ISE 1.1.1.268 - Red X after attempting to log in to guest portal for self-provisioning flow

Hi All,
We get a lone red X on certain andrid devices after they click login on the guest portal.  No message or anything.  Anyone seen this before?  I've been able to get around this in the past by just closing the browser completely and turning off wireless and starting over, but it sounds like this user has tried these things and it keeps happening.  It would be good to at least know what the error is.  Image below.
Thanks,
Wil

After biting the bullet and ordering more RAM, my computer now is working a ton better. So that must have been the main issue. With 8 GB RAM, I can now even run Parallels fluidly (better than my work PC!) where before simple things like logging in to my MBP after reboot could take forever.
The place I went to had several other people getting RAM upgrades at the same time as me, so between this and other comments I've seen in discussions here and elsewhere on the Internets, I take it to mean that either Apple should bump up the base RAM on its new machines, and/or stop charging so much for additional RAM.
I refused to believe a Pro machine bought with Lion installed would come with too little RAM for light to medium usage, but it was apparently the case. I'll mark this as a correct answer and hope some other poor soul will come across this thread and be helped by it.

Similar Messages

  • How to use ISE Guest Portal for AD users

    Hi there,
    As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
    Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
    Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
    Am I missing something??
    I am running WLC 5760 with ISE 1.2
    Thanks in advance..

    Hi,
    Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
    In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Adobe Flash plug in still crashing after attempting both solutions posted here. Works for a day then crashes again.

    My Adobe Flash plug in is still crashing. I first attempted the Update Flash. It worked for a day before it started crashing again. So I went back to the page and attempted the 2nd solution of downgrading flash to 10.3. Again it worked for a day or two but now is giving me the same issue. I am getting extremely frustrated.

    Thank you. I uninstalled both and reinstalled 11.5. It is working currently. Hopefully it will continue!

  • ISE 1.2 WEBAUTH (CWA) + SELF PROVISIONING (NSP)

    I'm trying to achieve the following for our employees, contractors and guest.
    Guests and Contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.
    contractors (ldap contractor group) -> webauth -> internet
    guest (internal ise db via sponsorportal) - webauth -> internet
    Employees should be allowed to register their devices after successful auth on the ISE portal login page and they should be allowed to access the internet once their device is registered. So they don't have to re-enter the credentials every 2 hours. 
    employee (ldap employee group) -> webauth -> nsp -> internet
    In ISE i've created a custom portal with mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning Policy configured and I've set the Native Supplicant Provisioning Policy Unavailable: to Allow network acces. 
    I'm currently experiencing problems with clients and they describe their problem as portal loop. when they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment i'm working remote and not able to replicate the problem myself. Any advice would be welcome and much appreciated. 
    Is there any available documention about the builtin attributes in ISE. I'm especially interested in network use EQUALS guest flow.

    Hi Patrick,
    I'm facing similar problem as yours , but on wired . My contractor (I name it vendor) is redirect to guest portal , and when they login they were redirected to the portal again.
    for the devices registration , I have set  the Native Supplicant Provisioning Policy Unavailable: to Allow network acces. 
    my authorization rules as follows :
    1- rules name : Vendor-wired  :  identity : registerddevices AND identitygroup: VENDOR  authorization profile: VENDOR-ACCESS
    2-  rules name : WIRED-CWA  :  identity : any  condition: device-type:SWITCH  authorization profile: CWA-PORTAL
    It looks like , when vendor is login , they are not hitting the first rule , although the device shows up in the registered devices , and the vendor account is in VENDOR identity group (local in ISE) , so they come back again to rules 2 , which redirect them to the CWA-PORTAL again .
    did you find any hint for this problem ?

