Cisco ISE 1.2.1.198 Guest Portal VLAN Override on Mobile Devices (Android, iOS) not working

Hi guys,
In my ISE deployment, once a guest has successfully authenticated, they are assigned the guest VLAN for internet access.
We are using the guest portal to do the VLAN override once the user has authenticated.
Windows 7 Internet Explorer (ActiveX) and Chrome (Java applet) are working fine,
but Android and Apple iOS devices are unable to release the DHCP lease and get a new one.
From ISE and the WLC we can see that the VLAN has changed. How do mobile devices initiate a DHCP release for the guest portal?
Kindly advise.
Regards
Freemen

I don't have such documentation, nor could I find any on Cisco's site. With that being said, it doesn't mean that it doesn't exist. I just know that ActiveX is a Windows-specific framework and Java is not supported on either iOS or Android:
http://www.java.com/en/download/faq/java_mobile.xml
The good news is that Cisco appears to be steering away from Java so it is possible that in the future this will be supported. 
Hope this helps!
Thank you for rating helpful posts!

Similar Messages

  • ISE 1.2.1.198 - Guest Portal Configuration

    Is it possible to customize the default portal and add a paragraph anywhere on the login page with instructions? I've tried adding the text in the Pre-Login Banner Text field, and it does wrap to the next line, but text goes off the screen before wrapping. Would like to be able to add carriage return in the text, so text would scroll off the screen.

    ISE 1.3 (due out in November time frame) will have a huge amount of customization of the portal available for your use.
    If you really need to do it before then, and you have an ISE-certified Authorized Technology Partner you're working with, they have access to a Guest Portal Builder tool that can be used.
    Failing those, you're back to changing the native html code for the portal by hand. Not recommended.

  • Ise 1.2, cannot access guest portal

    I upgraded from 1.1.4 patch 3 to 1.2 but cannot access the guest portal anymore, neither with FQDN:8443 nor with IP:8443.
    Any idea?

    I have attached the steps to configure the guest portal and hope this will address the problem.
    Configuring the Guest Portal
    Adding a New Guest Portal You must configure settings for the Guest portal before allowing guests to use it to access the network. Some settings apply globally to all Guest portals and other require you to set them for each portal individually.
    You can add a new Guest portal or edit an existing one.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.
    Step 2 Click Add.
    Step 3 Update the fields on each of these tabs:
    • General—enter a portal name and description and choose a portal type.
    • Operations—enable the customizations for the specific portal
    • Customization—choose a language template for displaying the Guest portal with localized content
    • File Uploads—displays only if you have chosen a portal type requiring you to upload custom HTML files.
    • File Mapping—identify and choose the HTML files uploaded for the particular guest pages. Displays only if you have chosen a portal type requiring you to upload custom HTML files.
    • Authentication—indicate how users should be authenticated during guest login.
    Step 4 Click Submit.
    Specifying Ports and Ethernet Interfaces for End-User Portals
    You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.
    You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.
    Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
    Step 2 Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444.
    Step 3 Check the Gigabit Ethernet interfaces you want to enable for each portal.
    Step 4 Click Save.
    If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
    Tips for Assigning Ports and Ethernet Interfaces
    • All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.
    • You must assign the Blacklist portal to use a different port than the other end-user portals.
    • Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.
    • You must configure the Ethernet interfaces using IP addresses on different subnets. Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:
    Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals
    You can set the Sponsor and My Devices portals to use easy-to-remember fully qualified domain names (FQDNs), such as: mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.
    Before You Begin
    Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
    Step 2 Scroll to the Portal FQDNs section, and check the appropriate setting:
    • Default Sponsor Portal FQDN
    • Default My Devices Portal FQDN
    Step 3 Enter a fully qualified domain name.
    Step 4 Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
    Step 5 Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node.

  • ISE 1.1 - Error Custom Guest Portal

    Ciao,
    we are facing a strange problem on ISE Custom Guest Portal.
    After pressing the login button it returns an error:
    Error:
    Resource not found.
    Resource:/guestportal/
    It seems that the function "/guestportal/LoginCheck.action" is not able to return the successful login page.
    It's quite strange because users are authenticating without problem.
    Any clue?
    Ciao e grazie!
    Luciano

    Ciao,
    We faced the problem on clients connected via wireless, where the WLC redirects to the custom guest portal.
    The setup worked fine for almost 2 months, then it stopped working; then we re-imaged the device (1st time).
    Digging in the log with SE of TAC (621986639) we found these errors:
    2012-06-06 13:55:32,152 ERROR 2012-06-06 13:55:32,152  [http-443-10][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    2012-06-06 13:57:43,839 ERROR 2012-06-06 13:57:43,839  [http-443-10][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:8080/guestportal/gateway?sessionId=SessionIdValue&action=cpp
    2012-06-06 13:59:39,923 ERROR 2012-06-06 13:59:39,923  [http-443-5][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    And during the test these errors were generated:
    2012-06-07 16:05:58,448 ERROR 2012-06-07 16:05:58,448  [http-8080-2][] org.apache.struts2.dispatcher.Dispatcher- Could not find action or result
    There is no Action mapped for action name Login. - [unknown location]
             at com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:186)
             at org.apache.struts2.impl.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:41)
             at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:494)
             at org.apache.struts2.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:422)
    So we performed another re-image (2nd time) with a different media (not sure the problem was the media, it should be some script fail). Today I'm performing some tests ... I'll update this discussion asap.
    Ciao!
    Luciano

  • Portal Rich Text Editor in Firefox 3.5 Not Working

    I'm using Oracle Portal Version: 10.1.4.0.0 (Build: 594)
    The text item Rich Text editor works fine in IE 6 and has reduced functionality in Firefox 3.0 (scroll doesn't work). I've just updated to Firefox 3.5 and the text editor doesn't work at all now.
    The user is presented with a grey box where all the text controls are squashed into the top left hand corner.
    The following errors appear in the Error Console :
    Error: element.children.tags is not a function
    Source File: http://xyz.example.net:7778/images/webword/WebWordMenuToolbar.js
    Line: 1
    Error: attachEvt is not defined
    Source File: http://xyz.example.net:7778/images/webword/buildUI1.js
    Line: 76
    (I've replaced our server url with http://xyz.example.net)
    Has anyone else noticed this? Has anyone got any suggestions on what I can do to investigate/fix it?
    Thanks,
    Matt
    Update :
    There is a patch available to potentially fix the Rich Text Editor issues in Firefox
    "The Rich Text Editor Does Not Work Correctly In FireFox" - Metalink Doc ID: 456512.1
    or you can replace the RTE completely with a 3rd party editor :
    "How to integrate third party RTE (FCKeditor) with Oracle Portal" - Metalink Doc ID: 352796.1
    Using FCKEditor may well solve the issues but I only use Firefox for development. Our users use IE6 so I don't want to replace the interface unless I have to.
    Edited by: Matt Hawkins on Jul 15, 2009 1:58 PM

    This is a known issue in both Portal 10.1.4.x and Portal 11.x :
    Bug 8708210 (11) NOT ABLE TO RENDER RICH TEXT EDITOR WITH FIREFOX 3.5 BROWSER
    This bug is not published on Metalink.
    There is no solution yet. Consider using IE Tab (https://addons.mozilla.org/en-US/firefox/addon/1419) for editing file items until this bug is solved.

  • ISE Domain Name, Certificates and Guest Portal

    Hi everyone,
    We have an ISE deployment using our internal domain for its FQDN (For example: ise01.private.local). We now want to use it for authenticating guest access and have noticed the redirection URL by default uses the FQDN of the ISE server.
    This works fine for our corporate machines as we have our own internal CA and generated certificates. As we do not want certificate errors occurring for our guests, we need to use a public FQDN.
    Are we best off changing the domain-name used by the ISE servers or is there a way to edit the redirection URL to use a custom domain?
    I have heard suggestions that changing the domain-name is unsupported, but I can't find any other way.
    Thanks,
    Mark

    Mark,
    Do you already have a public FQDN pointing to your ISE? If so, let's assume that you are authenticating guests using CWA. First create a new Authorization Profile, under Common Tasks, select Web Redirection (CWA, DRW, MDM, NSP, CPP), choose the Authentication Method (in this case, CWA) and define the ACL to be used. Just below that, select Static IP/Host Name and enter the public FQDN that points to your ISE.
    From here you can create an Authorization Policy to reference the profile you just created.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Mobile Printer ( Zebra RW420 ) Not Working with Cisco AP

    Good Morning everyone,
    In a cold area (-3) inside a warehouse, I am trying to connect a mobile printer (Zebra RW420) to Cisco access points of model AIR-LAP1242AG-A-K9 and AIR-LAP1252AG-E-K9, which are working through a WLAN controller version 6.0.202.0. The mobile printer is connecting to the Cisco AP but is shown without an IP address, where the IP is configured static, since it's connecting and working fine with a Motorola AP.
    After upgrading the firmware of the mobile printer, I faced the same issue in the dry area.
    Any ideas please ?

    Hi Leo,
    Kindly find the results below:
    (WiSM-slot4-2) >show interface detailed label
    Interface Name................................... label
    MAC Address...................................... c4:7d:4f:bd:d4:4b
    IP Address....................................... 10.161.20.123
    IP Netmask....................................... 255.255.255.128
    IP Gateway....................................... 10.161.20.126
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 502
    Quarantine-vlan.................................. 0
    Active Physical Port............................. LAG (29)
    Primary Physical Port............................ LAG (29)
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    (WiSM-slot4-2) >debug client 00:15:70:21:8a:34
    (WiSM-slot4-2) >*Dec 24 10:14:44.575: 00:15:70:21:8a:34 Association received from mobile on AP 00:1a:e3:01:84:e0
    *Dec 24 10:14:44.575: 00:15:70:21:8a:34 Applying site-specific IPv6 override for station 00:15:70:21:8a:34 - vapId 6, site 'DC993', interface 'label'
    *Dec 24 10:14:44.575: 00:15:70:21:8a:34 Applying IPv6 Interface Policy for station 00:15:70:21:8a:34 - vlan 502, interface id 12, interface 'label'
    *Dec 24 10:14:44.575: 00:15:70:21:8a:34 Applying site-specific override for station 00:15:70:21:8a:34 - vapId 6, site 'DC993', interface 'label'
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1276)
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 STA - rates (4): 2 4 11 22 0 0 0 0 0 0 0 0 0 0 0 0
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [68:ef:bd:2e:7a:10]
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 Updated location for station old AP 68:ef:bd:2e:7a:10-0, new AP 00:1a:e3:01:84:e0-0
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 START (0) Initializing policy
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state DHCP_REQD (7)
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state DHCP_REQD (7)
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:1a:e3:01:84:e0 vapId 6 apVapId 1
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) pemApfAddMobileStation2 2514, Adding TMP rule
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:1a:e3:01:84:e0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo F
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) pemApfAddMobileStation2 2630, Adding TMP rule
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:1a:e3:01:84:e0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumb
    *Dec 24 10:14:44.576: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Dec 24 10:14:44.577: 00:15:70:21:8a:34 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 00:15:70:21:8a:34 on AP 00:1a:e3:01:84:e0 from Associated to Associated
    *Dec 24 10:14:44.577: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *Dec 24 10:14:44.577: 00:15:70:21:8a:34 Sending Assoc Response to station on BSSID 00:1a:e3:01:84:e0 (status 0) Vap Id 1 Slot 0
    *Dec 24 10:14:44.577: 00:15:70:21:8a:34 apfProcessAssocReq (apf_80211.c:4391) Changing state for mobile 00:15:70:21:8a:34 on AP 00:1a:e3:01:84:e0 from Associated to Associated
    *Dec 24 10:14:44.582: 00:15:70:21:8a:34 0.0.0.0 Removed NPU entry.
    *Dec 24 10:14:44.586: 00:15:70:21:8a:34 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    (WiSM-slot4-2) >*Dec 24 10:14:44.591: 00:15:70:21:8a:34 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Dec 24 10:16:44.550: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
    *Dec 24 10:16:44.550: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    *Dec 24 10:16:44.550: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
    *Dec 24 10:16:54.550: 00:15:70:21:8a:34 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
    *Dec 24 10:16:54.551: 00:15:70:21:8a:34 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 00:15:70:21:8a:34 on AP 00:1a:e3:01:84:e0 from Associated to Disassociated
    *Dec 24 10:16:54.551: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
    *Dec 24 10:17:04.550: 00:15:70:21:8a:34 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
    *Dec 24 10:17:04.551: 00:15:70:21:8a:34 Sent Deauthenticate to mobile on BSSID 00:1a:e3:01:84:e0 slot 0(caller apf_ms.c:4511)
    *Dec 24 10:17:04.552: 00:15:70:21:8a:34 apfMsExpireMobileStation (apf_ms.c:4548) Changing state for mobile 00:15:70:21:8a:34 on AP 00:1a:e3:01:84:e0 from Disassociated to Idle
    *Dec 24 10:17:04.552: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:1a:e3:01:84:e0]
    *Dec 24 10:17:04.552: 00:15:70:21:8a:34 Deleting mobile on AP 00:1a:e3:01:84:e0(0)
    *Dec 24 10:17:04.555: 00:15:70:21:8a:34 0.0.0.0 Removed NPU entry.
    *Dec 24 10:17:04.568: 00:15:70:21:8a:34 Adding mobile on LWAPP AP 00:1a:e3:01:84:e0(0)
    *Dec 24 10:17:04.568: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    *Dec 24 10:17:04.568: 00:15:70:21:8a:34 apfProcessProbeReq (apf_80211.c:4761) Changing state for mobile 00:15:70:21:8a:34 on AP 00:1a:e3:01:84:e0 from Idle to Probe
    *Dec 24 10:17:04.788: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 Association received from mobile on AP 68:ef:bd:2e:7a:10
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 Applying site-specific IPv6 override for station 00:15:70:21:8a:34 - vapId 6, site 'DC993', interface 'label'
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 Applying IPv6 Interface Policy for station 00:15:70:21:8a:34 - vlan 502, interface id 12, interface 'label'
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 Applying site-specific override for station 00:15:70:21:8a:34 - vapId 6, site 'DC993', interface 'label'
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1276)
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 STA - rates (4): 2 4 11 22 0 0 0 0 0 0 0 0 0 0 0 0
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:1a:e3:01:84:e0]
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 Updated location for station old AP 00:1a:e3:01:84:e0-0, new AP 68:ef:bd:2e:7a:10-0
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 START (0) Initializing policy
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 68:ef:bd:2e:7a:10 vapId 6 apVapId 1
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 00:15:70:21:8a:34 on AP 68:ef:bd:2e:7a:10 from Probe to Associated
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 Sending Assoc Response to station on BSSID 68:ef:bd:2e:7a:10 (status 0) Vap Id 1 Slot 0
    *Dec 24 10:17:04.813: 00:15:70:21:8a:34 apfProcessAssocReq (apf_80211.c:4391) Changing state for mobile 00:15:70:21:8a:34 on AP 68:ef:bd:2e:7a:10 from Associated to Associated
    *Dec 24 10:17:06.751: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *Dec 24 10:17:06.751: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4181, Adding TMP rule
    *Dec 24 10:17:06.751: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 68:ef:bd:2e:7a:10, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo F
    *Dec 24 10:17:06.751: 00:15:70:21:8a:34 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Dec 24 10:17:06.756: 00:15:70:21:8a:34 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Dec 24 10:17:06.756: 00:15:70:21:8a:34 Sent an XID frame
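
The pattern visible in the debug output above (a client held in DHCP_REQD with address 0.0.0.0 until "DHCP Policy timeout", then expired) can be pulled out of a long `debug client` capture automatically. The following is an added example, not part of the original post and not Cisco tooling; the sample lines, MAC addresses, the `(WLC)` prompt and the assumed year are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The debug output carries no year; a fixed one is assumed because only
# time differences are used.
ASSUMED_YEAR = 2000

# CLI prompt that the controller interleaves with debug lines, e.g. "(WiSM-slot4-2) >"
PROMPT = re.compile(r"^\([^)]*\) >")
# "*Dec 24 10:14:44.576: <client mac> <rest>"
LINE = re.compile(
    r"^\*(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<rest>.*)$"
)
# "<client ip> <POLICY_STATE> (<n>) <message>"
POLICY = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<state>[A-Z0-9_]+) \(\d+\) (?P<msg>.*)$"
)
ASSOC = re.compile(r"^Association received from mobile on AP (?P<ap>\S+)")


@dataclass
class DhcpTimeout:
    mac: str
    ap: str                      # AP of the most recent association
    waited_s: Optional[float]    # seconds between association and timeout
    learned_ip: bool             # did the controller ever see a non-zero IP?


def find_dhcp_timeouts(lines):
    """Return one DhcpTimeout per 'DHCP Policy timeout' seen in DHCP_REQD."""
    assoc = {}        # mac -> (timestamp, ap) of the latest association
    learned = set()   # MACs logged with an address other than 0.0.0.0
    findings = []
    for raw in lines:
        m = LINE.match(PROMPT.sub("", raw.strip()))
        if not m:
            continue  # CLI echo, rule detail line, or wrapped continuation
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}",
                               "%Y %b %d %H:%M:%S.%f")
        mac, rest = m["mac"].lower(), m["rest"]

        a = ASSOC.match(rest)
        if a:
            assoc[mac] = (ts, a["ap"])
            continue

        p = POLICY.match(rest)
        if not p:
            continue
        if p["ip"] != "0.0.0.0":
            learned.add(mac)
        if p["state"] == "DHCP_REQD" and p["msg"].startswith("DHCP Policy timeout"):
            since, ap = assoc.get(mac, (None, "unknown"))
            waited = (ts - since).total_seconds() if since else None
            findings.append(DhcpTimeout(mac, ap, waited, mac in learned))
    return findings


# Constructed sample in the same format as the capture above: client ...:01
# never gets an address and times out, client ...:02 learns 192.0.2.50.
SAMPLE = """\
(WLC) >debug client 02:00:00:00:00:01
(WLC) >*Dec 24 10:14:44.575: 02:00:00:00:00:01 Association received from mobile on AP 02:aa:00:00:00:10
*Dec 24 10:14:44.576: 02:00:00:00:00:01 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dec 24 10:14:44.576: 02:00:00:00:00:01 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
  type = Airespace AP - Learn IP address
*Dec 24 10:14:45.100: 02:00:00:00:00:02 Association received from mobile on AP 02:aa:00:00:00:10
*Dec 24 10:14:45.101: 02:00:00:00:00:02 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dec 24 10:14:46.300: 02:00:00:00:00:02 192.0.2.50 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*Dec 24 10:16:44.550: 02:00:00:00:00:01 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
*Dec 24 10:16:44.550: 02:00:00:00:00:01 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
""".splitlines()

if __name__ == "__main__":
    for f in find_dhcp_timeouts(SAMPLE):
        print(f"{f.mac} on AP {f.ap}: DHCP_REQD timeout after "
              f"{f.waited_s:.3f}s, address learned: {f.learned_ip}")
```

Lines that were hard-wrapped by the terminal should be rejoined before parsing, since a continuation fragment does not match the timestamp pattern and is skipped.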

  • Video call from Cisco 8945 SCCP to Polycom VVX 1500 Third party Sip Phones between intercluster trunks is not working

    Dear All,
    We have two CUCM clusters in different locations. Between the clusters I created an
    inter-cluster trunk (non-gatekeeper controlled). Now everything is working fine between the clusters,
    audio calls and video calls between SCCP 8945 phones, but I am facing a problem with third-party
    video phones (Polycom VVX 1500), third-party SIP phones located in the second cluster. From the 1st cluster Cisco 8945 video
    phone to the 2nd cluster Polycom video phone, all calls work for voice only, but no video.
    Please suggest a solution.
    Thank you,
    Sriman

    Try setting up a SIP trunk between the two clusters and set a route pattern just to the VVX 1500 and check how that goes.
    From memory inter-cluster trunks are a H.323 like protocol which might have video inter-op issues with the Polycom device.

  • Cisco ISE Guest Sponsor Portal Issue

    Dear all ,
    We have installed 5 ISE 3315 boxes (IOS 1.0.4) in our network, of which two are admin nodes, two are policy services nodes and one is an MnT node. We are using the guest sponsor portal for wireless guest users, where we have integrated a WLC 5508 with ISE and are using web login for guest users.
    We have created an open SSID on the WLC and are using the external redirect URL of ISE for the guest login page.
    But when we create any guest user in the sponsor login, we face the following issues:
    1) When a guest user gets connected to wireless and logs in to the guest portal, after entering credentials they are redirected again to the same login page
    without a successful login prompt.
    Can we prompt a successful login after the guest logs in to the guest portal, or redirect to another link like google.com, so the guest user knows he is able to access the internet now?
    2) We have created a time profile of 8 hours from first login for guest users. The guest user gets connected after putting credentials into the guest portal,
    but we face an issue: approximately every 20 minutes the guest gets disconnected from the internet and again gets the login page of the guest portal. If we enter the same credentials it works, but after an interval of approximately 20 minutes the user gets disconnected from the internet again.
    Can anyone help me resolve the above issues regarding the Cisco ISE guest sponsor portal?
    Thanks & Regards
    Pranav Gade

    Pranav, your answers are inline:
    1) When a guest user gets connected to wireless and logs in to the guest portal, after entering credentials they are redirected again to the same login page
    without a successful login prompt.
    When you are using CWA (central web authentication) there is no way we can redirect users using the redirect-url, because this will always redirect users every time they initiate a web request. There is no other CoA feature that will remove this condition since they have already been authenticated. Here is a guide that explains the user experience when using central web auth -
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954
    Can we prompt a successful login after the guest logs in to the guest portal, or redirect to another link like google.com, so the guest user knows he is able to access the internet now?
    No, this is not possible; you can change the verbiage and force the AUP to be displayed, informing users that they can retry their web request after hitting the accept button.
    Here is the documented experience once users go through the guest process -
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
    2) We have created a time profile of 8 hours from first login for guest users. The guest user gets connected after putting credentials into the guest portal,
    but we face an issue: approximately every 20 minutes the guest gets disconnected from the internet and again gets the login page of the guest portal. If we enter the same credentials it works, but after an interval of approximately 20 minutes the user gets disconnected from the internet again.
    Check the advanced timer on your SSID as you may be hitting the session timeout on the WLC. Please disable this option and let the CoA feature in ISE expire user sessions on the controller.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE Guest Portal Time Profiles

    G'day All,
    Could someone advise if it is possible to extend or change the time profile of a guest account that has already been created? I am trying to understand using time profiles from within the Sponsor Portal. Imagine a guest user has an account created that gives them 2 weeks access; towards the end of the 2 weeks the user requires another week of access.
    From what I can see in both the ISE time profiles config page and from within the sponsor portal, either the user would have to wait until the existing account expired and have a new account created, or a new account would have to be created to grant the additional access and the existing account could be deleted. I am just seeking clarification of whether time extensions for guest accounts are possible prior to the account expiring.
    Currently using ISE 1.1.3
    Thanks in advance guys.
    James.      

    Please follow the steps below to edit the time profile:
    Adding, Editing, or Duplicating Time Profiles
    To add or edit a time profile, complete the following steps:
    Step 1 From the Cisco ISE Administration interface, select Administration > Guest Management > Settings > Guest > Time Profiles.
    Step 2 Click one of the following:
    • Add—to create a new time profile
    • Edit—to edit an existing time profile
    • Duplicate—to duplicate an existing time profile
    Step 3 Enter the name and description of the new time profile.
    Step 4 Select a Time Zone for Restrictions. Time Restrictions are a set of time periods during which a guest account associated with that time profile would not be granted access to the network or guest portal.
    Step 5 From the Account Type drop-down menu, choose one of the predefined options:
    • StartEnd—allows sponsors to define start and end times for account durations
    • FromFirstLogin—allows sponsors to define the duration of time that guests can have access after login
    • FromCreation—allows sponsors to define the duration of time that guest can have access after account creation
    Step 6 Set the Duration for which the account will be active. The account expires after the duration set here has expired. This option is available only if you select the Account Type as FromFirstLogin or FromCreation.
    Step 7 Set the Restrictions for the guest access.
    These restrictions are composed of a day of the week and a start and end clock time. The Time Zone value specified in the time profile affects the clock times set in any of the Time Restrictions within the time profile. For example, a Time Restriction that specifies Monday 12:00 am to 8:00 am and Monday 6:00 pm to 11:59 pm would only grant system access between 8:00 am and 6:00 pm on Mondays within the time zone of the time profile. Any other day of the week would have no time restriction in this example and system access would be granted at any time.
    Step 8 Click Submit.

  • ISE upgrade 1.2: Self-provisioning portal not working

    Hi all,
    I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf
    Screenshot of page is attached:
    I've checked the ise-console.log application log file and found two errors corresponding to the first page:
    [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
    [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:-         at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)
    and the second (not working) one:
    [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException
    [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:-  at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)
    Looks like something is wrong with a certification file, but I cannot find what is. I've exported and re-installed current server certificates (as instructed by upgrade guide for 1.2) and nothing changed.
    Can somebody please help?
    Thanks,
    L

    Errors When Adding Devices to My Devices Portal
    Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
    If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
    If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
    For more information on self-provisioning:
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html

  • Custom Guest Portal

    Hello. Can I change default web guest portal: change background picture, logo, and add some things?
    Thanks.

    You can customize a portal theme, changing text, banners, background color, and images.
    This section shows you how to create a custom portal theme, by setting and applying customized options.
    You can follow the same steps to modify an existing customized portal theme.
    Note: Supported image formats include jpg, jpeg, gif, and png.
    To customize a portal theme, complete the following steps:
    Step 1: From the Cisco ISE Administrator interface choose Administration > Guest Management > Settings.
    Step 2: In the Settings panel on the left, select General > Portal Theme. (The Portal Theme page appears on the right.)
    Step 3: Customize the portal theme in the following ways:
    Change the Login Page Logo.
    This setting allows you to change the logo on the portal Login page. You can choose the default Cisco logo or upload a custom image.
    To upload a custom login page logo, complete the following steps:
    Step 1: Select Upload New File from the drop-down menu.
    Step 2: Click Browse, navigate to and select the desired image file.
    Step 3: Click Open.
    Recommended guidelines for a login page logo image are as follows:
    • Height: 16-480 pixels
    • Width: 16-480 pixels
    Change the Login Page Background Image.
    This setting allows you to change the background image on the portal login page. You can choose the default Cisco background or upload a custom background image.
    To upload a custom background image, complete the following steps:
    Step 1: Select Upload New File from the drop-down menu.
    Step 2: Click Browse, navigate to and select the desired image file.
    Step 3: Click Open.
    Customize the Banner Logo
    This setting allows you to change the portal banner logo. You can choose the default Cisco banner or upload a custom banner logo.
    To upload a custom banner logo, complete the following steps:
    Step 1: Select Upload New File from the drop-down menu.
    Step 2: Click Browse, navigate to and select the desired image file.
    Step 3: Click Open.
    Customize the Banner Background Image
    This setting allows you to change the portal banner background image. You can choose the default Cisco background or upload a custom background image.
    To upload a custom banner background, complete the following steps:
    Step 1: Select Upload New File from the drop-down menu.
    Step 2: Click Browse, navigate to and select the desired image file.
    Step 3: Click Open.
    Change the Login Background Color
    This setting allows you to change the background color of the portal login page.
    To change the login page background color, complete the following steps:
    Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format, such as the following: FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
    Step 2: Click Show Color to display the specified color.
    Customize the Banner Background Color
    This setting allows you to change the banner background color of the portal. To set the login background color, complete the following steps:
    Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format, such as the following: FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
    Step 2: Click Show Color to display the representative color.
    Customize the Content Background Color
    This setting allows you to change the content background color for the portal pages.
    To change the content background color for the portal, complete the following steps:
    Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format such as FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
    Step 2: Click Show Color to display the representative color.

  • Cisco ISE - Not use FQDN in url-redirect parameter

    Hi,
    I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
    The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
    As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
    Thank you very much.
    Joana.

    Available in 1.2, and available as a "bit of a bodge" in 1.1.x  (read "a lot of a bodge")
    If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
    Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead.

  • Cisco ISE authentication failed because client reject certificate

    Hi Experts,
    I am a newbie in ISE and having problem in my first step in authentication. Please help.
    I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication is configured to be checked against ISE's internal user database for early deployment. But when users try to authenticate, they fail with this error message in ISE:
    Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    I've generated a certificate for ISE using Windows Server CA and replaced ISE's self-signed certificate with the new certificate, but authentication still fails with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
    Regards,
    Ratna

    Certificate-Based User Authentication via Supplicant Failing
    Symptoms or Issue: User authentication is failing on the client machine, and the user is receiving a “RADIUS Access-Reject” form of message.
    Conditions: (This issue occurs with authentication protocols that require certificate validation.)
    Possible Authentications report failure reasons:
    • “Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client”
    • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate”
    Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:
    • 12305 Prepared EAP-Request with another PEAP challenge
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is reusing an existing session
    • 12304 Extracted EAP-Response containing PEAP challenge-response
    • 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    • 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is re-using an existing session
    • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
    • 12815 Extracted TLS Alert message
    • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.
    Possible Causes: The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
    Resolution: The client machine must accept the Cisco ISE certificate to enable authentication.
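    The step codes listed in the report above can be triaged mechanically. The following is an added example, not Cisco's code and not part of the original posts: it groups Authentication Report steps into attempts and flags the ones where the client rejected the ISE certificate. The function names and verdict labels are assumptions, and the sample input is constructed from the steps quoted in this thread.

```python
import re

STEP = re.compile(r"^\W*(\d{5})\s+(.+)$")  # optional bullet, 5-digit code, message
# Codes quoted on this page: client rejected the certificate / EAP method hints.
CERT_REJECT = {11514, 12512, 12153, 12321}
METHOD = {12305: "PEAP", 12304: "PEAP", 12321: "PEAP",
          12104: "EAP-FAST", 12153: "EAP-FAST"}
ACCESS_REJECT = 11003

def parse_steps(text):
    found = (STEP.match(line.strip()) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in found if m]

def split_attempts(steps):
    # An attempt ends at "Returned RADIUS Access-Reject"; leftover steps are kept.
    attempts = [[]]
    for step in steps:
        attempts[-1].append(step)
        if step[0] == ACCESS_REJECT:
            attempts.append([])
    return [a for a in attempts if a]

def classify(attempt):
    codes = [code for code, _ in attempt]
    evidence = [c for c in codes if c in CERT_REJECT]
    verdict = ("incomplete" if ACCESS_REJECT not in codes else
               "client-rejected-server-certificate" if evidence else
               "rejected-other-cause")
    method = next((METHOD[c] for c in codes if c in METHOD), "unknown")
    return {"method": method, "verdict": verdict, "evidence": evidence}

def triage(text):
    return [classify(a) for a in split_attempts(parse_steps(text))]

# Constructed sample: two attempts abridged from the report above, one constructed.
SAMPLE = """\
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
• 11003 Returned RADIUS Access-Reject
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
• 11003 Returned RADIUS Access-Reject
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

    An attempt flagged as client-rejected-server-certificate points at the supplicant's trust configuration, which matches the Possible Causes entry above.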

  • SP 19 upgrade issue : Log off Button not working in Portal Masthead

    Hi All,
    We have recently performed an upgrade from EP 7.0 SP12 to EP 7.0 SP19 stack level.
    After the upgrade we are facing these 2 issues:
    1) Log off button is not working in Portal Masthead
    2) SSO to BW reports also not working.
    Any immediate pointers and help would be highly appreciated.
    Regards,
    Shailesh

    Hi Tobias,
    Thanks for the reply.
    I have tried rebuilding and redeploying the par file after removing the function 'releaseProducerSessions()', which is not available in SP 19, but still the issue persists.
    Any other process to be followed?
    2) SSO is working for other stuff, and the issue is specifically for Bex iViews/Reports
    Regards,
    Shailesh
