked, the MAC address is put into "Registered Device" group, but let's say I want it to be put in different groups depending on the AD group? (Let's say when if Staff A register the device, the device automatically put into group A, Staff B to group B, and so forth)
ThanksIf you create a portal Specific for device registration, you can define to which ID groups will belong the registered endpoints.
I didn't tried this, but it might be possible to have a different portal for registration based on AD group, if you chain it after CWA or Dot1x. That would make an additional redirection though. -
To automate a registration by telephone
Please help me with your good selves.
My client requires to automate a registration task for his customers by telephone. The requirement is the Oracle database should take numeric input from the callers telephone keypad eg 1 or 2 or 3 and the oracle must store this input inside its database and do some required processing with such input and generate a unique numeric id (sequence) and send back this unique numeric ID to the caller who is on hold. Note. Is there any electronic device to be installed at the client site to solve the above task? please let me know what it is, how to install, and how to get it? please please please help me. if you cant help i appretiate if you give me some clues.
Hope you will do the needful.
Kind regards
TammuThank you for your message.
OK i can install Oracle 9i collaboration suite. Is there any other thing to install eg. fixing a telephone to the CPU and etc? I completely have zero knowledge. Please can you outline/summarise the instructions how to construct and install to meet my client requirement. Please help me -
How do I skip the Device Registration Portal for Cisco ISE web portal
I have set up a sponsor and guest portal system for wireless guest access to the internet using ISE v1.2.0.899 virtual and WLC 5500 runninng 7.4. After logging into the intial page, the guest user is directed to the Device Registration Portal. Entering a MAC address value puts the user in a continuous failing loop. But, if they just hit the "continue" button at the bottom of the page, they will be directed onward and have internet access as was intended. I have no requirement for guest users to register their devices. What do I need to do to remove the device registration portal from the log on sequence for guest user access? Thanks!
Hello Scoot,
you make a list of the MAC add of coperate devices. and set a rule if authentication doesn't happen only these devices can do the self registration.
I hope this works for you -
Hello,
we are at the beginning of evaluating the sybase unwired plattform and stuck in the following situation.
we created a MBO, deployed it to the supserver, generated the iOS code, included it in your app and now trying to connect to the server with the following settings:
DEVICE:
ServerName: myServer.local (the sup is running in a VM)
ServerPortSetting: 5001
CompanyIDSetting: 0
UserNameSetting: supAdmin
ActivationCodeSettings: 123
URL Prefix: /tm?cid=%cid%
SCC- Device Registration:
Activation user name: supAdmin
Server name: myServer
Port: 5001
FarmID: 0
Activation Code: 123
For the connect we use the following code:
SUPConnectionProfile* cp = [iMAM_IMAMDB getSynchronizationProfile];
[cp setDomainName:@"default"];
// Set log level
[MBOLogger setLogLevel:LOG_INFO];
if (![iMAM_IMAMDB databaseExists]) {
[iMAM_IMAMDB createDatabase];
CallbackHandler* databaseCH = [CallbackHandler newInstance];
[iMAM_IMAMDB registerCallbackHandler:databaseCH];
[iMAM_IMAMDB startBackgroundSynchronization];
NSInteger stat = [SUPMessageClient start];
if (stat == kSUPMessageClientSuccess) {
while([SUPMessageClient status] != STATUS_START_CONNECTED){
[NSThread sleepForTimeInterval:0.2];
NSLog(@"wait for connection to the sup server!");
[iMAM_IMAMDB beginOnlineLogin:@"supAdmin" password:@"s3pAdmin"];
while([iMAM_IMAMDB getOnlineLoginStatus].status == SUPLoginPending){
[NSThread sleepForTimeInterval:0.2];
NSLog(@"wait for connection to the sup server!");
the problem is, that we are currently not leaving the first while loop, means we do not get a connection to the supserver. In the scc i do not see any incoming requests of my device - "Activation still pending"
Any clue what causes this strange behaviour?
Are there any further sybase monitoring capabilities which helps me to get more information about this?
In general the sybase scc can be reached by the device, which means that that the tcp channel is open.
We are running on sybase 1.5.5 and iOS 4.2.
Looking forward to share my experiences with you here.
JensHi, try to use same server name in scc (myServer.local).
The program run on the device or on the simulator? Try to telnet myServer.local on port 5001
If still not work try this:
if (result == kSUPMessageClientSuccess) {
[iMAM_IMAMDB asyncOnlineLogin:@"supAdmin"
password:@"s3pAdmin"];
while([databaseCH loginSuccessCount] < 1) {
[NSThread sleepForTimeInterval:1];
[window addSubview:navController.view];
[window makeKeyAndVisible];
} else
[self showNoTransportAlert:result];
Edited by: Alessandro Iannacci on Apr 6, 2011 10:43 AM -
ISE 1.2 Guest Portal - Device registration portal
Hello,
I have a problem with the following setup:
- Cisco ISE 1.2 (latest patch)
- Cisco WiSM with 7.0.220.0 (first generation)
I have build Guest access via ISE. Because the WiSM's highest version is 7.0.X I used LWA with a redirect to the ISE guest portal. When using the Guest SSID with a iPad the client is redirected to the ISE guest portal and the user can enter his credentials (deliverd by the Sponsor). After clicking "Sign On" the client is forwarded to the "Device Registration Portal" of ISE and need to register his MAC address.
