Cisco ISE Guest Sponsor Portal Isssue

Similar Messages

• Cisco ISE Guest Portal - DNS Issue - External Zone

  Hello,
  I have a customer that has the following sceanrio :
  In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect  URL  from ISE (URL to access the ISE Guest Portal), this URL is based on  the  ISE DNS name, not on its IP address; so, the PC can't resolve  this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided  by the  DHCP server, and, so, it can't access the Guest Portal at all ;
  I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
  cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
  since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
  My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
  Thank-you in advance for your replies.
  Robert C.

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

  Hi to all,
  I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
  I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
  Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
  Error: Resource not found.
  Resource: /guestportal/
  Does anyone have any ideas why the portal is doing this?
  Thanks
  Paul

  Hello,
  As you are not able to  get the guest portal, then you need to assure the following things:-
  1) Ensure that the  two  Cisco av-pairs that are configured on the  authorization profile should  exactly match the example below. (Note: Do  not replace the "IP" with the  actual Cisco ISE IP address.)
  –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
  –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
  2) Ensure that the URL redirection portion of the ACL have been  applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address  that is  passed to the client machine by the DHCP server.)
  Admission feature : DOT1X
  AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
  URL Redirect ACL : ACL-WEBAUTH-REDIRECT
  URL Redirect :
  https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
  0000A45A2444BFC2&action=cpp
  3) Ensure that the preposture assessment DACL that is enforced from  the  Cisco ISE authorization profile contains the following command  lines:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8906 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
  4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny ip any host 80.0.80.2
  permit ip any any
  5) Ensure that the http and https servers are running on the switch:
  ip http server
  ip http secure-server
  6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
  7) Ensure that the client machine browser is not configured to use any  proxies.
  8) Verify connectivity between the client machine and the Cisco ISE IP  address.
  9) If Cisco ISE is deployed in a distributed environment, make sure  that  the client machines are aware of the Policy Service ISE node FQDN.
  10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
  11) Or you need to do re-image again.

• Cisco ISE Guest portal

  Dears,
  I want to configurate guest portal(Central Web authentication)  for wireless client on Cisco ISE. I confuse that:
  Must i configure redirect ACL in switch? If yes which access-group or which interface i applied this redirect ACL? 
  I read that must be create redirect ACL in WLC. 

  I also do my configuration form these guide. In this guide write that:
  reate the Authorization Profile
  On the ISE, the authorization profile must be created. Then, the authentication and authorization policies are configured. The WLC should already be configured as a network device.
  In the authorization profile, enter the name of the ACL created earlier on the WLC.
  Click Policy, and then click Policy Elements.
  Click Results.
  Expand Authorization, and then click Authorization profile.
  Click the Add button in order to create a new authorization profile for central webauth.
  In the Name field, enter a name for the profile. This example uses WLC_CWA.
  Choose ACCESS_ACCEPT from the Access Type drop-down list.
  Check the Web Redirection check box, and choose Centralized Web Auth from the drop-down list.
  In the ACL field, enter the name of the ACL on the switch that defines the traffic to be redirected. This examples usescwa_redirect.
  this confuse me. 

• Cisco ISE Guest portal - smart card login

  Does anyone know if Cisco ISE support smart card login to the guest portal page?                    

  No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

• Cisco ISE Guest Login without provisioning

  Hi,
  I have setup the ise based on  https://supportforums.cisco.com/docs/DOC-26442  whereby I have an authorization rule for CWA and an authorization rule for guestflow with provisioning. All is working great, however I was wondering if it may be possible to setup the ise with the following scenarios with dual ssid:
  1. user login to guest ssid and redirects to guest web portal and input guest credential created by sponsor (this is working well)
  2. user login to guest ssid and redirects to guest web portal and input credential from AD goes to provisioning (this is working well)
  3. user login to guest ssid and redirects to guest web portal and input credential from specified AD group and get internet/network access without provisioning.
  For point 3, I was wondering if it may be possible and if so on how it may be accomplished? I have attached the present Authz rule for reference as well as the rule I have tried which does not seems to be working.
  Any help is appreciated!
  Thanks.

