ISE 1.2 Patch 6 Bulk account creation Sponsor portal bug

Hi all, not sure whether anyone has this issue but I noticed yesterday when I do a bulk csv import of users into the sponsor portal that it does not hold the user group I specifiy. In summary I select my CSV file, choose my user type as contractor (guest or contractor) and submit. The import succeeds except that all users are placed into the guest group not the contractor group I specified. You then have to manually alter every single one of them to be in the right group.
Any ideas?

Hi -
I also see this when I import a CSV file of accounts for a different guest role.  We have created a second portal (other than the default "guest").  All the new accounts get assigned to Guest regardless of what is specified. The fix has so far been simply reassigning them manually.

Similar Messages

  • ISE Guest Email Notification (Guest account creation)

    When a guest user creates an account in ISE, it sends a system generated email with the username/password. It says "Welcome to the Guest Portal, your username ise xxx and password is yyy." Is there anywhere in ISE (1.2) to change this text, especially the name 'Guest Portal'? I thought it was in language templates > Configure Miscellaneous Items > Portal Name. But I changed this to the portal name, and it was not reflected in the email. Thanks.

    Josh,
    Right now, it's pretty limited.  Here is the template to be used for formatting the email notifications:
    E-Mail Notification Template
    The following is an example of the login information for the body of an e-mail in an English language template:
    Welcome to the Guest Portal, your username is $username$ and password is $password$
    The $username$ and $password$ strings will be replaced with the username and password values from the Guest User account.
    In the e-mail body, you can use special variables to provide the details for the created guest account. When  using these variables, you must use all uppercase or all lowercase  letters, and you cannot mix them. For example, the string for username  can be either $USERNAME$ or $username%, but it cannot be $UserName$.
    You can use these variables in the e-mail notification template:
    •$USERNAME$ = The username created for the guest.
    •$PASSWORD$ = The password created for the guest.
    •$STARTTIME$ = The time from which the guest account will be valid.
    •$ENDTIME$ = The time at which the guest account will expire.
    •$FIRSTNAME$ = The first name of the guest.
    •$LASTNAME$ = The last name of the guest.
    •$EMAIL$ = The e-mail address of the guest.
    •$TIMEZONE$ = The time zone of the user.
    •$MOBILENUMBER$ = The mobile number of the guest.
    •$OPTION1$ = Optional field for editing.
    •$OPTION2$ = Optional field for editing.
    •$OPTION3$ = Optional field for editing.
    •$OPTION4$ = Optional field for editing.
    •$OPTION5$ = Optional field for editing.
    •$DURATION$ = Duration of time for which the account will be valid.
    •$RESTRICTEDWINDOW$ = The time window during which the guest is not allowed to log in.
    •$TIMEPROFILE$ = The name of the time profile assigned.
    This dicument is found here:
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_custom_portals.html#wp1015657
    ISE v1.3 should have some improvements and quite possibly some HTML tags.
    Charles Moreton

  • ISE Sponsor Portal Questions!!!

    Hi Team,
    Few questions!!
    Can we integrate ISE with Safenet(Token) for VPN access using Inline Posture?
    2. When we create user account in Sponsor portal in ISE. By Default Where does the user gets created, In internal database of ISE  or in Active Directory?
    3. Advantages of Sponsor portal over NAC guest server?
    Cheers!!
    Minakshi

    Can we integrate ISE with Safenet(Token) for VPN access using Inline Posture?
    Yes you can
    2. When we create user account in Sponsor portal in ISE. By Default Where does the user gets created, In internal database of ISE  or in Active Directory?
    They are updated into Local ISE database
    3. Advantages of Sponsor portal over NAC guest server?
    Sponsor portal allows a person ( can be anyone assigned by Admin ) to manage Guest account.
    Refer http://www.cisco.com/c/en/us/td/docs/security/ise/1-0/sponsor_guide/ise10_sponsor_book/ise10_sponsor.html

  • Guest account creation in ISE

    Hello All,
    I am encountering an issue in which I find only when guest accounts are created by sponsor through the sponsor portal, guess access is granted. If I manually add guest account in the same guest role via the administrative UI, instead of guest access authz profile is hit, ISE goes through supplicant provisioning flow. I know that I do have enable self provisioning flow but why would it kick in for guest user created by admin? I see many bugs dealing with guest portal flows but failed in finding one exactly matching to my senario. Any insight is greatly appreciated. version 1.2.
    Fadi

