ISE 1.2 customizing guest portal
I am having some issues trying to customize colours on the default guest portal in ISE 1.2.
Is there really no way to change the entire page background colour, except going through creating a complete set of html files ?
It seems if i upload a transparent background image for both the banner and the logo, and then change the all the gackground coulour settings, the colour only affects the area where the cisco splash logo is, and not the entire page.
I attached my settings, and how the page looks with those, what i am after is the entire page black, and then white text.
Hello Jan
You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal.
These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead.
Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.
Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals.
Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal.
Step 4 Click Save.
Similar Messages
-
ISE 1.1 - Error Custom Guest Portal
Ciao,
we are facing a strange problem on ISE Custom Guest Portal.
After pressing the login button it returns an error:
Error:
Resource not found.
Resource:/guestportal/
It seems like that te function "/guestportal/LoginCheck.action" is not able to return the succesfull login page.
It's quite strange because user are authenticating without problem.
Any clue?
Ciao e grazie!
LucianoCiao,
we faced the problem on clients connected in wireless, where WLC redirect to the custom guest portal.
The setup works fine for almost 2 months, than it stop working; then we re-imaged the device (1st time).
Digging in the log with SE of TAC (621986639) we found these errors:
2012-06-06 13:55:32,152 ERROR 2012-06-06 13:55:32,152 [http-443-10][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
2012-06-06 13:57:43,839 ERROR 2012-06-06 13:57:43,839 [http-443-10][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:8080/guestportal/gateway?sessionId=SessionIdValue&action=cpp
2012-06-06 13:59:39,923 ERROR 2012-06-06 13:59:39,923 [http-443-5][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
And during the test these errors were generated:
2012-06-07 16:05:58,448 ERROR 2012-06-07 16:05:58,448 [http-8080-2][] org.apache.struts2.dispatcher.Dispatcher- Could not find action or result
There is no Action mapped for action name Login. - [unknown location]
at com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:186)
at org.apache.struts2.impl.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:41)
at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:494)
at org.apache.struts2.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:422)
So we performed another re-image (2nd time) with a different media (not sure the problem was the media, it should be some script fail) today I'm performing some test ... I'll update this discussion asap.
Ciao!
Luciano -
Activate custom guest portal in ISE
This question must sound stupid, but I'm struggling with it four two days now without success:
I've managed to upload custom HTML files for a custom guest portal via
Administration -> Web Portal Management ->Settings -> Guest -> Multi-Portal Management
and assigned files for the four required File Mappings (Login, AUP, Guest Success, Error)
However, where do I configure that this custom portal is actually used?
The only observable Difference to the DefaultGuestPortal I find is that under Authentication, it has the setting Identity Store Sequence = Guest_Portal_Sequence (greyed out) while my custom portal has this field empty (and also greyed out).
I merely found in the docs that the redirection URL should be schanged to mathc the portal name. However, my guess is that this URL is a RADIUS option and should thus be configurable on the ISE - somewhere, but I found nothing.
(While we're at it: Where can I configure the redirection to take place with hostname instead of ip? All examples in docs seem to use ip, but that is of course ridiculous in connection with https as it makes the use of certificates from well-known CAs impossible)Andreas:
You better move your discussion to Security -> AAA forums. They will be able to help you better.
Rating useful replies is more useful than saying "Thank you" -
Hello,
this document lead to multiple failure !!!!
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
This guy really helps !!!
https://www.youtube.com/watch?v=TW2ZJVIZ8bs
See attached screen captures.
ISE documentation, even published by TAC is not reliable.
Bring back the Cisco we liked so much 15 years ago !!!!!Hello Jan
You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal.
These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead.
Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.
Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals.
Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal.
Step 4 Click Save. -
Hello. Can I change default web guest portal: change background picture, logo, and add some-things.
Thansk.You can customize a portal theme, changing text, banners, background color, and images.
This section shows you how to create a custom portal theme, by setting and applying customized options.
You can follow the same steps to modify an existing customized portal theme.
Note: Supported image formats include jpg, jpeg, gif, and png.
To customize a portal theme, complete the following steps:
Step 1: From the Cisco ISE Administrator interface choose:
Administration > Guest Management > Settings.
Step 2: In the Settings panel on the left, Select
General > Portal Theme. (The Portal Theme page appears on the right.)
Step 3: Customize the portal theme in the following ways:
Change the Login Page Logo.
This setting allows you to change the logo on the portal Login page. You can choose the default Cisco
Logo or upload a custom image.
To upload a custom login page logo, complete the following steps:
Step 1: Select Upload New File from the drop-down menu.
Step 2: Click Browse, navigate to and select the desired image file.
Step 3: Click Open.
