ISE 1.2 Employee Portal

Hi Guys,
I'm a little bit new with this Cisco ISE and I'm wondering if you can help me.
My setup is a WLAN 802.1x and I'm planning to deploy in the ISE just Device Registration WebAuth (only showing AUP) since the username and password authentication are checked via the WLAN settings of the computer.
My questions are these: if I do that setup, when the employee logs out and in again, does that employee need to see the AUP again? Also, how does the ISE check whether the device registration has been done successfully? Will the attribute Endpoint: BYODRegistration = YES take effect?
Thank you very much in advance.

If you had selected every login in the multi-portal settings, then the user needs to accept the AUP with every login.
And in the Sponsor portal you will be able to see the device status.

Similar Messages

  • ISE 1.2 Multi-Portal Identity Group Mapping

    Hi,
    Quick question regarding the use of Multi-Portal on ISE 1.2: Is it possible to map a single portal to a certain identity group? e.g. I have a portal for guest users, to which only users in the "ACME_guests" identity group can authenticate. I have a separate Portal for employees, where only users of the "ACME_employees" group can authenticate.
    I know that I can specify a separate authentication sequence for each portal (e.g. internal, guests, AD), but I can't find a way to map a group to a certain portal. This has the consequence that e.g. guest users can log into the employee portal and get a successful authentication message. Of course I can further restrict the access in another policy rule, but this isn't a very neat solution.
    Anybody have any ideas? It seems so basic that it has to be possible somehow?!
    Regards

    You can redirect users so they can "stick" to one portal once they have successfully authenticated. There is a document regarding device registration web authentication. Basically after a user connects successfully you can redirect them to an AUP specially designed to statically assign users to a specific endpoint identity group.
    In the end, if a user logs into portal A, they hit the DRW and accept, and ISE dumps them into an endpoint group called PortalA. You can then tie this into a policy where the PortalA endpoint is denied association to any other open SSID you have in your design.
    Here is the document -
    https://supportforums.cisco.com/docs/DOC-26667
    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.2 Guest Portal Profiling Certainty Factor not Increase

    Hi, I have configured the ISE 1.2 Guest Portal and check profiling for which device logs in, but I found that the endpoint profile does not match after the user successfully authenticates.
    The profiling configuration and endpoint details are in the attachment below.

    Hi salodh
    As you can see in the attached files, all profiling is configured correctly and the condition should match according to User-Agent Contains Android (profile3.png), and the Certainty Factor must increase (profile2.png) in this case, but the Total Certainty Factor is still 0 in the endpoint profile (profile1.png).

  • Delegation of authority through his Employee Portal (ESS)

    HI Experts,
    We have one scenario where one person gives authority to other to create Travel Request/Expense on his behalf.
    Is this scenario possible through ESS?
    Here the user logs in with his credentials and creates a Travel Request/Expense for another employee in his employee portal (ESS).
    Regards,
    Ravi

    Dear Somu,
    Based on your reply, I have a few questions.
    1) How are all travel requests/expenses stored under the Assistant's name only?
    Ravi> How are all the travel requests/expenses stored under the Assistant's name? How can she access other employees' trip numbers? Can you please shed some light?
    2) Whenever the Assistant sends a travel request/expense, the Assistant has to inform manually (through phone or e-mail).
    Ravi> When the Assistant sends a travel request/expense with his/her credentials, it will create his/her own travel request but not others'. This is where I'm stuck: I want the Assistant to create a travel request/expense on behalf of another employee through his/her ESS credentials.
    3) Please let me know your system version
    Ravi>  EHP6
    Thanks in advance.
    Regards,
    Ravi

  • Building an employee portal w BC. Add'l req incl company calendar+Outlook integration. Done this?

    We are building an employee portal using BC. Additional requirements include a company calendar and a conference room scheduler also a link to Outlook Calendar. Anyone done anything like that?

    Thanks Brett, we just signed up for O365 even though we are a Mac house, did it for compatibility with client stuff and for viewing on tablets. Will check out Sharepoint and see if we can figure out some of these handoffs from BC. Sales guys for our clients aren't going to give up Outlook even if they like our email campaigns :-)

  • ISE 1.2 Guest portal user cannot change their passwords

    I have a WLC 5508 (version 7.6) and a server with ISE installed (version 1.2.1.198). We have configured CWA and use the guest portal as the login URL for both employees and guests. We can log in successfully with a manually created internal user and password, and we set up "Allow guest users to change password" in Multi-Portal, but the user cannot change the password in the guest portal. I suspect the change password option on the Guest Portal actually works? Can anyone tell me how users can change their own username password in the guest portal?

    Requiring Guests to Change Password
    You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.
    You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users. Select the specific internal user from the Network Access Users list and enable the change password check box.
    Before You Begin
    Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.
    Step 2 Check the Guest portal to update and click Edit.
    Step 3 Click the Operations tab.
    Step 4 Check either or both options:
      • Allow guest users to change password
      • Require guest users to change password at expiration and first login
    Step 5 Click Save.