    You can create and manage guest user accounts  to provide temporary network access for guests. If you have numerous  guest user accounts whose account information is stored in an external  database, you can import this information to expedite the account  creation process.
    Please Check the below guide for user’s creations:
    http://www.cisco.com/en/US/docs/security/ise/1.1/sponsor_guide/ise_sponsor_chp2.html

  • ISE 1.2 patch 3 - Sponsor Portal default timezone changed to non-existant ECT

    Hi everybody,
    We've applied patch3 to our ISE 1.2 cluster and after the upgrade all the sponsor accounts (externally autenticated on Active Directory) now have GMT +01:00 Europe/ECT as default Time Zone. Thus all the guest account created have the same time zone and guest authentication fails.
    This is the error from ise-console.log:
    guest:- com.cisco.cpm.guest.exceptions.PortalUserException: java.lang.IllegalArgumentException: The datetime zone id 'ECT' is not recognised
    guest:-        at com.cisco.cpm.guest.edf.GuestUserAdaptor.isAcctValid(GuestUserAdaptor.java:489)
    I checked the admin interface and the 1.2 documentation but could not find any default setting for sponsor users Time Zone
    Time zone for the 3315 is CET:
      clock timezone CET
    A workaround is to have each sponsor user update its Time Zone setting on the Sponsor Portal, but this is impratical.
    Did anybody experience the same issue?
    Regards,

    Hi Luigi Gangitano,
    From when are you experiencing this issue? I suspect this would have been an issue when the server timezones are changed from CEST timezone to CET timezone.
    To further figure out where exactly the issue is , 
    1.Can you please let us know what is the timezone in the UI on the top most right corner in the server information section is ?
    2.Similarly can you please check the timezone in the CLI of Primary ISE node.
    If the above two locations are displaying correct timezone then we have to suspect with the sponsor portal.

  • ISE 1.2 Sponsor Portal- Account Expiration Date Defaults to same time as Start Date

    We have a time profile setup for ISE Sponspr Portal with Start/End.  I understand this allows the sponsor to specifially set the start and end time for the guest account.  When creating an account, the Start/End time is the same time.  If a Sponsor forgets to set the end time, then the guest account will be created, but will expire not allowing the guest to login.  It would be nice to have the end time default to something other than the start time, like 8 hours default.  Is this possible?  Can the expiration time default to something like 8 hours, but still give the Sponsor the ability to adjust the start/end times if needed?  This is very simple, and I cannot believe this is not available.

    Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
    Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
    DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
    DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
    DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.
    Upon expiration of their account per their assigned time profile, they will no longer be able to login or access the company network.
    If a guest were to return to the network, the sponsor can change the account duration via the sponsor portal to grant them access again and then require them to change their password if deemed necessary (depending on the settings). Changing account duration can be used for extending a guest users access longer than the original setup.
    If you upgrade to Cisco ISE 1.2, the older time profiles are still available, but you can delete them if you are not using them. If the older time profiles are assigned to a sponsor group, a message alerts you before deleting. If you perform a new installation of Cisco ISE 1.2, only the new time profiles display.

  • ISE sponsor portal guest accounts

    I am having an issue with guest accounts that have been created in the sponsor portal, some accounts work fine but others show up in the authentication logs on ISE as error 22056.  This error points to ISE not looking in the right identity store but when you go deeper into the details all auth requests are pointing at the internal users store which is correct.
    My main problem is that when I try to look at these accounts from the ISE admin console to see if there is any difference between them they do not show up i.e. no accounts that are created on the sponsor portal are displayed in the internal users database but if you try to create an account with the same user name ISE says that there is already an account with that name.
    Is there any where on ISE to display the sponsor guest accounts?
    Regards
    Craig

    Hi,
        not too sure if I am missing something but this just tells you how to use the sponsor portal? my query was based around being able to see all user accounts i.e. accounts created in the sponsor portal and from the admin from the admin console in the admin console.
    If I web browse to the ISE admin console and the go to administration-Identities I can only see the accounts that I have created through ISE admin, if I try and create an account that I know exists on the sponsor portal ISe complains that the user already exists but you cannot view it.  This seems very odd, why wouldn't an admin be able to see all accounts?
    thanks
    Craig

