ISE 1.1 sponsor portal different type of guest accounts
Hi there
I just played around with the ISE 1.1.2.145 sponsor portal. I have the following 3 requirements, but I don't see a way the get there with the actuals sponsor portal features:
1. I would like to create a event user (one single user for multiple logins) with a given username and a given password
2. I would like to create a single user with a given username and a given password
3. How can I change the password of such a user
At the moment I am a little disappointed from the sponsor portal, there are not that features or I can't see the way to get there ;-)
Can anybody confirm the above problems?
Best regards
Dominic
It is possible to use internal users as well as AD users for admin.
I'm not actually sure whetehr it's possible to stop using Internal Users.
I have it working using both, primarily as I don't have AD credentials on customer site, so they use AD credentials and I stick to using Internal Admin User.
I still haven't understood your original question entirely, but if you select the guest username to be created based on email address (rather than first name/last name), then you can create a single username using a fictional email address, and allow the user to change the password on first login. You can then change the password to whatever you want.
Does that fit?
Similar Messages
-
Cisco ISE sponsor Portal email notification of guest account
Is there anyway to not have the email button be displayed in the sponsor portal? We don't have email or SMS enabled and sponsor users are complaining that the button is there but doesn't work, it woul be really good if you could just remove it. I have looked at the sponsor language template configuration but it doesn't appear to be able to not display the button just rename it?
any information would be much appreciated.
CraigMartin,
thank you very much for the information, I don't think I would ever have checked there for this configuration. It is taking me awhile to get used to the ISE GUI, I don't find it particularly intuitive but hopefully I will get there.
thanks
Craig -
ISE 1.3 Sponsor Portal.
Hi There, Just trying out ISE Version 1.3 and encountering some issues getting access to the sponsor portal.
Just checking about a Standalone deployment is it OK to have the sponsor portal interface the same as you manage the ISE from?
I cant seem to get to the sponsor portal on 8443 it just doesn't display the page. It doesn't even fill out the URL at the end.
When I fill in the URL for it. I get this.
The Portal is set up like this So from what I see it should work. If I use the preview button in the portal set up I can get to it fine. Am I missing something?Graham,
I've seen this a few times. Do you have separate PSNs? Note that the DNS entry (Alias) for the Sponsor Portal needs to point to a PSN and NOT the Admin Node. This usually fixes the issue. Create an alias in DNS for sponsor.domain.com (replace domain.com to reflect your domain name) and point it to a PSN. Then type sponsor.domain.com into your browser. The system will redirect to the default Sponsor Portal.
Note this Capture from the ISE 1.3 Admin Guide:
The full guide can be found here:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13.pdf
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
ISE 1.3 Sponsor Portal mandatory fields
Hello,
in the ISE 1.2 version it was possible to say that some fields are mandatory like first name or company.
I cannot find this setting in the ISE 1.3 version.
Regards
filipLeoni,
These settings are found by going to Guest Access > Configure. Select Sponsor Portals and choose the Sponsor Portal in which you are working. Click Portal Page Customization
Once there, select your Guest Type. I chose Create Account for Known Guests. Then choose Settings over the preview image.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
ISE 1.2 Sponsor portal port change not working
Hi,
Has anyone else had an issue where they change the default port number of the sponsor portal on the Admin node, all ISE restart, but the sponsor portal still only works on the default 8443 port?
Thanks,
CtHi,
As you know that default port is 8443, but you can change this value so ensure that the same value you assign to the switch and it matches the setting in Cisco ISE. -
ISE 1.2 Sponsor Portal issue
Hi
we have an ISE version 1.2 installation and are trying to customise the Sponsor Portal login page to show the Terms and conditions for staff whan accessing the page, by using the display pre-loign banner under the sponsor portal themes settings.
We have added the text for both pre and post login banners and have selected the check boxes for both but for some reason when saved the text does not display and the check boxes show as being un checked when going back to the page. Is this a bug ?? i have reset to factory defulats and re tried but still not working.. any help would be appreciatedIt may be a browser issue. Please check the supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals:
These Cisco ISE portals support the following operating system and browser combinations. These portals require that you have cookies enabled in your web browser.
Table 8 Supported Operating Systems and Browsers
Supported Operating System Browser Versions
Google Android 1 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
•Native browser
Apple iOS 6, 5.1, 5.0.1, 5.0
•Safari 5, 6
Apple Mac OS X 10.5, 10.6, 10.7, 10.8
•Mozilla Firefox 3.6, 4, 5, 9
•Safari 4, 5, 6
•Google Chrome 11
Microsoft Windows 82
•Microsoft IE 10
Microsoft Windows 73
•Microsoft IE 9
•Mozilla Firefox 3.6, 5, 9
•Google Chrome 11
Microsoft Windows Vista, Microsoft Windows XP
•Microsoft IE 6, 7, 8
•Mozilla Firefox 3.6, 9
•Google Chrome 5
Red Hat Enterprise Linux (RHEL) 5
•Mozilla Firefox 3.6, 4, 5, 9
•Google Chrome 11
Ubuntu
•Mozilla Firefox 3.6, 9 -
ISE 1.2 Sponsor Portal- Account Expiration Date Defaults to same time as Start Date
We have a time profile setup for ISE Sponspr Portal with Start/End. I understand this allows the sponsor to specifially set the start and end time for the guest account. When creating an account, the Start/End time is the same time. If a Sponsor forgets to set the end time, then the guest account will be created, but will expire not allowing the guest to login. It would be nice to have the end time default to something other than the start time, like 8 hours default. Is this possible? Can the expiration time default to something like 8 hours, but still give the Sponsor the ability to adjust the start/end times if needed? This is very simple, and I cannot believe this is not available.
Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.
Upon expiration of their account per their assigned time profile, they will no longer be able to login or access the company network.
If a guest were to return to the network, the sponsor can change the account duration via the sponsor portal to grant them access again and then require them to change their password if deemed necessary (depending on the settings). Changing account duration can be used for extending a guest users access longer than the original setup.
If you upgrade to Cisco ISE 1.2, the older time profiles are still available, but you can delete them if you are not using them. If the older time profiles are assigned to a sponsor group, a message alerts you before deleting. If you perform a new installation of Cisco ISE 1.2, only the new time profiles display. -
ISE 1.2 sponsor portal - disabling default languages
Hi,
We are implementing Cisco ISE 1.2 and have a question on the sponsor portal languages.
The client company's official language is English and so we would like to disable all other languages from the sponsor portal. If we don't do it, the users might select their native language (on the sponsor settings and/or the guest notification language) meaning that we have to customize and maintain all 15 language templates.
It has alread happened during the tests: a sponsor created a guest account and choose a notification language other than English - the SMS was not sent because the "Destination" on the "SMS text message notification" default value is "[email protected]".
Thanks in advance.
Regards,
Telmo OliveiraHi all,
This reply to myself is done for documentation proposes, it can help someone with the same challenge.
Today I was at an event at Cisco where ISE 1.3 beta was presented. This version will have already the option to choose between browser locale or static language template. Talking to the Cisco eng. responsible for the presentation, he told me that 1.2 had no way to do it.
Cisco ISE 1.3 is now planned to be release end of 2014.
Regards,
Telmo Oliveira -
ISE 1.3 Sponsor Portal problem
Hello Guys,
I configured one Guest WLAN to authenticate via ISE Web Portal.
The wlan, the redirect, everything is working fine. Y
Yesterday i created one user and password using the sponsor portal normally, but today, i tried to connect on the sponsor page and i got the error:
Sponsor Portal Internal Error
Please contact System Administrator. If you are the System Administrator please consult the logs.
I tried to restart the application ise via cli but didin't works.
Can you help me? Where these logs are located?
Thank you.Look at you Rafael, coming up with problems and solving them yourself! :) Thanks for sharing the solution with everyone (+5 from me). Let's close the thread if the issue is resolved :)
-
**after receiving iphone6 and signing 2 year contract, negotiated for a change in plan with lower cost and discount... not seen on october bill as promised..totally unable to obtain help on phone to verizon. thanks
Thanks for the response. I had the 65 advantage plan for 2 years. Service rep at Verizon store assisted me when I activated my new iPhone 6. She noted that over the 2 years i had used only a few minutes of talk, one to 2 texts per month ( at a fee of $. 20 each ) and a minuscule amount of data... and that the phone was for emergency contact to me from my disabled invalid wife only. She searched and found a discount special plan for a savings of $15.00 per month with a final monthly fee before taxes of $45 and not $59 per month to start on Oct 1st. It does not have a name to the plan just that it carries this special discount. That is all I can tell you. Thanks for the assistance. Await your reply. Thanks
Bob Bonus
[email protected] <mailto:[email protected]> this is Incorrect email........... should be [email protected] Wednesday oct 8th, 2014... do not know if you received this response to your email a few days ago. Sorry for the mistake. Await your response. thanks
bob bonus -
The different types of User accounts
Hello,
This mainly stems from the fact I would like to add a Router to my CNA (Cisco Network Assistant) community. And am not sure which user credentials I need to apply on CLI.
To note I have enabled IP http server.
So from the list below what are the credentials used for and when should they be used for accessing the device via ssh / telnet / http / cna ??
enable password - ??
enable secret - ???
username abc privilege 15 secret 0 xyz - ?? ( I thought it would be this, but does not appear to work with HTTP or CNA.)
login console or VTY there is the option for......
password - ??
login - ??
login local - ??
If there are more please advise, however note this is the "Getting started with LANS" so no need to go overboard :)
I hope I have explained myself properly.
regardsThis should get you going:
username bob priv 15 password changeme
enable secret changeme
ip http server
ip http authentication local
line con 0
login local
line vty 0 4
login local -
ISE 1.3 Sponsored Guest Portal Login Failure
Hello Team,
Ive created a guest account in the sponsor portal for a test guest user, however the state remains in "created" state.
Now when the user tries to log on via the sponsored guest portal the error back is "invalid username or password".
