ISE 3315 Guest Portal on ETH1?

Similar Messages

• ISE and Guest Portal

  WLC - 7.2.110.0
  ISE - 1.1.1
  I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: https://1.2.3.4:8443/guestportal/Login.action
  At that screen, users can enter their Active Directory credentials and login. Although the authentcation shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description but the "Register" button is greyed out.
  I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to help me understand how access requests are processed?

  As you asked the documents related to ISE and Guest Portal. I am sending you two docs which will help you in this case. Please find the below documents:
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

• ISE Wired guest portal redirect even after authentication

  Hi
  I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
  I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
  Here is what I see on the interface
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  a0b3.ccca.2ab1
             IP Address:  10.1.3.16
              User-Name:  A0-B3-CC-CA-2A-B1
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F000001571E52779F
        Acct Session ID:  0x00000309
                 Handle:  0xE6000158
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  Here is the ACL
  Extended IP access list ACL-WEBAUTH-REDIRECT
      10 deny udp any any eq domain (1344 matches)
      20 deny ip any host 172.20.5.12 (8122 matches)
      30 deny ip any host 172.20.5.14
      40 permit tcp any any eq www (3124 matches)
      50 permit tcp any any eq 443 (202927 matches)
      60 permit tcp any any eq 8080 (114 matches)
      70 permit ip any any (8056 matches)

  Hi Mohannad,
  Thanks for your response.
  Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
  We need to find out why the next Auth policy is not hitting once user is authenticated.
  Here is the port configuration and the authen status of the port.
  ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
  Building configuration...
  Current configuration : 427 bytes
  interface GigabitEthernet4/0/19
  switchport access vlan 103
  switchport mode access
  switchport voice vlan 135
  authentication event fail action next-method
  authentication host-mode multi-auth
  authentication order dot1x mab
  authentication priority dot1x mab webauth
  authentication port-control auto
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end
  ABQT-3FLR-ACC-01#
  Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
  ABQT-3FLR-ACC-01#
  ABQT-3FLR-ACC-01#sh atuh
  ABQT-3FLR-ACC-01#sh atu
  ABQT-3FLR-ACC-01#sh authe
  ABQT-3FLR-ACC-01#sh authentication se
  ABQT-3FLR-ACC-01#sh authentication sessions in
  ABQT-3FLR-ACC-01#sh authentication sessions interface gi
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  0015.c5b4.fd4a
             IP Address:  10.1.3.23
              User-Name:  00-15-C5-B4-FD-4A
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F0000018A32B4D906
        Acct Session ID:  0x00000394
                 Handle:  0x3E00018B
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success

• ISE - sponsor guest portal with smartcard authentication

  Team, any support for sponsor guest portal authentication with the smartcard?
  If not then can someone plese create feature request to Cisco, smartcards are being rolled out more and more.
  Bilal

  We've got it working in our agency.  It's front ended by an 5540 ASA that sends the users attributes to ISE and then loops ISE to authenticate via AD. I've got a pretty sweet write up on it from our advanced services rep.  The guys are legit when it comes to work around and I just finished testing this with ISE 1.3. If you guys are interested I'll attach it tomorrow. 
  Attached configuration guide.   Note for 1.3 the Sponsor Group Policy has been removed.  Just make sure the Sponsor Group is configured and add the store to locate the user.  In our case its AD.
  If you have questions just PM me and Ill be glad to assist.
  -Ryan 

• ISE HTTP GUEST PORTAL

  Hello,
  We have some disconfort with Guest web authentication. When WLC redirects a guest user, he views certificate error.
  Can I use http instead https for guest portal?
  Thanks,
  Oleg

  Hi,
  Is your guest portal on the ISE ? In the ISE , there is only HTTPS port allowed to configure under Guest portal and no option of http port is there , So I dont think so. You also might be using port 8443 in the external web-auth redirection URL under security tab.
  Now even if you put a valid certificate on the ISE which hosts external guest portal , still you would receive certificate warning as long as you use local web server of the controller which is its virtual ip address.This is because even if the external web server where page is hosted for example has a valid certificate , even then internal virtual ip address is presented to the client.
  So
  > either you trust them in your browser so that you dont receive certificate warnings
  >or else have a valid certificate on the controller and external web server. 
  > or use http for web authentication in the controller and also http to external hosted page, then also you can get rid of these certificates.
  Regards
  Dhiresh

• ISE 1.1 - Error Custom Guest Portal

  Ciao,
  we are facing a strange problem on ISE Custom Guest Portal.
  After pressing the login button it returns an error:
  Error:
  Resource not found.
  Resource:/guestportal/
  It seems like that te function "/guestportal/LoginCheck.action" is not able to return the succesfull login page.
  It's quite strange because user are authenticating without problem.
  Any clue?
  Ciao e grazie!
  Luciano

