ISE 1.1.1.268 - Red X after attempting to log in to guest portal for self-provisioning flow
Hi All,
We get a lone red X on certain Android devices after they click login on the guest portal. No message or anything. Anyone seen this before? I've been able to get around this in the past by just closing the browser completely and turning off wireless and starting over, but it sounds like this user has tried these things and it keeps happening. It would be good to at least know what the error is. Image below.
Thanks,
Wil
After biting the bullet and ordering more RAM, my computer now is working a ton better. So that must have been the main issue. With 8 GB RAM, I can now even run Parallels fluidly (better than my work PC!) where before simple things like logging in to my MBP after reboot could take forever.
The place I went to had several other people getting RAM upgrades at the same time as me, so between this and other comments I've seen in discussions here and elsewhere on the Internets, I take it to mean that either Apple should bump up the base RAM on its new machines, and/or stop charging so much for additional RAM.
I refused to believe a Pro machine bought with Lion installed would come with too little RAM for light to medium usage, but it was apparently the case. I'll mark this as a correct answer and hope some other poor soul will come across this thread and be helped by it.
Similar Messages
-
How to use ISE Guest Portal for AD users
Hi there,
As subject explains all, I want to use ISE Guest Portal for my domain users. I have tried many different ways to authenticate users and finally I came to the conclusion that ISE CWA works pretty well and is very stable. WLC Webauth sucks a lot, does not redirect to the login page always.
Can you please share what other ways are stable ways to authenticate AD users? I know about WPA 802.1x authentication but that requires a CA in the network which is not available at the moment. So can you please suggest?
Otherwise, I want to use ISE Guest Portal for my AD users as well. AD is already integrated to ISE, the issue happens when I attempt to authenticate using AD user account, the user gets authenticated but the Guest Portal redirects me to Device Provisioning page and there it shows an error saying "there is not policy to register the device, contact system admin"
Am I missing something??
I am running WLC 5760 with ISE 1.2
Thanks in advance..
Hi,
Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to be redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
Thanks,
Tarik Admani
*Please rate helpful posts* -
My Adobe Flash plug in is still crashing. I first attempted the Update Flash. It worked for a day before it started crashing again. So I went back to the page and attempted the 2nd solution of downgrading flash to 10.3. Again it worked for a day or two but now is giving me the same issue. I am getting extremely frustrated.
Thank you. I uninstalled both and reinstalled 11.5. It is working currently. Hopefully it will continue!
-
ISE 1.2 WEBAUTH (CWA) + SELF PROVISIONING (NSP)
I'm trying to achieve the following for our employees, contractors and guest.
Guests and Contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.
contractors (ldap contractor group) -> webauth -> internet
guest (internal ise db via sponsorportal) - webauth -> internet
Employees should be allowed to register their devices after successful auth on the ISE portal login page and they should be allowed to access the internet once their device is registered. So they don't have to re-enter the credentials every 2 hours.
employee (ldap employee group) -> webauth -> nsp -> internet
In ISE I've created a custom portal with mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning Policy configured and I've set the Native Supplicant Provisioning Policy Unavailable: to Allow network access.
I'm currently experiencing problems with clients and they describe their problem as portal loop. When they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment I'm working remote and not able to replicate the problem myself. Any advice would be welcome and much appreciated.
Is there any available documentation about the builtin attributes in ISE? I'm especially interested in network use EQUALS guest flow.
Hi Patrick,
I'm facing a similar problem to yours, but on wired. My contractor (I name it vendor) is redirected to the guest portal, and when they login they are redirected to the portal again.
For the devices registration, I have set the Native Supplicant Provisioning Policy Unavailable: to Allow network access.
my authorization rules as follows :
1- rules name : Vendor-wired : identity : registerddevices AND identitygroup: VENDOR authorization profile: VENDOR-ACCESS
2- rules name : WIRED-CWA : identity : any condition: device-type:SWITCH authorization profile: CWA-PORTAL
It looks like, when vendor is login, they are not hitting the first rule, although the device shows up in the registered devices, and the vendor account is in VENDOR identity group (local in ISE), so they come back again to rule 2, which redirects them to the CWA-PORTAL again.
Did you find any hint for this problem? -
ISE 1.2 customizing guest portal
I am having some issues trying to customize colours on the default guest portal in ISE 1.2.
Is there really no way to change the entire page background colour, except going through creating a complete set of HTML files?
It seems if I upload a transparent background image for both the banner and the logo, and then change all the background colour settings, the colour only affects the area where the Cisco splash logo is, and not the entire page.
I attached my settings, and how the page looks with those, what I am after is the entire page black, and then white text.
Hello Jan
You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal.
These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead.
Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.
Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals.
Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal.
Step 4 Click Save. -
ISE 1.2 - MAB Guest and MAB Supplicant Provisioning
In short trying to provide a configuration whereby a Guest utilises MAB and a set of sponsor created credentials to gain access to Internet via the portal. In addition to this I am also trying to provide MAB for "Corporate BYOD" utilising AD credentials resulting in supplicant provisioning. I am aware of other ways of doing this in terms of utilising PEAP and a NSP redirect but in this instance my only real option is MAB. Could anyone provide me with an example of how they have approached this situation.
I tried to do CWA redirect for both use cases but provided a separate "2nd auth" for each of them. My BYOD 2nd auth was the actual NSP redirect - which worked except the MAC address could not be populated into the field (See flow below for BYOD redirect).
MAB > CWA Redirect (AD credentials) > "2nd Auth" = NSP Redirect
Please disregard I have it fixed. Long story short I was over engineering it. I was unaware that ISE was able to differentiate between Guest users and other users with regards to the "Enable Self Provisioning flow".
Thanks -
Hello,
this document lead to multiple failure !!!!
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
This guy really helps !!!
https://www.youtube.com/watch?v=TW2ZJVIZ8bs
See attached screen captures.
ISE documentation, even published by TAC is not reliable.
Bring back the Cisco we liked so much 15 years ago !!!!!
-
Cisco ISE 1.1 Guest Portal Services
Do you have to have separate ISE appliances or VM clusters to have 2 separate "Guest Portal" services?
I have two sites that have their own equipment (Arizona / Illinois):
- Cisco ISE Server
- Cisco Wireless LAN Controller
- Cisco Wireless Anchor Controller
- Cisco ASA
My understanding is that I'd need to have the ISE boxes running in "STAND ALONE" mode in order to have two separate "Guest Networks / Portal".
Thanks in advance!!!
Hi,
Each Cisco ISE policy services node can run a guest portal also if they run in one deployment.
Depending on the way you mean "separate", your requirement can be met in one deployment or in two stand alone deployments.
Depending on your approach you need four Cisco ISE machines to build the "one deployment" option.
2 Admin/Monitoring Nodes (Admin is Active/Standby, Monitoring is Active/Active) and two Policy Services Nodes (RADIUS Servers). Both Policy Services Nodes can run the guestportal. The configuration of the WLC determines which Policy Services Node is being used. ISE uses RADIUS URL redirect to redirect to its own guest portal.
Hope that helps. -
ISE 1.1.1.268 server not running
Hi Folks,
I have an old ISE appliance 3315, ISE application server is not running even after restart of ISE. ISE ver is 1.1.1.268
Not able to access this appliance through web also.
Can anyone advise if I can upgrade this ISE directly to 1.2 through bootable DVD? Or do I need to upgrade this with latest patch?
You can upgrade to Cisco ISE, Release 1.2, from any of the following releases:
Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)
Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)
Cisco ISE, Release 1.1.2, with the latest patch applied
Cisco ISE, Release 1.1.3, with the latest patch applied
Cisco ISE, Release 1.1.4, with the latest patch applied
Upgrade Roadmap
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/upgrade_guide/b_ise_upgrade_guide/b_ise_upgrade_guide_chapter_01.html#ID7 -
ISE Wired guest portal redirect even after authentication
Hi
I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however when trying with Wired, the redirection page keeps appearing even after the user is authenticated.
I'm not seeing the redirection authorization policy in my logs, however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
Here is what I see on the interface
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: a0b3.ccca.2ab1
IP Address: 10.1.3.16
User-Name: A0-B3-CC-CA-2A-B1
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F000001571E52779F
Acct Session ID: 0x00000309
Handle: 0xE6000158
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
Here is the ACL
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain (1344 matches)
20 deny ip any host 172.20.5.12 (8122 matches)
30 deny ip any host 172.20.5.14
40 permit tcp any any eq www (3124 matches)
50 permit tcp any any eq 443 (202927 matches)
60 permit tcp any any eq 8080 (114 matches)
70 permit ip any any (8056 matches)
Hi Mohannad,
Thanks for your response.
Actually, as per the configuration it should work; I'm still trying to find out what has gone wrong with this configuration. In fact, I have tested with a 3560 switch with the same config and it worked. The only difference here is that we used a 2960S switch.
We need to find out why the next Auth policy is not hitting once user is authenticated.
Here is the port configuration and the authen status of the port.
ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
Building configuration...
Current configuration : 427 bytes
interface GigabitEthernet4/0/19
switchport access vlan 103
switchport mode access
switchport voice vlan 135
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
ABQT-3FLR-ACC-01#
Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
ABQT-3FLR-ACC-01#
ABQT-3FLR-ACC-01#sh atuh
ABQT-3FLR-ACC-01#sh atu
ABQT-3FLR-ACC-01#sh authe
ABQT-3FLR-ACC-01#sh authentication se
ABQT-3FLR-ACC-01#sh authentication sessions in
ABQT-3FLR-ACC-01#sh authentication sessions interface gi
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: 0015.c5b4.fd4a
IP Address: 10.1.3.23
User-Name: 00-15-C5-B4-FD-4A
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F0000018A32B4D906
Acct Session ID: 0x00000394
Handle: 0x3E00018B
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success -
Cisco ISE guest portal redirect not working after successful authentication and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul
Hello,
As you are not able to get the guest portal, then you need to assure the following things:-
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile should exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL have been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again. -
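Items 1, 2, 4 and 5 of the reply above can be checked mechanically against captured switch output. The following Python sketch is an added example, not part of the original thread and not Cisco code; the session and config samples are constructed, and the host name `ise.example.test` and address `192.0.2.10` are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples modelled on the outputs quoted above; host name and IP are
# placeholders, and the config ACL name carries an underscore on purpose.
SESSION = """\
Interface: GigabitEthernet4/0/19
Status: Authz Success
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ise.example.test:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
Common Session ID: AC14011F000001571E52779F
"""
CONFIG = """\
ip http server
ip http secure-server
ip access-list extended ACL-WEBAUTH_REDIRECT
 deny ip any host 192.0.2.10
 permit ip any any
"""

def parse_session(text):
    """Turn 'Key: value' / 'Key : value' lines into a dict (split on first colon)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_acls(config):
    """Map each extended ACL name to its entries, sequence numbers stripped."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])
        elif current is not None and line[:1].isspace():
            current.append(re.sub(r"^\d+\s+", "", line.strip()))
        else:
            current = None
    return acls

def check_redirect(session_text, config_text, ise_ip):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    s, acls = parse_session(session_text), parse_acls(config_text)
    name = s.get("URL Redirect ACL", "")
    if name not in acls:  # the name must match exactly, hyphens included
        fold = lambda n: re.sub(r"[-_]", "", n).lower()
        near = [n for n in acls if fold(n) == fold(name)]
        findings.append(f"redirect ACL {name!r} not defined on switch"
                        + (f"; near match {near[0]!r}" if near else ""))
    else:  # traffic to ISE must be denied (not redirected) before any permit
        first_permit = next((i for i, e in enumerate(acls[name])
                             if e.startswith("permit")), len(acls[name]))
        if f"deny ip any host {ise_ip}" not in acls[name][:first_permit]:
            findings.append(f"{name}: ISE {ise_ip} is not exempted before the first permit")
    url = urlsplit(s.get("URL Redirect", ""))
    query = parse_qs(url.query)
    sid = s.get("Common Session ID")
    if (url.scheme, url.port, url.path) != ("https", 8443, "/guestportal/gateway"):
        findings.append("redirect URL is not https://<ise>:8443/guestportal/gateway")
    if query.get("action", [""])[0] not in ("cwa", "cpp"):
        findings.append("redirect URL action is neither cwa nor cpp")
    if sid and query.get("sessionId", [""])[0] != sid:
        findings.append("sessionId in redirect URL differs from Common Session ID")
    lines = {l.strip() for l in config_text.splitlines()}
    for needed in ("ip http server", "ip http secure-server"):
        if needed not in lines:
            findings.append(f"missing '{needed}'")
    return findings

if __name__ == "__main__":
    print(*check_redirect(SESSION, CONFIG, "192.0.2.10"), sep="\n")
```

With the constructed samples the only finding is the ACL name mismatch (hyphen in the session, underscore in the config).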
Go RED again after PUBLISHED...getting WORSE after updated!!!
Hi,
Recently I've just updated the iWeb software, but getting worse while working on iWeb now. Sad and Too Bad to me...
Yesterday when I open my iWeb...every Pages from Blue turn to RED and after re-published..still RED.
Not only that problem, I thought some of my pages caused the problem..so I try to create a new SITE and drag all my pages into the New Site and try to Drag and Drop back the Pages 1 by 1 and updating/publishing to check the that where's the problem from...
But,
I can't even Drag my BLOG page now...however I delete the .plist from the preferences or from the ByHost...FAILED me again!!!!
I'm so disappointed with this so-called "updated software" !!!!
What should I do now? Help Help..need help!!!
I'm actually ready to publish my updated Website...
I feel sad that nowadays Apple doesn't take care of customer and the Quality anymore..worse and worse from Hardware to software...Too Bad!!!!! sorry for my frustrated words...
Don't feel bad. I have weather widgets and countdown code embedded in my site via text edit and idisk. So not only does it take forever to upload when I make a change but I have to go back into all the pages with the weather widgets and countdown clocks via text edit and add the code again. iWeb Version 1.1.2. Worked for years and then all of a sudden this. It's not a software problem, but a problem on Apple's end communicating back to your computer that the pages have been successfully uploaded and should stay blue leaving only pages with changes to be uploaded next time unless you say different. It has been 6 weeks since Apple told me of this problem and still no solution. I can only wonder how much more trouble is coming when .mac is officially gone. I don't have publish to mobile me in my version 1.1.2 pull down menus, only publish to .mac. I hope a free software update will add these things to my version and take care of this, but I'm not holding my breath. Will they say I need to buy a new version of iWeb? It worked great till they screwed something up on their end. I don't want anything more than version 1.1.2. It worked great! It seems to have started when mobile me started running. The two systems maybe are conflicting with each other. Figure it out soon Apple or .mac/mobileme will be something to dump and move to something that works.
-
Clips goes over red color after importing movies clips
Clips goes overdosed by red color after importing movies clips
I guess it doesn't look like that in the QuickTime player. 640x480? That's a computer form of NTSC yet you're using a PAL frame rate. That's very weird. What's the codec?
You might also check the color space your display is set to, though the clip below it in the browser doesn't show the problem. -
ISE 1.2.1 - RADIUS service down after Promoting Secondary PAN
Hi Experts,
I currently have an ISE deployment where I run a Dual Node construct (both 3495)
ISE-1: PAN (Primary), MNT (Secondary), PSN
ISE-2: PAN (Secondary), MNT (Primary), PSN
When ISE-1 fails and ISE-2 is promoted to Primary PAN then the services are restarted. This also causes the radius service to go down which causes a full RADIUS outage. Also if ISE-1 is online again and is re-promoted, both ISE instances also restart the services simultaneously, which includes the RADIUS service. Again full RADIUS outage.
An ISE service restart takes about 10-15 minutes.
Is this "works as designed" or a bug? I think this behavior was different in ACS 5.X
Best Regards Michael
List of working (Y) and Non Working (N) if Primary PAP is down
Existing internal user radius auth : Y
Existing/New AD user radius auth : Y
Existing endpoint with no profile change : Y
Existing endpoint with profile change : Y
New endpoint learned via profiling : Y
Existing guest (LWA) : Y
Existing guest (CWA) : Y
Guest - Change Password : N (user must log in using old password)
Guest - AUP : Y (displayed for every login)
Guest - Max Failed Login Enforcement : N
New guest (Sponsored or Self-Registration) : N
Posture : Y
New Device Registration : N
Existing registered device : Y -
ISE 1.2 Guest Portal Profiling Certainty Factor not Increase
Hi, I have configured ISE 1.2 Guest Portal and checked profiling for which device logs in, but I found that the endpoint profile does not match after the user successfully authenticates.
Profiling Configure and Endpoint Detail in attachment below
Hi salodh
As you can see in the attached file, all profiling is configured correctly and the condition should match according to User-Agent Contain Andriod (profile3.png) and Certainty Factor must increase (profile2.png) in this case, but Total Certainty Factor is still 0 in the endpoint profile (profile1.png)