Cisco ISE 1.2.1.198 Guest Portal VLAN Override on Mobile Devices (Android, iOS) not working
Hi guys,
In my ISE deployment, once the guest has successfully authenticated, they will be assigned the guest VLAN for internet access.
We are using the guest portal to do the VLAN override once the user has authenticated.
Windows 7 Internet Explorer (ActiveX) and Chrome (Java applet) are working fine,
but Android and Apple iOS devices are unable to release the DHCP lease and get a new one.
From ISE and the WLC we can see the VLAN has changed. How do mobile devices initiate a DHCP release for the Guest Portal?
Kindly advise.
Regards
Freemen
I don't have such documentation, nor could I find any on Cisco's site. With that being said, it doesn't mean that it doesn't exist. I just know that ActiveX is a Windows-specific framework and Java is not supported on either iOS or Android:
http://www.java.com/en/download/faq/java_mobile.xml
The good news is that Cisco appears to be steering away from Java so it is possible that in the future this will be supported.
Hope this helps!
Thank you for rating helpful posts!
Similar Messages
-
ISE 1.2.1.198 - Guest Portal Configuration
Is it possible to customize the default portal and add a paragraph anywhere on the login page with instructions? I've tried adding the text in the Pre-Login Banner Text field, and it does wrap to the next line, but text goes off the screen before wrapping. Would like to be able to add carriage return in the text, so text would scroll off the screen.
ISE 1.3 (due out in November time frame) will have a huge amount of customization of the portal available for your use.
If you really need to do it before then, and you have an ISE-certified Authorized Technology Partner you're working with, they have access to a Guest Portal Builder tool that can be used.
Failing those, you're back to changing the native html code for the portal by hand. Not recommended. -
ISE 1.2, cannot access guest portal
I upgraded from 1.1.4 patch 3 to 1.2 but cannot access the guest portal anymore, neither with FQDN:8443 nor with IP:8443.
Any idea?
I had attached the steps to configure the guest portal and hope this will address the problem.
Configuring the Guest Portal
Adding a New Guest Portal
You must configure settings for the Guest portal before allowing guests to use it to access the network. Some settings apply globally to all Guest portals and others require you to set them for each portal individually.
You can add a new Guest portal or edit an existing one.
Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.
Step 2 Click Add.
Step 3 Update the fields on each of these tabs:
• General—enter a portal name and description and choose a portal type.
• Operations—enable the customizations for the specific portal
• Customization—choose a language template for displaying the Guest portal with localized content
• File Uploads—displays only if you have chosen a portal type requiring you to upload custom HTML files.
• File Mapping—identify and choose the HTML files uploaded for the particular guest pages. Displays only if you have chosen a portal type requiring you to upload custom HTML files.
• Authentication—indicate how users should be authenticated during guest login.
Step 4 Click Submit.
Specifying Ports and Ethernet Interfaces for End-User Portals
You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.
You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.
Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
Step 2 Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444.
Step 3 Check the Gigabit Ethernet interfaces you want to enable for each portal.
Step 4 Click Save.
If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
Tips for Assigning Ports and Ethernet Interfaces
Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:
• All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.
• You must assign the Blacklist portal to use a different port than the other end-user portals.
• Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.
• You must configure the Ethernet interfaces using IP addresses on different subnets.
Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals
You can set the Sponsor and My Devices portals to use easy-to-remember fully qualified domain names (FQDNs), such as: mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.
Before You Begin
Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
Step 2 Scroll to the Portal FQDNs section, and check the appropriate setting:
• Default Sponsor Portal FQDN
• Default My Devices Portal FQDN
Step 3 Enter a fully qualified domain name.
Step 4 Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
Step 5 Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node. -
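Added example (not part of the original post and not Cisco code): a check of which portal FQDNs are covered by a certificate's SAN dNSName entries, showing why a wildcard entry resolves the name mismatch for one-level names but not for deeper ones. The SAN lists are constructed sample data; guest.wifi.companyname.com is a hypothetical name, the other names are ones used on this page.

```python
# Added example: SAN coverage check for portal FQDNs (constructed data).
# On a real node the SAN entries would be read from the server certificate,
# for instance from the text dump of the certificate.


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.rstrip(".").lower().split(".")


def san_entry_matches(hostname, san_entry):
    """Return True if one SAN dNSName entry covers hostname.

    Rules applied: comparison is case-insensitive; '*' is honoured only as
    the complete left-most label; it stands for exactly one label; and a
    wildcard needs at least two literal labels after it (no '*.com').
    """
    host, pattern = _labels(hostname), _labels(san_entry)
    if "" in host or len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        rest_is_literal = not any("*" in label for label in pattern[1:])
        return len(pattern) >= 3 and rest_is_literal and host[1:] == pattern[1:]
    if any("*" in label for label in pattern):
        return False  # partial wildcards such as 'w*.example.com' are rejected
    return host == pattern


def audit_portal_names(portal_fqdns, san_entries):
    """Map each portal FQDN to the SAN entry that covers it, or None."""
    result = {}
    for fqdn in portal_fqdns:
        result[fqdn] = next(
            (entry for entry in san_entries if san_entry_matches(fqdn, entry)),
            None,
        )
    return result


# Constructed sample data (see the lead-in for which names are hypothetical).
PORTAL_FQDNS = [
    "sponsor.companyname.com",
    "mydevices.companyname.com",
    "guest.wifi.companyname.com",
]
NODE_CERT_SANS = ["ise01.private.local", "sponsor.companyname.com"]
WILDCARD_CERT_SANS = ["ise01.private.local", "*.companyname.com"]

if __name__ == "__main__":
    for title, sans in (("node certificate", NODE_CERT_SANS),
                        ("wildcard certificate", WILDCARD_CERT_SANS)):
        print(title)
        for fqdn, entry in audit_portal_names(PORTAL_FQDNS, sans).items():
            status = "covered by " + entry if entry else "NAME MISMATCH"
            print(f"  {fqdn:30} {status}")
```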
ISE 1.1 - Error Custom Guest Portal
Hi,
we are facing a strange problem on the ISE Custom Guest Portal.
After pressing the login button it returns an error:
Error:
Resource not found.
Resource:/guestportal/
It seems that the function "/guestportal/LoginCheck.action" is not able to return the successful login page.
It's quite strange because users are authenticating without problem.
Any clue?
Bye and thanks!
Luciano
Hi,
we faced the problem on clients connected over wireless, where the WLC redirects to the custom guest portal.
The setup worked fine for almost 2 months, then it stopped working; then we re-imaged the device (1st time).
Digging in the log with an SE from TAC (621986639) we found these errors:
2012-06-06 13:55:32,152 ERROR 2012-06-06 13:55:32,152 [http-443-10][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
2012-06-06 13:57:43,839 ERROR 2012-06-06 13:57:43,839 [http-443-10][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:8080/guestportal/gateway?sessionId=SessionIdValue&action=cpp
2012-06-06 13:59:39,923 ERROR 2012-06-06 13:59:39,923 [http-443-5][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
And during the test these errors were generated:
2012-06-07 16:05:58,448 ERROR 2012-06-07 16:05:58,448 [http-8080-2][] org.apache.struts2.dispatcher.Dispatcher- Could not find action or result
There is no Action mapped for action name Login. - [unknown location]
at com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:186)
at org.apache.struts2.impl.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:41)
at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:494)
at org.apache.struts2.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:422)
So we performed another re-image (2nd time) with a different media (not sure the problem was the media, it should be some script failure). Today I'm performing some tests ... I'll update this discussion asap.
Bye!
Luciano -
Portal Rich Text Editor in Firefox 3.5 Not Working
I'm using Oracle Portal Version: 10.1.4.0.0 (Build: 594)
The text item Rich Text editor works fine in IE 6 and has reduced functionality in Firefox 3.0 (scroll doesn't work). I've just updated to Firefox 3.5 and the text editor doesn't work at all now.
The user is presented with a grey box where all the text controls are squashed into the top left hand corner.
The following errors appear in the Error Console :
Error: element.children.tags is not a function
Source File: http://xyz.example.net:7778/images/webword/WebWordMenuToolbar.js
Line: 1
Error: attachEvt is not defined
Source File: http://xyz.example.net:7778/images/webword/buildUI1.js
Line: 76
(I've replaced our server url with http://xyz.example.net)
Has anyone else noticed this? Has anyone got any suggestions on what I can do to investigate/fix it?
Thanks,
Matt
Update :
There is a patch available to potentially fix the Rich Text Editor issues in Firefox
"The Rich Text Editor Does Not Work Correctly In FireFox" - Metalink Doc ID: 456512.1
or you can replace the RTE completely with a 3rd party editor :
"How to integrate third party RTE (FCKeditor) with Oracle Portal" - Metalink Doc ID: 352796.1
Using FCKEditor may well solve the issues but I only use Firefox for development. Our users use IE6 so I don't want to replace the interface unless I have to.
Edited by: Matt Hawkins on Jul 15, 2009 1:58 PM
This is a known issue in both Portal 10.1.4.x and Portal 11.x:
Bug 8708210 (11) NOT ABLE TO RENDER RICH TEXT EDITOR WITH FIREFOX 3.5 BROWSER
This bug is not published on Metalink.
There is no solution yet. Consider using IE Tab (https://addons.mozilla.org/en-US/firefox/addon/1419) for editing file items until this bug is solved. -
ISE Domain Name, Certificates and Guest Portal
Hi everyone,
We have an ISE deployment using our internal domain for its FQDN (For example: ise01.private.local). We now want to use it for authenticating guest access and have noticed the redirection URL by default uses the FQDN of the ISE server.
This works fine for our corporate machines as we have our own internal CA and generated certificates. As we do not want certificate errors occurring for our guests, we need to use a public FQDN.
Are we best off changing the domain-name used by the ISE servers or is there a way to edit the redirection URL to use a custom domain?
I have heard suggestions that changing the domain-name is unsupported, but I can't find any other way.
Thanks,
Mark
Mark,
Do you already have a public FQDN pointing to your ISE? If so, let's assume that you are authenticating guests using CWA. First create a new Authorization Profile, under Common Tasks, select Web Redirection (CWA, DRW, MDM, NSP, CPP), choose the Authentication Method (in this case, CWA) and define the ACL to be used. Just below that, select Static IP/Host Name and enter the public FQDN that points to your ISE.
From here you can create an Authorization Policy to reference the profile you just created.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
Mobile Printer ( Zebra RW420 ) Not Working with Cisco AP
Good Morning everyone,
In a cold area (-3) inside a warehouse, I am trying to connect a mobile printer (Zebra RW420) to Cisco access points of models AIR-LAP1242AG-A-K9 and AIR-LAP1252AG-E-K9, which are working through a WLAN controller version 6.0.202.0. The mobile printer connects to the Cisco AP but is shown without an IP address, where the IP is configured static, since it's connecting and working fine with a Motorola AP.
After upgrading the firmware of the mobile printer, I faced the same issue in the dry area.
Any ideas please?
Hi Leo,
Kindly find the below results:
(WiSM-slot4-2) >show interface detailed label
Interface Name................................... label
MAC Address...................................... c4:7d:4f:bd:d4:4b
IP Address....................................... 10.161.20.123
IP Netmask....................................... 255.255.255.128
IP Gateway....................................... 10.161.20.126
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 502
Quarantine-vlan.................................. 0
Active Physical Port............................. LAG (29)
Primary Physical Port............................ LAG (29)
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
(WiSM-slot4-2) >debug client 00:15:70:21:8a:34
(WiSM-slot4-2) >*Dec 24 10:14:44.575: 00:15:70:21:8a:34 Association received fro
m mobile on AP 00:1a:e3:01:84:e0
*Dec 24 10:14:44.575: 00:15:70:21:8a:34 Applying site-specific IPv6 override for
station 00:15:70:21:8a:34 - vapId 6, site 'DC993', interface 'label'
*Dec 24 10:14:44.575: 00:15:70:21:8a:34 Applying IPv6 Interface Policy for stati
on 00:15:70:21:8a:34 - vlan 502, interface id 12, interface 'label'
*Dec 24 10:14:44.575: 00:15:70:21:8a:34 Applying site-specific override for stat
ion 00:15:70:21:8a:34 - vapId 6, site 'DC993', interface 'label'
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Changing ACL 'none
' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1276)
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 STA - rates (4): 2 4 11 22 0 0 0 0 0 0 0
0 0 0 0 0
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Deleted mobile LWA
PP rule on AP [68:ef:bd:2e:7a:10]
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 Updated location for station old AP 68:e
f:bd:2e:7a:10-0, new AP 00:1a:e3:01:84:e0-0
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Change state to ST
ART (0) last state DHCP_REQD (7)
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 START (0) Initializing policy
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 START (0) Change state to AUTHCH
ECK (2) last state DHCP_REQD (7)
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 AUTHCHECK (2) Change state to L2
AUTHCOMPLETE (4) last state DHCP_REQD (7)
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobil
e LWAPP rule on AP 00:1a:e3:01:84:e0 vapId 6 apVapId 1
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 L2AUTHCOMPLETE (4) Change state
to DHCP_REQD (7) last state DHCP_REQD (7)
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) pemApfAddMobileSta
tion2 2514, Adding TMP rule
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Adding Fast Path r
ule
type = Airespace AP - Learn IP address
on AP 00:1a:e3:01:84:e0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumbo F
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Successfully plumb
ed mobile rule (ACL ID 255)
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) pemApfAddMobileSta
tion2 2630, Adding TMP rule
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Replacing Fast Pat
h rule
type = Airespace AP - Learn IP address
on AP 00:1a:e3:01:84:e0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumb
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Successfully plumb
ed mobile rule (ACL ID 255)
*Dec 24 10:14:44.577: 00:15:70:21:8a:34 apfPemAddUser2 (apf_policy.c:213) Changi
ng state for mobile 00:15:70:21:8a:34 on AP 00:1a:e3:01:84:e0 from Associated to
Associated
*Dec 24 10:14:44.577: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station:
(callerId: 49) in 1800 seconds
*Dec 24 10:14:44.577: 00:15:70:21:8a:34 Sending Assoc Response to station on BSS
ID 00:1a:e3:01:84:e0 (status 0) Vap Id 1 Slot 0
*Dec 24 10:14:44.577: 00:15:70:21:8a:34 apfProcessAssocReq (apf_80211.c:4391) Ch
anging state for mobile 00:15:70:21:8a:34 on AP 00:1a:e3:01:84:e0 from Associate
d to Associated
*Dec 24 10:14:44.582: 00:15:70:21:8a:34 0.0.0.0 Removed NPU entry.
*Dec 24 10:14:44.586: 00:15:70:21:8a:34 0.0.0.0 Added NPU entry of type 9, dtlFl
ags 0x0
(WiSM-slot4-2) >*Dec 24 10:14:44.591: 00:15:70:21:8a:34 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Dec 24 10:16:44.550: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
*Dec 24 10:16:44.550: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*Dec 24 10:16:44.550: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
*Dec 24 10:16:54.550: 00:15:70:21:8a:34 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
*Dec 24 10:16:54.551: 00:15:70:21:8a:34 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 00:15:70:21:8a:34 on AP 00:1a:e3:01:84:e0 from Associated to Disasso
ciated
*Dec 24 10:16:54.551: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*Dec 24 10:17:04.550: 00:15:70:21:8a:34 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
*Dec 24 10:17:04.551: 00:15:70:21:8a:34 Sent Deauthenticate to mobile on BSSID 00:1a:e3:01:84:e0 slot 0(caller apf_ms.c:4511)
*Dec 24 10:17:04.552: 00:15:70:21:8a:34 apfMsExpireMobileStation (apf_ms.c:4548) Changing state for mobile 00:15:70:21:8a:34 on AP 00:1a:e3:01:84:e0 from Disassociated to Idle
*Dec 24 10:17:04.552: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:1a:e3:01:84:e0]
*Dec 24 10:17:04.552: 00:15:70:21:8a:34 Deleting mobile on AP 00:1a:e3:01:84:e0(0)
*Dec 24 10:17:04.555: 00:15:70:21:8a:34 0.0.0.0 Removed NPU entry.
*Dec 24 10:17:04.568: 00:15:70:21:8a:34 Adding mobile on LWAPP AP 00:1a:e3:01:84:e0(0)
*Dec 24 10:17:04.568: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station: (callerId: 23) in 5 seconds
*Dec 24 10:17:04.568: 00:15:70:21:8a:34 apfProcessProbeReq (apf_80211.c:4761) Changing state for mobile 00:15:70:21:8a:34 on AP 00:1a:e3:01:84:e0 from Idle to Probe
*Dec 24 10:17:04.788: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 Association received from mobile on AP 68:ef:bd:2e:7a:10
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 Applying site-specific IPv6 override for station 00:15:70:21:8a:34 - vapId 6, site 'DC993', interface 'label'
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 Applying IPv6 Interface Policy for station 00:15:70:21:8a:34 - vlan 502, interface id 12, interface 'label'
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 Applying site-specific override for station 00:15:70:21:8a:34 - vapId 6, site 'DC993', interface 'label'
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1276)
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 STA - rates (4): 2 4 11 22 0 0 0 0 0 0 0 0 0 0 0 0
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:1a:e3:01:84:e0]
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 Updated location for station old AP 00:1a:e3:01:84:e0-0, new AP 68:ef:bd:2e:7a:10-0
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 START (0) Initializing policy
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 68:ef:bd:2e:7a:10 vapId 6 apVapId 1
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 00:15:70:21:8a:34 on AP 68:ef:bd:2e:7a:10 from Probe to Associated
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 Sending Assoc Response to station on BSSID 68:ef:bd:2e:7a:10 (status 0) Vap Id 1 Slot 0
*Dec 24 10:17:04.813: 00:15:70:21:8a:34 apfProcessAssocReq (apf_80211.c:4391) Changing state for mobile 00:15:70:21:8a:34 on AP 68:ef:bd:2e:7a:10 from Associated to Associated
*Dec 24 10:17:06.751: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCI
ATED
*Dec 24 10:17:06.751: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4181, Adding TMP rule
*Dec 24 10:17:06.751: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 68:ef:bd:2e:7a:10, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumbo F
*Dec 24 10:17:06.751: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Dec 24 10:17:06.756: 00:15:70:21:8a:34 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Dec 24 10:17:06.756: 00:15:70:21:8a:34 Sent an XID frame -
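Added example, not from the original post: a small parser for debug client output in the format shown above that reports clients which hit a DHCP Policy timeout while in DHCP_REQD, with the time elapsed since association. The first five sample lines are taken (unwrapped) from the output above; the two lines for client 00:11:22:33:44:55 are constructed for contrast, and the year 2000 is an assumption because the log carries no year.

```python
import re
from datetime import datetime

# Optional CLI prompt, then '*Mon DD HH:MM:SS.mmm:', the client MAC, the message.
LINE_RE = re.compile(
    r"^(?:\([^)]*\)\s*>)?\*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
# Policy-manager lines carry the client's current IP and state,
# for example '0.0.0.0 DHCP_REQD (7) DHCP Policy timeout'.
PEM_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<state>[A-Z0-9_]+) \((?P<code>\d+)\) (?P<event>.*)$"
)
ASSOC_RE = re.compile(
    r"^Association received from mobile on AP (?P<ap>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


def find_dhcp_timeouts(lines):
    """Return one finding per 'DHCP Policy timeout' seen in state DHCP_REQD."""
    clients = {}   # mac -> last association time, AP and IP seen
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped fragments, blank lines, other CLI output
        # Assumed year: the debug output has none; 2000 keeps Feb 29 parseable.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        mac, msg = m["mac"], m["msg"]

        assoc = ASSOC_RE.match(msg)
        if assoc:
            clients[mac] = {"assoc": ts, "ap": assoc["ap"], "ip": "0.0.0.0"}
            continue

        pem = PEM_RE.match(msg)
        if not pem:
            continue
        client = clients.setdefault(mac, {"assoc": None, "ap": None, "ip": "0.0.0.0"})
        client["ip"] = pem["ip"]
        if pem["state"] == "DHCP_REQD" and pem["event"].startswith("DHCP Policy timeout"):
            waited = (ts - client["assoc"]).total_seconds() if client["assoc"] else None
            findings.append({
                "mac": mac,
                "ap": client["ap"],
                "ip_at_timeout": client["ip"],
                "seconds_since_association": waited,
            })
    return findings


SAMPLE_LOG = """\
(WiSM-slot4-2) >*Dec 24 10:14:44.575: 00:15:70:21:8a:34 Association received from mobile on AP 00:1a:e3:01:84:e0
*Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dec 24 10:14:45.100: 00:11:22:33:44:55 Association received from mobile on AP 00:1a:e3:01:84:e0
*Dec 24 10:14:47.300: 00:11:22:33:44:55 10.161.20.50 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*Dec 24 10:16:44.550: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
*Dec 24 10:16:44.550: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*Dec 24 10:17:04.551: 00:15:70:21:8a:34 Sent Deauthenticate to mobile on BSSID 00:1a:e3:01:84:e0 slot 0(caller apf_ms.c:4511)
""".splitlines()

if __name__ == "__main__":
    for f in find_dhcp_timeouts(SAMPLE_LOG):
        print(f"{f['mac']} on AP {f['ap']}: no address learned "
              f"({f['ip_at_timeout']}) {f['seconds_since_association']:.3f} s after association")
```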
Dear All,
We have two CUCM clusters in different locations. Between those clusters I created an Inter-Cluster Trunk (Non-Gatekeeper Controlled). Now all is working fine between the clusters for audio calls and video calls between SCCP 8945 phones, but I am facing a problem with third-party video phones (Polycom VVX 1500), third-party SIP phones located in the second cluster. From a 1st cluster Cisco 8945 video phone to a 2nd cluster Polycom video phone, all calls work for voice only, but no video.
Please suggest a solution.
Thank you,
Sriman
Try setting up a SIP trunk between the two clusters and set a route pattern just to the VVX 1500 and check how that goes.
From memory inter-cluster trunks are an H.323-like protocol which might have video inter-op issues with the Polycom device. -
Cisco ISE Guest Sponsor Portal Issue
Dear all,
We have installed 5 ISE 3315 boxes, IOS 1.0.4, in our network, where two of them are admin nodes, two are policy services nodes and one is the MnT node. We are using the guest sponsor portal for wireless guest users, where we have integrated a WLC 5508 with ISE and are using web login for guest users.
We have created an open SSID in the WLC and are using the external redirect URL of ISE for the guest login page.
But when we create any guest user in the sponsor login, we face the following issues:
1) When the guest user gets connected to wireless and logs in to the guest portal with credentials, after entering the credentials it again redirects to the same login page without a successful login prompt.
Can we prompt successful login after guest login to the guest portal, or redirect to any other link like google.com, so the guest user will get to know he is able to access the internet now?
2) We have created a time profile of 8 hours from first login for the guest user. The guest user gets connected when putting credentials in to the guest portal.
But we face an issue: approximately every 20 mins the guest gets disconnected from the internet and again gets the login page of the guest portal. If we put in the same credentials then it works, but after an approx. 20 min interval the user gets disconnected from the internet.
Can anyone help me to resolve the above issues regarding the Cisco ISE guest sponsor portal?
Thanks & Regards
Pranav Gade
Pranav, your answers are inline,
1) When the guest user gets connected to wireless and logs in to the guest portal with credentials, after entering the credentials it again redirects to the same login page without a successful login prompt.
When you are using CWA (central web authentication) there is no way we can redirect users using the redirect-url because this will always redirect users for every time they initiate a web request. There is no other coa feature that will remove this condition since they have already been authenticated. Here is a guide that explains the user experience when using central web auth -
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954
Can we prompt successful login after guest login to the guest portal, or redirect to any other link like google.com, so the guest user will get to know he is able to access the internet now?
No, this is not possible; you can change the verbiage and force the AUP to be displayed informing users that they can retry their web request after hitting the accept button.
Here is the documented experience once users go through the guest process -
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
2) We have created a time profile of 8 hours from first login for the guest user. The guest user gets connected when putting credentials in to the guest portal.
But we face an issue: approximately every 20 mins the guest gets disconnected from the internet and again gets the login page of the guest portal. If we put in the same credentials then it works, but after an approx. 20 min interval the user gets disconnected from the internet.
Check the advanced timer on your SSID as you may be hitting the session timeout on the WLC. Please disable this option and let the COA feature in ISE expire user sessions on the controller.
Thanks,
Tarik Admani
*Please rate helpful posts* -
ISE Guest Portal Time Profiles
G'day All,
Could someone advise if it is possible to extend or change the time profile of a guest account that has already been created? I am trying to understand using time profiles from within the Sponsor Portal. Imagine a guest user has an account created that gives them 2 weeks access, towards the end of the 2 weeks the user requires another week of access.
From what I can see in both the ISE time profiles config page and from within the sponsor portal, either the user would have to wait until the existing account expired and have a new account created or a new account would have to be created to grant the additional access, and the existing account could be deleted, I am just seeking clarification of whether time extensions for Guest Accounts is possible prior to the account expiring.
Currently using ISE 1.1.3
Thanks in advance, guys.
James.
Please follow the steps below to edit the time profile:
Adding, Editing, or Duplicating Time Profiles
To add or edit a time profile, complete the following steps:
Step 1 From the Cisco ISE Administration interface, select Administration > Guest Management > Settings > Guest > Time Profiles.
Step 2 Click one of the following:
• Add—to create a new time profile
• Edit—to edit an existing time profile
• Duplicate—to duplicate an existing time profile
Step 3 Enter the name and description of the new time profile.
Step 4 Select a Time Zone for Restrictions. Time Restrictions are a set of time periods during which a guest account associated with that time profile would not be granted access to the network or guest portal.
Step 5 From the Account Type drop-down menu, choose one of the predefined options:
• StartEnd—allows sponsors to define start and end times for account durations
• FromFirstLogin—allows sponsors to define the duration of time that guests can have access after login
• FromCreation—allows sponsors to define the duration of time that guest can have access after account creation
Step 6 Set the Duration for which the account will be active. The account expires after the duration set here has expired. This option is available only if you select the Account Type as FromFirstLogin or FromCreation.
Step 7 Set the Restrictions for the guest access.
These restrictions are composed of a day of the week and a start and end clock time. The Time Zone value specified in the time profile affects the clock times set in any of the Time Restrictions within the time profile. For example, a Time Restriction that specifies Monday 12:00 am to 8:00 am and Monday 6:00 pm to 11:59 pm would only grant system access between 8:00 am and 6:00 pm on Mondays within the time zone of the time profile. Any other day of the week would have no time restriction in this example and system access would be granted at any time.
Step 8 Click Submit. -
ISE upgrade 1.2: Self-provisioning portal not working
Hi all,
I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf
Screenshot of page is attached:
I've checked the ise-console.log application log file and found two errors corresponding to the first page:
[portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
[portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)
and the second (not working) one:
[portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException
[portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)
Looks like something is wrong with a certification file, but I cannot find what is. I've exported and re-installed current server certificates (as instructed by upgrade guide for 1.2) and nothing changed.
Can somebody please help?
Thanks,
L
Errors When Adding Devices to My Devices Portal
Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
For more information on self-provisioning.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html -
Hello. Can I change default web guest portal: change background picture, logo, and add some things.
Thanks.
You can customize a portal theme, changing text, banners, background color, and images.
This section shows you how to create a custom portal theme, by setting and applying customized options.
You can follow the same steps to modify an existing customized portal theme.
Note: Supported image formats include jpg, jpeg, gif, and png.
To customize a portal theme, complete the following steps:
Step 1: From the Cisco ISE Administrator interface choose: Administration > Guest Management > Settings.
Step 2: In the Settings panel on the left, select General > Portal Theme. (The Portal Theme page appears on the right.)
Step 3: Customize the portal theme in the following ways:
Change the Login Page Logo.
This setting allows you to change the logo on the portal Login page. You can choose the default Cisco logo or upload a custom image.
To upload a custom login page logo, complete the following steps:
Step 1: Select Upload New File from the drop-down menu.
Step 2: Click Browse, navigate to and select the desired image file.
Step 3: Click Open.
Recommended guidelines for a login page logo image are as follows:
• Height: 16-480 pixels
• Width: 16-480 pixels
Change the Login Page Background Image.
This setting allows you to change the background image on the portal login page. You can choose the default Cisco background or upload a custom background image.
To upload a custom background image, complete the following steps:
Step 1: Select Upload New File from the drop-down menu.
Step 2: Click Browse, navigate to and select the desired image file.
Step 3: Click Open.
Customize the Banner Logo
This setting allows you to change the portal banner logo. You can choose the default Cisco banner or upload a custom banner logo.
To upload a custom banner logo, complete the following steps:
Step 1: Select Upload New File from the drop-down menu.
Step 2: Click Browse, navigate to and select the desired image file.
Step 3: Click Open.
Customize the Banner Background Image
This setting allows you to change the portal banner background image. You can choose the default Cisco background or upload a custom background image.
To upload a custom banner background, complete the following steps:
Step 1: Select Upload New File from the drop-down menu.
Step 2: Click Browse, navigate to and select the desired image file.
Step 3: Click Open.
Change the Login Background Color
This setting allows you to change the background color of the portal login page.
To change the login page background color, complete the following steps:
Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format, such as the following: FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
Step 2: Click Show Color to display the specified color.
Customize the Banner Background Color
This setting allows you to change the banner background color of the portal. To set the login background color, complete the following steps:
Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format, such as the following: FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
Step 2: Click Show Color to display the representative color.
Customize the Content Background Color
This setting allows you to change the content background color for the portal pages.
To change the content background color for the portal, complete the following steps:
Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format such as FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
Step 2: Click Show Color to display the representative color. -
Cisco ISE - Not use FQDN in url-redirect parameter
Hi,
I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
Thank you very much.
Joana.
Available in 1.2, and available as a "bit of a bodge" in 1.1.x (read "a lot of a bodge")
If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead. -
Cisco ISE authentication failed because client reject certificate
Hi Experts,
I am a newbie in ISE and having problem in my first step in authentication. Please help.
I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. User authentication is configured to be checked against ISE's internal user database for early deployment. But when users try to authenticate, they fail with this error message in ISE:
Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
I've generated a certificate for ISE using Windows Server CA and replaced ISE's self-signed certificate with the new certificate, but authentication still fails with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
Regards,
Ratna
Certificate-Based User Authentication via Supplicant Failing
Symptoms or Issue: User authentication is failing on the client machine, and the user is receiving a “RADIUS Access-Reject” form of message.
Conditions: (This issue occurs with authentication protocols that require certificate validation.)
Possible Authentications report failure reasons:
• “Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client”
• “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate”
Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:
• 12305 Prepared EAP-Request with another PEAP challenge
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is reusing an existing session
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is re-using an existing session
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12815 Extracted TLS Alert message
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.
Possible Causes: The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
Resolution: The client machine must accept the Cisco ISE certificate to enable authentication. -
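A triage sketch for the certificate-rejection thread above, added here as an example and not taken from the Cisco guide or from either poster: it splits an Authentication Report step list into attempts that end in 11003 and flags the ones where the client refused the ISE certificate. The step codes and messages are the ones quoted in the thread; the function names and the sample input layout are assumptions.

```python
import re

# Step codes quoted in the thread that show the supplicant refusing the
# certificate ISE presented during the EAP TLS handshake.
CERT_REJECT = {11514, 12512, 12153, 12321}
ACCESS_REJECT = 11003
STEP_RE = re.compile(r"^\W*(\d{5})\s+(.*\S)")  # tolerates a leading bullet

# Constructed input: steps from the post, then a reject with no cert evidence.
SAMPLE_REPORT = """\
12304 Extracted EAP-Response containing PEAP challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the
client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11003 Returned RADIUS Access-Reject
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
11003 Returned RADIUS Access-Reject
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""

def parse_steps(text):
    """Return (code, message) for every line that starts with a 5-digit step code."""
    return [(int(m[1]), m[2]) for m in map(STEP_RE.match, text.splitlines()) if m]

def split_attempts(steps):
    """Group steps into attempts, closing each one at a RADIUS Access-Reject."""
    attempts, current = [], []
    for step in steps:
        current.append(step)
        if step[0] == ACCESS_REJECT:
            attempts.append(current)
            current = []
    return attempts + ([current] if current else [])

def classify(attempt):
    """Name the EAP method in use and say whether the client rejected the cert."""
    text = " ".join(msg for _, msg in attempt)
    method = next((m for m in ("EAP-FAST", "PEAP") if m in text), "unknown")
    evidence = sorted({c for c, _ in attempt if c in CERT_REJECT})
    return {"method": method, "evidence": evidence,
            "client_rejected_cert": attempt[-1][0] == ACCESS_REJECT and bool(evidence)}

def triage(text):
    return [classify(a) for a in split_attempts(parse_steps(text))]

if __name__ == "__main__":
    print(*triage(SAMPLE_REPORT), sep="\n")
```

An attempt flagged `client_rejected_cert` points at the supplicant's server-certificate validation settings and trust store rather than at credentials or the identity store.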
SP 19 upgrade issue : Log off Button not working in Portal Masthead
Hi All,
We have recently performed an upgrade from EP 7.0 SP12 to EP 7.0 SP19 stack level.
After the upgrade we are facing these 2 issues:
1) Log off button is not working in Portal Masthead
2) SSO to BW reports also not working.
Any immediate pointers and help would be highly appreciated.
Regards,
Shailesh
Hi Tobias,
Thanks for the reply.
I have tried rebuilding and redeploying the par file after removing the function "'releaseProducerSessions()' " which is not available in SP 19, but still the issue persists.
Any other process to be followed?
2) SSO is working for other stuff, and the issue is specifically for Bex iViews/Reports
Regards,
Shailesh