  Ciao,
  we faced the problem on clients connected in wireless, where WLC redirect to the custom guest portal.
  The setup works fine for almost 2 months, than it stop working; then we re-imaged the device (1st time).
  Digging in the log with SE of TAC (621986639) we found these errors:
  2012-06-06 13:55:32,152 ERROR 2012-06-06 13:55:32,152  [http-443-10][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  2012-06-06 13:57:43,839 ERROR 2012-06-06 13:57:43,839  [http-443-10][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:8080/guestportal/gateway?sessionId=SessionIdValue&action=cpp
  2012-06-06 13:59:39,923 ERROR 2012-06-06 13:59:39,923  [http-443-5][] api.services.persistance.dao.ResourceDAO- Exception while retrieving the resource //ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  And during the test these errors were generated:
  2012-06-07 16:05:58,448 ERROR 2012-06-07 16:05:58,448  [http-8080-2][] org.apache.struts2.dispatcher.Dispatcher- Could not find action or result
  There is no Action mapped for action name Login. - [unknown location]
           at com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:186)
           at org.apache.struts2.impl.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:41)
           at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:494)
           at org.apache.struts2.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:422)
  So we performed another re-image (2nd time) with a different media (not sure the problem was the media, it should be some script fail)  today I'm performing some test ... I'll update this discussion asap.
  Ciao!
  Luciano

• Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

  Hi to all,
  I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
  I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
  Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
  Error: Resource not found.
  Resource: /guestportal/
  Does anyone have any ideas why the portal is doing this?
  Thanks
  Paul

  Hello,
  As you are not able to  get the guest portal, then you need to assure the following things:-
  1) Ensure that the  two  Cisco av-pairs that are configured on the  authorization profile should  exactly match the example below. (Note: Do  not replace the "IP" with the  actual Cisco ISE IP address.)
  –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
  –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
  2) Ensure that the URL redirection portion of the ACL have been  applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address  that is  passed to the client machine by the DHCP server.)
  Admission feature : DOT1X
  AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
  URL Redirect ACL : ACL-WEBAUTH-REDIRECT
  URL Redirect :
  https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
  0000A45A2444BFC2&action=cpp
  3) Ensure that the preposture assessment DACL that is enforced from  the  Cisco ISE authorization profile contains the following command  lines:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8906 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
  4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny ip any host 80.0.80.2
  permit ip any any
  5) Ensure that the http and https servers are running on the switch:
  ip http server
  ip http secure-server
  6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
  7) Ensure that the client machine browser is not configured to use any  proxies.
  8) Verify connectivity between the client machine and the Cisco ISE IP  address.
  9) If Cisco ISE is deployed in a distributed environment, make sure  that  the client machines are aware of the Policy Service ISE node FQDN.
  10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
  11) Or you need to do re-image again.

• ISE 1.2 Guest Portal Profiling Certainty Factor not Increase

  Hi I have configure ISE 1.2 Guest Portal and check for profiling which device login but I found that endpoint profile not match after user succesful authenticate
  Profiling Configure and Endpoint Detail in attachment below

  Hi salodh
  as you can see in attach file all profiling are configure correctly and condition should be match according to User-Agent Contain Andriod (profile3.png) and Certainty Factor must increase (profile2.png) in this case but Total Certainty Factor still 0 in endpoint profile (profile1.png)

• ISE 1.2 customizing guest portal

  I am having some issues trying to customize colours on the default guest portal in ISE 1.2.
  Is there really no way to change the entire page background colour, except going through creating a complete set of html files ?
  It seems if i upload a transparent background image for both the banner and the logo, and then change the all the gackground coulour settings, the colour only affects the area where the cisco splash logo is, and not the entire page.
  I attached my settings, and how the page looks with those, what i am after is the entire page black, and then white text.

  Hello Jan
  You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal.
  These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead.
  Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.
  Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals.
  Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal.
  Step 4 Click Save.

• How to use ISE Guest Portal for AD users

  Hi there,
  As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
  Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
  Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
  Am I missing something??
  I am running WLC 5760 with ISE 1.2
  Thanks in advance..

  Hi,
  Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
  In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• 5760 v3.6 guest portal redirect to ISE

  I'm testing a new set of 5760 controllers for a future production rollout, running software version 3.6.  Our current production setup consists of older WISM-1 and 4402 controllers running CUWN 7.0.  Our guest network has an anchor in the DMZ, redirecting to ISE.
  In the recent thread (https://supportforums.cisco.com/discussion/12319151/3850-ise-guestportal-no-redirect-v-334), one of the posters said that guest redirection in 3.6 works similarly to redirection in CUWN, while in 3.3 it is very different.  I found the documentation for 3.3 (http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html), which I have to say I don't like very much.  However, I find the configuration and command reference guides for 3.6 are less than helpful on this point. 
  So the question I have is whether guest networking with an external redirect to ISE looks like the following in 3.6?  Or does it work like CUWN, where the SSID is configured with layer 3 security?  If it uses layer 3 security like CUWN, does anybody have a quick configuration sample for how it can work end to end in 3.6?
  ------ From the document http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html ---------
  The flow includes these steps:
  The user associates to the web authentication Service Set Identifier (SSID), which is in fact open+macfiltering and no Layer 3 security.
  The user opens the browser.
  The WLC redirects to the guest portal.
  The user authenticates on the portal.
  The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) in order to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
  The user is prompted to retry the original URL.

