Cisco ISE web auth Splash page
Was wondering if the splash page offered by Cisco ISE can be customized, or if it's necessary to redirect to an External server?
Currently using a downloaded web auth pass-through splash page setup for guest access on a 5508 WLC, but have been asked to move this feature off the WLC and onto the ISE and then customize the page with company logo's and a couple graphics.
Is this possible?
Thanks in advance...
Yes, but you will definitely need ISE 1.3. When creating the guest portal in ISE you would select the "Hotspot Guest Portal" option. This allows guest users to just agree to an AUP (Acceptable Use Policy) and then get Wi-Fi access.
And yes, you can also perform posture assessment:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/118741-configure-ise-00.html#anc9
Thank you for rating helpful posts!
Similar Messages
-
I've seen it menitoned in a few places that there are sample web auth splash pages located on the WLC that can be uploaded and modified. I've also hear that there are some sample pages on Cisco's website, but I am unable to find them in either location. How do I access these sample pages?
Jason,
The sample web-auth bundle is located in the same location as the download for the controller code.
http://www.cisco.com/cisco/software/type.html?mdfid=282600534&flowid=7012
there is a link there for the Webauth bundle
HTH,
Steve
Please remember to rate helpful posts or to mark the question as answered so that it can be found later. -
WLC 5508 Web Auth Splash Page: Is it possible to place a download?
Hi,
I know it is possible to create custom web auth splash pages on the WLC 5508. Is it also possible to embedd a small document (less than 1MB) that users can download directly from the controller? I need this for providing the terms of use for the Guest WLAN.
Thanks
MichaelIt could be done, but you will want to stay within the limits of the WebAuth bundle size (~ <10MB I believe). This shouldn't be a problem considering a .doc size, but I have to ask the same question. Why would you want to do this as opposed to just putting your terms of use inline to the page as just text/html? Maybe there is a good reason, but I can't really think of any scenario. Feel free to elaborate.
-
Hi All,
I've got a very basic web authentication page working but need to include a CHECK BOX to verify a user has read the T&C's. Got the checkbox to display but need the script code to disable (when not checked) either username/password input or the submit button. Any of you bright guy's managed to do this or anything similar.
Web splash attached.
Thank for any replies,
JayGuy's sorted it
if(!document.getElementById('agree').checked){
alert('Please agree to the terms and conditions.');
return false;
}else{
var link = document.location.href;
var searchString = "redirect=";
var equalIndex = link.indexOf(searchString);
var redirectUrl = ""; if(!document.getElementById('agree').checked){
alert('Please agree to the terms and conditions.');
return false;
}else{
var link = document.location.href;
var searchString = "redirect=";
var equalIndex = link.indexOf(searchString);
var redirectUrl = "";
Thanks anyway! -
Hi,
Can anyone help me in resetting the Cisco ISE web interface password. I'm able to login to CLI of ISE but couldnt use the same credentials to login to web interface. Is there any way to reset this web interface password through ISE CLI?
Thanks
DanielDaniel,
Just ran across your question, the answer is you can have login credentials for the cli but that is seperate from the gui. The way I understand it is once you get to the gui for the first time user is admin and password is cisco. At this point you are required to put in a new password. Once in the gui other users can be created for the gui.
Erik -
ISE web auth for non-cisco switch(D-link 3528)
Is it possible to use ISE(inline posture node) to redirect the wired users to ISE guest portal ?
And the wired users will get full network access after they pass the web auth.you can use ISE ln-line posture node with 3rd part switches
RADIUS access device must supply the following RADIUS attributes:
Calling-Station-Id (for MAC_ADDRESS)
User-Name
NAS-Port-Type
RADIUS accounting message must have the Framed-IP-Address attribute
VLAN, DACL features can be used but again it depends on switch models let us know specific switch models . Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, -
Web-Auth Admin Page not loading
I have a WLC 2504 Controller which is set up for guest wireless using the Web-Auth feature / Lobby Ambassador.
When I web browse to the Controller and enter my credentials no page is displayed.
The log file displays the following error:
#CLI-3-LOGIN_FAILED: cliutil.c:632 Login failed. User:lobby-admin, Service type:11. unknown service type.
However when I run a debug aaa events I see the following event that the user passed authentication.
*emWeb: Mar 17 18:54:53.120: Authentication succeeded for lobby-admin
The wireless controller version 7.6.130.0
There is genuinely nothing fancy about the set up and done these loads of times.
I have tried this with Google Chrome, IE and Firefox using both HTTPS and HTTP and it's still exactly the same problem.
Regards
GregWhich authentication protocol do you want use and does the request from the WLC hit the correct policy on the authentication server?
