ISE 1.2 Guest Portal Profiling Certainty Factor not Increase

Hi I have configure ISE 1.2 Guest Portal and check for profiling which device login but I found that endpoint profile not match after user succesful authenticate
Profiling Configure and Endpoint Detail in attachment below

Hi salodh
as you can see in attach file all profiling are configure correctly and condition should be match according to User-Agent Contain Andriod (profile3.png) and Certainty Factor must increase (profile2.png) in this case but Total Certainty Factor still 0 in endpoint profile (profile1.png)

Similar Messages

  • ISE 1.2 Guest Portal - This device has not been registered.

    I have setup and SSID on my WLC. I got the redirecting to my ISE guestportal working.
    However when I sign in I get a Device regitration Page
    "This device has not been registered"
    Unable to obtain the user information needed for network access.
    The device ID is grayed out and blank.
    Any assistance in this matter would be greatly appreciated

    Thanks Johnston,
    P.S for those who needs the path ISE 1.2 Administration -> Web Portal Management -> Settings -> Multi-Portal Configurations -> DefaultGuestPortal -> Operations.
    On another note
    When I login - I get my acceptable usage policy.
    Accept
    Then get a Device registration Portal where I can add the MAC address.
    Now I have two quistions.
    When I add my test mac address the url redirects to myservername:8443/guestportal/AfterDevReg.action - unable to connect <- that's the one issue.
    The other is - Can't I by pass the MAC? ie once the user is signed on to get access.
    Curretly I have the following settings enabled.
    Enable Mobile Portal
    Allow guest users to change password
    Guest users should be allowed to do device registration <- if I disable that after signon the page just flash back to the guest portal.

  • Cisco ISE 1.2 Guest Portal customization with vWLC redirect

    Hello Support Community,
    we have a problem regarding customized web authentication on ISE 1.2 with Package ISE12CustomPortalPackage-v4.zip. We have a Virtual Wireless Controller where we do a redirect to ISE. When we use default guest portal on https://x.x.x.x:8443/guestportal/Login.action authentication and authorization works fine. When we do redirect to Cisco templates on https://x.x.x.x:8443/guestportal/portals/example/Login.html customized login page is displayed and after correct authentication guest successful page is displayed but we can't go to any webserver although ISE shows authentication and authorization as successful. When we try to reach a webserver after successful authentication we get redirected to customized login site. Virtual Wireless Controller shows client aus "Webauth Required" after successful authentication. Central Web Authentication isn't possible because we have a different AAA Server for 802.1X and only use wired guest access on a particular VLAN from WLC. Are there any known issues regarding customization template or is there something wrong regarding our redirect?
    I hope somebody can help us.
    Best Regards
    Benjamin

    Hello Neno,
    1. I attached screenshots below.
    2. There is nothing related to this client.
    3. I attached Debug below.
    We are currently using MAB on our switches as a fallback to our 802.1X on our wired access. Order and Priority currently is 802.1X/MAB/Auth-Fail-VLAN. CWA is based on a failed MAC-Authentication which leads to an Authorization Profile to permit access with Webauth.
    If you configure Wired guest access on WLC there isn't a possibility to configure MAC-Authentication.
    CWA on our switches isn't possible because we are currently using failed MAC-Authentication to direct clients to our Auth-Fail-VLAN which has restricted access secured by SVI-ACL which allows us HTTP Access to printers (manual Cert Deployment) and automated Cert enrollment to our computers.
    Best Regards
    Benjamin

  • ISE 1.2 Guest Portal - Device registration portal

    Hello,
    I have a problem with the following setup:
    - Cisco ISE 1.2 (latest patch)
    - Cisco WiSM with 7.0.220.0 (first generation)
    I have build Guest access via ISE. Because the WiSM's highest version is 7.0.X I used LWA with a redirect to the ISE guest portal. When using the Guest SSID with a iPad the client is redirected to the ISE guest portal and the user can enter his credentials (deliverd by the Sponsor). After clicking "Sign On" the client is forwarded to the "Device Registration Portal" of ISE and need to register his MAC address.
    We have try a lot of differend settings but we cannot switch off the forward to the "Device Registration Portal". We only want to use the Guest User portal.
    Please can someone help me to find a solution for this problem?
    Thank you in advance.