  No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

• Cisco ISE - Guest Access With Google Chrome

  We've implemented the self provisioning guest portal/Guest SSID and it seems to work great for internet explorer, if a user uses Google Chrome to go through the setup the password is generated, they login and accept the terms and conditions, but then they get hung up on the WLC URL and then have to start self provisioning again.
  Any ideas?

  Please check the below browser requirements :
  Supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals
  These Cisco ISE portals support the following operating system and  browser combinations. These portals require that you have cookies  enabled in your web browser.
  Table 8     Supported Operating Systems and Browsers
  Supported Operating System Browser Versions
  Google Android 1 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
  •Native browser
  Apple iOS 6, 5.1, 5.0.1, 5.0
  •Safari 5, 6
  Apple Mac OS X 10.5, 10.6, 10.7, 10.8
  •Mozilla Firefox 3.6, 4, 5, 9
  •Safari 4, 5, 6
  •Google Chrome 11
  Microsoft Windows 82
  •Microsoft IE 10
  Microsoft Windows 73
  •Microsoft IE 9
  •Mozilla Firefox 3.6, 5, 9
  •Google Chrome 11
  Microsoft Windows Vista, Microsoft Windows XP
  •Microsoft IE 6, 7, 8
  •Mozilla Firefox 3.6, 9
  •Google Chrome 5
  Red Hat Enterprise Linux (RHEL) 5
  •Mozilla Firefox 3.6, 4, 5, 9
  •Google Chrome 11
  Ubuntu
  •Mozilla Firefox 3.6, 9

• Cisco ISE guests and Ironport

  Hi All,
  I'm currently writing a HLD for a Cisco ISE rollout in my organization, and I've come across sort-of-an-issue:
  I'm planning on getting the guests in through the ISE Guest portal, but I also want to push them through an authenticated proxy(for accounting purposes) instead of a transparent one... however, I can't seem to find a way to somehow integrate Ironport and ISE in order to achieve some sort of an SSO, to avoid users having to enter their credentials twice(guest portal and ironport)- has anyone got a working solution for this?
  Any constructive input appreciated!
  Thanks!

  Thanks for the swift responses and suggestions!
  I'll most certainly have a look at the proposals...
  However,  I still want the guest users to go through the S370, as it's not only  for accounting purposes, but I want them to authenticate, since it would  make tracing and pinning events to a person way easier - that's the  main reason why I'm trying to find a solution that might act like an  SSO. The business side stated that signing in twice(ISE guest portal, then proxy) is unacceptable. I know that there's no direct integration between ISE and Ironport at the moment, and I am going to put in a feature request for that, but for the time being, I am really keen on getting this to work somehow...
  BTW - I'm currently using a virtualised ISE, release 1.1.4., And I've got the 3395's on order...

• Cisco ISE Guest Login

  Hi,
  I have a weird problem; after a guest user account has been created on Cisco ise 1.1.4 patch 8; when the guest user is redirected to the ise guest portal; the first login is always unsuccessful. Upon entering the login credential and password correctly; the client would be redirected to the same login page. Upon retrying the process a few times; it would succeed after 2-3 times.
  On the ise authentication; I see a guest authentication error; "Guest Authentication Failed : 86020: Unknown exception" with only a single step seen on the logs for troubleshooting "5431  Guest Authentication Failed"
  I would like to check if anyone has seen such an issue/behaviour? 
  Any suggestions is appreciated.
  Thanks.

  No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

• ISE GUEST external portal

  Hi,
  Can I integrated Cisco ISE to use external URL for guest authentication ?
  regards
  Prasad

  Hi,
  If I am understading your scenario correctly then following link might be helpful,
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_ui_reference_administration.html#wpxref85952

• ISE Guest Wifi Portal Users restricted to 5 day account

  Hi,
  I have a custom Guest wifi portal configured in Mulit-Portal Configuration to do self service, Portal Type is default Portal.
  I have the Guest Portal Policy configured to a time profile of 6 months which works ok for my other wifi profiles.
  My users however are only getting a 5 day account to expiry.
  I suspect the Guest Portal I have configured is not using the Default Guest Portal Policy as configured in "Web Portal Management\Settings\Guest\Portal Policy but I can't find any other option or settings
  Please Any help gratefully recieved.
  Thanks

  There was a bug that caused a failure like this, think it was solved in 1.2 patch 8...  could be worth a try to patch if you haven't done so....

• OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue

  We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest trying to browse the internet it will be redirected to guest protal for authentication. So only corporate guest with valid password can pass the portal authentication. This is been working fine for windows machine, android, and apple devices with earlier OS version (working on OSX 10.8.5). For clients that's been upgraded to OSX 10.10.1 or IOS 8 they can no longer load the CWA redirection page.
  Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release ?
  thanks - ciscosx

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Cisco ISE Guest Authentication Failed : 86020: Unknown exception

  Hi,
  I would like to check what may be causing the error message 86020:unknown exception for ise when guest user authenticates via wireless using CWA? I have also attached a screen capture of the error and after the authenitcation logs change to autheorization only succeed after a repeated trying. Based on user feedback for failed login, When guest user gets conected to wirless and login in to guest  portal with credential after putting credential  then its again redirect  to same login page wihout successful login prompt; not too sure if there may be any settings that may be looked into and the reason for the unknown exception error?
  Any suggestion/recommendation is appreciated.

  Hi Tarik,
  Not too sure if i understand on the static hostname for redirection; there are 2 PSNs for the deployment however they are acting as active/secondary for the wireless (This is done from the wlan on the wlc to set the primary/secondary radius server). From the guest redirection; it is always hitting the primary radius server defined on the wlan/wlc. The ise is running version 1.1.4 with patch 8 applied.
  Not  too sure if there may be any settings that may be looked into for the guest authentication/redirection and the reason for the unknown exception error?
  Thanks.

• Cisco ISE Date Format mm/dd/yyyy

  We have implemented Cisco ISE Guest Portal and when we create a new account for a visitor the date format is mm/dd/yyyy.See attached file.
  We have tried to change it through Administration/Settings/Language Template/English/Configure Time/Date Formats unfortunately with no results.
  Is this a bug or i am not looking in the right place?
  We are running Cisco ISE 1.2.

  check CSCuj86793

• MAC OS X unable to download Cisco ISE supplicant agent

  Hi,
  I have a problem with MAC OS X clients unable to download the Cisco ISE supplicant agent using Safari browser but able to login on the ISE guest portal. If the same client was to login to the ISE guest portal using Firefox; it has no issues downloading the ise supplicant and posture agent.
  I have tried to update the Java version on the client to the latest; however it does not resolve the issue. As I am new to MAC OS clients; I was wondering what may be the cause of the issue?
  I have summarized the issue as follows:
  1. MAC OS X 10.8 with safari 6 -- unable to download agent but can login successfully on the Cisco ISE guest portal
  2. MAC OS X 10.8 with Firefox -- able to login to Cisco ISE guest portal and download agents; no issues
  3. MAC OS X 10.7 with safari and firefox ---  unable to download agent but can login successfully on the Cisco ISE guest portal
  4. Windows XP & Windows 7 & Iphone/Ipad/Android -- able to login/download agent without any issues
  Any suggestions is appreciated.
  Thanks.

  For Agent Download Issues on Client Machine
  • Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the
  policy identity group, conditions, and type of agent(s) defined in the policy.
  (Also ensure whether or not there is any agent profile configured under Policy >
  Policy Elements > Results > Client Provisioning > Resources > Add > ISE
  Posture Agent Profile, even a profile with all default values.)
  • Try reauthenticating the client machine by bouncing the port on the access
  switch.
  Remember that the client provisioning agent installer download requires the following:
  • The user must allow the ActiveX installer in the browser session the first time an agent is installed
  on the client machine. (The client provisioning download page prompts for this.)
  • The client machine must have Internet access.
  Client Machine Operating Systems and Agent Support in Cisco ISE
  Check the following link
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp95449