Cisco ISE guests and Ironport

Similar Messages

• Cisco ISE Guest Sponsor Portal Isssue

  Dear all ,
  We have insatalled 5 ise 3315 boxes IOS 1.0.4 in our network where in two of them are admin node , two of policy services and one is mnt node. We are using guest sponsor portal for wirless guest user where in we have integrated WLC 5508 with ise and using weblogin for guest users.
  We have created open ssid in wlc and using external redirected url of ise for guest login page.
  But when we create any guest user in sponsor login for guest user we faced following issue
  1) When guest user gets conected to wirless and login in to guest portal with credential after putting credential  then its again redirect to same login page
  wihout successful login prompt.
  Can we pompt successful login after guest login to guest portal or redirect to any other link like google.com so guest user will gets to know he is able to access internet now
  2) We have creted time profile 8hours first login for guest user. When guest user gets connected while putting credential in to guest portal.
  But we face issue after approximately every 20 mins guest gets disconnected from internet and guest again gets login page of guest portal and if we put same credential then its working but after approx 20 min interval user get disconnected from internet.
  Can anyone help me to resolved above issue regading cisco ise guest sponsor portal
  Thanks & Regards
  Pranav Gade

  Pranav your answers are inline,
  1) When guest user gets conected to wirless and login in to guest  portal with credential after putting credential  then its again redirect  to same login page
  wihout successful login prompt. When you are using CWA (central web authentication) there is no way we can redirect users using the redirect-url because this will always redirect users for every time they initiate a web request. There is no other coa feature that will remove this condition since they have already been authenticated.  Here is a guide that explains the user experience when using central web auth -
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954
  Can  we pompt successful login after guest login to guest portal or redirect  to any other link like google.com so guest user will gets to know he is  able to access internet now No this is not possible, you can change the verbage and force the AUP to be displayed informing users that they can retry their web request after hitting the accept button.
  Here is the documented experience once users go through the guest process -
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
  2)  We have creted time profile 8hours first login for guest user. When  guest user gets connected while putting credential in to guest portal.
  But  we face issue after approximately every 20 mins guest gets disconnected  from internet and guest again gets login page of guest portal and if we  put same credential then its working but after approx 20 min interval  user get disconnected from internet. Check the advanced timer on your SSID as you may be hitting the session timeout on the WLC. Please disable this option and let the COA feature in ISE expire user sessions on the controller.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

  Hi to all,
  I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
  I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
  Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
  Error: Resource not found.
  Resource: /guestportal/
  Does anyone have any ideas why the portal is doing this?
  Thanks
  Paul

  Hello,
  As you are not able to  get the guest portal, then you need to assure the following things:-
  1) Ensure that the  two  Cisco av-pairs that are configured on the  authorization profile should  exactly match the example below. (Note: Do  not replace the "IP" with the  actual Cisco ISE IP address.)
  –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
  –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
  2) Ensure that the URL redirection portion of the ACL have been  applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address  that is  passed to the client machine by the DHCP server.)
  Admission feature : DOT1X
  AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
  URL Redirect ACL : ACL-WEBAUTH-REDIRECT
  URL Redirect :
  https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
  0000A45A2444BFC2&action=cpp
  3) Ensure that the preposture assessment DACL that is enforced from  the  Cisco ISE authorization profile contains the following command  lines:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8906 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
  4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny ip any host 80.0.80.2
  permit ip any any
  5) Ensure that the http and https servers are running on the switch:
  ip http server
  ip http secure-server
  6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
  7) Ensure that the client machine browser is not configured to use any  proxies.
  8) Verify connectivity between the client machine and the Cisco ISE IP  address.
  9) If Cisco ISE is deployed in a distributed environment, make sure  that  the client machines are aware of the Policy Service ISE node FQDN.
  10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
  11) Or you need to do re-image again.

• Cisco ISE Guest Portal - DNS Issue - External Zone

  Hello,
  I have a customer that has the following sceanrio :
  In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect  URL  from ISE (URL to access the ISE Guest Portal), this URL is based on  the  ISE DNS name, not on its IP address; so, the PC can't resolve  this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided  by the  DHCP server, and, so, it can't access the Guest Portal at all ;
  I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
  cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
  since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
  My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
  Thank-you in advance for your replies.
  Robert C.