In ISE logs it says :
Overview
Event
5418 Guest Authentication Failed
Username
bnawaz01
Endpoint Id
Endpoint Profile
Authorization Result
Actions
Troubleshoot Authentication
View Diagnostic Messages
Audit Network Device Configuration
View Network Device Configuration
View Server Configuration Changes
-->Authentication Details
Source Timestamp
2014-12-24 08:49:05.551
Received Timestamp
2014-12-24 08:49:05.553
Policy Server
DC1-ISE-DMZ01
Event
5418 Guest Authentication Failed
Failure Reason
Account is not yet active.
Resolution
Root cause
Username
bnawaz01
User Type
GuestUser
Endpoint Id
Endpoint Profile
IP Address
Authentication Identity Store
Guest Users
Identity Group
GuestType_Contractor (default)
Audit Session Id
Authentication Method
PAP_ASCII
Authentication Protocol
PAP_ASCII
Service Type
Network Device
Device Type
Location
NAS IP Address
NAS Port Id
NAS Port Type
Authorization Profile
Posture Status
Security Group
Response Time
Any ideas why this might be, if im doing something wrong and how to fix?
Thank you
BilalI have had the same issue, the fault is caused by the time zone in the sponsor groups being set by default to UTC, so if you are in London the accounts wont become available until UTC time. The best practice is to add a local time zone and remove UTC at initial configuration
To resolve this create a new local time zone in Guest Access>Settings>Guest Locations and SSIDs then under Guest Access>Configure>Sponsor Groups amend the time zone properties in each sponsor group
One other problem is if you do not remove this at initial configuration you don't seem to be able to get rid of UTC, not really an issue unless you forget when creating new sponsor groups -
Cisco ISE who created a ticket in sponsor portal
Hi I was wondering how to see who created a guest user ticket in Cisco ISE using the sponsor portal without checking the system logs that you have to download.
Is there any better way to do it?
kind regardsoperations > reports >endpoints and users > guest sponsor summary
The Guest Sponsor Summary report displays all guest users created by each sponsor. Click on a sponsor name to display details about the guest users. -
Help needed - setting password policies for different types of accounts
Hello,
We have a situation where we have different types of users created on a solaris server. We have regular users, admins, functional accounts and device accounts. Of course solaris does not differentiate between regular user and other types, i think. The default password policy applies to all the users on the server. I want to configure different policy for different types of user accounts. Is it possible? The difference between the accounts on our side is
Regular user accounts - 8 digit numbers ( 00667265) - expire password every 90 days
Functional accounts - 8 digits starting with F ( F0253466) - do not expire, but password length must be 10-12 and complex
Device Accounts - 8 digits starting with Z ( Z2367249) - do not expire, but password length must be 12 and complex - like upper case, lower case, number, special chars etc.
Is it possible to set up different password policies, is so how?The password expiration policy is pretty easy, it can be set on a per account basis when the account is created. I'm not aware of a simple way to define a complexity policy for groups of accounts but the policy is enforced using pam, so you should be able to write a pam module which would enforce your complexity policy. The pam manual page would be a reasonable starting point for learning about pam.
-
ISE 1.2 Sponsor Group - "View/Edit Accounts" Setting not working as expected
Hi,
we need a sponsor account that is not allowed to see the Account List (so the Accounts that were created) on the sponsor UI. The sponsor should be only allowed to create an account, to send his credentials via E-Mail or to print them.. and that's all
So I configured the rights as you can see in the attachment, but when I choose No for "View/Edit Accounts" the user is able to see ALL ACCOUNTS. When I just choose "Own Accounts" then the user sees just his own Accounts, so the 2nd setting works properly.. the first behaviour seems like a bug to me.. did anyone else have had this problem too?
Thanks!Choose one of the following options for View/Edit Accounts:
–No—Sponsors are not allowed to edit any guest accounts.
–All Accounts—Sponsors are allowed to edit/view all guest accounts.
–Group Accounts—Sponsors are allowed to edit guest accounts created by anyone in the same sponsor user group.
–Own Account—Sponsors are allowed to edit only the guest accounts they created.
Maybe you are looking for
-
How can I look at recently deleted history on my iPod touch 4? Google says to go to settings, go to safari, then go to advanced. Well the problem is my iPods don't say advanced, they say developer. And I don't believe it would do what I'm wanting any
-
I can't view my iTunes purchases!!!
I recently attempted to sync iPad 2 to my iMac. When I started the sync, it seemed like the operation was taking longer than it should, so stopped iTunes, disconnected the iPad and restarted the Mac. When I reconnected my iPad, all of the data wa
-
HT201210 i tried to restore my new iphone 5 but i couldn't, what can i do?
I tried to restore my new iphone 5 but i couldn't, what can i do?
-
How to make Custom Discoverer workbook use Custom Security profile of Apps
We use Discoverer in Oracle Apps setup. We have added Custom security in our HR People Form of Apps. This Custom Security restricts one HR Emplpoyee not view other HR employee record except for himself/herself. Also maintining that they should be abl
-
Unable to create Context3D on Android 5.0 when using latest Air 15 SDK
I have updated my Nexus 5 to the latest developer preview of Lollipop, and I can no longer run our game. The same code worked find in the prev. developer version of Android L. The code I can't get to work is: stage.stage3Ds[0].addEventListener(Event.