ISE 1.3 bugs in Guest Types?

Hi,
I've created a guest type that looks like this:
Maximum account duration: 90 days
Allow 15 simultaneous logins 
Removes the oldest connection
Maximum device guest can register: 1
When I log in to the sponsor portal and select the created guest type, the text doesn't reflect the settings above.
"Maximum devices that can be connected: 1
Maximum access duration: 90 days "
The first line should not say "1", it should be "15". Is this a bug?
In addition to this, the default value of 90 days is not presented in the textbox in the sponsor portal. Instead I get the value of 83.
If I try to write 90 and tab to the next field, it goes back to 83. If I manually change the date, it sticks to 90. Bug?
BR
Robert

Could be bug CSCul15779

Similar Messages

  • ISE 1.3 Sponsored "Known Guest" emailing credentials issue

    Just ran into an issue with ISE 1.3 email notifications and was hoping that I might have overlooked a setting.
    Basically if I create a self-registered guest ISE will send an email to both the listed sponsor and a confirmation email to the guest with credentials – this works fine. Furthermore I can go to the sponsor portal and click the self registered user then resend the credentials – this also works.
    My problem is when I create a "known guest" user from the sponsor portal. Basically I create the account and hit the notify button, select email and click ok – ISE then throws an error saying unable to send email. I click the user and click resend and likewise I cannot send an email.
    So in summary email notifications work for self registered guest type but not a known guest type.

    Fixed the issue. I did some debugging and looking through logs and found that there is a bug. Basically you need to enable the sponsor to select the language dictionary for email notifications and it fixes the issue.
    It is under the customisation section of the relevant sponsor portal under settings of known guest

  • Can I change the guest type for existing guest.

    can I change the guest type for existing guest. ISE version 1.3

    You can not change the guest type for existing guest account. You need to delete it and create with correct type

  • ISE to do wireless network guest access services

    Hi Forumers'
    I need to know how WLC can support ISE guest management in wireless mode.
    Tested and confirmed by a Cisco SE: the WLC currently does not support dynamic VLAN authorization for central web authentication. This limitation will be addressed in WLC 7.2 when MAB and CWA support is added to the code. On the other hand, DACLs work and we can use them to restrict access of this guest traffic.
    So, option now is
    1. Can ISE support on WLC LWA guest access provision? This able to view guest user login and show at ISE monitoring.
    thanks
    Noel

    What you don't have at the moment with ISE and WLC is :
    -dynamic vlan assignment for webauth
    -the double-authentication (provoked by Radius CoA) required for central web authentication.
    For the rest, all is ok I think. So Local web authentication is supported. Either the webauth is handled by the WLC or you configured it as external on the WLC and the ISE acts as a guest portal.
    Guest users will be the guests you create on ISE, monitoring will happen etc ...

  • Bug? File of type ".fmp12" can be found with Spotlight, but not with "FAVORITES All My Files"

    iMac 21.5-inch, Mid 2010  Software  OS X 10.8.5 (12F45)
    Bug? File of type ".fmp12" can be found with Spotlight, but not with "FAVORITES All My Files"
    Where is the problem?

    Reindexing Spotlight did not change the behaviour of the "All My Files" command.
    Files with the .FMP12 suffix are not recognized, whereas every search area that uses Spotlight finds the .fmp12 files.
    And yet the other files created by the FileMaker application, version 10 and earlier, are found by the search command of the "All My Files" window, but not the files created by FileMaker 12 Advanced.
    Problem not resolved.

  • ISE 1.1 sponsor portal different type of guest accounts

    Hi there
    I just played around with the ISE 1.1.2.145 sponsor portal. I have the following 3 requirements, but I don't see a way to get there with the actual sponsor portal features:
    1. I would like to create a event user (one single user for multiple logins) with a given username and a given password
    2. I would like to create a single user with a given username and a given password
    3. How can I change the password of such a user
    At the moment I am a little disappointed from the sponsor portal, there are not that features or I can't see the way to get there ;-)
    Can anybody confirm the above problems?
    Best regards
    Dominic

    It is possible to use internal users as well as AD users for admin.
    I'm not actually sure whether it's possible to stop using Internal Users.
    I have it working using both, primarily as I don't have AD credentials on customer site, so they use AD credentials and I stick to using Internal Admin User.
    I still haven't understood your original question entirely, but if you select the guest username to be created based on email address (rather than first name/last name), then you can create a single username using a fictional email address, and allow the user to change the password on first login. You can then change the password to whatever you want.
    Does that fit?

  • Ise 1.2, cannot access guest portal

    I upgraded from 1.1.4 patch 3 to 1.2 but cannot access the guest portal anymore, neither with FQDN:8443 nor with IP:8443
    any idea?

    I had attached the steps to configure the guest portal and hope will address the problem.
    Configuring the Guest Portal
    Adding a New Guest Portal You must configure settings for the Guest portal before allowing guests to use it to access the network. Some settings apply globally to all Guest portals and other require you to set them for each portal individually.
    You can add a new Guest portal or edit an existing one.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.
    Step 2 Click Add.
    Step 3 Update the fields on each of these tabs:
    •General—enter a portal name and description and choose a portal type.
    •Operations—enable the customizations for the specific portal
    •Customization—choose a language template for displaying the Guest portal with localized content
    •File Uploads—displays only if you have chosen a portal type requiring you to upload custom HTML files.
    •File Mapping— identify and choose the HTML files uploaded for the particular guest pages. Displays only if you have chosen a portal type requiring you to upload custom HTML files.
    •Authentication—indicate how users should be authenticated during guest login.
    Step 4 Click Submit.
    Specifying Ports and Ethernet Interfaces for End-User Portals
    You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.
    You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.
    Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
    Step 2 Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444.
    Step 3 Check the Gigabit Ethernet interfaces you want to enable for each portal.
    Step 4 Click Save.
    If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
    Tips for Assigning Ports and Ethernet Interfaces
    •All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.
    •You must assign the Blacklist portal to use a different port than the other end-user portals.
    •Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.
    •You must configure the Ethernet interfaces using IP addresses on different subnets. Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:
    Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals
    You can set the Sponsor and My Devices portals to use an easy-to-remember fully-qualified domain names (FQDN), such as: mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.
    Before You Begin
    Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
    Step 2 Scroll to the Portal FQDNs section, and check the appropriate setting:
    •Default Sponsor Portal FQDN
    •Default My Devices Portal FQDN
    Step 3 Enter a fully qualified domain name.
    Step 4 Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
    Step 5 Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node.
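
The port and interface tips quoted in the answer above, turned into a check that can be run against a planned layout before it is saved (a port change restarts every node). This is an added example, not Cisco's or the poster's code; the plan dictionary, the function name and the treatment of ports 8905/8909 as a conflict are assumptions.

```python
PORT_RANGE = range(8000, 9000)      # "between 8000-8999" (new in ISE 1.2)
CPP_FIXED_PORTS = {8905, 8909}      # Client Provisioning posture ports
ADMIN_IFACE = "GigabitEthernet 0"   # the Admin portal always uses this one


def validate_port_plan(plan, guest_facing=("Guest",)):
    """Return a list of findings for a planned end-user portal layout.

    plan maps portal name -> {"port": int, "interfaces": set of names}.
    This layout is an assumption of the example, not an ISE export format.
    """
    findings = []
    by_port = {}
    for portal, cfg in sorted(plan.items()):
        port = cfg["port"]
        by_port.setdefault(port, []).append(portal)
        if port not in PORT_RANGE:
            findings.append(f"{portal}: port {port} is outside 8000-8999")
        if port in CPP_FIXED_PORTS:
            # Assumption: reusing the fixed posture ports counts as a conflict.
            findings.append(f"{portal}: port {port} is used by Client Provisioning")
        if portal in guest_facing and ADMIN_IFACE in cfg["interfaces"]:
            findings.append(
                f"{portal}: exposed on {ADMIN_IFACE}, the Admin portal interface")

    # The Blacklist portal must use a different port than the other portals.
    if "Blacklist" in plan:
        shared = [p for p in by_port[plan["Blacklist"]["port"]] if p != "Blacklist"]
        if shared:
            findings.append("Blacklist: shares port with " + ", ".join(shared))

    # Portals on one HTTPS port end up with the same interfaces, so a plan that
    # lists different interface sets for them cannot be applied as written.
    for port, portals in sorted(by_port.items()):
        if len({frozenset(plan[p]["interfaces"]) for p in portals}) > 1:
            findings.append(
                f"port {port}: " + ", ".join(portals) + " list different interfaces")
    return findings


# Constructed sample plan (not taken from any real deployment).
SAMPLE_PLAN = {
    "Sponsor":    {"port": 8443, "interfaces": {"GigabitEthernet 1"}},
    "My Devices": {"port": 8443,
                   "interfaces": {"GigabitEthernet 0", "GigabitEthernet 1"}},
    "Guest":      {"port": 9443, "interfaces": {"GigabitEthernet 0"}},
    "Blacklist":  {"port": 8443, "interfaces": {"GigabitEthernet 1"}},
}

if __name__ == "__main__":
    for finding in validate_port_plan(SAMPLE_PLAN):
        print(finding)
```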

  • ISE 1.2.1.198 - Guest Portal Configuration

    Is it possible to customize the default portal and add a paragraph anywhere on the login page with instructions?  I've tried adding the text in the Pre-Login Banner Text field, and it does wrap to the next line, but text goes off the screen before wrapping.  Would like to be able to add carriage return in the text, so text would scroll off the screen.

    ISE 1.3 (due out in November time frame) will have a huge amount of customization of the portal available for your use.
    If you really need to do it before then, and you have an ISE-certified Authorized Technology Partner you're working with, they have access to a Guest Portal Builder tool that can be used.
    Failing those, you're back to changing the native html code for the portal by hand. Not recommended.

  • Cisco ISE 1.2.1.198 Guest Portal Vlan Override at Mobile Device (android,IOS) not working

    Hi Guy, 
    In my ISE deployment, once the guest is successfully authenticated, they will be assigned the guest VLAN for internet access.
    We are using the guest portal to do the VLAN override once the user is authenticated.
    Windows 7 Internet Explorer (ActiveX) and Chrome (Java Applet) are working fine,
    but Android and Apple iOS devices are unable to release the DHCP and get new DHCP.
    From ISE and the WLC we can see the VLAN has changed. How do mobile devices initiate a DHCP release for the Guest Portal?
    Kindly advise.
    Regards
    Freemen

    I don't have such documentation nor I could find any on Cisco's site. With that being said, it doesn't mean that it doesn't exist. I just know that Active X is windows specific framework and Java is not supported on either iOS nor Android:
    http://www.java.com/en/download/faq/java_mobile.xml
    The good news is that Cisco appears to be steering away from Java so it is possible that in the future this will be supported. 
    Hope this helps!
    Thank you for rating helpful posts!

  • Bug on "get type and creator.vi" OSX intel

    There is a bug on LV 8.2 "get type and creator" vi
    i tried it on a G5 : perfect
    on an intel machine the file type is reversed : JPEG becomes GEPJ, AIFF becomes FFIA
    a bit annoying ...

    Hello,
    Please excuse me for not fully understanding the distinction you are drawing here.  I think you are saying that INDEPENDENTLY FILES HAVE:
    a). a type
    b). an extension
    These are somehow correlated in Windows.  When I remove the .jpg extension from a file name indeed I see the "blank icon" and right clicking the icon to expose the properties shows that it has file type "File" where it used to be "JPEG image."   When I use the Get Type and Creator.vi I still see ????.
    I would like to understand exactly the distinction you are drawing, and exactly how to see the problem you are reporting.  Please be so kind as to dictate a very specific list of instructions with which this can be reproduced.  If it requires using commands in the command line, please specify exact syntax so that isn't a hurdle in and of itself.
    I appreciate your patience and very much look forward to your next post!
    Best Regards,
    JLS
    PS - Another idea just hit me - is it possible that you have the folder options item "hide known file extensions" checked?  I think this is default in XP, and perhaps you are simply not seeing the extension of your jpg files since windows is hiding them.  If that's the case, but you DO see extension, your file names may actually be something like myFile.jpg.jpg, where the trailing .jpg are just being hidden from you.  It sounds like you're familiar with how windows distinguishes file types and extensions, but I thought I would at least throw that out there, since it is a bit subtle.
    Message Edited by JLS on 10-25-2006 01:50 PM
    Best,
    JLS
    Sixclear

  • ISE 1.1.1 Iphones Guest CWA connection dropouts

    Hi all
    I have deployed wireless guest access utilising CWA. I have no posture or client provisioning enabled on the deployment therefore it is a straightforward configuration. In short my issue pertains directly to Iphones (I haven't tested with other mobile devices yet). Basically a laptop connects, gets redirected, authenticates successfully and ultimately can browse the internet and network resources.
    With an iPhone I connect, get redirected, authenticate successfully, accept the AUP and finally get a page that says I am connected and should reenter my original URL. At this point I try to open Safari by going to the main iPhone GUI, the wireless connection drops and Safari falls back to 3G connectivity. I then go back to the wireless connections and click on the SSID, which immediately reconnects and allows access based off the original connection.
    Has anyone experienced this issue and if so what is it related to? Is there a setting or command I am missing on the system or is this yet another case of a BYOD device being a pain in the backside with ISE?

    Did you test this on iOS 6? It has a feature that will drop wireless and go to 3G if you are unable to reach www.apple.com/library/test/success.html. I believe it's called auto-join or something? Also, recently this page was down at Apple and caused quite a bit of problems for iPhone/iPad users; maybe that's what you were seeing.

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN-only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add an L2 switch to the DMZ where the WLCa is, and that the L2 switch wouldn't need any other config as the WLCa just bridges the wired to the WLAN VLAN.  This I'm sure I have done before.
    So now I have set up wired guest the same as I have done before ISE, and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesn't work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2-only switch need an ISE config on it, or should the WLCa be handling the redirection just as it would for a WLAN device?

    The ISE never receives an auth entry, so I don't believe the redirect is working for the wired client.  So even though the client's browser gets a redirect URL which fails connection, the client info in the WLCa doesn't have a redirect ACL listed like a WLAN client would

  • ISE wireless web authentication for guest management not redirecting

    Hi forumers'
    I face the problem that after connecting to the wireless guest network, it won't redirect me to the ISE guest portal. This happens on my iPhone. The iPhone is running iOS 5.0.1.
    Whilst on a workstation it's working well.
    I attach a snapshot of what happens on the iPhone.
    Any clue to troubleshoot? Thanks
    Noel

    Hi
    I still fail whilst testing on my iPhone.
    I'm not using the ISE self-signed certificate; I created a CSR and had it signed by the root CA server. So when I try to connect it won't prompt me to "accept certificate".
    My WLC local auth certificate vendor certificate is signed by the same root CA server as well.
    So I tested on a desktop running the Safari browser; it is able to redirect to the ISE guest portal.
    Can you please suggest more troubleshooting guidance?
    Thanks
    This is the outcome for the Safari browser
    Noel

  • ISE Domain Name, Certificates and Guest Portal

    Hi everyone,
    We have an ISE deployment using our internal domain for its FQDN (For example: ise01.private.local). We now want to use it for authenticating guest access and have noticed the redirection URL by default uses the FQDN of the ISE server.
    This works fine for our corporate machines as we have our own internal CA and generated certificates. As we do not want certificate errors occurring for our guests, we need to use a public FQDN.
    Are we best off changing the domain-name used by the ISE servers or is there a way to edit the redirection URL to use a custom domain?
    I have heard suggestions that changing the domain-name is unsupported, but I can't find any other way.
    Thanks,
    Mark

    Mark,
    Do you already have a public FQDN pointing to your ISE?  If so, let's assume that you are authenticating guests using CWA.  First create a new Authorization Profile; under Common Tasks, select Web Redirection (CWA, DRW, MDM, NSP, CPP), choose the Authentication Method (in this case, CWA) and define the ACL to be used.  Just below that, select Static IP/Host Name and enter the public FQDN that points to your ISE.
    From here you can create an Authorization Policy to reference the profile you just created.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE 1.1 - Error Custom Guest Portal

    Ciao,
    we are facing a strange problem on ISE Custom Guest Portal.
    After pressing the login button it returns an error:
    Error:
    Resource not found.
    Resource:/guestportal/
    It seems that the function "/guestportal/LoginCheck.action" is not able to return the successful login page.
    It's quite strange because users are authenticating without problems.
    Any clue?
    Ciao e grazie!
    Luciano

    Ciao,
    we faced the problem on clients connected via wireless, where the WLC redirects to the custom guest portal.
    The setup worked fine for almost 2 months, then it stopped working; then we re-imaged the device (1st time).
    Digging in the log with SE of TAC (621986639) we found these errors:
    2012-06-06 13:55:32,152 ERROR 2012-06-06 13:55:32,152  [http-443-10][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    2012-06-06 13:57:43,839 ERROR 2012-06-06 13:57:43,839  [http-443-10][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:8080/guestportal/gateway?sessionId=SessionIdValue&action=cpp
    2012-06-06 13:59:39,923 ERROR 2012-06-06 13:59:39,923  [http-443-5][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    And during the test these errors were generated:
    2012-06-07 16:05:58,448 ERROR 2012-06-07 16:05:58,448  [http-8080-2][] org.apache.struts2.dispatcher.Dispatcher- Could not find action or result
    There is no Action mapped for action name Login. - [unknown location]
             at com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:186)
             at org.apache.struts2.impl.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:41)
             at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:494)
             at org.apache.struts2.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:422)
    So we performed another re-image (2nd time) with a different media (not sure the problem was the media, it should be some script fail)  today I'm performing some test ... I'll update this discussion asap.
    Ciao!
    Luciano