  • ISE 1.2 customizing guest portal

    I am having some issues trying to customize colours on the default guest portal in ISE 1.2.
    Is there really no way to change the entire page background colour, except going through creating a complete set of html files ?
    It seems if i upload a transparent background image for both the banner and the logo, and then change the all the gackground coulour settings, the colour only affects the area where the cisco splash logo is, and not the entire page.
    I attached my settings, and how the page looks with those, what i am after is the entire page black, and then white text.

    Hello Jan
    You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal.
    These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead.
    Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.
    Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals.
    Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal.
    Step 4 Click Save.

  • ISE 1.2 - MAB Guest and MAB Supplicant Provisioning

    In short trying to provide a configuration whereby a Guest utilises MAB and a set of sponsor created credentials to gain access to Internet via the portal. In addition to this I am also trying to provide MAB for "Corporate BYOD" utilising AD credentials resulting in supplicant provisioning. I am aware of other ways of doing this in terms of utilising PEAP and a NSP redirect but in this instancemy only real option is MAB. Could anyone provide me with an example of how they have approached this situation.
    I tried to to do CWA redirect for both use cases but provided a separate "2nd auth" for each of them. My BYOD 2nd auth was the actual NSP redirect - which worked except the MAC address could not be populated into the field (See flow below for BYOD redirect).
    MAB > CWA Redirect (AD credentials) > "2nd Auth"  = NSP Redirect

    Please disregard I have it fixed. Long story short I was over engineering it. I was unaware that ISE was able to differentiate between Guest users and other users with regards to the "Enable Self Provisioning flow".
    Thanks

  • ISE 1.1.3 Guest portal (Web redirection) what worked for me !!!

    Hello,
    this document lead to multiple failure !!!!
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    This guy really helps !!!
    https://www.youtube.com/watch?v=TW2ZJVIZ8bs
    See attached screen captures.
    ISE documentation, even published by TAC is not reliable.
    Bring back the Cisco we liked so much 15 years ago !!!!!

    Hello Jan
    You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal.
    These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead.
    Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.
    Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals.
    Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal.
    Step 4 Click Save.

  • Cisco ISE 1.1 Guest Portal Services

    Do you have to have separate ISE appliances or VM clusters to have have 2 separate "Guest Portal" services?
    I have two sites that have their own equipment (Arizona / Illinois):
    - Cisco ISE Server
    - Cisco Wireless LAN Controller
    - Cisco Wireless Anchor Controller
    - Cisco ASA
    My understanding is that I'd need to have the ISE boxes running in "STAND ALONE" mode in order to have two separate "Guest Networks / Portal".
    Thanks in advance!!!

    Hi,
    Each Cisco ISE policy services node can run a guest portal also if they run in one deployment.
    Depending on the way you mean "separate", your requirement can be met in one deployment or in two stand alone deployments.
    Depending on your approach you need four Cisco ISE machines to build the in "one deployment" option.
    2 Admin/Monitoring Nodes (Admin is Active/Standby, Monitoring is Active/Active) and two Policy Services Nodes (RADIUS Servers).  Both Policy Services Nodes can run the guestportal. The configuration of the WLC determines which Policy Services Node is being used. ISE use RADIUS URL redirect is used to redirect to it's own guest portal.
    Hope that helps.

  • ISE 1.1.1.268 server not running

    Hi Folks,
    I have a old ISE appliance 3315, ISE application server is not running even after restart of ISE. ISE ver is 1.1.1.268 
    Not able to access this appliance through web also.
    Can anyone advise if I can upgarde this ISE directly to 1.2 through bootable DVD? Or do I need to upgrade this with latest patch?

    you can upgrade to Cisco ISE, Release 1.2, from any of the following releases:
        Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)
        Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)
        Cisco ISE, Release 1.1.2, with the latest patch applied
        Cisco ISE, Release 1.1.3, with the latest patch applied
        Cisco ISE, Release 1.1.4, with the latest patch applied
    Upgrade Roadmap
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/upgrade_guide/b_ise_upgrade_guide/b_ise_upgrade_guide_chapter_01.html#ID7

