ISE 1.2 Client Provisioning Page Customization

Hi All,
Is it possible to customize the Client Provisioning Page? We are using ISE version 1.2.
I could see from the switch port authentication session that it is being redirected to the guest portal with the session ID.
However, on the host machine itself it gets redirected to a different URL.
Regards
Sameer

Please have a look at the Configuring Client Provisioning guide:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_client_prov.html#wp1347894

Similar Messages

  • Cisco ISE 802.1X Client Provisioning

    Hi,
    I have a requirement for ISE client provisioning for both Windows and Mac. I have the following setup:
    1. 2 SSIDs, Guest and Employee
    2. Guest is open access
    3. Employee is 802.1x eap-peap (username/password)
    I was wondering if client local administrator privilege is required for 802.1x provisioning for Windows clients? I believe it is required for Mac OS, however I am not too sure if it may be required for Windows.
    Example: Employee A connects to the Guest SSID and is redirected to the guest web portal. Upon login, they will be presented with the device registration portal. Upon being presented by the ISE with the supplicant wizard, will they be asked for local administrator/domain admin privilege to install the supplicant wizard package/provisioning agent successfully?
    Any suggestion is appreciated.
    Thanks.

    Hi,
    Appreciate the feedback.
    Thanks

  • ISE, BYOD: guest clients provisioning

    Hello!
    The question is about provisioning different types of WiFi clients through the ISE Guest portal.
    ISE 1.1.4, WLC 7.4.100 (Guest WLAN uses MAB)
    Suppose there are two groups of wireless clients:
    1) a guest user, whose credentials are created through the ISE Sponsor Portal
    2) a domain user, who has credentials in Active Directory
    The aim is to provision the domain user, and not provision the guest user.
    When a client connects to the Guest SSID and opens the browser, he is redirected to the ISE Guest portal.
    When the client uses a domain user, he is provisioned, and when he uses guest credentials he is not provisioned.
    How does ISE understand that the domain user must be provisioned and the guest user must not be provisioned if the Web portal is configured to provision everyone?
    (Web Portal -> Settings -> Enable Self-Provisioning flow)

    The answer is that typically you either know that MAC address or you have something installed (NAC agent?) and fulfill some requirements.
    Alternatively, you can perform CWA first (and...)
    Then if the user is part of guest users -> allow internet-only access.
    If the user is part of AD -> send him to do registration.
    The authorization policy allows you to use "identity group" as part of the condition.
    If the device is registered -> allow full access. (Just an idea.)
    M.

  • ISE 1.0 Posture and Client provisioning

    I've configured 802.1x with dynamic VLAN for users and MAB for phones - it works fine. Now I want to implement client provisioning and posture validation for users. After reading the ISE user guide there are still several big questions:
    1. Is it possible to combine 802.1x and posture? (it was not recommended with NAC)
    2. How can I bind an existing 802.1x authorization profile and posture policy?
    3. What is the switch configuration for client provisioning to work (redirect, quarantine zone, download NAC agent)?
    4. Do ISE posture and client provisioning have an L2 virtual gateway, trusted and untrusted ports, as in NAC?

    With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with RADIUS; that's why it's really and completely out of band, and there's no such concept of trusted or untrusted port because the traffic is never inline.
    Still, with ISE you have another option of "inline Posture", in which there are trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
    On the other hand, so-called "out-of-band" NAC was really always an inline solution; only after the user has authenticated and security policies have been verified does the user go "out-of-band".

  • Supplicant Client Provisioning for Windows + NAC - is it supported?

    Hello,
    I'm testing out a scenario where it would be most interesting to be able to provision a Windows laptop, from connecting to a Guest SSID, with the wireless settings it would need to access a secure SSID, where it would then be posture assessed. Like when someone brings their laptop from home to work in the company, and you want to make sure the laptop is not carrying any bad stuff, while still assisting the user with its configuration.
    As the NAC provisioning rules and the supplicant provisioning rules are done from the same page, I'm having trouble being able to differentiate the initial supplicant client provisioning (SPW) and the posture verification done after the association to the secure SSID.
    The choices that we have on the client provisioning pages seem to be too limited to do this.
    Can anyone confirm if this scenario is supported?
    Thanks for any insight
    Gustavo Novais

    Hi Tarik, I managed to do what I wanted - the same client being provisioned and NAC'd in two steps, as you were suggesting.
    One limitation that I found though is that as soon as you mark a device as registered (part of the RegisteredDevices endpoint group), you stop being able to distinguish an iPad from a Windows workstation if both of them have been registered by the same user - both of them will belong to the RegisteredDevices group (assuming initial registration via the web guest portal), both of them will have a similar certificate (same common name), and profiling group matching will no longer work.
    Do you know if there is any workaround to it? I can see the common case where people bring their laptop from home as well as their iPad.
    A possible way would be to register to two different devRegPortals (two different endpoint groups) depending on the initial profiling option, but I saw no option on the guest portal to be able to choose multiple devRegPortals, only the self-provisioning flow. I guess the best possible way would be to not merge the guest portal and provisioning portals and use different authZ rules depending on the initial profiling of the devices, on a separate SSID dedicated to provisioning.
    Thanks for your insight
    Gustavo Novais

  • ISE 1.2 device registration with MAB only, no client provisioning

    Hello,
    Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning?
    I do not want to push certificates or native supplicant profiles to client devices.
    I would just want AD users to register their MAC address, if the MAC is not known, and add the MAC to some sort of group.
    Then if the MAC is known (in this group), skip registration and allow full access to the VLAN.
    Right now, I am stuck on the registration portal that says "The system adminstrator has either nog configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
    Am I really obliged to use native supplicant provisioning to register my device?
    GN

    Hi
    Device Registration Web Auth is a process where you can configure users without client provisioning.
    In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
    1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with a AUP acceptance page when the guest user attempts to go to any URL.
    2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
    3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
    4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
    5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
    6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.
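    As an added illustration (not Cisco's code and not from this thread), a small Python model of the six-step Device Registration Web Auth flow above: the endpoint store, the MAB authorization decision, AUP acceptance, and the CoA-triggered re-authentication. The profile and group names, MAC formats and access results are constructed placeholders.

```python
from dataclasses import dataclass

REDIRECT_PROFILE = "DRW-URL-Redirect"   # constructed name for the URL redirection authorization profile
REGISTERED_GROUP = "RegisteredDevices"  # group selected in the Multi-Portal Configurations page (assumed)


@dataclass
class Endpoint:
    mac: str
    aup_accepted: bool = False          # the "AUP accepted" attribute from the flow above
    identity_group: str = "Unknown"


class EndpointStore:
    """Minimal stand-in for the ISE endpoint identity store, keyed by normalised MAC."""

    def __init__(self):
        self._by_mac = {}

    @staticmethod
    def norm(mac):
        return mac.upper().replace("-", ":")

    def get(self, mac):
        return self._by_mac.get(self.norm(mac))

    def create(self, mac):
        ep = Endpoint(self.norm(mac))
        self._by_mac[ep.mac] = ep
        return ep


class DeviceRegistrationWebAuth:
    def __init__(self, store, access_by_group):
        self.store = store
        self.access_by_group = access_by_group  # identity group -> authorization result after CoA

    def mab_authorize(self, mac):
        """Steps 1 and 6: MAB decision. Unknown or AUP-not-accepted endpoints get the redirect profile."""
        ep = self.store.get(mac)
        if ep is None or not ep.aup_accepted:
            return REDIRECT_PROFILE
        return self.access_by_group.get(ep.identity_group, "DenyAccess")

    def aup_response(self, mac, accepted):
        """Steps 2-5: create or update the endpoint, then report the page shown and the CoA sent."""
        if not accepted:                                   # step 4: AUP declined -> error page, no CoA
            return {"page": "error", "coa": None}
        ep = self.store.get(mac) or self.store.create(mac)  # step 2 creates, step 3 updates an existing one
        ep.aup_accepted = True
        ep.identity_group = REGISTERED_GROUP
        return {"page": "success", "coa": "terminate"}     # step 5: CoA termination to the NAD/WLC


def simulate_session(drw, mac, accepts_aup=True):
    """Run one endpoint through the flow and return the sequence of observable events."""
    events = [("mab", drw.mab_authorize(mac))]
    if events[-1][1] == REDIRECT_PROFILE:
        result = drw.aup_response(mac, accepts_aup)
        events.append(("aup", result["page"]))
        if result["coa"]:                        # step 6: the CoA makes the NAD send a new MAB request
            events.append(("coa", result["coa"]))
            events.append(("mab", drw.mab_authorize(mac)))
    return events


if __name__ == "__main__":
    drw = DeviceRegistrationWebAuth(EndpointStore(), {REGISTERED_GROUP: "PermitAccess-VLAN"})
    print(simulate_session(drw, "00-11-22-aa-bb-cc"))
    print(simulate_session(drw, "00:11:22:AA:BB:CC"))  # already registered: straight to access
```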

  • Client provisioning not working on ISE after 1.2 Migration

    Working on an initial piloted rollout of ISE with a customer. We initially had a single server set up as a pilot using 1.1.1.4 to pilot things like client supplicant provisioning, and then stood up a new VM as a secondary and upgraded that to 1.2. Today we tested client provisioning that worked fine before, and it is failing for iOS (we haven't gotten to the other OSes yet). What occurs is the user authenticates using PEAP and the client gets the request to install the root certificate. After the client accepts the root certificate, the connection drops. When you click the SSID to start the process again we see the redirect to the mydevices portal, but before you can click to register the client it is redirected to accept the root certificate again, creating an endless loop. Has anyone else run into this bug?

    Please update the patch using the below details and try it.
    To upload offline client provisioning resources, complete the following steps:
    Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.
    Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
    Choose from the following Off-Line Installation Packages available for download:
    • win_spw--isebundle.zip — Off-Line SPW Installation Package for Windows
    • mac-spw-.zip — Off-Line SPW Installation Package for Mac OS X
    • compliancemodule--isebundle.zip — Off-Line Compliance Module Installation Package
    • macagent--isebundle.zip — Off-Line Mac Agent Installation Package
    • nacagent--isebundle.zip — Off-Line NAC Agent Installation Package
    • webagent--isebundle.zip — Off-Line Web Agent Installation Package
    Step 3 Click Download or Add to Cart.

  • Cisco ISE (1.3) Posture without Client Provisioning

    Hello readers,
    Is it possible to set up Cisco ISE with posture without Client Provisioning?
    My customer deploys the NAC Agent via MS SCCM. We prefer an access accept + DACL during the pending state instead of redirecting to client provisioning. But the NAC Agent will only communicate when we redirect to client provisioning.
    Regards,
    Dennis


  • Cisco ISE posture assessment and client provisioning

    Hello,
    I have Cisco ISE and a Cisco IOS device. I have configured RADIUS between these devices.
    Also I have configured RADIUS between Cisco ISE and Cisco ASA. Now I want to know how to do posture assessment for these devices (Cisco ISE and Cisco ASA or Cisco ISE and Cisco IOS). Please give me the whole steps to do posture assessment for a Cisco IOS device in Cisco ISE.
    Also, please provide me logs related to posture assessment and client provisioning.
    Thanks in advance.

    You may go through the link listed below to download a PDF on posture assessment with ISE.
    http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE, BYOD iPhone issue!! client provisioning

    Guys, when I send down a profile using the native supplicant for iPhone, the iPhone gets it but it does not automatically select TLS on the SSID.
    Here is what happens:
    iPhone connects to BYOD-SSID
    credentials entered
    client provisioning process
    ** if Auto-Login is selected, problem with self registration!!!!!!!!
    bunch of security errors, profile is downloaded
    iPhone reconnects to BYOD-SSID with the credentials initially entered (therefore MSCHAPv) not TLS
    in the client provisioning cycle.
    NOW!!!!
    go back to BYOD-SSID and "forget the network", reconnect again, and manually select TLS using the profile previously downloaded, and everything works!!!!
    Too many freaking steps for BYOD!!!! I can't have my client tell his employees to do that.
    Any ideas.....

    Marcin,
    I have not had the problems you are discussing; what version of code are you running, and I assume you are using the single-SSID method? In my experience I have seen where the new profile overwrites the old PEAP profile and after the CoA hits, the client then uses EAP-TLS to connect.
    Can you provide screenshots of the experiences you are having?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Client provisioning exception for guest flow - bug?

    hi all,
    I encountered one problem with guest flow and client provisioning.
    Please, if someone could confirm that this can or can't be done.
    I want to accomplish such a scenario:
    - AD users have to download the full NAC agent
    - AD users from a specific group, when using web authentication (as a fallback), don't need to download the web agent (so no posture at all - the default status is compliant)
    - all guest users need to download the web agent
    It seems that it can't be done because:
    First of all, to make it work we need to enable "guest users should download the posture client".
    I created the "client provisioning policy" in a way that:
    If it is an AD user and it's not a guest flow (2) then the NAC agent should be applied
    If it is a guest user the web agent should be downloaded
    It works with an exception: when an AD user logs in using web authentication (guest portal), no download page is displayed (as expected) but instead of normal access there is a blank page with the following URL
    https://ise-nfr.sevenetdemo.local:8443/auth/CppSetup.action
    So it seems that even though there is no match in the "Client Provisioning Policy" (again, as expected), ISE still tries to redirect to the CPP portal as this checkbox in the multi-portal configuration says so.
    As a result no CoA is initiated to the switch and the switch authentication hangs on the last default policy - CWA_POSTURE_REMEDIATION
    Is it possible to do it?
    regards
    Przemek

    Please review the below links which might be helpful:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_client_prov.pdf

  • Client provisioning issue

    Hi, I configured client provisioning for guests, and it does not work.
    I checked client provisioning and device registration on DefaultGuestPortal, and configured client provisioning like this:
    OS: Windows All and NAS port type equals Wireless 802.11
    but when I create a guest user ID and log in, there is no client provisioning going on. It just shows the success page.
    Do you know why it is not working properly?


  • Logon Page Customization in SAP Portal 7.31

    Hi Experts,
    I am planning to change the look and feel of the Logon Page for the Portal.
    The current page is already a customized one.
    For making the changes, I requested and got the following files.
    1. tc~sec~ume~logon~ui.war from <drive>:\usr\sap\<SID>\J00\j2ee\cluster\apps\sap.com\com.sap.security.core.logon\servlet_jsp\logon_ui_resources\tc~sec~ume~logon~ui.war
    and
    2. tc~sec~ume~logon~logic_api.jar from <drive>:\usr\sap\<SID>\J00\j2ee\cluster\apps\sap.com\com.sap.security.core.logon\servlet_jsp\logon_app\root\WEB-INF\lib
    The below is the screenshot of the nwa/auth properties.
    The file which was sent to me and the properties look like the standard logon module only.
    I am not sure if the file is the custom one. How do I find out if it is customized? In the layout folder, I couldn't find any images from the current custom logon page.
    I don't have access for deploying the EAR. I have to send it to the Server team and only they will be able to deploy.
    Kindly advise me on how to proceed.
    Kind Regards,
    Jelbin

    Here is the standard link for logon page customization for NW 7.31; check it:
    Developing a Custom Logon Screen - Developing Authentication Enhancements on the AS Java - SAP Library
    If you are modifying an existing custom logon page, first you will require the source code of that custom logon page. Get it and import it in NWDS and follow the steps mentioned in the standard help.
    If the source code is not available, ask your server team to provide the custom logon page EAR file, reverse engineer it by importing the EAR in NWDS, and modify it as per your requirement, following the steps mentioned in the help.
    To know if you are modifying the correct EAR, go to application.xml and check what application alias is mentioned over there; the same will be configured in NWA under the alias for the application for login.
    As per your screenshot it is mentioned as /new_logon
    <context-root>new_logon</context-root>
    Also check the J2EE engine .xml and check if you have your client name mentioned as the company name.
    Another check you can do is to check the images in the WAR file, whether those which appear on the logon page are present: you can right-click on an image on the opened portal logon page and get its name, then check in the NWDS imported project WAR file if those images are present. You can do other checks in the rendered code as per your customization to confirm if you are modifying the correct logon page EAR or WAR file.
    I guess if you don't have the previous custom EAR it might be under your provider location and application alias folder location, not sure of it though:
    <Installation drive>:\usr\sap\<SID>\J00\j2ee\cluster\apps\<providername>\com.sap.security.core.logon
    \servlet_jsp\new_logon\tc~sec~ume~logon~ui.war
    You can ask your server team if they found any WAR file in the <provider name> folder or the application alias folder, or how many WAR files they found if they search for the tc~sec~ume~logon~ui.war file; ask them to give the one which is situated in your <client/provider.com> folder.
    Hope this helps.

  • Redirect from client provision to origin url

    hello
    Does anyone know if there is a way to redirect a user to the home page from the client provisioning portal?
    We are using a wired solution.
    The client PCs have a web browser that automatically opens to the home page when employees log in, and since we have posture configured to check the antivirus, the web browser is redirected to the client provisioning portal. We would like to have the user redirected to the corporate home page after a successful NAC agent check.

    We finally used our custom login module to solve this.

  • Encrypted Alert (21) - Windows 7 client web page login failure

    Hello community,
    I have a challenge for you. This is a very odd issue I am having.
    Let me outline my basic environment. I have a Windows 2003 Server which serves as the DHCP server (with a 2-day lease), Windows 7 clients (fully patched) running IE 11 (fully patched), and a SonicWALL NSA 2400 firewall running the latest firmware 5.8.17xx (SSL controls are not enabled).
    Symptoms: From the Win7 client I open a specific secure web page https:// and after I enter my user name and password I get a server-side message “cannot connect to our authentication server”.
    I called the web site support and they said the message will display if the client trying to connect to the remote server for authentication does not use port 4000.
    I can try to login over and over again but I always get the same message.
    I can see by using the NETSTAT command that port 4000 is being opened on the client but the connection always fails.
    After running Wireshark I discovered that just after the [Login] button is clicked the SSL3.1/TLSv1.2 TCP session is started with the Client and Server saying their respective Hellos, key exchanges, and cipher change, but just after that I get a transmission, from the server side, of “Encryption Alert” (21) and then a [FIN] packet which closes the session.
    This is when the “cannot connect to our authentication server” message pops up since the session has a fatal error decrypting the packet.
    After hours of trial and error, plus reading online, I found I have the option to peer inside these encrypted packets to maybe see more information about the problem with the “bad” packet.
    I’m not sure what key to use to put into the SSL preferences in Wireshark.
    I have tried many things to find a workaround and have found only one way that works consistently.
    I have about 10 clients that login each day and the problem is intermittent.
    Normally 1 or 2 clients will have the problem each day; it’s a crap shoot that it will happen to anyone.
    Well, at least I have not found a pattern yet if there is one.
    Temporary Fix: After the client web page login fails, I can run the following commands.
    I run the first command to set a static IP and then login to the web site and it suddenly works.
    I then log out of the web site and I run the second command to get the client back to a dynamic IP.
    I login to the web page again and the login works. After a random number of days go by the problem comes back and I have to run this temporary fix again.
    (1)
    netsh int ip set address "Local Area Connection" static {ip address} {ip mask} {default gw}
    netsh int ip set dns "Local Area Connection" static {ip address}
    (2)
    netsh int ip set address "Local Area Connection" dhcp
    Just renewing the IP address from DHCP will not do the trick; I have to set it static first.
    Any ideas on what may be happening during the Static IP setting that would fix this?
    I know that Microsoft just recently patched the SCHANNEL file(s) in November.
    I started seeing this issue on December 15th.
    I’m currently assuming that there is a defective packet because according to MSDN and RFC tables the “Encrypted Alert” 21 code means
    decryption_failed – “Decryption of a TLSCiphertext record is decrypted in an invalid way: either it was not an even multiple of the block length or its padding values, when checked, were not correct. This message is always fatal.”
    I really appreciate any insight anyone may have on how this process works and what may be happening.
    - Dr. Dig

    MeipoXu,
    Thanks for the reply and the fantastic link to that detail. I am seeing events on many workstations, and not just the ones with this problem. The event ID is 36887 and the message is “The following fatal alert was received: 40”. I did some research on this error and it appears that it is related to the MS KB2992611 patch. Apparently the patch, which we did deploy back in December, has caused a number of schannel problems, while trying to fix some. Our issue started on 12/15/14.
    There's an article on ZDNet (search for "Microsoft Warns of problems with Schannel security update") where it explains what is happening since the patch.
    I have done two things to fix it, without removing the MS patch.
    The one manual fix I mentioned in my first post, and I can also uncheck the 3.0 SSL/1.2 TLS in my IE browser.
    In fact I went back to SSL 2.0 / TLS 1.0 and have not had any problems for 6 days now.
    I am going to set a PC back to the “problem” settings to confirm 1.2 TLS is my problem. I’ll report back my findings for others.
    The one thing to note is that we login to multiple secure sites and only one has the issue.
    I suspect the other side has done, or not done, something to make the issue happen with my settings.
    Dr_Dig
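    An added example (not from either post above): a small Python parser that splits a TLS byte stream into records and describes the Alert records, using the description codes this thread mentions (21 decryption_failed, 40 handshake_failure). It separates the record content type (21 is the Alert content type) from the alert description byte, and reports an alert sent after ChangeCipherSpec as encrypted, which is what a dissector labels "Encrypted Alert". The sample bytes are constructed, not a capture from the poster's network.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # subset of the RFC 2246 / RFC 5246 AlertDescription registry
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca",
    70: "protocol_version",
}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_records(data):
    """Split raw bytes into TLS records: (content_type, version_tuple, payload)."""
    records, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, (vmaj, vmin), body))
        off += 5 + length
    return records


def describe_alert(record):
    """Return a dict describing an Alert record, or None for other content types."""
    ctype, version, body = record
    if ctype != 21:
        return None
    info = {"version": VERSIONS.get(version, "unknown %r" % (version,))}
    if len(body) == 2:  # plaintext alert: one level byte, one description byte
        level, desc = body[0], body[1]
        info.update(encrypted=False, level=ALERT_LEVELS.get(level, "unknown %d" % level),
                    code=desc, description=ALERT_DESCRIPTIONS.get(desc, "unknown %d" % desc))
    else:
        # After ChangeCipherSpec the alert body is encrypted (plus MAC/padding), so the
        # description is not readable from a capture without the session keys; this is
        # what a protocol dissector labels "Encrypted Alert".
        info.update(encrypted=True, length=len(body))
    return info


def find_alerts(data):
    """Parse a byte stream and return a description of every Alert record, in order."""
    return [a for a in map(describe_alert, parse_records(data)) if a is not None]


# Constructed sample stream (not a real capture): a tiny handshake record, a plaintext
# fatal handshake_failure (40), then ChangeCipherSpec followed by an encrypted alert
# whose 26-byte body is opaque ciphertext (zeros here, since it is only a placeholder).
SAMPLE = (
    b"\x16\x03\x03\x00\x04" + b"\x01\x00\x00\x00"   # handshake record (ClientHello stub)
    + b"\x15\x03\x03\x00\x02" + b"\x02\x28"         # alert: level fatal (2), handshake_failure (40)
    + b"\x14\x03\x03\x00\x01" + b"\x01"             # change_cipher_spec
    + b"\x15\x03\x03\x00\x1a" + b"\x00" * 26        # encrypted alert, 26-byte ciphertext
)

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(alert)
```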