Recommended guidelines for a login page logo image are as follows:
• Height: 16-480 pixels
• Width: 16-480 pixels
Change the Login Page Background Image.
This setting allows you to change the background image on the portal login page. You can choose the
default Cisco background or upload a custom background image.
To upload a custom background image, complete the following steps:
Step 1: Select Upload New File from the drop-down menu.
Step 2: Click Browse, navigate to and select the desired image file.
Step 3: Click Open.
Customize the Banner Logo
This setting allows you to change the portal banner logo. You can choose the default Cisco banner or
Upload a custom banner logo.
To upload a custom banner logo, complete the following steps:
Step 1: Select Upload New File from the drop-down menu.
Step 2: Click Browse, navigate to and select the desired image file.
Step 3: Click Open.
Customize the Banner Background Image
This setting allows you to change the portal banner background image. You can choose the default Cisco
Background or upload a custom background image.
To upload a custom banner background, complete the following steps:
Step 1: Select Upload New File from the drop-down menu.
Step 2: Click Browse, navigate to and select the desired image file.
Step 3: Click Open.
Change the Login Background Color
This setting allows you to change the background color of the portal login page.
To change the login page background color, complete the following steps:
Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format, such as the following: FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
Step 2: Click Show Color to display the specified color.
Customize the Banner Background Color
This setting allows you to change the banner background color of the portal. To set the login background color, complete the following steps:
Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format, such as the following: FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
Step 2: Click Show Color to display the representative color.
Sponsor Settings
Customize the Content Background Color
This setting allows you to change the content background color for the portal pages.
To change the content background color for the portal, complete the following steps:
Step 1: Enter the color value as a RGB (Red Green Blue) hexadecimal value in HTML color format such as FFFFFF. Each pair of hexadecimal digits expresses an RGB value from 0-255.
Step 2: Click Show Color to display the representative color. -
ISE 1.3 Sponsored Guest Portal Login Failure
Hello Team,
Ive created a guest account in the sponsor portal for a test guest user, however the state remains in "created" state.
Now when the user tries to log on via the sponsored guest portal the error back is "invalid username or password".
In ISE logs it says :
Overview
Event
5418 Guest Authentication Failed
Username
bnawaz01
Endpoint Id
Endpoint Profile
Authorization Result
Actions
Troubleshoot Authentication
View Diagnostic Messages
Audit Network Device Configuration
View Network Device Configuration
View Server Configuration Changes
-->Authentication Details
Source Timestamp
2014-12-24 08:49:05.551
Received Timestamp
2014-12-24 08:49:05.553
Policy Server
DC1-ISE-DMZ01
Event
5418 Guest Authentication Failed
Failure Reason
Account is not yet active.
Resolution
Root cause
Username
bnawaz01
User Type
GuestUser
Endpoint Id
Endpoint Profile
IP Address
Authentication Identity Store
Guest Users
Identity Group
GuestType_Contractor (default)
Audit Session Id
Authentication Method
PAP_ASCII
Authentication Protocol
PAP_ASCII
Service Type
Network Device
Device Type
Location
NAS IP Address
NAS Port Id
NAS Port Type
Authorization Profile
Posture Status
Security Group
Response Time
Any ideas why this might be, if im doing something wrong and how to fix?
Thank you
BilalI have had the same issue, the fault is caused by the time zone in the sponsor groups being set by default to UTC, so if you are in London the accounts wont become available until UTC time. The best practice is to add a local time zone and remove UTC at initial configuration
To resolve this create a new local time zone in Guest Access>Settings>Guest Locations and SSIDs then under Guest Access>Configure>Sponsor Groups amend the time zone properties in each sponsor group
One other problem is if you do not remove this at initial configuration you don't seem to be able to get rid of UTC, not really an issue unless you forget when creating new sponsor groups -
ISE 1.1.1 - Guest Portal CWA - No username required, only AUP?
We utilize a guest wireless NET that does not require a username/pass, rather, it only requires acceptance of the AUP. Is it possible to do this from ISE's CWA?
Thanks, -bDo you have any links to describe these steps in detail? I have time today to build this out and test. At this point, in order to get to the "device registration" portal, I am still required to enter my username and password on the guest portal. I am not sure how to redirect directly to the device registration portal.
Thanks,
-b -
ISE, guest portal on WLC
Hi,
Currently we have wireless guest login through a guest portal in the WLC. Is it possible to implement ISE and keep the guest portal in the WLC?
Example:
User connects to a SSID with an laptop. That laptop is profiled as not belogning to the company network and is then redirected to the WLC guest portal.
All the guides I find is about having the guest portal in the ISE.
Regards
PhilipYou can use LWA for this . he WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Service Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning.
Refer to the following link for configuration example
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
Hello,
We have some disconfort with Guest web authentication. When WLC redirects a guest user, he views certificate error.
