ISE 1.2 notifications

Similar Messages

• ISE and SMS notification

  Environment
  ISE 1.1.2
  As already stated in other posts in this forum, it appears there is a kind of limitation when configuring SMS Notification options via the ISE GUI interface under the "Administration ==> Web Portal Management ==> Settings ==> Sponsor ==> Language template ==> English ==> Configuring SMS Text message Notification"  panel :
  the Destination field, in this panel, can only contain explicitely the email address of the SMS Gateway;
  it cannot contain an email address with the %mobilenumber% variable, such as %mobilenumber%@domain.com ;
  this variable is never replaced by ISE;
  I read the ISE User's Guide about that part which explains the Gateway can be an Email/SMS third party service Provider such as clickatell.com ;
  but, it would have been more than nice if CISCO could take into account other kind of SMS gateways, especially those based on "off the rack" hard/soft appliances owned by the customer and whose most common way of working is by sending them an email with destination field based on the previously referred  format  : %mobilenumber%@domain.com ;
  Is this a feature that could appear soon in futures ISE releases ?
  thanks in advance

  Hello,  I'm trying with version 1.3.
  In "SMTP API destination address:"  field I have configured :  [email protected]
  In body field,  I put for example "movil:$mobilenumber$"
  Then, when testing,  ISE don't  put the phone number in "To:" field,  but it's ok in the "body" field.
  ¿I'm doing something wrong or that functionality is not supported ?

• ISE Guest Email Notification (Guest account creation)

  When a guest user creates an account in ISE, it sends a system generated email with the username/password. It says "Welcome to the Guest Portal, your username ise xxx and password is yyy." Is there anywhere in ISE (1.2) to change this text, especially the name 'Guest Portal'? I thought it was in language templates > Configure Miscellaneous Items > Portal Name. But I changed this to the portal name, and it was not reflected in the email. Thanks.

  Josh,
  Right now, it's pretty limited.  Here is the template to be used for formatting the email notifications:
  E-Mail Notification Template
  The following is an example of the login information for the body of an e-mail in an English language template:
  Welcome to the Guest Portal, your username is $username$ and password is $password$
  The $username$ and $password$ strings will be replaced with the username and password values from the Guest User account.
  In the e-mail body, you can use special variables to provide the details for the created guest account. When  using these variables, you must use all uppercase or all lowercase  letters, and you cannot mix them. For example, the string for username  can be either $USERNAME$ or $username%, but it cannot be $UserName$.
  You can use these variables in the e-mail notification template:
  •$USERNAME$ = The username created for the guest.
  •$PASSWORD$ = The password created for the guest.
  •$STARTTIME$ = The time from which the guest account will be valid.
  •$ENDTIME$ = The time at which the guest account will expire.
  •$FIRSTNAME$ = The first name of the guest.
  •$LASTNAME$ = The last name of the guest.
  •$EMAIL$ = The e-mail address of the guest.
  •$TIMEZONE$ = The time zone of the user.
  •$MOBILENUMBER$ = The mobile number of the guest.
  •$OPTION1$ = Optional field for editing.
  •$OPTION2$ = Optional field for editing.
  •$OPTION3$ = Optional field for editing.
  •$OPTION4$ = Optional field for editing.
  •$OPTION5$ = Optional field for editing.
  •$DURATION$ = Duration of time for which the account will be valid.
  •$RESTRICTEDWINDOW$ = The time window during which the guest is not allowed to log in.
  •$TIMEPROFILE$ = The name of the time profile assigned.
  This dicument is found here:
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_custom_portals.html#wp1015657
  ISE v1.3 should have some improvements and quite possibly some HTML tags.
  Charles Moreton

• ISE alarm mail

  There is no way to send a test email from ISE for alarm notification. For more information you can see the below link
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_mnt.html#pgfId-1524784

  Thank you for your answer ravsingh.