  • ISE 1.1 sponsor portal different type of guest accounts

    Hi there
    I just played around with the ISE 1.1.2.145 sponsor portal. I have the following 3 requirements, but I don't see a way the get there with the actuals sponsor portal features:
    1. I would like to create a event user (one single user for multiple logins) with a given username and a given password
    2. I would like to create a single user with a given username and a given password
    3. How can I change the password of such a user
    At the moment I am a little disappointed from the sponsor portal, there are not that features or I can't see the way to get there ;-)
    Can anybody confirm the above problems?
    Best regards
    Dominic

    It is possible to use internal users as well as AD users for admin.
    I'm not actually sure whetehr it's possible to stop using Internal Users.
    I have it working using both, primarily as I don't have AD credentials on customer site, so they use AD credentials and I stick to using Internal Admin User.
    I still haven't understood your original question entirely, but if you select the guest username to be created based on email address (rather than first name/last name), then you can create a single username using a fictional email address, and allow the user to change the password on first login. You can then change the password to whatever you want.
    Does that fit?

  • Cisco ISE sponsor Portal email notification of guest account

    Is there anyway to not have the email button be displayed in the sponsor portal?  We don't have email or SMS enabled and sponsor users are complaining that the button is there but doesn't work, it woul be really good if you could just remove it.  I have looked at the sponsor language template configuration but it doesn't appear to be able to not display the button just rename it?
    any information would be much appreciated.
    Craig

    Martin,
              thank you very much for the information, I don't think I would ever have checked there for this configuration.  It is taking me awhile to get used to the ISE GUI, I don't find it particularly intuitive but hopefully I will get there.
    thanks
    Craig

  • ISE 1.2 Patch 12

    Hi all,
    I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
    None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
    "5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
    Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x
    I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)
    Any info out there about 5441 before I log a TAC?????
    Thanks.

    Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients requests:
    It would appear that because the accounting data doesn't get back it, there is confusion that the session doesn't exist and the auth fails.
    Event
    5400 Authentication failed
    Failure Reason
    12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
    Resolution
    Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
    Root cause
    Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

  • ISE 1.2 sponsor portal - disabling default languages

    Hi,
    We are implementing Cisco ISE 1.2 and have a question on the sponsor portal languages.
    The client company's official language is English and so we would like to disable all other languages from the sponsor portal. If we don't do it, the users might select their native language (on the sponsor settings and/or the guest notification language) meaning that we have to customize and maintain all 15 language templates.
    It has alread happened during the tests: a sponsor created a guest account and choose a notification language other than English - the SMS was not sent because the "Destination" on the "SMS text message notification" default value is "[email protected]".
    Thanks in advance.
    Regards,
    Telmo Oliveira

    Hi all,
    This reply to myself is done for documentation proposes, it can help someone with the same challenge.
    Today I was at an event at Cisco where ISE 1.3 beta was presented. This version will have already the option to choose between browser locale or static language template. Talking to the Cisco eng. responsible for the presentation, he told me that 1.2 had no way to do it.
    Cisco ISE 1.3 is now planned to be release end of 2014.
    Regards,
    Telmo Oliveira

  • ISE 1.2 corrupted sponsor portal

    Hi,
    since I started to use ISE sponsor portal it showes me wrongly, see attached screenshot.
    I tried various browsers, but the problem is the same. Other pages are okay, just the main with guest users has problem.
    Looks like it happened after upgrade from previous ISE version.
    Does anybody know how to fix this?
    Thanks and greets
    Karel

    Hi Karel,
    As regarding to your query,
    These selections will allow guests to change their password, perform self-service, and require
    acceptance of a default AUP upon login.
    Changed in ISE 1.2: Now that we have the ability to Change Account Duration (discussed later in the lab) the option
    to Require guest and internal users to change password at expiration and first login has been updated so that
    the guest must change the password when not only first logging in but then also when the expired account has been
    reactivated. It’s not being used in this lab so be aware of this option.
    Self-service allows any user to generate access credentials without requiring a sponsor to perform this task.
    As this is not a sponsored user and any user may create their own account with this policy setting, it is
    common to assign self-service guests to an Identity Group with minimal network access privileges such as
    “Internet_Only”.

  • Sponsor Portal after upgrade ISE 1.2 - 1.3

    Hi,
    After upgrade ISE to version 1.3 I can't access to Sponsor Portal via ://ISE_IP:8443/sponsorportal/ as it was done in version 1.2 (error: [ 404 ] Sponsor Portal Resource Not Found. The resource requested cannot be found). I have to open it through ISE (Guest Access -> Configure -> Sponsor Portals -> Sponsor Portal (Default) -> Portal test URL). But then in address bar i can see the exact same address i tried to reach (://ISE_IP:8443/sponsorportal/) but it works.
    I deleted migrated portal from version 1.2 and now using only default one. Should I additionally activate it somewhere after this upgrade?