  • ISE Wired guest portal redirect even after authentication

    Hi
    I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
    I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
    Here is what I see on the interface
    ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
                Interface:  GigabitEthernet4/0/19
              MAC Address:  a0b3.ccca.2ab1
               IP Address:  10.1.3.16
                User-Name:  A0-B3-CC-CA-2A-B1
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC14011F000001571E52779F
          Acct Session ID:  0x00000309
                   Handle:  0xE6000158
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    Here is the ACL
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny udp any any eq domain (1344 matches)
        20 deny ip any host 172.20.5.12 (8122 matches)
        30 deny ip any host 172.20.5.14
        40 permit tcp any any eq www (3124 matches)
        50 permit tcp any any eq 443 (202927 matches)
        60 permit tcp any any eq 8080 (114 matches)
        70 permit ip any any (8056 matches)

    Hi Mohannad,
    Thanks for your response.
    Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
    We need to find out why the next Auth policy is not hitting once user is authenticated.
    Here is the port configuration and the authen status of the port.
    ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
    Building configuration...
    Current configuration : 427 bytes
    interface GigabitEthernet4/0/19
    switchport access vlan 103
    switchport mode access
    switchport voice vlan 135
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    end
    ABQT-3FLR-ACC-01#
    Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
    ABQT-3FLR-ACC-01#
    ABQT-3FLR-ACC-01#sh atuh
    ABQT-3FLR-ACC-01#sh atu
    ABQT-3FLR-ACC-01#sh authe
    ABQT-3FLR-ACC-01#sh authentication se
    ABQT-3FLR-ACC-01#sh authentication sessions in
    ABQT-3FLR-ACC-01#sh authentication sessions interface gi
    ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
                Interface:  GigabitEthernet4/0/19
              MAC Address:  0015.c5b4.fd4a
               IP Address:  10.1.3.23
                User-Name:  00-15-C5-B4-FD-4A
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC14011F0000018A32B4D906
          Acct Session ID:  0x00000394
                   Handle:  0x3E00018B
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success

  • Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

    Hi to all,
    I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
    I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
    Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
    Error: Resource not found.
    Resource: /guestportal/
    Does anyone have any ideas why the portal is doing this?
    Thanks
    Paul

    Hello,
    As you are not able to  get the guest portal, then you need to assure the following things:-
    1) Ensure that the  two  Cisco av-pairs that are configured on the  authorization profile should  exactly match the example below. (Note: Do  not replace the "IP" with the  actual Cisco ISE IP address.)
    –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
    –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
    2) Ensure that the URL redirection portion of the ACL have been  applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address  that is  passed to the client machine by the DHCP server.)
    Admission feature : DOT1X
    AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
    URL Redirect ACL : ACL-WEBAUTH-REDIRECT
    URL Redirect :
    https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
    0000A45A2444BFC2&action=cpp
    3) Ensure that the preposture assessment DACL that is enforced from  the  Cisco ISE authorization profile contains the following command  lines:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
    port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8906 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
    4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny ip any host 80.0.80.2
    permit ip any any
    5) Ensure that the http and https servers are running on the switch:
    ip http server
    ip http secure-server
    6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
    7) Ensure that the client machine browser is not configured to use any  proxies.
    8) Verify connectivity between the client machine and the Cisco ISE IP  address.
    9) If Cisco ISE is deployed in a distributed environment, make sure  that  the client machines are aware of the Policy Service ISE node FQDN.
    10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
    11) Or you need to do re-image again.

  • Go RED again after PUBLISHED...getting WORSE after updated!!!