    I know this might be reaching, but have you turned off the My Devices portal?
    If so, an idea of the different settings you have already tried might help.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE 1.2 Guest portal user cannot change their passwords

    I have a WLC 5508(version 7.6) and a server installed  the ISE (version 1.2.1.198),Now we configured the CWA,Use guest portal as an employee and guest login url,We can use the manually create internal user and password successfully logged in, and we set up allow guest users to change password in Multi-Portal, but the user can not change the password in the guest portal ,I suspect the change password option on the Guest  Portal actually works? Can anyone tell me how to change their own username password in the guest portal ?

    Requiring Guests to Change Password
    You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.
    You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users . Select the specific internal user from the Network Access Users list and enable the change password check box.
    Before You Begin
    Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.
    Step 2 Check the Guest portal to update and click Edit .
    Step 3 Click the Operations tab.
    Step 4 Check either or both options:
    Allow guest users to change password
    Require guest users to change password at expiration and first login
    Step 5 Click Save .

  • Cisco ISE - cannot reach Guest Portal

    Hi all,
    I have a Cisco ISE server, which is installed on a VMWare plattform. On the ISE server, I configured 2 network cards. One for the Corporate network ( Gigabit Ethernet 0) and one for the Guests (Gigabit Ethernet 1). Because I had problems, I put a client into the Guest VLAN (Wired) and tried to access the guest portal which was not working.
    I recognized that the port 8443 for the guest portal is blocked. But I was able to ping the address, and the port 443 and 22 are open as well. On the Gigabit Ethernet 0 network everything works.
    All interfaces are activated at the Web Portal Management Settings, for the ports 8443 and 8444.
    Anybody an idea??
    T&R
    Frank

    Please use the below ISE- guest URL redirection tshoot doc. below
    http://www.cisco.com/en/US/docs/security/ise/1.2/troubleshooting_guide/ise_tsg.html

  • ISE 1.3 - guest portal Password only athentication

    Hi Guys,
    Does anyone know if this can be done? I know not a common requirement, but is it possible on 1.3 to allow the guest portal to only ask for a password rather than a user and password combination?

    Refer the link : http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011100.html#reference_209B2C8E8F9B4A7E862875A4CB4911E9

  • Cisco ISE 1.1 Guest Portal Services

    Do you have to have separate ISE appliances or VM clusters to have have 2 separate "Guest Portal" services?
    I have two sites that have their own equipment (Arizona / Illinois):
    - Cisco ISE Server
    - Cisco Wireless LAN Controller
    - Cisco Wireless Anchor Controller
    - Cisco ASA
    My understanding is that I'd need to have the ISE boxes running in "STAND ALONE" mode in order to have two separate "Guest Networks / Portal".
    Thanks in advance!!!

    Hi,
    Each Cisco ISE policy services node can run a guest portal also if they run in one deployment.
    Depending on the way you mean "separate", your requirement can be met in one deployment or in two stand alone deployments.
    Depending on your approach you need four Cisco ISE machines to build the in "one deployment" option.
    2 Admin/Monitoring Nodes (Admin is Active/Standby, Monitoring is Active/Active) and two Policy Services Nodes (RADIUS Servers).  Both Policy Services Nodes can run the guestportal. The configuration of the WLC determines which Policy Services Node is being used. ISE use RADIUS URL redirect is used to redirect to it's own guest portal.
    Hope that helps.

  • ISE 1.3 Guest Portals

    Hi All
    Anyone know of a bug in ISE 1.3.0.876 that prevents you from setting fields on the self-registration portal as mandatory?
    It also appears impossible to get rid of the 'Reason for Visit' field.
    Regards
    Roger

    Try these:
    CSCur89449
    CSCus35686
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE 1.3 MyDevices Portal issue: You are not owner of this device

