Client provisioning exception for guest flow - bug?

hi all,
I encountered one problem with guest flow and client provisioning.
Could someone please confirm whether this can or can't be done?
I want to accomplish such a scenario:
- AD users have to download the full NAC agent
- AD users from a specific group, when using web authentication (as a fallback), don't need to download the web agent (so no posture at all; the default status is compliant)
- all guest users need to download the web agent
It seems that it can't be done because:
First of all, to make it work we need to enable "guest users should download the posture client"
I created the "client provisioning policy" in a way that:
If it is an AD user and it's not a guest flow (2), then the NAC agent should be applied
If it is a guest user, the web agent should be downloaded
It works, with one exception: when an AD user logs in using web authentication (guest portal), no download page is displayed (as expected), but instead of normal access there is a blank page with the following URL
https://ise-nfr.sevenetdemo.local:8443/auth/CppSetup.action
so it seems that even though there is no match in the "Client Provisioning Policy" (again, as expected), ISE still tries to redirect to the CPP portal, as the checkbox in the multi-portal configuration says so.
As a result no CoA is initiated to the switch and the switch authentication hangs on the last default policy -  CWA_POSTURE_REMEDIATION
Is it possible to do it?
regards
Przemek

Please review the below links which might be helpful:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_client_prov.pdf

Similar Messages

  • ISE 1.3 Guest API - using custom fields for guest creation?

    I am currently working with the new ISE 1.3 guest API. I have most everything working: I can create guests fine, with the basic information entered into the guest account like first name, last name, company, email, phone and so on. Now I need some more fields to enter other information for that guest, and I have created 5 extra custom fields called option1-option5 and enabled them for the "Known Guests" page on my sponsor portal. I can however not figure out how they should be addressed in the XML input sent in the API request... anyone tried this?
    Regards
    Jan

    Hi Johan,
    Sure I can lead you on the way. The stuff I am doing is part of a complete system I build and sell, which integrates with ISE to give customers the ability to create guest accounts using a number of different social media (Facebook, Google and so on), to self-provision accounts for guest access (and many other things :-)
    I mainly use PHP for this, and for simplicity you can use a curl command line executed by any scripting you prefer, or use any curl library you might have available to you.
    So, you need an ISE sponsor account that has the "API usage" flag allowed in the sponsor group it is a member of. Then you need to know a few things about the ISE setup that need to be sent with your request to ISE, to allow the creation of a guest account.
    If you need some code examples, send me a pm and we can figure something out
    API Reference :
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/api_ref_guide/api_ref_book/ise_api_ref_guest.html

  • Supplicant Client Provisioning for Windows + NAC - is it supported?

    Hello,
    I'm testing out a scenario where it would be most interesting to be able to provision a Windows laptop, from a connection to a Guest SSID, with the wireless settings it would need to access a secure SSID, where it would then be posture assessed. Like when someone brings their laptop from home to work in the company, and you want to make sure the laptop is not carrying any bad stuff, while still assisting the user with its configuration..
    As the NAC provisioning rules and the supplicant provisioning rules are done from the same page, I'm having trouble being able to differentiate the initial supplicant client provisioning (SPW) and the posture verification done after the association to the secure SSID.
    The choices that we have on the client provisioning pages seem to be too limited to do this.
    Can anyone confirm if this scenario is supported?
    Thanks for any insight
    Gustavo Novais

    Hi Tarik, I managed to do what I wanted - same client being provisioned and NAC'd in two steps, as you were suggesting.
    One limitation that I found though is that as soon as you mark a device as registered (part of RegisteredDevices endpoint group), you stop being able to distinguish an iPad from a Windows workstation, if both of them have been registered by the same user - both of them will belong to RegisteredDevices group (assuming initial registration via webguest portal), both of them will have the similar certificate (same common name) and profiling group matching will no longer work.
    Do you know if there is any workaround to it? - I can see the common case where people bring their laptop from home as well as their iPad.
    A possible way would be to register to two different devRegPortals (two different endpoint groups) depending on the initial profiling option, but I saw no option on the guest portal to be able to choose multiple devRegPortals only self provisioning flow. I guess the best possible way would be to not merge guest portal and provisioning portals and use different authZ rules depending on the initial profiling of the devices, on a separate SSID dedicated to provisioning.
    Thanks for your insight
    Gustavo Novais

  • ISE, BYOD: guest clients provisioning

    Hello!
    The question is about provisioning different types of wifi clients through the ISE Guest portal.
    ISE 1.1.4, WLC 7.4.100 (Guest WLAN uses MAB)
    Suppose, there are two groups of wireless clients:
    1) guest user, whose credentials are created through the ISE Sponsor Portal
    2) domain user, who has credentials in ActiveDirectory
    The aim is to provision domain user, and not provision guest user.
    When client connects to Guest SSID and opens the browser, he is redirected to ISE Guest portal.
    When client uses domain user, he is provisioned, and when uses guest credentials he is not provisioned
    How ISE understands, that domain user must be provisioned and guest user must not be provisioned if Web portal is configured to provision everyone?
    (Web Portal -> Settings -> Enable Self-Provisioning flow)

    The answer is that typically you either know the MAC address or you have something installed (NAC agent?) that fulfills some requirements.
    Alternative, you can perform CWA first (and...)
    Then if user is part of guest users -> allow internet only access
    If user is part of AD -> send him to do registration.
    Authorization policy allows you to use "identity group" as part of condition.
    If device registered -> allow full access. (just an idea).
    M.

  • Better provisioning in Windows client: Remember templates for the Start Screen - like the need for categorization (taxonomy) in the Start Menu

    Better provisioning in Windows client: Remember templates for the Start Screen - like the need for categorization (taxonomy) in the Start Menu ...
    Like my previous suggestion about categories alike Linux to clean up the mess in the start menu:
    Please help new users to use the Start Screen in valuable way - demonstrate the value.
    You don't sell SharePoint with a completely unordered, randomized site hierarchy - and without any templates.
    Not content - but abstract content like templates are everything when you need to learn to use ... i.e. a new product like the Start Screen. It gets you started right away. A like Word as well.
    Please bring order and form to the content. I.e. T E M P L A T E S parsing the layout of the tiles.
    Have context switching for virtualization working with the virtual desktop mode. So I only see those tiles that are in context with my actual workflow.
    Of course you would need a well-made taxonomy for apps - i.e. subclassed.

    Hello cor-el,
    Thanks for your help. The View > Zoom didn't work the first time, but I just tried it again on a couple of web pages and it works great!!
    Thanks again. Have a Great Day! You sure improved my attitude!
    You RocK!!!
    Best regards,
    Gael

  • ISE 1.2 Patch 7 possible guest CWA bug

    Just upgraded an ISE implementation to patch 7 and discovered that the patch broke the CWA guest portal on wireless. I haven't tested wired CWA but wireless is busted.
    In summary the redirection works fine but when you enter valid guest credentials nothing happens including no logs on ISE. If you enter credentials that don't exist in the guest group you get a failed authentication and the corresponding log. As soon as I rolled back to patch 6 everything worked again.
    If any TAC engineers see this feel free to pursue it - I would log a case but the kit is NFR and I can't be bothered going through the process of logging a job on NFR kit.

    Hi,
    I'm experiencing similar issues with patch 7. I am actually using a custom portal, which was working fine in patch 4 - after upgrading to patch 7 to fix a Web Posture bug, the portal would randomly push out pages from the Default Portal (I.E. Device Registration when I had no self provisioning flow enabled). Now, I am getting the error in the attachment after the user accepts the AUP.
    The standard portal is working fine, except for a bug with the "Require Users to change password at login" option. When users try to change their password at first login, the portal errors out and I get an error in the Authentication Logs. However, the password is changed successfully. This issue is apparent since installing patch 7.

  • AIR-AP1142N-A-K9 configuration issue for guest ssid

    I'm trying to get the guest SSID working.  I was frustrated, so I saved my old config and wiped out everything on this AP.  Now my BVI1 does not come online.
    ap#sh ip int bri
    Interface                  IP-Address      OK? Method Status                Protocol
    BVI1                       192.168.2.249   YES NVRAM  down                  down    
    Dot11Radio0                unassigned      YES NVRAM  up                    up      
    Dot11Radio0.50             unassigned      YES unset  up                    up      
    Dot11Radio0.51             unassigned      YES unset  up                    up      
    Dot11Radio1                unassigned      YES NVRAM  administratively down down    
    GigabitEthernet0           unassigned      YES NVRAM  up                    up      
    GigabitEthernet0.50        unassigned      YES unset  up                    up      
    GigabitEthernet0.51        unassigned      YES unset  up                    up      
    ap#
    ap#sh int bvi
    *May  6 15:05:24.611: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]1
    BVI1 is down, line protocol is down
      Hardware is BVI, address is 003a.99eb.8d00 (bia b862.1fe9.9af0)
      Internet address is 192.168.2.249/24
      MTU 1500 bytes, BW 54000 Kbit, DLY 5000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         3 packets output, 180 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    ap#
    I have a private VLAN 50 and the public VLAN 51.  The private SSID seems to work and allow connectivity to the internet, but I don't understand why, with the same configuration, the public SSID doesn't seem to work.
    I get this output when trying to connect with my cell phone.
    *May  6 15:00:37.288: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:00:38.432: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TYLOR-NB 9c4e.3617.483c Reassociated KEY_MGMT[WPAv2 PSK]
    *May  6 15:00:42.935: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:00:54.320: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   2c44.01c3.70a6 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:01:13.913: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:01:17.281: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:01:48.181: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:01:51.583: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:02:22.500: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:03:41.852: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    SSID [PUBLIC] :
    MAC Address    IP address      Device        Name            Parent         State     
    847a.8835.4f22 0.0.0.0         ccx-client    -               self           Assoc    
    ap#
    ap#show run
    Building configuration...
    Current configuration : 2746 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 $1$4jEJ$ajpjBvSx3DUhxyvLADj.91
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    dot11 syslog
    dot11 ssid PRIVATE
       vlan 50
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 01150F035E050E0A2D
    dot11 ssid PUBLIC
       vlan 51
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 045D02010A2F444B05
    username Admin privilege 15 password 7 0526071D3545175840
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 50 mode ciphers aes-ccm
     encryption vlan 51 mode ciphers aes-ccm
     encryption mode ciphers aes-ccm tkip
     ssid PRIVATE
     ssid PUBLIC
     antenna gain 0
     mbssid
     station-role root
    interface Dot11Radio0.50
     encapsulation dot1Q 50 native
     no ip route-cache
     bridge-group 50
     bridge-group 50 subscriber-loop-control
     bridge-group 50 block-unknown-source
     no bridge-group 50 source-learning
     no bridge-group 50 unicast-flooding
     bridge-group 50 spanning-disabled
    interface Dot11Radio0.51
     encapsulation dot1Q 51
     no ip route-cache
     bridge-group 51
     bridge-group 51 subscriber-loop-control
     bridge-group 51 block-unknown-source
     no bridge-group 51 source-learning
     no bridge-group 51 unicast-flooding
     bridge-group 51 spanning-disabled
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     dfs band 3 block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0.50
     encapsulation dot1Q 50 native
     no ip route-cache
     bridge-group 50
     no bridge-group 50 source-learning
     bridge-group 50 spanning-disabled
    interface GigabitEthernet0.51
     encapsulation dot1Q 51
     no ip route-cache
     bridge-group 51
     no bridge-group 51 source-learning
     bridge-group 51 spanning-disabled
    interface BVI1
     ip address 192.168.2.249 255.255.255.0
     no ip route-cache
    ip default-gateway 192.168.2.1
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    end      
    switch config:
    interface FastEthernet1/0/46
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 50
     switchport trunk allowed vlan 50,51
     switchport mode trunk

    Hi
    I know the bridge-group has to be identical to the sub-interface number and VLAN number.
    This is true for all other VLANs except for the native VLAN. For native VLAN sub-interfaces the bridge group number should always be 1. In your case, if VLAN 50 is the native VLAN (the VLAN the 192.168.2.x/24 network belongs to), then configure bridge-group 1 under those .50 sub-interfaces. Then everything should work :)
    It is ideal if you could put AP management (BVI IP) into a separate VLAN and put the two user groups in VLANs 50 & 51. Here is a sample configuration where VLAN 110 is Mgmt & VLANs 12,13 are user VLANs.
    http://mrncciew.com/2012/10/24/multiple-ssid-config-on-autonomous-ap/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Report for Cash flow (fund flow from Bank GL)

    Hi Expert,
    I would like to have your advice on how can I create this type of report?  Is it better using Fund Management?
    My client is asking for a cash flow report in which the report should show all fund (cash at bank) movement.  Basically, the report should have 2 main categories, which are Cash Inflow / Cash Outflow, for example:
    Cash Inflow
    - Payment received from customer
    - Interest received from FD at Bank
    - Other receipts
    - Government Subsidy Received
    - Government Grant
    Cash Outflow
    - Payment to vendor
    - Finance charge paid to bank (overdraft/loan, etc)
    - Operating Expenses
    - CAPEX
    - Other Payments
    For cash inflow, the double entries involving the bank GL are as follows:
    DR Bank
    CR Item listed in cash inflow section, for example: payment received from customer (or CR customer), FD interest received (Revenue item of P/L), etc
    For cash outflow, the double entries involving the bank GL are as follows:
    DR  Item listed in cash outflow section, for example: payment to vendor (or DR vendor), Payment to non-trade vendor (for asset purchase, etc), Interest paid (expense item of P/L), etc
    Questions:
    Since the debit or credit leg of my bank account currently does not have any indicator that can explicitly indicate the nature of my inflow and outflow, how can I produce the cash flow report shown above?
    Note: It is extremely heavy for a customized ABAP program to extract my bank entries and point back to the opposite leg to find the nature of my inflow/outflow as well.
    Kindly advise.
    Thanks in advance,
    sbmel

    Hi
    In ECC 6.0 EhP4 - A new feature has been added in order to provide such a kind of cash flow report... You need to activate Business Function PSM_FA_CASH..
    Refer this link http://help.sap.com/erp2005_ehp_04/helpdata/EN/42/e34f2c31023ee1e10000000a1553f6/frameset.htm...
    ... Under Business Functions in SAP ERP > Enterprise Busn Func > Accounting > Public Sector management > PSM, Cash basis accounting & Cash flow reporting
    Once you activate it, you will find additional nodes of IMG under SPRO > Public Sector management.....
    This works the same way as Doc Splitting... technically speaking, this new feature is an extended arm of Doc Splitting... In Doc Splitting, you assign item Categories to each GL Account.... Similarly, you will assign a "Revenue / Expense Account" to each GL Account.... This R/E Account can be any alphanumeric text.... This R/E account then gets added as a Doc Splitting Char and is populated in every FI Doc that you post
    I have tried this in a test client a year ago and was more or less satisfied with it barring some exceptions....
    br, Ajay M

  • ISE 1.2 device registration with MAB only, no client provisioning

    Hello,
    Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
    I do not want to push certificates or native supplicant profiles to client devices.
    I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
    Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
    Right now, I am stuck on the registration portal that says "The system adminstrator has either nog configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
    Am I really obliged to use native supplicant provisioning to register my device?
    GN

    Hi
    Device Registration web auth is a process where you can configure user without client provisioning.
    In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
    1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with a AUP acceptance page when the guest user attempts to go to any URL.
    2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
    3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
    4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
    5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
    6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.
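The six-step Device Registration WebAuth sequence above can be modelled as the decisions ISE makes on each MAB request and on AUP acceptance. The following is an added example written for this thread, not ISE code: the class and attribute names (EndpointStore, aup_accepted, REGISTERED_GROUP) are my own assumptions, and the constructed MAC addresses are sample values.

```python
"""Model of the Device Registration WebAuth flow (ISE 1.2) described above:
an initial MAB request is authorised from the endpoint identity store and
the AUP-accepted attribute, AUP acceptance registers or updates the endpoint
and triggers a CoA, and the re-authentication after the CoA returns the
access configured for the endpoint's identity group.  Names are assumed."""
from dataclasses import dataclass, field

# Endpoint identity group selected on the Multi-Portal Configurations page (assumed name).
REGISTERED_GROUP = "RegisteredDevices"
# Access returned per identity group on re-authentication (assumed mapping).
GROUP_ACCESS = {REGISTERED_GROUP: "PermitAccess"}


@dataclass
class Endpoint:
    mac: str
    aup_accepted: bool = False
    identity_group: str = "Unknown"


@dataclass
class IseNode:
    endpoints: dict[str, Endpoint] = field(default_factory=dict)
    coa_sent: list[str] = field(default_factory=list)  # MACs a CoA terminate was sent for

    def authorize_mab(self, mac: str) -> dict:
        """Steps 1 and 6: answer a MAB request from the NAD/WLC.
        Unknown endpoint, or known but AUP not accepted -> URL redirection profile;
        otherwise return the access configured for its identity group."""
        ep = self.endpoints.get(mac.lower())
        if ep is None or not ep.aup_accepted:
            return {"result": "Access-Accept", "redirect": "DeviceRegistrationWebAuth"}
        return {"result": "Access-Accept", "profile": GROUP_ACCESS.get(ep.identity_group, "Default")}

    def accept_aup(self, mac: str, accepted: bool) -> str:
        """Steps 2 to 5: register a new endpoint or update an existing one,
        set AUP accepted, assign the identity group, then send CoA terminate."""
        if not accepted:
            return "error-page"                       # step 4
        key = mac.lower()
        ep = self.endpoints.get(key)
        if ep is None:
            ep = Endpoint(mac=key)                    # step 2: new endpoint
            self.endpoints[key] = ep
        ep.aup_accepted = True                        # steps 2 and 3
        ep.identity_group = REGISTERED_GROUP
        self.coa_sent.append(key)                     # step 5: CoA termination
        return "success-page"


def device_registration_flow(node: IseNode, mac: str, user_accepts: bool) -> list:
    """Run the whole exchange and return the sequence of outcomes as seen by the NAD/WLC."""
    events = [node.authorize_mab(mac)]                # initial MAB request
    if "redirect" in events[0]:
        page = node.accept_aup(mac, user_accepts)
        events.append(page)
        if page == "success-page":
            events.append(node.authorize_mab(mac))    # step 6: re-auth after CoA
    return events


if __name__ == "__main__":
    ise = IseNode()
    for ev in device_registration_flow(ise, "00:11:22:33:44:55", user_accepts=True):
        print(ev)
```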

  • WLC to ISE authentication for Guest

    Hi Experts,
    Hope if you could guide me with our setup for Guest users. Below is what we are doing
    a)     Guest connects to SSID
    b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
    c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
    The guest connects to the SSID and does get the WLC portal for authentication; when the username and password are entered, on Cisco ISE I see the error message
    'User Identity not found in any of Identity Store', though it is going through the correct store and the guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4; please let me know if I am missing anything here.
    Appreciate your help

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • Client provisioning not working on ISE after 1.2 Migration

    Working on an initial piloted rollout of ISE with a customer. We initially had a single server set up as a pilot using 1.1.1.4 to pilot things like client supplicant provisioning, and then stood up a new VM as a secondary and upgraded that to 1.2. Today we tested client provisioning, which worked fine before, and it is failing for iOS (we haven't gotten to the other OSes yet). What occurs is the user authenticates using PEAP and the client gets the request to install the root certificate. After the client accepts the root certificate the connection drops. When you click the SSID to start the process again we see the redirect to the My Devices portal, but before you can click to register the client it is redirected to accept the root certificate again, creating an endless loop. Has anyone else run into this bug?

    Please update the patch using the below details and try it.
    To upload offline client provisioning resources, complete the following steps:
    Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.
    Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
    Choose from the following Off-Line Installation Packages available for download:
    • win_spw--isebundle.zip — Off-Line SPW Installation Package for Windows
    • mac-spw-.zip — Off-Line SPW Installation Package for Mac OS X
    • compliancemodule--isebundle.zip — Off-Line Compliance Module Installation Package
    • macagent--isebundle.zip — Off-Line Mac Agent Installation Package
    • nacagent--isebundle.zip — Off-Line NAC Agent Installation Package
    • webagent--isebundle.zip — Off-Line Web Agent Installation Package
    Step 3 Click Download or Add to Cart.

  • Cisco ISE 802.1X Client Provisioning

    Hi,
    I have a requirement for ISE client provisioning for both Windows and mac. I have the following setup:
    1. 2 SSIDs, Guest and Employee
    2. Guest is open access
    3. Employee is 802.1x eap-peap (username/password)
    I was wondering if client local administrator privilege is required for 802.1X provisioning for Windows clients? I believe it is required for Mac OS, however I'm not too sure if it may be required for Windows?
    Example: Employee A connects to the Guest SSID and is redirected to the guest web portal. Upon login, they will be presented with the device registration portal. Upon being presented by ISE with the supplicant wizard, will they be asked for local administrator/domain admin privileges to install the supplicant wizard package/provisioning agent successfully?
    Any suggestion is appreciated.
    Thanks.

    Hi,
    Appreciate for the feedback.
    Thanks

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I set up a guest WLAN in our LAB environment. I have one internal WLC connected to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal, which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
    Thx
    Frank

    So i ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use MAC Filtering with ISE as the RADIUS server.  If you send the RADIUS authentication for MAC Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.)
    So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the foreign controller, so that the client will use a DNS name of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign controller which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • Oracle.as.provisioning.exception: The system cannot find the path specified

    Installing 11g middleware on Win2003 server. During Application Configuration portion the install fails in the Deploying Enterprise Manager step. Error log shows 'oracle.as.provisioning.exception.ASProvWorkflowException: The system cannot find the path specified'. I've pointed the environment variables to a temp directory that does not have spaces in the name (c:\TEMP) and placed the installation files in directories that do not have spaces. I can't tell what directory it can not find. Any ideas?
    Adding Templates.
    DEBUG : Checking if Templates are Already Applied.
    DEBUG : Checking Template : C:/bea/oracle_common/common/templates/applications/oracle.em_11_1_1_0_0_template.jar
    DEBUG : domain-info.xml location : C:/bea/user_projects/domains/ClassicDomain/init-info/domain-info.xml
    DEBUG : Reading Template to be applied : C:/bea/oracle_common/common/templates/applications/oracle.em_11_1_1_0_0_template.jar
    DEBUG : Name of the template : Oracle Enterprise Manager
    DEBUG : Version of the template : 11.1.1.0
    DEBUG : Reading domain-info.xml. Checking templates already applied.
    C:/bea/oracle_common/common/templates/applications/oracle.em_11_1_1_0_0_template.jar
    oracle.as.provisioning.exception.ASProvWorkflowException: The system cannot find the path specified.
    The system cannot find the path specified.
         at oracle.as.provisioning.weblogic.ASDomain._addTemplate(ASDomain.java:4176)
         at oracle.as.provisioning.weblogic.ASDomain.addTemplate(ASDomain.java:3973)
         at oracle.as.provisioning.engine.WorkFlowExecutor._addTemplates(WorkFlowExecutor.java:1398)
         at oracle.as.provisioning.engine.WorkFlowExecutor.executeWLSWorkFlow(WorkFlowExecutor.java:475)
         at oracle.as.provisioning.engine.Config.executeConfigWorkflow_WLS(Config.java:866)
         at oracle.as.install.classic.ca.standard.StandardWorkFlowExecutor.execute(StandardWorkFlowExecutor.java:65)
         at oracle.as.install.classic.ca.standard.AbstractProvisioningTask.execute(AbstractProvisioningTask.java:26)
         at oracle.as.install.classic.ca.standard.StandardProvisionTaskList.execute(StandardProvisionTaskList.java:61)
         at oracle.as.install.classic.ca.ClassicConfigMain.doExecute(ClassicConfigMain.java:124)
         at oracle.as.install.engine.modules.configuration.client.ConfigAction.execute(ConfigAction.java:335)
         at oracle.as.install.engine.modules.configuration.action.TaskPerformer.run(TaskPerformer.java:87)
         at oracle.as.install.engine.modules.configuration.action.TaskPerformer.startConfigAction(TaskPerformer.java:104)
         at oracle.as.install.engine.modules.configuration.action.ActionRequest.perform(ActionRequest.java:15)
         at oracle.as.install.engine.modules.configuration.action.RequestQueue.perform(RequestQueue.java:63)
         at oracle.as.install.engine.modules.configuration.standard.StandardConfigActionManager.start(StandardConfigActionManager.java:158)
         at oracle.as.install.engine.modules.configuration.boot.ConfigurationExtension.kickstart(ConfigurationExtension.java:81)
         at oracle.as.install.engine.modules.configuration.ConfigurationModule.run(ConfigurationModule.java:83)
         at java.lang.Thread.run(Thread.java:619)
    oracle.as.provisioning.exception.ASProvisioningException
         at oracle.as.provisioning.engine.Config.executeConfigWorkflow_WLS(Config.java:872)
         at oracle.as.install.classic.ca.standard.StandardWorkFlowExecutor.execute(StandardWorkFlowExecutor.java:65)
         at oracle.as.install.classic.ca.standard.AbstractProvisioningTask.execute(AbstractProvisioningTask.java:26)
         at oracle.as.install.classic.ca.standard.StandardProvisionTaskList.execute(StandardProvisionTaskList.java:61)
         at oracle.as.install.classic.ca.ClassicConfigMain.doExecute(ClassicConfigMain.java:124)
         at oracle.as.install.engine.modules.configuration.client.ConfigAction.execute(ConfigAction.java:335)
         at oracle.as.install.engine.modules.configuration.action.TaskPerformer.run(TaskPerformer.java:87)
         at oracle.as.install.engine.modules.configuration.action.TaskPerformer.startConfigAction(TaskPerformer.java:104)
         at oracle.as.install.engine.modules.configuration.action.ActionRequest.perform(ActionRequest.java:15)
         at oracle.as.install.engine.modules.configuration.action.RequestQueue.perform(RequestQueue.java:63)
         at oracle.as.install.engine.modules.configuration.standard.StandardConfigActionManager.start(StandardConfigActionManager.java:158)
         at oracle.as.install.engine.modules.configuration.boot.ConfigurationExtension.kickstart(ConfigurationExtension.java:81)
         at oracle.as.install.engine.modules.configuration.ConfigurationModule.run(ConfigurationModule.java:83)
         at java.lang.Thread.run(Thread.java:619)
    Caused by: oracle.as.provisioning.exception.ASProvWorkflowException: The system cannot find the path specified.
    The system cannot find the path specified.
         at oracle.as.provisioning.weblogic.ASDomain._addTemplate(ASDomain.java:4176)
         at oracle.as.provisioning.weblogic.ASDomain.addTemplate(ASDomain.java:3973)
         at oracle.as.provisioning.engine.WorkFlowExecutor._addTemplates(WorkFlowExecutor.java:1398)
         at oracle.as.provisioning.engine.WorkFlowExecutor.executeWLSWorkFlow(WorkFlowExecutor.java:475)
         at oracle.as.provisioning.engine.Config.executeConfigWorkflow_WLS(Config.java:866)
         ... 13 more
    progress in calculate progress3
    progress in calculate progress3

    I uninstalled everything and started over and eliminated Enterprise Manager from the list. Now it cancels at the Application Configuration step in Applying Oracle JRF Template with the same error. Cannot find path specified.
    Does anyone have any idea what path it could be looking for? I can't tell where else to look.
    Extending Domainwith JRF
    oracle.as.provisioning.exception.ASProvisioningException
         at oracle.as.provisioning.engine.Config.executeConfigWorkflow_WLS(Config.java:872)
         at oracle.as.install.classic.ca.standard.StandardWorkFlowExecutor.execute(StandardWorkFlowExecutor.java:65)
         at oracle.as.install.classic.ca.standard.AbstractProvisioningTask.execute(AbstractProvisioningTask.java:26)
         at oracle.as.install.classic.ca.standard.JRFApplicationTask.execute(JRFApplicationTask.java:78)
         at oracle.as.install.classic.ca.standard.StandardProvisionTaskList.execute(StandardProvisionTaskList.java:61)
         at oracle.as.install.classic.ca.ClassicConfigMain.doExecute(ClassicConfigMain.java:124)
         at oracle.as.install.engine.modules.configuration.client.ConfigAction.execute(ConfigAction.java:335)
         at oracle.as.install.engine.modules.configuration.action.TaskPerformer.run(TaskPerformer.java:87)
         at oracle.as.install.engine.modules.configuration.action.TaskPerformer.startConfigAction(TaskPerformer.java:104)
         at oracle.as.install.engine.modules.configuration.action.ActionRequest.perform(ActionRequest.java:15)
         at oracle.as.install.engine.modules.configuration.action.RequestQueue.perform(RequestQueue.java:63)
         at oracle.as.install.engine.modules.configuration.standard.StandardConfigActionManager.start(StandardConfigActionManager.java:158)
         at oracle.as.install.engine.modules.configuration.boot.ConfigurationExtension.kickstart(ConfigurationExtension.java:81)
         at oracle.as.install.engine.modules.configuration.ConfigurationModule.run(ConfigurationModule.java:83)
         at java.lang.Thread.run(Thread.java:619)
    Caused by: oracle.as.provisioning.exception.ASProvWorkflowException: The system cannot find the path specified.
    The system cannot find the path specified.
         at oracle.as.provisioning.weblogic.ASDomain._extendDomainWithJRFTemplate(ASDomain.java:3955)
         at oracle.as.provisioning.weblogic.ASDomain.extendDomainWithJRFTemplate(ASDomain.java:3762)
         at oracle.as.provisioning.engine.WorkFlowExecutor._extendDomainWithJRF(WorkFlowExecutor.java:1413)
         at oracle.as.provisioning.engine.WorkFlowExecutor.executeWLSWorkFlow(WorkFlowExecutor.java:437)
         at oracle.as.provisioning.engine.Config.executeConfigWorkflow_WLS(Config.java:866)
         ... 14 more
    progress in calculate progress4
    progress in calculate progress4

  • Printing Solutions for Guest Wireless

    So this is something that has been bouncing around the forums for a year or two now.  I have failed to come up with a "best-of-breed" approach that meets the strict security requirements of a government department.
    The scenario is this - the wireless platform is based around centralised WiSM controllers in a datacentre and an anchor controller (for guest wireless) in a DMZ; we have WCS to manage the components including the Lightweight Access Points (mainly Cisco 1142N's), with a Cisco NGS to act as both hotspot and as the client credentials RADIUS authority. It works great except for printing, which simply isn't currently an option.
    The solution services a wide number of geographic locations - all members of the one guest SSID and mobility group.  Since clients that connect to this are effectively DMZ'd and only able to connect to the internet, I am struggling to find a practical way to provide printing specific to each geographic site without going for a cloud service such as "Dropbox" or "PrinterOn".
    Has anyone out there in the Community come up with any innovative approaches to this conundrum?  If so, please join the conversation.

    Hi, I've encountered the same issue. Did you find a solution?