If you want to use radius as the authentication protocol you need to return the radius "Service-Type" attribute with value "Callback Administrative" for a lobby admin user. If you go with tacacs you need to use role based authentication. For example "role1=ALL" gives the user access to all the tabs in the GUI. -
Cannot connect to web auth login page
Controller is vWLC 7.4, AP is 2600. Browser gets successfully redirected to 1.1.1.1, so DNS appears to work. However 1.1.1.1 does not respond. Wireshark in the client shows SYN frames but no response. I tried various debugs but nothing is shown on the WLC when the client attempts to reach the login page. 1.1.1.1 is not used in the local network and ends up at the default route. WLAN operates in central mode.
The browser works when web auth is disabled, but when enabled in either "authentication" or "passthrough" mode any attempts gets redirected to 1.1.1.1 and times out at that point. Telnet to 1.1.1.1:443 failed also.
Same on two different clients using different OS versions.I've tested it in two very different production VLANs having different DHCP servers. Any client connected to those VLANs, whether by Wifi or Ethernet, gets an IP address and can work normally. The Wifi client also works fine when L3 web policy is disabled. A client connected via AP successfully gets an IP address in any case. DNS resolution has been verified and the redirection to 1.1.1.1 also works. It's just the connection to 1.1.1.1 which fails, everything else up to this point appears to work.
BTW: Is there a way to test the availability of the authentication web server on the WLC, locally? I can ping 1.1.1.1 successfully, but this only verifies the interface, not the web server. Normally I'd try a telnet to 1.1.1.1:443, but did not find anything similar on the WLC. -
How do I skip the Device Registration Portal for Cisco ISE web portal
I have set up a sponsor and guest portal system for wireless guest access to the internet using ISE v1.2.0.899 virtual and WLC 5500 runninng 7.4. After logging into the intial page, the guest user is directed to the Device Registration Portal. Entering a MAC address value puts the user in a continuous failing loop. But, if they just hit the "continue" button at the bottom of the page, they will be directed onward and have internet access as was intended. I have no requirement for guest users to register their devices. What do I need to do to remove the device registration portal from the log on sequence for guest user access? Thanks!
Hello Scoot,
you make a list of the MAC add of coperate devices. and set a rule if authentication doesn't happen only these devices can do the self registration.
I hope this works for you -
ISE, WLC: web auth, blocking user account
Hello!
We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
On WLC there is SSID(WLAN) with MAC filtering without L2 security. For authentication user is redirected to the ISE Guest Portal.
Credentials are created at the ISE sponsor portal.
We create user account in ISE sponsor portal with one hour lease.
In 10 minutes we delete (or block) user credentials.
In spite of it the user is still able to work. Even if we manually disconnect client and reconnect it again, client opens the browser and there is no redirection to the ISE web auth page.
This happens because WLC thinks, that client is still associated.
There are session and idle timeout timers in WLC WLAN, but they can't solve the problem of automatic client session removing.
From my point of you, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible .
In practice, ISE doesn't tell wlc or user, that client sesssion is blocked.
How the user account blocking process can be automated without manually deleting the client session from WLC client database?It seems that there is some bug about CoA when deleting Guest accounts
CSCuc82135
Guests need to be removed from the network on Suspend/Delete/Expiration
When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exists.
Workaround Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
from BUG Toolkit there is Release-Pending in "Fixed-in" option. -
Hi, All can anybody let me know how can I customize the WEB-AUTH login page. If I want to put some image & background how can I do that ? do we need anything special software ..how can I download & upload page from Controller...how can I edit the Page...please help me to do this....
I appreciate your response.Hi,
I would suggest that when you test the default web auth page as a user on the "guest" network (or even use the preview page but the code may be slightly different, you should be able to view the source code from within your browser (e.g. within Firefox use Ctrl-U). You can then use this as a basis for creating your own page.
In terms of HTML tools there are many available, but I use MS-Word 2003 and when necessary the script editor within MS-Word 2003. Once you are happy with your page save in the appropriate format. You can create a page as you want to see it and then convert it to HTML, and then remembering to embed the required "username" and "password" fields and the submit button.
HTH -
Web-auth page alterations and tweaking on WLC 4404
Hi,
As I mentioned in a previous post I'm running two guest WLANs through a C4404. One of them requires a Lobby Admin to generate a user for a 'less restricted' network and the other requires entry of some personal details into the capture screen before you get onto the filtered, web and secureweb only network.
I've got the registration one working fine and managed to create a login page tailored to suit.
What I'm having trouble with is altering the web-auth passthrough page. Currently it just asks for an email address (not verified) and then allows access to the network. I really want to capture an email, name and other details but it doesn't seem like I can easily upload another page to replace the default as the login.html file is being used for the other WLAN.
Has anyone else done a similar thing or managed to use a page called something other than login.html. My web skills are fairly weak, but I can work my way through most pages and make minor alterations.
Any info would be great...even better would be some page examples.
ThanksIt seems that every time you wish to use a customised page (either for webauth or passthrough) you need to name it login.html.
The email passthrough uses the WLC default page, but just includes an email field rather than the user/pass that's configured by a lobbyadmin.