    Hello there,
    I'm facing an issue with MyDevices portal. 
    The BYOD On-Boarding registration works pretty good, and the users get access to the network as they have to do.
    However, when the user accesses the MyDevices portal, some registered devices (which already have access to the network) is showed as in "Pending" state. But it I dont think it could not be an issue because the users can connect any time and get access to the network normally.
    The problem is: when the user tries to edit or change the state of the device (mark as Lost, Stolen or Delete), they get the error message "You are not owner of this device; it belongs to someone els. Contact the help desk if you need assistance".
    P.S.: the users are allways facing this error message, despite the device is in pending or registered state.
    Does someone has faced a problem like this, or have an idea to help me solve it?
    Thanks in advance.
    Error message attached.

    robertbrink1,
    I've tried to reproduce the problem in my lab environment, however every thing have worked perfectely. So I'm guessing if this issue is not regarding the ISE implemented in a Distributed Deployment. Because the real implementation I'm working is a Distribuited Deployment and the LAB I tested is a Standalone.
    So, for the next steps I'll replicate the tests to a Distributede deployment.
    Thanks in advance,
    Paulo

  • LWA guest portal ISE & 4400 7.0.x

    Has anyone managed to guest LWA working with ISE for wireless guest portal access?  Examples seem to skip bits and I can't find anyone that has managed to get it working.  I have Cisco 4400 WLCs running latest 7.0 code and ISE 1.1.2.
    All guest portal examples seem to be CWA which only works on 7.2 code.
    Am I without hope getting this working on 7.0 code?

    We got LWA guest portal to work between ISE & 4400 7.0, before we migrated to CWA w/ a 5508.
    Can't remember exactly which documents we used, but your best bet is the TrustSec 2.0 (not 2.1) guide:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
    and the WLC example:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml
    Keep in mind if you use LWA, you'll need two SSL certs - one on WLC, and one on ISE.
    With CWA, only one cert is needed on ISE.

  • ISE 1.1.1 - Guest Portal CWA - No username required, only AUP?

    We utilize a guest wireless NET that does not require a username/pass, rather, it only requires acceptance of the AUP. Is it possible to do this from ISE's CWA?
    Thanks, -b

    Do you have any links to describe these steps in detail? I have time today to build this out and test. At this point, in order to get to the "device registration" portal, I am still required to enter my username and password on the guest portal. I am not sure how to redirect directly to the device registration portal.
    Thanks,
    -b

  • ISE Guest Portal Time Profiles

    G'day All,
    Could someone advise if it is possible to extended or change the time profile of a guest account that has already been created? I am trying to understand using time profiles from within the Sponsor Portal. Imagine a guest user has an account created that gives them 2 weeks access, towards the end of the 2 weeks the user requires another week of access.
    From what I can see in both the ISE time profiles config page and from within the sponsor portal, either the user would have to wait until the existing account expired and have a new account created or a new account would have to be created to grant the additional access, and the existing account could be deleted, I am just seeking clarification of whether time extensions for Guest Accounts is possible prior to the account expiring.
    Currently using ISE 1.1.3
    Thanks in advanced guys.
    James.      

    Please follow the below steps to edite the time profile:
    Adding, Editing, or Duplicating Time Profiles
    To add or edit a time profile, complete the following steps:
    Step 1 From the Cisco ISE Administration interface, select Administration > Guest Management > Settings > Guest > Time Profiles.
    Step 2 Click one of the following:
    • Add—to create a new time profile
    • Edit—to edit an existing time profile
    • Duplicate—to duplicate an existing time profile
    Step 3 Enter the name and description of the new time profile.
    Step 4 Select a Time Zone for Restrictions. Time Restrictions are a set of time periods during which a guest account associated with that time profile would not be granted access to the network or guest portal.
    Step 5 From the Account Type drop- down menu, choose one of the predefined options:
    • StartEnd—allows sponsors to define start and end times for account durations
    • FromFirstLogin—allows sponsors to define the duration of time that guests can have access after login
    • FromCreation—allows sponsors to define the duration of time that guest can have access after account creation
    Step 6 Set the Duration for which the account will be active. The account expires after the duration set here has expired. This option is available only if you select the Account Type as FromFirstLogin or FromCreation.
    Step 7 Set the Restrictions for the guest access.
    These restrictions are composed of a day of the week and a start and end clock time. The Time Zone value specified in the time profile affects the clock times set in any of the Time Restrictions within the time profile. For example, a Time Restriction that specifies Monday 12:00 am to 8:00 am and Monday 6:00 pm to 11:59 pm would only grant system access between 8:00 am and 6:00 pm on Mondays within the time zone of the time profile. Any other day of the week would have no time restriction in this example and system access would be granted at any time.
    Step 8 Click Submit.