    Hi,
    Recently i've just updated the iWeb software, but getting worse while working on iWeb now. Sad and Too Bad to me...
    Yesterday when i open my iWeb...every Pages from Blue turn to RED and after re-published..still RED.
    Not only that problem, i thought some of my pages caused the problem..so i try to create a new SITE and drag all my pages into the New Site and try to Drag and Drop back the Pages 1 by 1 and updating/publishing to check the that where's the problem from...
    But,
    I can't even Drag my BLOG page now...however i delete the .plist from the preferences or from the ByHost...FAILED me again!!!!
    I'm so disapointed to this so call "updated software" !!!!
    What s'ld i do now? Help Help..need help!!!
    I'm actually ready to publish my updated Website...
    I feel sad that nowaday apple doesn't take care of customer and the Quality anymore..worse and worse from Hardware to software...Too Bad!!!!! sorry for my frustrated words...

    Don't feel bad. I have weather widgets and countdown code imbedded in my site via text edit and idisk. So not only does it take forever to upload when I make a change but I have to go back into all the pages with the weather widgets and countdown clocks via text edit and add the code again. Iweb Version 1.1.2. Worked for years and then all of a sudden this. It's not a software problem, but a problem on Apples end communicating back to your computer that the pages have been successfully uploaded and should stay blue leaving only pages with changes to be uploaded next time unless you say different. It has been 6 weeks since Apple told me of this problem and still no solution. I can only wonder how much more trouble is coming when .mac is officially gone. I don't have publish to mobile me in my version 1.1.2 pull down menus, only publish to .mac. I hope a free software update will add these things to my version and take care of this, but I'm not holding my breath.Will they say I need to buy a new version of Iweb. It worked great till they screwed something up on their end. I don't want anythiing more than version 1.1.2 It worked great! It seems to have started when mobile me started running. The two systems maybe are conflicting with each other. Figure it out soon Apple or .mac/mobileme will be something to dump and move to something that works.

  • Clips goes over red color after importing movies clips

    Clips goes overdosed by red color after importing movies clips

    I guess it doesn't look like that in the QuickTime player. 640x480? That's a computer form of NTSC yet you're using a PAL frame rate. That's very weird. What's the codec?
    You might also check the color space your display is set to, though the clip below it in the browser doesn't show the problem.

  • ISE 1.2.1 - RADIUS service down after Promoting Secondary PAN

    Hi Experts,
    I have currently a ISE deployment where I run a Dual Node construct (both 3495)
    ISE-1: PAN (Primary), MNT (Secondary), PSN
    ISE-2: PAN (Secondary), MNT (Primary), PSN
    When ISE-1 fails and ISE-2 is promoted to Primary PAN then the services are restarted. This causes also the radius service to go down which causes a full RADIUS outage. Also if ISE-1 is online again and is re-promoted, also both ISE instances restart simultanious the services which includes the RADIUS service. Again full RADIUS outage.
    A ISE service restart takes about 10-15 minutes.
    Is this "workes as designed" or a bug? I think this behavior was different in ACS 5.X
    Best Regards Michael

    List of working (Y) and Non Working (N) if Primary PAP is down
    Existing internal user radius auth : Y
    Existing/New AD user radius auth : Y
    Existing endpoint with no profile change : Y
    Existing endpoint with profile change : Y
    New endpoint learned via profiling : Y
    Existing guest (LWA) : Y
    Existing guest (CWA) : Y
    Guest - Change Password : N (user must log in using old password)
    Guest - AUP : Y (displayed for every login)
    Guest - Max Failed Login Enforcement : N
    New guest (Sponsored or Self-Registration) : N
    Posture : Y
    New Device Registration : N
    Existing registered device : Y

  • ISE 1.2 Guest Portal Profiling Certainty Factor not Increase

    Hi I have configure ISE 1.2 Guest Portal and check for profiling which device login but I found that endpoint profile not match after user succesful authenticate
    Profiling Configure and Endpoint Detail in attachment below

    Hi salodh
    as you can see in attach file all profiling are configure correctly and condition should be match according to User-Agent Contain Andriod (profile3.png) and Certainty Factor must increase (profile2.png) in this case but Total Certainty Factor still 0 in endpoint profile (profile1.png)

Maybe you are looking for