    Nice to hear that. I just want to add something to take into account:
    When you create the CSR directly from ISE, the documentation says for version 1.2 that you need minimum CN field. I did it and then I started having issues with Chrome Browser/ChromeBook which was triggering a certificate warning even though I had signed it with the correct CA Server and I had the Trusted Certificate Authority included in the browser list.
    When I was using 1.1.3, I did not have that problem when using ISE internal CSR feature and only using Common Name (CN) for the CSR.
    I tried using Openssl as usual to create the CSR for ISE running 1.2. Signed and imported it into the ISE and the problem was solved. I am using like you FQDN in the WLC URL Redirect on LWA or CWA with the corresponding entry into the DNS. One important thing I found is that openssl uses some additional fields which I included in the CSR and I think after reviewing the ISE 1.2 documentation we need to include those as well in the ISE CSR feature. Looks like also there is a sequence/order for those fields in the ISE when creating the ISE CSR. The list is the following:
    countryName       = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName  = optional
    organizationalUnitName  = optional
    commonName        = supplied
    emailAddress            = optional
    Finally, with Openssl I could create as well SAN Certificates and I included the IP of the PSN , PAN and MNT ISE's so I would not need the DNS Entry. This feature was added on version 1.2 of the ISE which helps a lot. I will give it a few more testing since that I have a lab deployment with 5 ISE's (PAN, MNT and 3 PSN's).

  • ISE Time Management for Sponsor Portal User

    Hi all,
    I'm currently using ISE version 1.2 and when I create a custom time management for each user, the rule applied to each user is only applied for a maximum 10 days eventhough I configured it for ex.30 days.
    want to check with all of you if anyone have the same issue?
    Firstly I think it's because the purge time is default set for 15 days, but even when I already changed it. The expiration time will still not get over than 10 days.
    Cheers
    Ryan

    Default Guest Time Profiles
    Time profiles provide a way to give different levels of time access to different guest accounts. Sponsors must assign a time profile to a guest when creating an account, but they cannot make changes to the time profiles. However, you can customize them and specify which time profiles can be used by particular sponsor groups. Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
    Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
    •DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
    •DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
    •DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.
    If you upgrade to Cisco ISE 1.2, the older time profiles are still available, but you can delete them if you are not using them. If the older time profiles are assigned to a sponsor group, a message alerts you before deleting. If you perform a new installation of Cisco ISE 1.2, only the new time profiles display.

  • ISE 1.3 Sponsor Portal mandatory fields

    Hello,
    in the ISE 1.2 version it was possible to say that some fields are mandatory like first name or company.
    I cannot find this setting in the ISE 1.3 version.
    Regards
    filip

    Leoni,
    These settings are found by going to Guest Access > Configure.  Select Sponsor Portals and choose the Sponsor Portal in which you are working.  Click Portal Page Customization
    Once there, select your Guest Type.  I chose Create Account for Known Guests.  Then choose Settings over the preview image.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

Maybe you are looking for

  • My ipod nano has stopped shuffling and won't re-sync

    My ipod nano has stopped shuffling and won't sync to begin shuffle again

  • Has anyone had a problem with viewing the same pdf but it looks different on two computers?

    I am plotting a pdf file from a DWG drawing.  The pdf file looks fine on my computer.  However, when I send it to someone else the lines are not visible and it is hard for them to read.  I have tried exporting to pdf and plotting to pdf. The program

  • Using Mail in Tiger, Messages in .mac account not deleted

    I have recently upgraded my Slot loading iMac to Tiger. I have had a .mac account for many years. I'm just starting to use Mail in Tiger to see if I can filter the Junk mail. The filter training seems to work OK, but once I delete the Junk messages i

  • How to check a Purchase order sent through EDI?

    Dear All ,                                                                                 I have created a P.O and in Message tab there is a green indicator which shows that this P.Ois succsfully sent through EDI , also Condition records are well cr

  • View - remove duplicate records

    Hi, I created a view (on joins of several tables) and used this view as a datasource. Considering the structure of the view (combination of the chosen view fields is not unique) it is normal that the datasource gives duplicate records. Is there a way