• I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

  I want to integrate SMS gateway to Cisco ISE 1.2 and my question is 
  SMS notifications are supported for Guest self−registration Services ? or it should be done by Sponsor 

  I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
  Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
  Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
  I hope this helps.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• ISE Reports notification

  I’m generating scheduled reports to get Guest Activity sent to an FTP repository every hour.
  The dialog box to schedule, includes a field to indicate an email where a notification should be sent.
  I can get the report on the FTP repository as expected but any email is sent to the address indicated in the dialog box.
  I know the SMTP server is configured and running ok because when an sponsor creates a guest account the password is properly sent.
  So I think , the notification does not work or I’m missing something.
  Another issue is when a report is exported, a pop-up is displayed indicating an email with instructions will be sent. I don’t know who should this email be sent to. Is it possible to configure the destination somewhere?
  The ISE version is 1.2.0.899 (patch 4)
  Anyone can give me an advise or assistance.
  Regards
  Daniel Escalante

  Thank you Charles.
  I wonder which version are you running? Or maybe you have the exception indicated below, set in your server.
  TAC confirmed a bug with the reported issue CSCul76201.
  https://tools.cisco.com/bugsearch/bug/CSCul76201/?reffering_site=dumpcr
  When ISE is configured for an email notification to be sent when a scheduled report is generated, the source email address of the report notification mail is always "root@<ise_hostname>". Some production email servers might reject such source address and exceptions need to be created on the email servers.
  This is why we are unable to receive the email notification that has been sent by ISE.
  Regards.
  Daniel Escalante

• SMS Notification Issue with ISE 1.3

  We have a problem with SMS notification. Please find the attached snapshot of current SMS email gateway configuration. Guest is receiving notification when I am providing the exact mobile number instead of 974$mobilenumber$ in SMTP API destination address: field.
  We are running ISE 1.3 with patch level 2.
  We are using the  the default option (Global Default) SMS Gateway providers for our configuration rather creating a custom. Any luck??
  Also i would like to notice If the guest portal is a self-registration portal, we can choose the providers. But there is no such configuration if it’s a sponsored guest portal. Please find the second attachment.

  [email protected] is addressed by CSCtu25982. We do not put $mobilenumber$ while defining a SMTP-to-SMS gateway.
  <Prefix>[email protected] is being addressed by CSCus78802, which is being included in ISE 1.3 patch 3.

• ISE and AD Password Expiration Notification and allow user to change

  We are almost ready to go live with ISE for our VPN users.
  One last thing that has been asked is, how can we make ISE prompt a user when their AD password is about to expire, and allow them the opportunity to change it at that time?
  I know the ASA has the ability if it is authenticating directly against AD, but that functionality goes away with IPN. So what settings are there to prompt users connecting via Anyconnect to the ASA VPN through ISE?
  We do not have ISE setup for internal users/systems yet, this is strictly a VPN only setup for now.
  Thanks,
  Dirk

  Since we are using radius protocol so password expiration notification will not occur. The user will be prompted when password would expire. With ldap over ssl, user will be notified that "your password will be expired in x number of days" but we can't pick that method as it shoud be ASA integrated directly with AD/LDAP.
  Since we have ISE in between acting as a radius server so we have to live with the option where user will not be notified but password can be changed by end-user.
  Procedure for Configuring RADIUS Password Management
  Requires tha tthe Radius server/ISE  be integrated with an Active Directory MS-AD server.
  1. Enable "password-management" in tunnel-group/Connection Profile.
  Note: "password-management password-expire-in-days X" will not work, use just "password-management"
  2. Ensure that MSCHAPv1/MSCHAPv2 is enabled on the RADIUS/ISE server.
  Jatin Katyal
  - Do rate helpful posts -

• ISE and SMS in plain text for Guest Credntial notification

  I have configured a SMS notification for the Guest Credential.
  When the SMS gateway receive the message, it's discarded because it's not in plain text, it's contains some HTML tag.
  We haven't the possibility on the SMS gateway to modify the received message.
  On the ISE I seen that we can choose  the email format only for the system alarm settings and no for SMS message.
  Correct ?
  It's possible to send the message in plain text !!!!
  thank you