We have try a lot of differend settings but we cannot switch off the forward to the "Device Registration Portal". We only want to use the Guest User portal.
Please can someone help me to find a solution for this problem?
Thank you in advance.I know this might be reaching, but have you turned off the My Devices portal?
If so, an idea of the different settings you have already tried might help.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
ISE 1.2 Device registration problem
I'm trying to get the device registration to work, but keep getting "Device not supported" or "Unable to obtain the user information".
I cannot seem to find any information on those errors from the manuals.
What are the possible solutions to get it working ? If the device is not supported, does it mean, that the profiling failed or something else ?
ISE 1.2Hi Harri,
What kind of authentication are you doing for these users? MAB, Dot1x? Also is this issue seen with all devices, or just a few ( i.e. same type, same vendor...)?
If this is self-registration for guest users, there is a known issue with using Custom Guest Portal. The defect details are given below :
https://tools.cisco.com/bugsearch/bug/CSCui77336/?reffering_site=dumpcr
Therefore if you are using the custom portal, can you instead try with a default portal?
Thanks,
Aastha -
Ise 1.2 Device Registration not auto filling the MAC field
Hello
I have installed 1.2 and when guests login, they get the new (not improved imo) device registration portal, but the field where they have to enter the MAC adress is empty, I can remember it was prefilled in previous ISE versions.
Is this normal beheavior on 1.2? I have configured calling station ID on MAC instead of IP, any other things that I need to configure to get this working?
90% of the users doesnt know what a MAC adress is, or where to find it.
Greetings
StevenPeter, I am glad you like my slides (although not sure I ever published this version outside Cisco!).
Steven, It sounds like you have enabled the option in the Guest Portal to allows Device Registration. This option is intended to be used by Guest accounts only and does NOT support auto-populate of MAC address. This was a very limited feature introduced in 1.0.
This feature should not be confused with the DRW or NSP flows for device registration. For the purposes of device registration with web auth, both CWA+DRW and CWA+NSP flows are working in ISE 1.2 Patch 7. However, CWA+NSP flow will not work for guest user accounts if enable the Supplicant Provisioning option in the web portal. The intent of the NSP flow is for employee accounts doing BYOD, and not for guest users. That said, it will still work if redirect successfully authenticated guest users to NSP using the Network_Access:UseCase=Guest_Flow condition (and optional match on Guest role).
I would recommend CWA+DRW option for Guest users as it is simpler, more streamlined, and you can specify a unique Identity Group such as "GuestEndpoints" to these devices. This makes future cleanup easier and maintains them separately from employee RegisteredDevices. ISE 1.2 ERS API can be used to programmatically to delete these endpoints periodically.
Hope that helps to clarify. -
ISE 1.2: Employee with personal device registration
Hi experts,
I'm aware of this discussion https://supportforums.cisco.com/discussion/11962026/ise-12-device-registration-mab-only-no-client-provisioning#comment-9371166
but looking for a detailed configuration to get following to work:
Employee's have access to the network with their corporate devices. No problem
Now employees need to be able to use their own mobile devices to get access. There is no definition of what devices are allowed.
II guess to let employees register their private devices with MAC address on MyDevice portal would be the most sufficient solution.
Does anyone have a detailed configuration or link how to achieve that?
Thanks,
FrankHaving BYOD access be based on mac address only is not really ideal and also not secure. A mac address can easily be spoofed and consequently your security policy can be bypassed. If you have a PKI environment you can take the EAP-TLS with SCEP approach:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html
If you don't have a PKI environment and don't want to mess with certificates you can still use a more secure method than MAC addresses. For instance, you can perform PEAP user authentication. You can create a "special" BYOD AD group and place the authorized users there. Then they can use their AD credentials to authenticate. In the authorization policy you can limit the access for those type of authentications via dACLs (switches) or named access lists (WLCs)
Hope this helps!
Thank you for rating helpful posts! -
ISE 1.3 IOS 8.1 Unsupported Browswer Error in Device Registration Page
I recently upgraded to ISE 1.3. We are now getting unsupported browser errors in the device registration redirect page on ipad and iphone IOS devices running 8.1. We are running 7.6 as 8.0 was unstable with ISE1.2.1. The device registration redirect page worked fine with these same devices in ISE 1.2.1. Is there a work around short of turning off registration? The "mydevices" page seams to work, but does not populate the mac addresses of the devices like the device registration page does.