Can I use http instead https for guest portal?
Thanks,
OlegHi,
Is your guest portal on the ISE ? In the ISE , there is only HTTPS port allowed to configure under Guest portal and no option of http port is there , So I dont think so. You also might be using port 8443 in the external web-auth redirection URL under security tab.
Now even if you put a valid certificate on the ISE which hosts external guest portal , still you would receive certificate warning as long as you use local web server of the controller which is its virtual ip address.This is because even if the external web server where page is hosted for example has a valid certificate , even then internal virtual ip address is presented to the client.
So
> either you trust them in your browser so that you dont receive certificate warnings
>or else have a valid certificate on the controller and external web server.
> or use http for web authentication in the controller and also http to external hosted page, then also you can get rid of these certificates.
Regards
Dhiresh -
Hi,
Using WLC and ISE, is it possible to simply present Guest users with an AUP (without having to do any kind of authentication) before granting them Internet access..? Would this be done using Web Passthrough on the WLC or modifying a Portal template on the ISE so that it does not contain a Login page?? Any advice welcome.
Cheers,
Santiyou can customize the guest login portal page:
To support a fully-customized guest portal, you must provide a minimum set of HTML pages based on the features you want to support:
Login Page—Required
Successful Guest Login Page—Required
Error Page—Required
Acceptable Use Policy Page—Required only if you require guests to acknowledge an acceptable use policy.
Change Password Page—Required only if you require guests to change their passwords when signing in for the first time.
Self-Registration Page—Required only if you allow guests to create their own accounts (self service).
Self-Registration Result Page—Required only if you allow guests to create their own accounts (self service).
Device Registration Page—Required if you are supporting device registration for guest users. -
Ise 1.2, cannot access guest portal
I upgraded from 1.1.4 patch 3 to 1.2 but cannot access guest portal anymore nor with FQDN:8443 nor with IP:8443
any idea?I had attached the steps to configure the guest portal and hope will address the problem.
Configuring the Guest Portal
Adding a New Guest Portal You must configure settings for the Guest portal before allowing guests to use it to access the network. Some settings apply globally to all Guest portals and other require you to set them for each portal individually.
You can add a new Guest portal or edit an existing one.
Step 1Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.
Step 2Click Add.
Step 3Update the fields on each of these tabs:
•General—enter a portal name and description and choose a portal type.
•Operations—enable the customizations for the specific portal
•Customization—choose a language template for displaying the Guest portal with localized content
•File Uploads—displays only if you have chosen a portal type requiring you to upload custom HTML files.
•File Mapping— identify and choose the HTML files uploaded for the particular guest pages. Displays only if you have chosen a portal type requiring you to upload custom HTML files.
•Authentication—indicate how users should be authenticated during guest login.
Step 4Click Submit.
Specifying Ports and Ethernet Interfaces for End-User Portals
You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.
You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.
Step 1Choose Administration > Web Portal Management > Settings > General > Ports.
Step 2Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444.
Step 3Check the Gigabit Ethernet interfaces you want to enable for each portal.
Step 4Click Save.
If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
Tips for Assigning Ports and Ethernet Interfaces
•All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.
•You must assign the Blacklist portal to use a different port than the other end-user portals.
•Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.
•You must configure the Ethernet interfaces using IP addresses on different subnets. Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:
Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals
You can set the Sponsor and My Devices portals to use an easy-to-remember fully-qualified domain names (FQDN), such as: mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.
Before You Begin
Step 1Choose Administration > Web Portal Management > Settings > General > Ports.
Step 2Scroll to the Portal FQDNs section, and check the appropriate setting:
•Default Sponsor Portal FQDN
•Default My Devices Portal FQDN
Step 3Enter a fully qualified domain name.
Step 4Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
Step 5Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node. -
Cisco ISE Guest Portal - DNS Issue - External Zone
Hello,
I have a customer that has the following sceanrio :
In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect URL from ISE (URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so, the PC can't resolve this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided by the DHCP server, and, so, it can't access the Guest Portal at all ;
I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
Thank-you in advance for your replies.
Robert C.Robert,
Manual assignment has been made available in ISE 1.2 release.
M. -
Cisco ISE 1.2 Guest Portal customization with vWLC redirect
Hello Support Community,
we have a problem regarding customized web authentication on ISE 1.2 with Package ISE12CustomPortalPackage-v4.zip. We have a Virtual Wireless Controller where we do a redirect to ISE. When we use default guest portal on https://x.x.x.x:8443/guestportal/Login.action authentication and authorization works fine. When we do redirect to Cisco templates on https://x.x.x.x:8443/guestportal/portals/example/Login.html customized login page is displayed and after correct authentication guest successful page is displayed but we can't go to any webserver although ISE shows authentication and authorization as successful. When we try to reach a webserver after successful authentication we get redirected to customized login site. Virtual Wireless Controller shows client aus "Webauth Required" after successful authentication. Central Web Authentication isn't possible because we have a different AAA Server for 802.1X and only use wired guest access on a particular VLAN from WLC. Are there any known issues regarding customization template or is there something wrong regarding our redirect?