  • ISE 1.3 Sponsored Guest Portal Login Failure

    Hello Team,
    Ive created a guest account in the sponsor portal for a test guest user, however the state remains in "created" state.
    Now when the user tries to log on via the sponsored guest portal the error back is "invalid username or password".
    In ISE logs it says :
    Overview
    Event
    5418 Guest Authentication Failed
    Username
    bnawaz01 
    Endpoint Id
    Endpoint Profile
    Authorization Result
    Actions
    Troubleshoot Authentication
    View Diagnostic Messages
    Audit Network Device Configuration
    View Network Device Configuration
    View Server Configuration Changes
    -->Authentication Details
    Source Timestamp
    2014-12-24 08:49:05.551
    Received Timestamp
    2014-12-24 08:49:05.553
    Policy Server
    DC1-ISE-DMZ01
    Event
    5418 Guest Authentication Failed
    Failure Reason
    Account is not yet active.
    Resolution
    Root cause
    Username
    bnawaz01
    User Type
    GuestUser
    Endpoint Id
    Endpoint Profile
    IP Address
    Authentication Identity Store
    Guest Users
    Identity Group
    GuestType_Contractor (default)
    Audit Session Id
    Authentication Method
    PAP_ASCII
    Authentication Protocol
    PAP_ASCII
    Service Type
    Network Device
    Device Type
    Location
    NAS IP Address
    NAS Port Id
    NAS Port Type
    Authorization Profile
    Posture Status
    Security Group
    Response Time 
    Any ideas why this might be, if im doing something wrong and how to fix?
    Thank you
    Bilal

    I have had the same issue, the fault is caused by the time zone in the sponsor groups being set by default to UTC, so if you are in London the accounts wont become available until UTC time. The best practice is to add a local time zone and remove UTC at initial configuration
    To resolve this create a new local time zone in Guest Access>Settings>Guest Locations and SSIDs then under Guest Access>Configure>Sponsor Groups amend the time zone properties in each sponsor group
    One other problem is if you do not remove this at initial configuration you don't seem to be able to get rid of UTC, not really an issue unless you forget when creating new sponsor groups

  • Cisco ISE Guest Portal - DNS Issue - External Zone

    Hello,
    I have a customer that has the following sceanrio :
    In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect  URL  from ISE (URL to access the ISE Guest Portal), this URL is based on  the  ISE DNS name, not on its IP address; so, the PC can't resolve  this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided  by the  DHCP server, and, so, it can't access the Guest Portal at all ;
    I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
    cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
    since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
    My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
    Thank-you in advance for your replies.
    Robert C.

    Robert,
    Manual assignment has been made available in ISE 1.2 release.
    M.

Maybe you are looking for

  • Bootcamp problems on 24" Imac

    So I installed windows 7 ultimate on my 24" Imac 2.93GHZ with a Nvida GT 120. I installed the boot camp software on windows, which installed the graphics driver and everything. Anyway so I downloaded Dungeons and Dragons online cause I wanted to see

  • Missing fonts when saving in another directory

    I made a page (the index), put a web font, the css and font is saved in a directory and is ok, the page looks perfect in browser, now i save the same page with another name in another directory and dreamweaver ask me "Do you want to update the links?

  • Suddenly I cannot receive or send e-mail

    Suddenly I cannot receive or send e-mail. Everything has been working just fine until two days ago. I hadn't changed anything in Settings, now I have removed and reinstalled my mail account, with same result though. The only thing I can think of is t

  • Does the leather cover for ipad 2 fit ipad 3?

    as above, Ive recently purchased iPad 3 and wondering will the leather cases for ipad 2 fit new ipad 3?  I cant see it in product descriptions... Thank you

  • Transfer a final cut pro project to another computer

    I would like to take an entire project and open it on another computer (final cut pro). It's a 30-second spot, so there's not a lot of content, but I'm not sure how to go about saving all the pertinent files to DVD. What files do I need to copy to en