  I have a project with a 5760 running 3.6 working to a 5508 anchor controller in a DMZ.
  I have web authentication working to an ISE OK.
  Regards
  Roger

• ISE 1.2.1.198 - Guest Portal Configuration

  Is it possible to customize the default portal and add a paragraph any where on the login page with instructions?  I've tried adding the text in the Pre-Login Banner Text field, and it does wrap to the next line, but text goes of the screen before wrapping.  Would like to be able to add carriage return in the text, so text would scroll off the screen.

  ISE 1.3 (due out in November time frame) will have a huge amount of customization of the portal available for your use.
  If you really need to do it before then, and you have an ISE-certified Authorized Technology Partner you're working with, they have access to a Guest Portal Builder tool that can be used.
  Failing those, you're back to changing the native html code for the portal by hand. Not recommended.

• ISE 1.2 Guest Portal - Device registration portal

  Hello,
  I have a problem with the following setup:
  - Cisco ISE 1.2 (latest patch)
  - Cisco WiSM with 7.0.220.0 (first generation)
  I have build Guest access via ISE. Because the WiSM's highest version is 7.0.X I used LWA with a redirect to the ISE guest portal. When using the Guest SSID with a iPad the client is redirected to the ISE guest portal and the user can enter his credentials (deliverd by the Sponsor). After clicking "Sign On" the client is forwarded to the "Device Registration Portal" of ISE and need to register his MAC address.
  We have try a lot of differend settings but we cannot switch off the forward to the "Device Registration Portal". We only want to use the Guest User portal.
  Please can someone help me to find a solution for this problem?
  Thank you in advance.

  I know this might be reaching, but have you turned off the My Devices portal?
  If so, an idea of the different settings you have already tried might help.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Ise 1.2, cannot access guest portal

  I upgraded from 1.1.4 patch 3 to 1.2 but cannot access guest portal anymore nor with FQDN:8443 nor with IP:8443
  any idea?

  I had attached the steps to configure the guest portal and hope will address the problem.
  Configuring the Guest Portal
  Adding a New Guest Portal You must configure settings for the Guest portal before allowing guests to use it to access the network. Some settings apply globally to all Guest portals and other require you to set them for each portal individually.
  You can add a new Guest portal or edit an existing one.
  Step 1Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.
  Step 2Click Add.
  Step 3Update the fields on each of these tabs:
  •General—enter a portal name and description and choose a portal type.
  •Operations—enable the customizations for the specific portal
  •Customization—choose a language template for displaying the Guest portal with localized content
  •File Uploads—displays only if you have chosen a portal type requiring you to upload custom HTML files.
  •File Mapping— identify and choose the HTML files uploaded for the particular guest pages. Displays only if you have chosen a portal type requiring you to upload custom HTML files.
  •Authentication—indicate how users should be authenticated during guest login.
  Step 4Click Submit.
  Specifying Ports and Ethernet Interfaces for End-User Portals
  You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.
  You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.
  Step 1Choose Administration > Web Portal Management > Settings > General > Ports.
  Step 2Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444.
  Step 3Check the Gigabit Ethernet interfaces you want to enable for each portal.
  Step 4Click Save.
  If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
  Tips for Assigning Ports and Ethernet Interfaces
  •All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.
  •You must assign the Blacklist portal to use a different port than the other end-user portals.
  •Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.
  •You must configure the Ethernet interfaces using IP addresses on different subnets. Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:
  Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals
  You can set the Sponsor and My Devices portals to use an easy-to-remember fully-qualified domain names (FQDN), such as: mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.
  Before You Begin
  Step 1Choose Administration > Web Portal Management > Settings > General > Ports.
  Step 2Scroll to the Portal FQDNs section, and check the appropriate setting:
  •Default Sponsor Portal FQDN
  •Default My Devices Portal FQDN
  Step 3Enter a fully qualified domain name.
  Step 4Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
  Step 5Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node.

• ISE 1.2 Guest Portal - This device has not been registered.

  I have setup and SSID on my WLC. I got the redirecting to my ISE guestportal working.
  However when I sign in I get a Device regitration Page
  "This device has not been registered"
  Unable to obtain the user information needed for network access.
  The device ID is grayed out and blank.
  Any assistance in this matter would be greatly appreciated

  Thanks Johnston,
  P.S for those who needs the path ISE 1.2 Administration -> Web Portal Management -> Settings -> Multi-Portal Configurations -> DefaultGuestPortal -> Operations.
  On another note
  When I login - I get my acceptable usage policy.
  Accept
  Then get a Device registration Portal where I can add the MAC address.
  Now I have two quistions.
  When I add my test mac address the url redirects to myservername:8443/guestportal/AfterDevReg.action - unable to connect <- that's the one issue.
  The other is - Can't I by pass the MAC? ie once the user is signed on to get access.
  Curretly I have the following settings enabled.
  Enable Mobile Portal
  Allow guest users to change password
  Guest users should be allowed to do device registration <- if I disable that after signon the page just flash back to the guest portal.