So, without using any external server, do you think it's possible to have a customised webauth login page and a customised passthrough w/ email page AT THE SAME TIME?
As a side note, has anyone got the downloadable logo to fit in to the default page without problems. I can't seem to get the image size right and end up with blue borders around my customised logo?
Any help would be greatly appreciated.
Thanks -
PALM with WLC 4400 (Web Auth Portal)
We cannot get the Web Portal splash page to display on wireless Palm units....the site simply hangs. Is there any fixes out there for this problem. Thanks for all replies!!
Has anyone else seen this Palm/WebAuth issue or found a fix? I am seeing this on our Palm devices too. Running 4.x code with internal guest auth, laptops work just fine with the https://1.1.1.1 redirect, but the Palm just hangs. Could it be the certificate is not valid and the Palm has no way to prompt for that message like a laptop. Any ideas?
-
HiGuys We are facing issue in authenticating guest user via web authentication on WiSM.We have WiSM with 270 APs. We have guest ssid with web-auth enabled.we are running 4.2.061 code. It was working fine till last week, now suddenly it keeps getting off. Users are not getting web-auth login page. We had to disable the web-auth & reenable it then it again starts working. I dont know wht to do in this case. didnt find any log..whts going on in background.
need help to resolve it.
Thanks
NKI had the same basic issue and after reseaching found caveat CSCsk54969 which is a pretty close match. This caveat has been fixed in release 4.2.130. I have just upgraded to this release over the week end so to soon to tell yet.... fingers crossed...
-
Dears
I am trying to configure the posture for the ISE but the result is always " Posture status : pending " and the agent can access all network resources without any problem .
please helpPlease review the below steps:
Step 1 Choose Administration > System > Deployment > Deployment.
The Deployment navigation menu appears. Use the Table view or the List view button to display the
nodes in your deployment.
Step 2 Click the Table view.
Step 3 Click the quick picker (right arrow) icon to view the nodes that are registered in your deployment.
The Table view displays all the nodes that are registered in a row format in the Deployment Nodes page.
The Deployment Nodes page displays the Cisco ISE nodes that you have registered along with their
names, personas, roles, and the replication status for the secondary nodes in your deployment.
Step 4 Choose a Cisco ISE node from the Deployment Nodes page.
Note If you have more than one node that is registered in a distributed deployment, all the nodes that
you have registered appear in the Deployment Nodes page, apart from the primary node. You
have the option to configure each node as a Cisco Cisco ISE node (Administration, Policy
Service, and Monitoring personas) or an Inline Posture node.
Step 5 Click Edit.
The Edit Node page appears. This page contains the General settings tab that is used to configure the
Cisco ISE deployment. This page also features the Profiling Configuration tab, which is used to
configure the probes on each node.
Note If you have the Policy Service persona disabled, or if enabled but the Enable Profiler services
option is not selected, then the Cisco ISE administrator user interface does not display the
Profiling Configuration tab. If you have the Policy Service persona disabled on any Cisco ISE
node, Cisco ISE displays only the General settings tab. It does not display the Profiling
Configuration tab that prevents you from configuring the probes on the node.
Step 6 On the General settings tab, check the Policy Service check box, if it is already active.
If the Policy Service check box is unchecked, both the session services and the Profiler service check
boxes are disabled.
Step 7 For the Policy Service persona to run the Network Access, Posture, Guest, and Client Provisioning
session services, check the Enable Session Services check box, if it is not already active. To stop the
session services, uncheck the Enable Session Services check box.
The posture service only runs on Cisco Cisco ISE nodes that assume the Policy Service persona
and does not run on Cisco Cisco ISE nodes that assume the administration and monitoring
personas in a distributed deployment.
Step 8 Click Save to save the node configuration.
Maybe you are looking for
-
Nokia N8 permanent internet connection
I have a problem with the 3G internet connection on my Nokia N8. Once it is connected via 3G, this connection stays active forever. If I try to close the connection in Connection manager it starts again within a couple of seconds. The widgets is set
-
The new FF 22 dpi scaling breaks Flash programs (at least the ones that have "noScale" set in Flash). The problem is that I have this in the HTML (generated by swfobject.js): <object data="main.swf" name="flashContent" id="flashContent" type="applica
-
The SD version of my tv download didnt sync & I have an iPod. I can play it in iTunes but it won't sync with my iPod. I've never had this problem before, the other tv episodes have worked/downloaded both versions fine. How do I fix this?
-
Screen problems after Mountain Lion Update
I am getting the Kernal Panic after waking from sleep mode. Also, I am getting this strange screen after logging in and right before the screen comes up (see attached image). Any thoughts or help would be appreciated. Thanks, Chris
-
Some time ago I compiled and worked. Now I can't find packages and I don't know why it can't compile. Any suggestions? [k4misiek@arch qnapi]$ LANG=C makepkg ==> Making package: qnapi 0.1.6_rc2-1 (Sat Aug 6 11:07:06 CEST 2011) ==> Checking runtime dep