  • ISE 1.2: Employee with personal device registration

    Hi experts,
    I'm aware of this discussion https://supportforums.cisco.com/discussion/11962026/ise-12-device-registration-mab-only-no-client-provisioning#comment-9371166
    but looking for a detailed configuration to get following to work:
    Employees have access to the network with their corporate devices. No problem.
    Now employees need to be able to use their own mobile devices to get access. There is no definition of what devices are allowed.
    I guess letting employees register their private devices with MAC address on the MyDevice portal would be the most sufficient solution.
    Does anyone have a detailed configuration or link how to achieve that?
    Thanks,
    Frank

    Having BYOD access be based on MAC address only is not really ideal and also not secure. A MAC address can easily be spoofed and consequently your security policy can be bypassed. If you have a PKI environment you can take the EAP-TLS with SCEP approach:
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html
    If you don't have a PKI environment and don't want to mess with certificates, you can still use a more secure method than MAC addresses. For instance, you can perform PEAP user authentication. You can create a "special" BYOD AD group and place the authorized users there. Then they can use their AD credentials to authenticate. In the authorization policy you can limit the access for those types of authentications via dACLs (switches) or named access lists (WLCs).
    Hope this helps!
    Thank you for rating helpful posts!

  • ISE Using my device Portal , devices still in pending registration status

    Abstract:
    I'm on ISE 1.2 patch 8.
    We want to give wireless access to mobile devices using 802.1x with Active Directory. The condition is that the user must previously register the mobile device in the "my device portal".
    -The corporate user, connected from the LAN network, logs in to the "my device portal" using their Active Directory account and registers their device.
    -The policy defined in ISE indicates that 802.1x users in an AD group and matching the condition "RegistredDevices" can access the network (see screen 1).
    -Users access the wireless network from their mobile device by entering their AD username and finally access the network.
    -In the "my devices portal", devices always show “Pending” status. All works as expected except for this situation.
    Can you please help?
    Regards,
    Marco Muñoz

    It looks like you don't have any provisioning profiles configured.
    Under Admin settings make sure client provisioning is enabled. Try to set native supplicant provisioning policy unavailable: to Allow Network Access.

  • ISE 1.2 Guest Portal - Device registration portal

    Hello,
    I have a problem with the following setup:
    - Cisco ISE 1.2 (latest patch)
    - Cisco WiSM with 7.0.220.0 (first generation)
    I have built Guest access via ISE. Because the WiSM's highest version is 7.0.X, I used LWA with a redirect to the ISE guest portal. When using the Guest SSID with an iPad, the client is redirected to the ISE guest portal and the user can enter his credentials (delivered by the Sponsor). After clicking "Sign On", the client is forwarded to the "Device Registration Portal" of ISE and needs to register his MAC address.
    We have tried a lot of different settings but we cannot switch off the forward to the "Device Registration Portal". We only want to use the Guest User portal.
    Please can someone help me to find a solution for this problem?
    Thank you in advance.

    I know this might be reaching, but have you turned off the My Devices portal?
    If so, an idea of the different settings you have already tried might help.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE 1.2 Sponsor portal port change not working

    Hi,
    Has anyone else had an issue where they change the default port number of the sponsor portal on the Admin node, all ISE restart, but the sponsor portal still only works on the default 8443 port?
    Thanks,
    Ct

    Hi,
    As you know, the default port is 8443, but you can change this value, so ensure that you assign the same value to the switch and that it matches the setting in Cisco ISE.

  • ISE 1.2 Sponsor Portal issue

    Hi
    We have an ISE version 1.2 installation and are trying to customise the Sponsor Portal login page to show the terms and conditions for staff when accessing the page, by using the display pre-login banner under the sponsor portal themes settings.
    We have added the text for both pre and post login banners and have selected the check boxes for both, but for some reason when saved the text does not display and the check boxes show as being unchecked when going back to the page. Is this a bug? I have reset to factory defaults and retried but it is still not working. Any help would be appreciated.

    It may be a browser issue. Please check the supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals:
    These Cisco ISE portals support the following operating system and browser combinations. These portals require that you have cookies enabled in your web browser.
    Table 8: Supported Operating Systems and Browsers
    Supported Operating System / Browser Versions
    Google Android 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
      • Native browser
    Apple iOS 6, 5.1, 5.0.1, 5.0
      • Safari 5, 6
    Apple Mac OS X 10.5, 10.6, 10.7, 10.8
      • Mozilla Firefox 3.6, 4, 5, 9
      • Safari 4, 5, 6
      • Google Chrome 11
    Microsoft Windows 8
      • Microsoft IE 10
    Microsoft Windows 7
      • Microsoft IE 9
      • Mozilla Firefox 3.6, 5, 9
      • Google Chrome 11
    Microsoft Windows Vista, Microsoft Windows XP
      • Microsoft IE 6, 7, 8
      • Mozilla Firefox 3.6, 9
      • Google Chrome 5
    Red Hat Enterprise Linux (RHEL) 5
      • Mozilla Firefox 3.6, 4, 5, 9
      • Google Chrome 11
    Ubuntu
      • Mozilla Firefox 3.6, 9

  • ISE 1.2 Sponsor Portal- Account Expiration Date Defaults to same time as Start Date

    We have a time profile set up for the ISE Sponsor Portal with Start/End. I understand this allows the sponsor to specifically set the start and end time for the guest account. When creating an account, the Start/End time is the same time. If a Sponsor forgets to set the end time, then the guest account will be created, but will expire, not allowing the guest to log in. It would be nice to have the end time default to something other than the start time, like 8 hours default. Is this possible? Can the expiration time default to something like 8 hours, but still give the Sponsor the ability to adjust the start/end times if needed? This is very simple, and I cannot believe this is not available.

    Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
    Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
    DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
    DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
    DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.
    Upon expiration of their account per their assigned time profile, they will no longer be able to login or access the company network.
    If a guest were to return to the network, the sponsor can change the account duration via the sponsor portal to grant them access again and then require them to change their password if deemed necessary (depending on the settings). Changing the account duration can be used for extending a guest user's access longer than the original setup.
    If you upgrade to Cisco ISE 1.2, the older time profiles are still available, but you can delete them if you are not using them. If the older time profiles are assigned to a sponsor group, a message alerts you before deleting. If you perform a new installation of Cisco ISE 1.2, only the new time profiles display.

  • ISE 1.2 sponsor portal - disabling default languages

    Hi,
    We are implementing Cisco ISE 1.2 and have a question on the sponsor portal languages.
    The client company's official language is English and so we would like to disable all other languages from the sponsor portal. If we don't do it, the users might select their native language (on the sponsor settings and/or the guest notification language) meaning that we have to customize and maintain all 15 language templates.
    It has already happened during the tests: a sponsor created a guest account and chose a notification language other than English - the SMS was not sent because the "Destination" on the "SMS text message notification" default value is "[email protected]".
    Thanks in advance.
    Regards,
    Telmo Oliveira

    Hi all,
    This reply to myself is done for documentation purposes; it can help someone with the same challenge.
    Today I was at an event at Cisco where ISE 1.3 beta was presented. This version will already have the option to choose between browser locale or static language template. Talking to the Cisco eng. responsible for the presentation, he told me that 1.2 had no way to do it.
    Cisco ISE 1.3 is now planned to be released end of 2014.
    Regards,
    Telmo Oliveira

  • ISE 1.2 Guest Portal - This device has not been registered.

    I have set up an SSID on my WLC. I got the redirecting to my ISE guestportal working.
    However, when I sign in I get a Device registration Page
    "This device has not been registered"
    Unable to obtain the user information needed for network access.
    The device ID is grayed out and blank.
    Any assistance in this matter would be greatly appreciated

    Thanks Johnston,
    P.S for those who needs the path ISE 1.2 Administration -> Web Portal Management -> Settings -> Multi-Portal Configurations -> DefaultGuestPortal -> Operations.
    On another note
    When I login - I get my acceptable usage policy.
    Accept
    Then get a Device registration Portal where I can add the MAC address.
    Now I have two questions.
    When I add my test MAC address the URL redirects to myservername:8443/guestportal/AfterDevReg.action - unable to connect <- that's the one issue.
    The other is - Can't I bypass the MAC? i.e. once the user is signed on to get access.
    Currently I have the following settings enabled.
    Enable Mobile Portal
    Allow guest users to change password
    Guest users should be allowed to do device registration <- if I disable that, after signon the page just flashes back to the guest portal.

  • Cisco ISE 1.2 Guest Portal customization with vWLC redirect

    Hello Support Community,
    We have a problem regarding customized web authentication on ISE 1.2 with package ISE12CustomPortalPackage-v4.zip. We have a Virtual Wireless Controller where we do a redirect to ISE. When we use the default guest portal on https://x.x.x.x:8443/guestportal/Login.action, authentication and authorization work fine. When we redirect to the Cisco templates on https://x.x.x.x:8443/guestportal/portals/example/Login.html, the customized login page is displayed and after correct authentication the guest successful page is displayed, but we can't go to any webserver although ISE shows authentication and authorization as successful. When we try to reach a webserver after successful authentication we get redirected to the customized login site. The Virtual Wireless Controller shows the client as "Webauth Required" after successful authentication. Central Web Authentication isn't possible because we have a different AAA server for 802.1X and only use wired guest access on a particular VLAN from the WLC. Are there any known issues regarding the customization template or is there something wrong with our redirect?
    I hope somebody can help us.
    Best Regards
    Benjamin

    Hello Neno,
    1. I attached screenshots below.
    2. There is nothing related to this client.
    3. I attached Debug below.
    We are currently using MAB on our switches as a fallback to our 802.1X on our wired access. Order and Priority currently is 802.1X/MAB/Auth-Fail-VLAN. CWA is based on a failed MAC-Authentication which leads to an Authorization Profile to permit access with Webauth.
    If you configure Wired guest access on WLC there isn't a possibility to configure MAC-Authentication.
    CWA on our switches isn't possible because we are currently using failed MAC-Authentication to direct clients to our Auth-Fail-VLAN which has restricted access secured by SVI-ACL which allows us HTTP Access to printers (manual Cert Deployment) and automated Cert enrollment to our computers.
    Best Regards
    Benjamin