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Cisco ISE functionally and license

  HI. 
  I wanna configure the following on Cisco ISE 1.2.1.
  Self-registration portal for guests (SSID: guests)
  802.1x user certificate check (Cisco NAM supplicant) for employees (SSID: Corporate) (EAP-TLS)
  Self provisioning portal (to deploy BYOD certificate and give access for BYOD devices) for BYOD devices (SSID: Corporate) (PEAP, MSHAPv2)
  Can I configure these things with PLUS license or do I need Adv or Wireless? I am not sure if one of these requires profiling functionally.

  With plus license all the above items should work.
  Here is what plus license supports:
  Bring Your Own Device (BYOD)
  Profiling
  Endpoint Protection Service (EPS)
  TrustSec SGT
  For more info, refer ISE license section:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_license.html#41012
  Regards,
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE Guest portal

  Dears,
  I want to configurate guest portal(Central Web authentication)  for wireless client on Cisco ISE. I confuse that:
  Must i configure redirect ACL in switch? If yes which access-group or which interface i applied this redirect ACL? 
  I read that must be create redirect ACL in WLC. 

  I also do my configuration form these guide. In this guide write that:
  reate the Authorization Profile
  On the ISE, the authorization profile must be created. Then, the authentication and authorization policies are configured. The WLC should already be configured as a network device.
  In the authorization profile, enter the name of the ACL created earlier on the WLC.
  Click Policy, and then click Policy Elements.
  Click Results.
  Expand Authorization, and then click Authorization profile.
  Click the Add button in order to create a new authorization profile for central webauth.
  In the Name field, enter a name for the profile. This example uses WLC_CWA.
  Choose ACCESS_ACCEPT from the Access Type drop-down list.
  Check the Web Redirection check box, and choose Centralized Web Auth from the drop-down list.
  In the ACL field, enter the name of the ACL on the switch that defines the traffic to be redirected. This examples usescwa_redirect.
  this confuse me. 

• Cisco ISE Guest Login

  Hi,
  I have a weird problem; after a guest user account has been created on Cisco ise 1.1.4 patch 8; when the guest user is redirected to the ise guest portal; the first login is always unsuccessful. Upon entering the login credential and password correctly; the client would be redirected to the same login page. Upon retrying the process a few times; it would succeed after 2-3 times.
  On the ise authentication; I see a guest authentication error; "Guest Authentication Failed : 86020: Unknown exception" with only a single step seen on the logs for troubleshooting "5431  Guest Authentication Failed"
  I would like to check if anyone has seen such an issue/behaviour? 
  Any suggestions is appreciated.
  Thanks.

  No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

• Cisco ISE - Guest Access With Google Chrome

  We've implemented the self provisioning guest portal/Guest SSID and it seems to work great for internet explorer, if a user uses Google Chrome to go through the setup the password is generated, they login and accept the terms and conditions, but then they get hung up on the WLC URL and then have to start self provisioning again.
  Any ideas?

  Please check the below browser requirements :
  Supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals
  These Cisco ISE portals support the following operating system and  browser combinations. These portals require that you have cookies  enabled in your web browser.
  Table 8     Supported Operating Systems and Browsers
  Supported Operating System Browser Versions
  Google Android 1 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
  •Native browser
  Apple iOS 6, 5.1, 5.0.1, 5.0
  •Safari 5, 6
  Apple Mac OS X 10.5, 10.6, 10.7, 10.8
  •Mozilla Firefox 3.6, 4, 5, 9
  •Safari 4, 5, 6
  •Google Chrome 11
  Microsoft Windows 82
  •Microsoft IE 10
  Microsoft Windows 73
  •Microsoft IE 9
  •Mozilla Firefox 3.6, 5, 9
  •Google Chrome 11
  Microsoft Windows Vista, Microsoft Windows XP
  •Microsoft IE 6, 7, 8
  •Mozilla Firefox 3.6, 9
  •Google Chrome 5
  Red Hat Enterprise Linux (RHEL) 5
  •Mozilla Firefox 3.6, 4, 5, 9
  •Google Chrome 11
  Ubuntu
  •Mozilla Firefox 3.6, 9

• Cisco ISE Admin and EAP certificate renewal

  Hi board,
  maybe I'm asking a rather dumb question here, but anyway :)
  I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.
  Here's the thing I do, when I initially install an ISE node
  1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
  2.) Sign CSR and bind certificate on ISE node - done
  Now after 10 month or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
  CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)
  So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and more important non-disruptive way of doing this.
  How do you guys do this in your deployments?
  Thanks in advance and sorry again if this is a silly question.
  Johannes

  you can install a new certificate on the ISE before it is active, Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart
  Certificate Renewal on Cisco Identity Services Engine Configuration Guide
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

• Cisco ISE - Computer and User Authenticiation on AD for Wireless Clients.