I hope somebody can help us.
Best Regards
BenjaminHello Neno,
1. I attached screenshots below.
2. There is nothing related to this client.
3. I attached Debug below.
We are currently using MAB on our switches as a fallback to our 802.1X on our wired access. Order and Priority currently is 802.1X/MAB/Auth-Fail-VLAN. CWA is based on a failed MAC-Authentication which leads to an Authorization Profile to permit access with Webauth.
If you configure Wired guest access on WLC there isn't a possibility to configure MAC-Authentication.
CWA on our switches isn't possible because we are currently using failed MAC-Authentication to direct clients to our Auth-Fail-VLAN which has restricted access secured by SVI-ACL which allows us HTTP Access to printers (manual Cert Deployment) and automated Cert enrollment to our computers.
Best Regards
Benjamin -
Pb to reach ISE Guest portal due to DNS constraints
I have set up a Guest Portal with WLC 5508 7.4 and ISE 1.1.1 ;
everything is OK, except one thing :
the Guest VLAN, associated to the Guest SSID is, actually, a DMZ behind my customer firewall and the DHCP parameters provided to the wireless Guest equipement connected on this VLAN include the public ISP DNS servers addresses, not the customer internal DNS serveurs addresses;
this seems OK since the idea of this Guest SSID is to give a pure Internet access to the Guests, and no connection at all towards the customer internal servers;
the problem is that, when the wireless guest receives the redictect URL from ISE (URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so, the PC can't resolve this internal DNS name by using the ISP DNS servers addresses provided by the DHCP server, and, so, it can't access the Guest Portal at all ;
Apart from changing those DNS values in the DHCP server (the customer does not accept this solution), how could we solve this problem ?
I have tried to code manually , in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
cisco-av-pair=url-redirect=https://192.168.1.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa,
but, it does not work, since the sessionIdValue variable is not replaced by its real value when sent to the wireless client
any comment welcomedWe had the same issue. Our solution was to advertise the internal IP address from our external facing DNS server and let it propagate publicly. Our ISE box is in a DMZ and the firewall rules do not allow outside traffic to it, however the clients will get the correct internal IP address and since they are already inside the firewall on the DMZ segment they are able to get to the ISE box with the publicly resolved internal IP address. The other option we entertained was a firewall DNS redirect. That would work by intercepting the DNS request for that specific URL and return the proper internal IP, all other DNS requests would pass through to the public DNS server.
-
ISE Guest portal web page customization
Folks,
Excuse me for being ignorant but I'm curious where I can get a "localization support example with sample HTML pages".
This is what I found in the user guide:
"You can customize the Guest portal by uploading HTML pages to Cisco ISE. When you upload customized pages, you are responsible for the appropriate localization support for your deployment. Cisco ISE provides a localization support example with sample HTML pages, which you can use as a guide. ISE provides the ability to upload, store, and render custom internationalized HTML pages"
Let's say the web page that I want to show on the Guest portal has some style sheets (CSS). How am I going to upload it ?Please review the below link which might be helpful:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_41_guest_services.pdf
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
Maybe you are looking for
-
Delivery Reports, Mail Control: Safe handle has been closed
When i try to open Delivery reports from mail control in exchange i get the following error page, i included the stack trace to help make this easier to track down the problem Safe handle has been closed Description: An unhandled exception occurred d
-
There are many Macs in the network, but only a few are supposed to use the TC. Is there a way to hide a TC from the other users? We also have an Open Directory server. Those users that are allowed to use the TC are also in the OD (i.e. the users mana
-
I have an interactive report that I would like to show in detail view. I have set enable detail view to Yes I have set before rows to <table> I have set for each row to <tr><td>#CREATED_ON#</td></tr> I have set after rows to </table> When I click on
-
Trouble installing w/ Adaptec 2940UW and Seagate ST19101WC
I am running a home built PC w/ an Adaptec 2940UW SCSI card and a Seagate ST1901WC SCSI hard drive. I have loaded and removed Redhat 6.1, Windows 2000, Windows 98 SE. I know that the hardware is installed properly. When I try to load Solaris 8 for In
-
Wrong agent picked if manager not maintained for employee in leave request
Hi All We are using std. workflow WS12300111 for leave request approval which is run from the EP side. It is working all fine, but the problem arises when there is no manager maintained for an employee. Idealy it should have given a error message; bu