Are you using Safari or another browser? You need to use Safari as Chrome will show an error message like unsupported browser...
I did the NSP with an iPad iOS 8.1.1 and ISE 1.3 and it worked fine...
ISE 1.3 compatibility was just released today and says 8.0 is officially supported; does not mention 8.1:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
Patrick -
Query in Device Registration Criteria
Hello,
I need some more details regarding Device Registration Criteria. When I access the transaction SDOE_DEV_REGISTER, by default only the attribute name 'USER' is Mandatory. With this setting when I register a application on client, it registers for any available device.
I understand that I can make more parameters mandatory for device registration in the above transaction and this is fine.
However I see a potential problem with this. Say I am installing my application(using Custom Client) at a customer site who is already using some SAP Specific Standard Application. Now in this case its quite possible that the mandatory parameters for registration are different for SAP Standard Application and my custom application.
How can we handle such scenarios? Any help will be appreciated.
Regards,
ShubhamHi Shubham,
Basically device registration parameters are for identifying the correct logical device for the physical device based on the values of the parameters specified at the time of registration.
This is not application specific as at the time of registration you might be not aware of the application that is going to be installed (unless you use setup package).
So by default only user name is considered for registration, which is under the assumption that each user uses only one physical device..
Each applications internally uses device attributes for distribution criteria. The value for these attributes need not be set from the device at the time of registration. Infact these must be set via receiver generation so that you can avoid wrong values entered by application users during registration. So it doesn't matter what other applications (say SAP standard apps or other vendor apps) asks for device registration parameters, because these varies from one customer to another.
So now what is required is a unique way to identify the correct device, if a single user uses more than one device.. You can choose any other device attribute (either standard or custom; ) say for example device_type and set different values for the different usages. You can then instruct your end user to enter the value as per the device type they have..
Hope this clears all your doubts...
Regards
Ajith -
ISE device registration webauth with wlc 7.0 lwa
Is it possible to use the DRW feature with WLCs running 7.0 code? All configuration examples refer to 7.2 code. Its only for guest user device registration. No profiling / provisioning.
Compatibility matrix says that "Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like."
Thanks.Hi,
The reason you need to run the upgraded code is that the radius NAC feature coupled with a mac-filtering enabled SSID will work together. On the release prior you were unable to get both features to work with one another.
For your reference here is the item in the New Features section of the 7.2 WLC release notes:
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314
thanks,
Tarik Admani
*Please rate helpful posts* -
Wireless Guest Portal with Device registration
Hi,
I have configured the ISE for wireless guest authentication. Once i got the guest portal and enter usernam/password, it redirecting to Self Provisioning portal for Device Registration. (attached)
I have unchecked the option "enable my device portal" under My Device-->Portal configuraiton (attached)
Can someone please advise, why I'm still getting Self provisioning portal, although I might need this later for On-board provisioning, at this time I just want guest user authentication and allow access to internet.
Thanks in advance.I think you should disable in the DefaultGuestPortal (Administration >> Web Portal Management >> Settings >> Guest >> Multi-Portal Configurations >> DefaultGuestPortal >> Operations .... Uncheck the option Enable Self-Provisioning Flow
Daniel Escalante. -
OAAM purge/archive impact on "safe" device registration
Does running the OAAM purge/archive process remove registration of "safe" devices and cause users to have to re-register safe devices? For example if the scripts are configured to purge data older than 30 days would users lose their device registration after 30 days?
Hi,
Thank you for sharing the information. It is useful for others who not understand Lync Server Roles and Components. You time and effort are appreciated.
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support
Maybe you are looking for
-
TNS Listener error in Obiee 11g
Hi folks, I am struggling with one in Obiee11g . whenever login into the presentation services(http://localhost:9704/analytics), im getting ,username and password nt authenticated . i saw error msg in the server.log file. Error msg is : Received exce
-
My ipod touch used to sync on my old Hp laptop but now it's not even recognized as a device but will still charge on my new asus windows laptop. Itunes on my old laptop is missing something and won't work and I've reinstalled itunes on the HP already
-
How to use Landmark in a Class outside the Parsley Context
Hi all, Is there anyway to get the Landmark metadata work without adding the annotated Class in the Parsley Context file? I mean, I have a Class such as: [Landmark(name="content.foo")] public class MyClass extends ManagedClass { [Enter(time="every")]
-
I have an I book G3 about 3.5 years old. I had the logic board replaced two times under warranty and now the IBook will not work on the battery. I took it for repair and they said that it is the logic board and only Apple will replace it for $400 and
-
Policy Agent 2.2 with Tomcat connector (isapi_redirect.dll)?
Dear All, We have installed Policy agent 2.2 for IIS6 to enable SSO with SUN Access Manager 7.1. Policy agent 2.2 was installed in IIS6 as wild card application mapping extension. Our IIS6 also contains Apache tomcat connector (isapi_redirect.dll) as