ISE 1.2 Self Registration

Hi
I have set up self registration on an ISE 1.2 and am using a customised portal.
Everything works OK except for one annoying element.
Although I have assigned a time profile of 30 days as a test - the self registered accounts always expire after 5 days.
Any ideas about this?
Regards
Roger

Hi Roger, 
I have done this before and don't recall having issues. Can you post some screenshots of the ISE guest configuration and time profiles screens?
Also, what patch are you on?
Thank you for rating helpful posts!

Similar Messages

  • ISE guest self-registration Client Limitation per day

    I deployed ISE with guest self registration on the Web Portal.
    I want the guest (ex: AndroidPhone with Mac address: xx:xx) to be able to get 1 hour of internet access per day. 
    I know that using Time profile I can limit the guest to 1 hour of access, but how can I give the guest access each day.
    Requirements:
    --- I want to make this phone create only one account. ( How can I limit his mac address from creating new accounts when his account will expire in one hour)?
    --- After 1 day, I want to give the same phone access (I don't mind if it is a new account or the same account as the day before)
    How can we make this happen? Otherwise, every time the account expires, the phone will be able to auto-register with a new account.
    Thank you

  • ISE 1.2 - Self-Provisioned devices still in pending registration status

    Hi everybody,
    I'm on ISE 1.2 patch 2, setting up single-SSID self-provisioning BYOD flow which works as expected except for a couple of issues:
    first PEAP authorization always fails (no server certificate confirmation appears on device and no Endpoint Profile is assigned), second one goes through as expected and self-registration flow is started;
    at the end of the flow, TLS certs are installed, device appears in endpoint database under user's account but "Device Registration Status" stays "pending" and this makes it impossible to further authorize the RegisteredDevices identity group;
    single mobile devices get a different "Endpoint Profile" result at each subsequent access. For example: Android smartphones are profiled as Android or HTC device or HP devices or Samsung randomly.
    I've tried to analyze log files but cannot extract a full dump of the profiling process that could help identify why all this happens.
    Can you please help?
    Regards,
    L

    Hi Kevin,
    I did not find an answer. In subsequent patches the self-registration flow seems to have changed somehow and now I have more devices in 'Registered' state, but still most of the time at the end of the process there is no guarantee that the devices will be in this stage. I've moved to more broad policies for authorization (i.e. if you have a valid certificate and login from one of the accepted profiles, we'll let you in).
    Please let me know if you open a TAC case, what is the answer.
    Regards,
    L

  • ISE 1.2 Guest Self Registration

    We are in the middle of an ISE deployment.  We are currently on version 1.2, Patch 3.  One of our use cases for ISE is Guest Access.  I am trying to understand more about self registration functions in ISE.  What are the capabilities? Can a user access a self registration page, enter credentials such as an email address, or phone #, and receive an email or text message with the guest account credentials?

    Yes, the guest can access the self registration page, enter his name, company, email, phone etc., do the self registration, and get the credentials via mail and SMS.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_guest_pol.html#pgfId-1482408

  • I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self-registration

    I want to integrate SMS gateway to Cisco ISE 1.2 and my question is 
    SMS notifications are supported for Guest self-registration Services ? or it should be done by Sponsor 

    I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
    Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
    Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • CISCO ISE 1.2.0.899 - Self registration email address field Limit

    Hi
    I was wondering if someone out there can resolve an issue I am seeing: when a user goes to the self registration portal and enters an email address it only allows 24 characters to be entered; in the documentation it states that up to 48 characters can be entered. Is there a setting that I need to change to increase the character limit to above 24?
    Thanks
    John

    Hi Anas
    That is not true, I had the same problem with ISE in our Network.
    We are running 1.2.0.899, after all the troubleshooting I decided to upgrade the Patch on the ISE.
    As part of that I have deployed patch 5, which has resolved the issue.
    So please just download patch 5 for the solution.
    Regards
    Sandy

  • ISE and Self Registration

    Ciao,
    is it possible to send user and password credentials, created by self registration, via mail or SMS ?
    For example:
    - user connect open ssid,
    - open browser and ISE, after redirect, present http guest portal with self-registration,
    - user compile form of self registration with email or phone fields,
    - credentials are sent via email (not displayed as default).
    Thanks,
    Regards,

  • Cisco ISE users self-registration Time Zone

    Hello, everyone!
    I'm configuring ISE Guest portal and I wonder why I need to choose time zone while in self-registration? Where is it used? And how can I disable this parameter from the self-registration page?

    Time profiles provide a way to give different levels of time access to different guest accounts. Sponsors must assign a time profile to a guest when creating an account, but they cannot make changes to the time profiles. However, you can customize them and specify which time profiles can be used by particular sponsor groups. Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
    Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
    DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
    DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
    DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.

  • ISE 1.2 device registration with MAB only, no client provisioning

    Hello,
    Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
    I do not want to push certificates or native supplicant profiles to client devices.
    I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
    Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
    Right now, I am stuck on the registration portal that says "The system adminstrator has either nog configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
    Am I really obliged to use native supplicant provisioning to register my device ?
    GN

    Hi
    Device Registration web auth is a process where you can configure user without client provisioning.
    In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
    1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the guest user attempts to go to any URL.
    2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
    3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
    4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
    5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
    6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.
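
The six steps in the reply above, modelled as a small decision function (an added example, not part of the original post and not Cisco code). The class and function names, the outcome strings and the `PORTAL_GROUP` value are assumptions made for illustration; only the decision logic follows the steps as written.

```python
from dataclasses import dataclass, field

# Assumption: stands in for the identity group selected on the
# Guest Management Multi-Portal Configurations page.
PORTAL_GROUP = "RegisteredGuestDevices"

def norm(mac: str) -> str:
    """Normalise a MAC so aa-bb-.. and AA:BB:.. refer to the same endpoint."""
    return mac.lower().replace("-", ":")

@dataclass
class Endpoint:
    mac: str
    aup_accepted: bool = False
    identity_group: str = "Unknown"

@dataclass
class IseNodeModel:
    """Toy model of the policy decisions only; no RADIUS or HTTP is involved."""
    endpoints: dict = field(default_factory=dict)
    coa_sent: list = field(default_factory=list)

    def mab_request(self, mac: str) -> str:
        # Steps 1 and 6: unknown MAC or AUP not accepted -> redirect,
        # otherwise return the access tied to the endpoint's identity group.
        ep = self.endpoints.get(norm(mac))
        if ep is None or not ep.aup_accepted:
            return "URL_REDIRECT"
        return "ACCESS:" + ep.identity_group

    def aup_submit(self, mac: str, accepted: bool) -> str:
        # Step 4: declining the AUP ends on the error page, nothing is stored.
        if not accepted:
            return "ERROR_PAGE"
        # Steps 2 and 3: create the endpoint if missing, mark the AUP as
        # accepted and move it to the portal-selected identity group.
        ep = self.endpoints.setdefault(norm(mac), Endpoint(norm(mac)))
        ep.aup_accepted = True
        ep.identity_group = PORTAL_GROUP
        # Step 5: success page, then a CoA terminate goes to the NAD/WLC.
        self.coa_sent.append(ep.mac)
        return "SUCCESS_PAGE"

def walk_through(node: IseNodeModel, mac: str, accepts: bool) -> list:
    """Outcomes for one session: first MAB, AUP page, then the next MAB."""
    trace = [node.mab_request(mac)]
    if trace[-1] == "URL_REDIRECT":
        trace.append(node.aup_submit(mac, accepts))
        trace.append(node.mab_request(mac))  # re-auth after CoA, or next attempt
    return trace

if __name__ == "__main__":
    node = IseNodeModel()
    print(walk_through(node, "AA:BB:CC:00:11:22", accepts=False))  # constructed MAC
    print(walk_through(node, "AA:BB:CC:00:11:22", accepts=True))
```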

  • ISE 1.2 Device registration problem

    I'm trying to get the device registration to work, but keep getting "Device not supported" or "Unable to obtain the user information".
    I cannot seem to find any information on those errors from the manuals.
    What are the possible solutions to get it working ? If the device is not supported, does it mean, that the profiling failed or something else ?
    ISE 1.2

    Hi Harri,
    What kind of authentication are you doing for these users? MAB, Dot1x? Also is this issue seen with all devices, or just a few ( i.e. same type, same vendor...)?
    If this is self-registration for guest users, there is a known issue with using Custom Guest Portal. The defect details are given below :
    https://tools.cisco.com/bugsearch/bug/CSCui77336/?reffering_site=dumpcr
    Therefore if you are using the custom portal, can you instead try with a default portal?
    Thanks,
    Aastha

  • Wireless Guest Users Self Registration

    We are looking for a solution where for guest user self registration an email will be sent to the employee/network admin for approval request before providing the network access to guest users.
    Please let me know if ISE is having this feature. Also let me know the other options.

    If you want to go through the process of having an employee or "sponsor" approve the account, why not just have the person who would be the approver create the account for the guest user and cut out the middle step? This is the process we have been using and so far so good!  If abuse is a concern we try to keep tabs on that by occasionally checking the logs in ISE to see if any one user is creating many accounts or consistently has an account that may be for non work related functions.

  • Partner Self-registration in Oracle B2B 10g

    Hi B2B team,
    Wanted to confirm from you if there is any provision for Partner self-registration in Oracle B2B 10g. We are on the latest patch. I am not aware of this functionality but wanted to get this confirmed from the product team.
    Also, we will require a server restart when a new TP comes onboard in Oracle B2B 10g, isn't it? Is my understanding correct or is there something we can do to overcome this?
    Regards
    Kavitha

    Kavitha,
    Drop a mail to B2B product dev team/PM to know more on this part. As far as I know there is no such facility in 10g. Yes, bounce may be required in case of certificate changes involved.
    Regards,
    Anuj

  • How to show a date field in OIM self-registration page

    Hello gurus,
    I want to add a date field in the self-reg page. I added lines in FormMetaData.xml and tjspSelfRegistrationTiles.jsp. The user creation page (delegated administration) shows the right date field, but the self-reg page is not working. I am using uix.tld dateField tag and don't know what attributes to pass to this. Is this the right tag or there is some other one in the tld, and what attributes should I pass?
    Could someone tell me how to do this?
    Thanks
    SK

    It should be much simpler than what you are doing.
    You should be able to create a User Defined Field for the value. Then update the FormMetaData.xml file. Create an entry in the section for user information that creates the attribute value. Just copy one of the existing and give it a new unique number identifier. Also change the field it references to be your user defined field. Then update the Self Registration section to include the new attribute. If you want to update what the approver sees, then also update the section for the approver.
    -Kevin

  • User Self Registration in OIM 11.1.1.3

    Hi all,
    I am trying to register user using self registration process, the request is sent to admin (xelsysadm), I tried to accept the request in admin (xelsysadm account) but the request status is showing as "Request Failed". And showing error as
    IAM-2050014:An error occurred while initiating approvals for request oracle.iam.platform.workflowservice.exception.IAMWorkflowException: Tasklist mapping failed for workflowdefinition:
    Error:default/DefaultRequestApproval!1.0 due to unable to process due to null. The corresponding error message is {1}.
    Can any help to solve the issue.
    Thanks & Regards,
    Satish
    Edited by: satish on Sep 8, 2010 3:58 PM
    Edited by: satish on Sep 11, 2010 7:16 PM

    Did you set the organization before approving the Task? The Approver needs to specify an OIM organization in which to create a user.
    Regards,
    Sanjay Sadarangani

  • Error while testing the self registration approval workflow

    Hi all,
    I am getting the following error while testing the self registration approval workflow.
    Here the request level approval is working fine. But the operation level is not working.
    <May 28, 2012 11:25:01 AM IST> <Error> <oracle.iam.request.impl> <IAM-2050126> <Invalid outcome com.oracle.bpel.client.BPELFault: faultName: {{http://schemas.oracle.com/bpel/extension}runtimeFault}
    messageType: {{http://schemas.oracle.com/bpel/extension}RuntimeFaultMessage}
    parts: {{
    summary=<summary>oracle/iam/platform/OIMClient</summary>
    ,detail=<detail>java.lang.NoClassDefFoundError: oracle/iam/platform/OIMClient
    at orabpel.approvalprocess.ExecLetBxExe0.execute(ExecLetBxExe0.java:182)
    at weblogic.ejb.container.internal.SessionLocalMethodInvoker.invoke(SessionLocalMethodInvoker.java:39)
    at java.lang.Thread.run(Thread.java:662)
    </detail>
    ,code=<code>java.lang.NoClassDefFoundError</code>}
    cause: {oracle/iam/platform/OIMClient}
    received from SOA for the request id 61.>
    <May 28, 2012 11:25:01 AM IST> <Warning> <oracle.iam.callbacks.common> <IAM-2030081> <[CALLBACKMSG] Inside Status Change plugin for request 61 and the status is : Request Failed.>
    er and operation is CREATE.>
    <May 28, 2012 11:25:01 AM IST> <Warning> <oracle.wsm.agent.handler.wls.WLSPropertyUtils> <BEA-000000> <WLSPropertyUtils:getOperationName(),operation name is null>
    How to resolve this issue?
    Please anyone suggest me. Thanks in advance.
    Regards,
    Deena.

    Deena,
    Please make sure the path is correct. also why .zip, why : at the end why blank space? These could be a problem.
    /home/oracle/Oracle/Middleware/Oracle_IDM1/server/client/*oimclient.zip*:/home/oracle/Oracle/*Middleware/ oracle_common*/modules/oracle.jps_11.1.1/jps-manifest.jar:
    Below is correct one.
    $MW_HOME/Oracle_IDM1/server/client/oimclient.jar:$MW_HOME/oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar
    If you have custom workflow, be sure in task assignment proper outcome approve or reject.
    Thanks,
    Kuldeep
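
A small checker for the classpath problems named in the reply above: a `.zip` entry, a blank space inside an entry and a trailing `:`. This is an added example, not part of the original thread or Oracle tooling; the function name and the `/opt/mw` sample paths are constructed for illustration.

```python
import os

def lint_classpath(classpath, exists=os.path.exists):
    """Return (entry, problem) pairs for a Unix-style, colon-separated classpath.

    `exists` can be replaced so the check runs against a listing instead of
    the local filesystem.
    """
    findings = []
    for raw in classpath.split(":"):
        if raw == "":
            findings.append((raw, "empty entry (leading, trailing or doubled ':')"))
            continue
        entry = os.path.expandvars(raw)      # resolves $MW_HOME when it is set
        if any(ch.isspace() for ch in raw):
            findings.append((raw, "whitespace inside entry"))
        if entry.endswith("/*"):
            continue                         # JVM directory wildcard
        if not entry.lower().endswith(".jar") and not os.path.isdir(entry):
            findings.append((raw, "not a .jar file or directory"))
        if not exists(entry):
            findings.append((raw, "path does not exist"))
    return findings

# Constructed sample data: /opt/mw stands in for $MW_HOME.
PRESENT = {
    "/opt/mw/Oracle_IDM1/server/client/oimclient.jar",
    "/opt/mw/oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar",
}
GOOD = ":".join(sorted(PRESENT))
BAD = ("/opt/mw/Oracle_IDM1/server/client/oimclient.zip:"
       "/opt/mw/ oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar:")

if __name__ == "__main__":
    for entry, problem in lint_classpath(BAD, exists=PRESENT.__contains__):
        print(repr(entry), "->", problem)
```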