  I think it only use HTML.
  Step 6 Type the email body in the Layout text box. This contains the account login information for the guest user.
  You can use HTML tags and special variables for formatting the language template for e-mail notification. The following is an example of the login information for the body of an email in an English language template:
  Welcome to the Guest Portal, your username is %username% and password is %password%
  Jatin Katyal
  - Do rate helpful posts -

• ISE Guest Portal Print Notification

  Hi,
  with the old NAC Guest Server I was able to "design" the guest notification printout with HTML elements. With ISE i can only write down some plain text. Does anyone know how to change things like font size for the printouts?
  Regards,
  Andreas

  Unfortunately, this is not natively supported with ISE 1.2.  However, the guest notification will be customizable using HTML in ISE 1.3.  This version will hopefully be released during the last week of November.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• ISE 1.1.3 - Notification when ISE creates New Endpoint Entries

  Good Morning,
  I am interested in learning how to have notifications sent out to a preset list of recipients when ISE 1.1.3 creates a new endpoint entry.  The ability to know when a foreign device has been connected is imperative for our mission.
  I have looked throughout the entirety of the ISE Settings, but I have yet to find where to enable the functionality to allow for this.
  Can someone please point me to the correct menu/setting for this?
  Thank You,
  David

  Thank you for the response.
  I read through the documentation that you linked me to, and it appears that i *should* be able to create the rules I require. I have tried many different sets of criteria, and I always receive the same Error Message:
  type Status report
  message Request not processed - Possible XSS input
  description The request sent by the client was syntactically incorrect (Request not processed - Possible XSS input).
  From the error, it looks like my criteria set is incorrect, but I have tried numerous different sets, all receive the same error.  According to the "Rules" section, under "Unknown NAD" the only Required Fields are "Category" and "Nad Count".   I have satisfied both of these fields numerous ways, all with the same output of the above error message.
  Any Idea what could be causing this?

• Logo in Guest Email Notification(Cisco ISE sponsorportal)

  Hello Everyone,
  I have some questions regarding ( via Cisco ISE sponsore portal) Guest email notification:
  Right now we have this kind of structure for Guest email notification:
  Welcome to the XYZ Guest Portal.
  Your guest account details:
  Username: aefgh
  Password: 4Z7Pk
  Valid From: Mon Sep 30 10:15:45 CEST 2013
  Valid To: Mon Sep 30 18:15:45 CEST 2013
  Thanks
  Now I want to add my company logo in this notification.(Email as well as in print format).
  Can anybody help me to solve this.
  Thanks

  Please check the below link this may can be helpful for you:
  Link-1
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html

• ISE 1.2 SMS Notification for Self Service Guests

  Is there a way to have guest account credentials created through using the Self Service feature sent via SMS text?  I have read where this can be setup via the sponsor portal, but I have not seen much about self service option
  Also, is there an SMS gateway that can be setup easily for testing this funcionailty?  Thanks.

  ISE 1.2 does not support sending credentials to Self Service Guests via SMS message.
  This feature, sending credentials to Self Service Guests via SMS message and email, will be in version 1.3.  This release is tentatively scheduled for the end of July 2014.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Cisco ISE sponsor Portal email notification of guest account

  Is there anyway to not have the email button be displayed in the sponsor portal?  We don't have email or SMS enabled and sponsor users are complaining that the button is there but doesn't work, it woul be really good if you could just remove it.  I have looked at the sponsor language template configuration but it doesn't appear to be able to not display the button just rename it?
  any information would be much appreciated.
  Craig

  Martin,
            thank you very much for the information, I don't think I would ever have checked there for this configuration.  It is taking me awhile to get used to the ISE GUI, I don't find it particularly intuitive but hopefully I will get there.
  thanks
  Craig

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.