  Hello all,
  I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
  The AD user authorization works fine, but I cannot see on the logs a challenge for the computer verification (it must be a domain member).
  I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.
  Can you explain me if this fact is involved by the ISE configuration or by the client configuration ?
  Thanks a lot for your help.
  The followings screenshots show the logs appearing in the ISE :  
  Kind regards, Emeric.

  This is a great question and I wanted to add my input and I have a question as well. My understanding in order to do both Machine and User EAP-Chaining is required, which used EAP-FAST. 
  In my testing, when a domain box is configured for computer/user authentication. When the laptop started up it will authenticate with a host/ and sid in the log.
  When the user logs in you then see the user ID.
  For my benefit when rule are you talking about ?
  Thank you 

• Cisco ISE CLI and GUI password expire

  I had Cisco ISE version 1.1  i face a problem with the CLI and GUI password, as it expire and i can't login, i do the password reset using the ISE DVD,
  i navigate to the ISE CLI, and do the following commands:
  conf t
       password-policy
            no password-expiration-enable
  and reset the GUI admin password, using the command:
       # application reset-passwd ise admin
  from the ISE GUI i had remove the option for diable admin account after 45 days.
  but after 60 days the password expire again.
  so kindly advise what to check for this expire issue.

  Hi Mostafa,
  Yes, the last reply was more towards GUI password-mgmt because in maority of cases it happens with UI admin account. I need to know if you've restarted the ISE after disabling the expiration from the CLI because what I read few weeks ago in an internal defect that password policy configurations are not preserved on cli after restart so just to check could you please check the current settings on CLI w/ the help of show run | in password-policy.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE Guest portal - smart card login

  Does anyone know if Cisco ISE support smart card login to the guest portal page?                    

  No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

• Cisco ISE Guest Login without provisioning

  Hi,
  I have setup the ise based on  https://supportforums.cisco.com/docs/DOC-26442  whereby I have an authorization rule for CWA and an authorization rule for guestflow with provisioning. All is working great, however I was wondering if it may be possible to setup the ise with the following scenarios with dual ssid:
  1. user login to guest ssid and redirects to guest web portal and input guest credential created by sponsor (this is working well)
  2. user login to guest ssid and redirects to guest web portal and input credential from AD goes to provisioning (this is working well)
  3. user login to guest ssid and redirects to guest web portal and input credential from specified AD group and get internet/network access without provisioning.
  For point 3, I was wondering if it may be possible and if so on how it may be accomplished? I have attached the present Authz rule for reference as well as the rule I have tried which does not seems to be working.
  Any help is appreciated!
  Thanks.

  No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

• OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue

  We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest trying to browse the internet it will be redirected to guest protal for authentication. So only corporate guest with valid password can pass the portal authentication. This is been working fine for windows machine, android, and apple devices with earlier OS version (working on OSX 10.8.5). For clients that's been upgraded to OSX 10.10.1 or IOS 8 they can no longer load the CWA redirection page.
  Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release ?
  thanks - ciscosx

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Cisco ise upgrading and licences

  I nedd to upgrade from version 1.1.2 patch 4 to 1.1.3
  the deployment is distributed so the split deployment technique needs to be used:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/upgrade_guide/upg_dis_dep.html#wp1052969
  the guide is quite hard to follow as there are some licensing informations missing that can potentially cause service downs:
  in particular my questions reguarding the guide are:
  --- OUR licence is registered to the primary PAN node only----
  1) Deregistering primary PSN "D" node : what licence it will use? the inherited (10000 endpoints) or will it lose the licence completely and lock the network authentications?
  2) When node "B" will be deregistered and will become standalone what happens to its licence ? will it be lost? and what will happen to the node "D" when added back to the node "B" ?
  3) when I will switch back node "A" (after upgrade and registration to node "B") to its previous primary PAN state it is stated that the licence needs to be reloaded in it cause it was lost when adding it to node "B".... and in the meanwhile? no node will authenticate cause the primary node is without a licence?
  TY

  Giuliano,
  De-registered node will always use it's own license, i.e. it becomes standalone box without knowledge or information of anything around it. Either the evalutaion or whichever license you have supplied it with.
  License enforcement is performed by active admin node in cluster, according to its license.
  Have a look at:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCug04405
  I don't think license needs to be reloaded, but that may be just my memory not serving me. I'll double-check that one.
  M.