ISE CWA Redirect URL customization

Hi,
Just wanted to know if we can change the redirect URL. By default it starts with the hostname of ISE. I will have four PSN nodes and want that URL to actually be the load balancer URL rather than the ISE node. Since ISE is integrated with AD domain.local, a public certificate would not be possible. We are planning to install a public cert with a different domain name like domain.com. If someone has done it before please let me know.
Thanks
Aijaz

Hello,
I went through your query and have found a link which I think would surely help you to solve your query:-
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

Similar Messages

  • ISE 1.2 CWA Redirect URL

    Hi,
    Just wondered was there anyway to manipulate what webauth URL is sent to a client in the redirect string. Currently my ISE sends clients the internal machine name, I was wondering if there was anyway I can change this.
    I know on local webauth on the WLC you can set external URL's, does this feature exist in the ISE?
    TIA
    -G
    Sent from Cisco Technical Support iPad App

    Users Are Not Appropriately Redirected to URL
    Symptoms or Issue
    Administrator receives one or more "Bad URL" error messages from Cisco ISE.
    Conditions
    This scenario applies to 802.1X authentication as well as guest access sessions.
    Click the magnifying glass icon in Authentications to launch the Authentication Details. The authentication report should have the redirect URL in the RADIUS response section as well as the session event section (which displays the switch syslog messages).
    Possible Causes
    Redirection URL is entered incorrectly with invalid syntax or a missing path component.
    Resolution
    Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct per the following options:
    •CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    •802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

  • ISE - CWA Redirection

    Hi
    I am trying to implement the guest portal and I have configured the ISE and switch to redirect guests, and I see the whole process goes well when I issue
    show authentication session interface GigabitEthernet1/0/11
                Interface:  GigabitEthernet1/0/11
              MAC Address:  1078.d2fc.698c
               IP Address:  192.168.0.59
                User-Name:  10-78-D2-FC-69-8C
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  81
                  ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A6518000000010006F2B5
          Acct Session ID:  0x00000003
                   Handle:  0x0D000001
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    My problem is that the web browser does NOT redirect automatically to the portal, but it does manually when I copy the URL from the switch. Any idea?
    switch configuration
    boot-start-marker
    boot-end-marker
    logging monitor informational
    enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
    username cisco privilege 15 password 0 cisco
    username ise-rad-alive password 0 CICSOISEalive123
    aaa new-model
    aaa authentication login local local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.20.13 server-key myshared
    client 10.10.20.14 server-key myshared
    aaa session-id common
    switch 1 provision ws-c2960s-24ps-l
    ip dhcp snooping vlan 1-2000
    no ip dhcp snooping information option
    ip dhcp snooping
    ip domain-name mycompany.com
    ip name-server 192.168.10.40
    ip device tracking probe use-svi
    ip device tracking
    ip admission name Webauth proxy http inactivity-time 60
    vtp mode transparent
    epm logging
    dot1x system-auth-control
    fallback profile Webauth
    ip access-group ACL-WEBAUTH-REDIRECT in
    ip admission Webauth
    spanning-tree mode pvst
    spanning-tree extend system-id
    interface GigabitEthernet1/0/11
    switchport mode access
    switchport voice vlan 93
    ip access-group ACL-ALLOW in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 777
    authentication event server dead action authorize voice
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast
    interface Vlan1
    no ip address
    shutdown
    interface Vlan80
    ip address 10.10.101.24 255.255.255.0
    ip default-gateway 10.10.101.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-AGENT-REDIRECT
    remark explicitly prevent DNS from being redirected to address a bug
    deny   udp any any eq domain
    remark redirect HTTP traffic only
    permit tcp any any eq www
    remark all other traffic will be implicitly denied from the redirection
    ip access-list extended ACL-ALLOW
    permit ip any any
    ip access-list extended ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Drop all the rest
    deny   ip any any log
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny   ip any host 10.10.20.13
    deny   ip any host 10.10.20.14
    deny   ip any host 192.168.10.43
    deny   ip any host 192.168.10.40
    deny   ip any host 192.168.10.41
    deny   ip any host 192.168.10.42
    remark explicitly prevent DNS from being redirected to accommodate certain switches
    deny   udp any any eq domain
    remark redirect all applicable traffic to the ISE Server
    permit tcp any any eq www
    permit tcp any any eq 443
    ip radius source-interface Vlan80
    logging origin-id ip
    logging source-interface Vlan80
    logging host 10.10.20.11 transport udp port 20514
    logging host 10.10.20.12 transport udp port 20514
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
    radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
    radius-server vsa send accounting
    radius-server vsa send authentication

    Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
    CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp
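    The two "Bad URL" entries above list the shape a url-redirect value must have. The following is an added example (not from any post in this thread) that checks a Cisco-av-pair set the way a troubleshooter would by hand: https scheme, explicit port, the /guestportal/gateway path, a substituted sessionId and an action of cwa or cpp, plus the presence of a url-redirect-acl. The 8443 default and the attribute names are taken from the posts here; the function names are the example's own.

```python
"""Validate Cisco-av-pair url-redirect values for ISE CWA / 802.1X redirection.

Added example, not from the original thread. It flags the usual causes of a
"Bad URL": wrong scheme, missing port, wrong or missing path component, a
missing sessionId, a literal SessionIdValue the NAD never substituted, and an
unknown action. Expected path/actions follow the troubleshooting entry above.
"""
from __future__ import annotations
from urllib.parse import urlsplit, parse_qs

EXPECTED_PATH = "/guestportal/gateway"
EXPECTED_ACTIONS = {"cwa", "cpp"}


def parse_av_pair(av_pair: str) -> tuple[str, str]:
    """Split 'url-redirect=https://...' into (attribute, value)."""
    if "=" not in av_pair:
        raise ValueError(f"not an attribute=value pair: {av_pair!r}")
    name, value = av_pair.split("=", 1)
    return name.strip(), value.strip()


def check_redirect_url(url: str) -> list[str]:
    """Return a list of problems; an empty list means the URL is well-formed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme must be https, got {parts.scheme!r}")
    if not parts.hostname:
        problems.append("missing host")
    if parts.port is None:
        problems.append("missing explicit port (the portal in this thread listens on 8443)")
    if parts.path != EXPECTED_PATH:
        problems.append(f"path should be {EXPECTED_PATH}, got {parts.path!r}")
    qs = parse_qs(parts.query, keep_blank_values=True)
    sid = qs.get("sessionId", [""])[0]
    if not sid:
        problems.append("missing sessionId")
    elif sid == "SessionIdValue":
        problems.append("sessionId placeholder was not substituted by the NAD")
    action = qs.get("action", [""])[0]
    if action not in EXPECTED_ACTIONS:
        problems.append(f"action must be one of {sorted(EXPECTED_ACTIONS)}, got {action!r}")
    return problems


def check_av_pairs(av_pairs) -> dict[str, list[str]]:
    """Validate the url-redirect and url-redirect-acl pairs of one authz profile."""
    seen = {}
    for pair in av_pairs:
        name, value = parse_av_pair(pair)
        seen[name] = value
    findings = {}
    if "url-redirect" in seen:
        findings["url-redirect"] = check_redirect_url(seen["url-redirect"])
    else:
        findings["url-redirect"] = ["attribute missing"]
    if seen.get("url-redirect-acl"):
        findings["url-redirect-acl"] = []
    else:
        findings["url-redirect-acl"] = ["attribute missing: the NAD needs a local ACL name to redirect against"]
    return findings


if __name__ == "__main__":
    # Constructed sample: the URL the switch showed in the thread above, plus the ACL name.
    profile = [
        "url-redirect=https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway"
        "?sessionId=0A0A6518000000010006F2B5&action=cwa",
        "url-redirect-acl=ACL-WEBAUTH-REDIRECT",
    ]
    for attr, problems in check_av_pairs(profile).items():
        print(attr, "OK" if not problems else problems)
```

    Feed it the av-pairs copied from the authorization profile or from the RADIUS response section of the authentication report; an empty problem list for both attributes means the NAD received something it can act on.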

  • Cisco ISE - CWA Redirect

    Why are the ISE nodes needed to be defined in the web authentication redirect acl that is configured locally on the switch?
    All the documentation that I've found states this. I've set up my 2-year-old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories I don't understand why the ISE nodes need to be defined in the switch redirect acl. I am now testing with a simple "redirect www & 443" acl and it is working as expected.
    The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to mab. At which point, I do not have an authz rule defined for my test machine and therefore matches my catch-all authz rule of CWA which sends a CWA DACL. The switch lays the acls on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
    Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need to be defined in the CWA redirect acl local to the switch.

    Poonam,
    I appreciate the response. I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
    1. a default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
    2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
    3. The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
    4. Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
    Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800) and because, during the stage where the interface is in CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order of RACL>DACL>PACL....it doesn't seem to make sense that you need to define the ISE nodes in the RACL because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL which is where you state access to the ISE nodes (either complete access or only 8443 access).
    Let me give you this example. Say I have the following configured:
    CONFIGURED SWITCH INTERFACE ACL (PACL)
      ip access-list extended ACL-ALLOW
       permit ip any any
    CONFIGURED SWITCH REDIRECT ACL (RACL)
      ip access-list extended ACL-WEBAUTH-REDIRECT
       permit tcp any any eq www 443
    CONFIGURED ISE DOWNLOADABLE ACL (DACL)
      permit tcp any host <psn01> eq 8443
      permit udp any host <dns01> eq 53
      deny ip any any
    Then the process would look like this:
    1. During dot1x negotiation the acl that is used is this:
    permit ip any any     <<<<<PACL
    2. Once CWA is in effect then the acl looks like this:
    redirect tcp host <host ip> any eq www 443             <<<<<<RACL
    permit tcp host <host ip> host <psn01 ip> eq 8443       <<<<<<DACL
    permit udp host <host ip> host <dns01 ip> eq 53       <<<<<<DACL
    deny ip any any      <<<<<<DACL
    permit ip any any      <<<<<<PACL
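    The composition the poster describes (redirect ACL first, where deny lines exempt traffic and permit lines redirect it, then the dACL, then the static PACL) can be modelled in a few dozen lines. The following is an added example, not code from the thread, and it follows the poster's model rather than any Cisco documentation: matching is reduced to protocol, destination host and destination port, and the implicit deny at the end of the composed ACL is kept. It uses the two redirect ACL styles that appear in this thread (the documented one with deny lines for the PSNs, and the poster's "just www and 443" one) against the same dACL and PACL, so the difference between them for HTTPS traffic aimed at a PSN is visible.

```python
"""Model of how the three ACLs are composed on a switch port during CWA.

Added example, not from the original thread. Order follows the poster's
description: RACL (deny = exempt from redirection, permit = redirect),
then the ISE dACL, then the static port ACL, then the implicit deny.
"""
from __future__ import annotations
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    dst: str     # destination IP
    dport: int   # destination port


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    dst: str                  # "any" or a host IP
    dports: frozenset | None  # None means any destination port

    def matches(self, f: Flow) -> bool:
        return ((self.proto == "ip" or self.proto == f.proto)
                and (self.dst == "any" or self.dst == f.dst)
                and (self.dports is None or f.dport in self.dports))


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def parse_ace(line: str) -> Ace:
    """Parse an IOS extended ACE: action proto src [eq p] dst [eq p ...]."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    i += 2 if tok[i] == "host" else 1           # source address (any | host X)
    if i < len(tok) and tok[i] == "eq":         # optional single source port
        i += 2
    if tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    else:
        dst, i = "any", i + 1
    dports = None
    if i < len(tok) and tok[i] == "eq":         # one or more destination ports
        dports = frozenset(_port(t) for t in tok[i + 1:])
    return Ace(action, proto, dst, dports)


def parse_acl(lines) -> list[Ace]:
    """Keep permit/deny lines, drop remarks and blanks."""
    return [parse_ace(l) for l in lines if l.split() and l.split()[0] in ("permit", "deny")]


def evaluate(racl, dacl, pacl, flow: Flow) -> str:
    """Return 'redirect', 'permit' or 'deny' for one flow."""
    for ace in racl:
        if ace.matches(flow):
            if ace.action == "permit":
                return "redirect"
            break                               # deny in the RACL = exempt, fall through
    for ace in dacl + pacl:
        if ace.matches(flow):
            return ace.action
    return "deny"                               # implicit deny


# Constructed inputs taken from the ACLs quoted in this thread.
RACL_DOCUMENTED = parse_acl([
    "deny ip any host 10.10.20.13",
    "deny ip any host 10.10.20.14",
    "deny udp any any eq domain",
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
])
RACL_SIMPLE = parse_acl(["permit tcp any any eq www 443"])
DACL = parse_acl([
    "permit tcp any host 10.10.20.13 eq 8443",
    "permit udp any host 192.168.10.40 eq 53",
    "deny ip any any",
])
PACL = parse_acl(["permit ip any any"])

if __name__ == "__main__":
    for name, racl in (("documented", RACL_DOCUMENTED), ("simple", RACL_SIMPLE)):
        for flow in (Flow("tcp", "93.184.216.34", 80), Flow("tcp", "10.10.20.13", 8443),
                     Flow("tcp", "10.10.20.13", 443), Flow("udp", "192.168.10.40", 53),
                     Flow("tcp", "93.184.216.34", 22)):
            print(f"{name:10} {flow.proto} -> {flow.dst}:{flow.dport:<5} {evaluate(racl, DACL, PACL, flow)}")
```

    With either redirect ACL, HTTP to the Internet is redirected, 8443 to the PSN and DNS are permitted by the dACL, and everything else dies on the dACL's final deny before the PACL is ever reached. The one flow the two RACLs treat differently is TCP 443 to a PSN: the "www and 443" ACL redirects it, while the documented ACL exempts it and then lets the dACL decide.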

  • Cisco ISE - CWA redirect in another way than cisco-av-pair?

    Hello.
    I'm trying to set up ISE as a CWA.
    I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
    But here is the problem: We use Aerohive as access points. And Aerohive does not support cisco-av-pair attributes, since it's Cisco proprietary.
    Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
    So the big question: Is there way to make the same redirect using standard radius attributes?
    Thank you.

    Unfortunately there isn't. I have done a project with ISE and Aerohive before and outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
    I could be wrong here, so if someone else has done this before please chime in.
    Thank you for rating helpful posts! 

  • ISE CWA redirect redundancy

    Hi
    If in a CWA authorization profile the IP address option is used for the redirection, how will this impact on redundancy ? For instance in my implementation with 2 ISE appliances, on the Primary Admin Node the CWA profile is configured with an IP address of x.x.x.110 which is the address of the Primary ISE appliance. When the primary appliance fails how will the secondary appliance handle the above cause the x.x.x.110 ip address will then be unavailable and the new ip should be x.x.x.109....? 

    If you check that box and set an IP address manually then all CWA requests will go to that IP/Host Name. If you want to have redundancy then you should leave that box unchecked. Doing that will allow ISE to use the FQDN of the Radius server that is currently serving that SSID. 
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE CWA redirection problem for Apple devices

    Hi,
    I'm testing some guest scenarios (CWA) in my lab using ISE1.3 and WLC2504 (7.6.130).
    I have noticed that redirection to the ISE portal doesn't work for Apple devices (iOS 7 and later). All other devices like laptops, Androids etc. work fine.
    Seems that the workaround on the WLC that bypasses the CNA on iDevices doesn't work in my case. The device tries to open the ISE portal and shows just a blank page (attached photo).
    The problem doesn't appear for devices with iOS 6 but only for newer versions.
    I've also tried with version 8.0 on WLC without success.
    Any advise?
    Regards. 

    Captive portal/wispr support for apple ios7
    CSCuj18674
    Description
    Symptom:
    When attempting to access the Guest Portal with an Apple iOS 7 device while the WLC "Captive Portal Bypass" feature is enabled, the web sheet on the device still appears, preventing the user from continuing the flow.
    Conditions:
    The Apple device is running Apple iOS 7.
    Workaround:
    In the ACL on the WLC used for captive portal redirection and exemption of special traffic for the Guest Portal, add exemptions for the IP resources that resolve from "www.appleiphonecell.com" and "captive.apple.com" FQDNs.
    IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that.

  • ISE Sending Hostname in CWA Redirect

    Dear Support Team.
    we have setup in which wireless controllers are deployed in Foreign & Anchor Scenario. (Guest WLC or Anchor is deployed in DMZ) , Controllers are running 7.3 and CWA config is done as per standard TAC documents.
    When WLC redirects the session to ISE, Redirection URL has ISE hostname and is something like this
    https://ise-ip-address:8443/guestportal/gateway........
    we have setup Guest Access in such a way, that guest dhcp pool is using the Public DNS, we are not providing our internal DNS to guest dhcp pool, since public DNS does not have an entry for ise-ip-address, DNS resolution Fails and CWA is not happening.
    is it possible that ISE can send IP address in place of its hostname, for example
    https://10.15.24.20:8443/guestportal/gateway......
    Any help will be highly appreciated.
    Thanks
    Ahad

    One workaround that I have gotten to work in the past when using ASA firewalls is to create a static NAT entry and leverage DNS inspection to translate the Private IP address for you.  It is important to note that in this example the domain name that the ISE PSN is registered as is on a publicly resolvable domain name which you have control of the DNS entries. 
    In this example we will have a three legged ASA.  Inside, DMZ, and Outside. 
    The PSN's hostname is psn.example.com.
    The PSN's Private IP address is 10.1.1.100
    Steps:
    Create a Public DNS record for psn.example.com.  For best practices you should use an IP address that belongs to you and that is not a part of RFC 1918.  This way the public DNS servers do not reject the IP address for some other reason. In this example we will use 1.1.1.1
    Enable DNS inspection on the ASA.
    Create a Static NAT entry for 1.1.1.1 (outside) -> 10.1.1.100 (inside) and enable DNS translation. 
    Now when the CWA user connects and gets a public DNS server it will query the public server for psn.example.com and the public DNS server will return 1.1.1.1. Now because of the DNS inspection the reply of 1.1.1.1 is replaced with the private IP address of 10.1.1.100.
    End result is the DMZ host using a public DNS server to return a private IP address.  If you have multiple PSNs you will need to create multiple DNS and NAT.
    You are welcome to try and use bogus RFC 1918 addresses, but the public DNS servers may have rules against doing so, which is why I recommend using the public IP addresses that you own. It is important to remember that even though you are creating Inside to Outside NAT entries for your ISE servers, because you haven't created any inbound ACLs they are not exposed to the Internet just because you created a NAT for them.
    Here is a cisco doc on how to do "DNS Doctoring"
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
    I should note that I have tested this using 1.2 with the static hostname, but I have not tested it with 1.1.4, but the underlying principles should be the same.
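    The rewrite the reply above relies on is simple to show in code. The following is an added example, not ASA code and not from the thread: it builds a constructed DNS response for psn.example.com that answers with the thread's placeholder public address 1.1.1.1, then applies a NAT map (public IP to private IP) to the A records in the answer section, which is the "DNS doctoring" behaviour the reply describes. Only UDP-style messages and A records in the answer section are handled; name compression pointers are skipped rather than resolved, which is all that is needed to walk the records.

```python
"""Illustration of DNS doctoring: rewrite A records in a DNS reply via a NAT map.

Added example, not from the original thread and not ASA code. The reply is a
constructed sample; the NAT map mirrors the thread's 1.1.1.1 -> 10.1.1.100
example (use an address you own in practice, as the reply recommends).
"""
from __future__ import annotations
import socket
import struct


def _encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(qname: str, answers: list[str], txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Build a minimal DNS response (standard query, no error) with A records."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    body = b""
    for ip in answers:
        # 0xC00C: compression pointer to the name at offset 12 (the question name)
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + body


def _skip_name(pkt, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _iter_answers(pkt):
    """Yield (rtype, rclass, rdata_offset, rdlength) for each answer-section record."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4       # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def doctor_dns_response(pkt: bytes, nat_map: dict[str, str]) -> tuple[bytes, int]:
    """Replace A-record addresses found in nat_map; return (new_packet, rewritten_count)."""
    buf = bytearray(pkt)
    rewritten = 0
    for rtype, rclass, off, rdlen in _iter_answers(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public_ip = socket.inet_ntoa(bytes(buf[off:off + 4]))
            if public_ip in nat_map:
                buf[off:off + 4] = socket.inet_aton(nat_map[public_ip])
                rewritten += 1
    return bytes(buf), rewritten


def answer_ips(pkt: bytes) -> list[str]:
    """List the A-record addresses in the answer section."""
    return [socket.inet_ntoa(bytes(pkt[off:off + 4]))
            for rtype, rclass, off, rdlen in _iter_answers(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


if __name__ == "__main__":
    reply = build_a_response("psn.example.com", ["1.1.1.1"])      # what the public DNS returns
    doctored, n = doctor_dns_response(reply, {"1.1.1.1": "10.1.1.100"})
    print("before:", answer_ips(reply), "after:", answer_ips(doctored), "rewritten:", n)
```

    Records whose address is not in the NAT map pass through untouched, so an unrelated answer is never altered, and a response carrying several PSN records is rewritten one record at a time, which is why the reply above says each PSN needs its own DNS and NAT entry.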

  • WLC Web Auth Redirect URL point to an ISE Policy NODE only?

    Hi all,
    I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

    Thanks Peter for your clarification regarding the semantic I used and the question I made.
    Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

  • IOS CWA Redirect - ISE - Safari

    I do not believe I can be the only one with this issue, not when I have it at two sites and with the original installs being done by different people.
    Is anyone else having issues with Safari properly being redirected to ISE CWA by IOS redirection?
    I have this issue on 3750X for wired clients, and on a 3850 NGWC for wireless clients.  What makes this unique is that the only thing similar to this deployment is the Macbooks running with Safari.
    My troubleshooting seems to point at an issue with Safari not liking the redirect based upon the switch(3850,3750X) certificate.  Firefox and Chrome both work without issues on the test Macbooks.  I'm unable to find anything in the Bugtoolkit about it.
    If using Safari on Cisco switch for CWA is unsupported, please provide a link to Cisco document detailing it.

    This issue has been resolved. It turned out that the Macbook was trying to do a CRL download to confirm that the certificate was valid. I am pretty sure it was because the cheapest GoDaddy certificate was used and the intermediate certificate isn't always found in the default Mac certificate store. Firefox works because they handle CRL checks differently.
    I had two different resolutions as I had the problem at two different customers/sites.
    First test was allowing access to crl.godaddy.com.  After I excluded this IP address from the redirect and permitted it in the dACL - Safari was able to correctly redirect to the CWA portal page.
    At another site, due to the centralized management of the Macbooks, we utilized Mac OS X Server to create a profile in Profile Manager that included the GoDaddy Intermediate certificate and pushed that out to all macbooks to resolve the issue.
    In addition - and worthy of note.  If you are doing posturing and the ISE certificate is not trusted on Apple, the same sort of CRL check will occur and the NAC Agent will never posture the endpoint.
    tl;dr - Doublecheck Certificate trust settings on Apple because they are evil.

  • IOS Content Filtering Using TrendMicro: Can I customize the block-page redirect-url?

    I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1(3)T3 with the security license option and a 30 day demo Trend subscription.
    Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
    Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page http://global.sitesafety.trendmicro.com/result.php or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
    I know I can use the 'parameter-map type urlfpolicy trend ' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect-url') but I wonder if anyone has any ideas on how to do more with either the built in page or the redirect-url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
    Thanks!
    Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?

    Hmm... no thoughts over the weekend. Anyone?

  • [ISE + CWA] Redundant Guestportal

    Hello Community,
    I try to configure a redundant guest access with 2 ISEs and 2 guest anchors. ISE Management and the sponsor portal are connected to eth0 (gig0) with hostname ise1.mydomain.com (ise2.mydomain.com for the 2nd ISE). Eth0 is reachable from the company network. The web authentication, where guests must enter their login credentials, is only reachable via eth1 (gig1) with hostname ise1-pub.mydomain.com (ise2-pub.mydomain.com for the 2nd ISE). 
    The main problem is, that ISE always redirects to ise1.mydomain.com, which is on eth0 and therefore not reachable for wireless guests. I can configure a static hostname for redirection (which is cluster wide), but then I have no redundancy (there is no balancer reachable). So ISE must chose the correct hostname for the redirection URL depending on the ISE who authenticates the guest.
    I tried to define an alias for both ISE on CLI:
    ip host 10.1.1.1 ise1-pub ise1-pub.mydomain.com on primary ISE and
    ip host 10.1.1.2 ise2-pub ise2-pub.mydomain.com on secondary ISE
    and deleted the static ip/host entry in my authorization profile. But ISE always redirects to ise1.mydomain.com (or ise2.mydomain.com). My understanding was, that if I configure an alias, ISE will redirect to the alias IP. 
    Any hints?
    ISE is version 1.2.1 Patch 4
    Guest Anchors are 5760 with 3.6.1

    Instead of having just one authz rule for the cwa redirect as normal, you can create one for each of the servers (still configured on the primary of course).
    What you do is create one rule where your authz profile has the static host redirect set to ise1-pub.mydomain.com and the condition : server : ise1
    Then create a copy of that rule, where you redirect to ise2-pub.mydomain.com, and use the condition server : ise2
    This will redirect to different names, depending on which of the ise servers the radius request was received by.
    I attached a screenshot of the rules.

  • CWA redirect failure

    I have a situation where DNS cannot be used for redirecting on CWA, so I have had to create a auth profile that has manual entries in it that redirects the guest to the IP address of the guest portal, rather than the DNS name.
    The attribute is configured with the following:
    cisco-av-pair = url-redirect=https://x.x.x.x:8443/guestportal/Login.action
    cisco-av-pair = url-redirect-acl=cwa
    The redirection works, and the guest is prompted with a login screen, but as soon as they are authenticated they receive a error page stating that the resource is not found, with the resource being /guestportal.
    The URL that it is trying to reach is https://x.x.x.x:8443/guestportal/guest/redir.html
    Has anyone managed to configure CWA to use the IP address rather than the DNS name, and go around this issue?

    Hi
    You can configure custom portal to perform Client Provisioning and Posture. If you select this option, the guest login flow performs a CWA and the guest portal will be redirected to Client Provisioning after performing AUP and change password checks. In this case, the posture subsystem performs a CoA to the NAD to re-authenticate the client connection once the posture has been assessed.
    If Vlan Dhcp Release is selected under Multi-Portal Configurations, posture will perform the client side IP release and renew operation. Check the Vlan Dhcp Release option to refresh Windows clients IP address after VLAN change in both wired or wireless environments for Guest with posture.
    This affects the CWA user login flow when the network access during the final authorization switches the guest VLAN to a new VLAN. In this case, the old IP of the guest needs to be released before the VLAN change and a new guest IP needs to be requested through DHCP once the new VLAN access is in place. The Cisco ISE server redirects the guest browser to download an applet to perform the IP release renew operation.

  • ISE CWA WebAuth with WLC

    Hi all,
    I have a few questions regarding WebAuth or Guest access with ISE. I have setup a guest portal to do CWA and use ISE guest portal
    as the redirect page.
    I'm using ISE 1.1.2 and WLC version 7.3.101
    1- I have an issue authenticating with Chrome on W7 and android. I receive the splash page, i can authenticate but i always receive this error message. With IE and firefox i can accept and add an exception and authenticate successfully.

    Hi,
    Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow dns and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use mac filtering as your L2 authentication.
    This will help in your redundant scenario so that when one ise goes down the second ise can send the CWA over to it.
    As far as certs if you are using mobile devices you may want to consider 3rd party certs.
    Let me know if that helps.
    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.3 portal customization - background image

    With all the simplicity to adjust the look and feel of portals in the new ISE 1.3 comes (albeit small for some) a price: I no longer see a way to configure custom adjustments like a background image, not simply a top banner. This was doable in 1.2 via Cisco ISE Portal Builder or custom editing of html files and custom image uploading. The migrated portal still works fine, but since it is not editable it's almost unusable. Is there still a way to do full customization of the portals?

    Here are some steps on how to reference a background image using CSS and ISE 1.3
    If needing help on doing other modification to the portal outside of the basics (like moving elements or resizing) after making the change then please work with web developer experienced in javascript and CSS.
    Export default CSS from ISE:
    Click Guest Access > Configure
    Choose any Portal and click “Edit”.
    Click Portal Page Customization > Advanced Customization
    Choose “Default Blue theme” and click “Export”.
    Open the file with an editor (for example: Coda, Notepad etc.).
    Edit file:
    Copy and paste
    (Don’t forget to put your picture instead of http://www.your-picture.jpg):
    Add this code AFTER the Defaults theme code
    body .cisco-ise-content {
        background-color: white;
    }
    /* The portal is served over https, so load the image over https (or from a
       relative /auth/packages/... path); an http:// image is mixed content and
       most browsers refuse to display it. */
    body {
        background-image: url("http://www.your-picture.jpg") !important;
        background-size: cover;
    }
    .ui-dialog-contain > .ui-content {
        background: none repeat scroll 0 0 white;
    }
    body .ui-dialog .ui-dialog-contain .ui-header {
        background: none repeat scroll 0 0 #0a569c;
    }
    .progressWizard .ui-bar-a.step-inner {
        background: linear-gradient(#4da2f1, #4ea5f6) repeat scroll 0 0 #4ea4f4;
    }
    Replace from the code
    .ui-body-a,
    .ui-overlay-a {
        border: 1px solid #d3d3d3 /*{a-body-border}*/;
        color: #666 /*{a-body-color}*/;
        text-shadow: 0 /*{a-body-shadow-x}*/ 0 /*{a-body-shadow-y}*/ 0 /*{a-body-shadow-radius}*/ #ffffff /*{a-body-shadow-color}*/;
        background: #ffffff /*{a-body-background-color}*/;
        background-image: -webkit-gradient(linear, left top, left bottom, from( #ffffff /*{a-body-background-start}*/), to( #ffffff /*{a-body-background-end}*/)); /* Saf4+, Chrome */
        background-image: -webkit-linear-gradient( #ffffff /*{a-body-background-start}*/, #ffffff /*{a-body-background-end}*/); /* Chrome 10+, Saf5.1+ */
        background-image:    -moz-linear-gradient( #ffffff /*{a-body-background-start}*/, #ffffff /*{a-body-background-end}*/); /* FF3.6 */
        background-image:     -ms-linear-gradient( #ffffff /*{a-body-background-start}*/, #ffffff /*{a-body-background-end}*/); /* IE10 */
        background-image:      -o-linear-gradient( #ffffff /*{a-body-background-start}*/, #ffffff /*{a-body-background-end}*/); /* Opera 11.10+ */
        background-image:         linear-gradient( #ffffff /*{a-body-background-start}*/, #ffffff /*{a-body-background-end}*/);
    With:
    .ui-body-a,
    .ui-overlay-a {
        border: 1px solid #d3d3d3 /*{a-body-border}*/;
        color: #666 /*{a-body-color}*/;
    }
    Replace from the code
    .ui-bar-a {
        border: 1px solid #d3d3d3 /*{a-bar-border}*/;
        background: #4ea4f4 /*{a-bar-background-color}*/;
        color: #ffffff /*{a-bar-color}*/;
        font-weight: bold;
        text-shadow: 0 /*{a-bar-shadow-x}*/ 0 /*{a-bar-shadow-y}*/ 0 /*{a-bar-shadow-radius}*/ #0a569c /*{a-bar-shadow-color}*/;
        background-image: -webkit-gradient(linear, left top, left bottom, from( #4da2f1 /*{a-bar-background-start}*/), to( #4ea5f6 /*{a-bar-background-end}*/)); /* Saf4+, Chrome */
        background-image: -webkit-linear-gradient( #4da2f1 /*{a-bar-background-start}*/, #4ea5f6 /*{a-bar-background-end}*/); /* Chrome 10+, Saf5.1+ */
        background-image:    -moz-linear-gradient( #4da2f1 /*{a-bar-background-start}*/, #4ea5f6 /*{a-bar-background-end}*/); /* FF3.6 */
        background-image:     -ms-linear-gradient( #4da2f1 /*{a-bar-background-start}*/, #4ea5f6 /*{a-bar-background-end}*/); /* IE10 */
        background-image:      -o-linear-gradient( #4da2f1 /*{a-bar-background-start}*/, #4ea5f6 /*{a-bar-background-end}*/); /* Opera 11.10+ */
        background-image:         linear-gradient( #4da2f1 /*{a-bar-background-start}*/, #4ea5f6 /*{a-bar-background-end}*/);
    with 
    .ui-bar-a {
        border: 1px solid #d3d3d3 /*{a-bar-border}*/;
        color: #ffffff /*{a-bar-color}*/;
        font-weight: bold;
        text-shadow: 0 /*{a-bar-shadow-x}*/ 0 /*{a-bar-shadow-y}*/ 0 /*{a-bar-shadow-radius}*/ #0a569c /*{a-bar-shadow-color}*/;
    }
    Save file.
    Import back into ISE
    Get back to ISE.
    Open Advanced Customization/Export/Import Themes…
    Choose your file.
    Input your theme name.
    Click “Save”.
    Click “Save” theme (upon the “Language file”).
    Click “Portal test URL”.
    Enjoy your new background..
    Example of the CSS file, see attachments
    It is possible to upload portal files to the Posture Remediation repository and reference these files in custom javascript or CSS files.
    Recommendation is to use the relative path so you're not referencing a specific PSN
    Path to the uploaded files at Policy > Policy Elements > Results > Posture > Remediation Actions > File Remediation
    Relative: /auth/packages/<Package_Name>/<File_Name>
    Example: /auth/packages/Custom_Portal2/my-background3.jpg
    Absolute: https://psn_fqdn:portal_port/auth/packages/<Package_Name>/<File_Name>
    Example: https://ise13-psn1.cts.local:8443/auth/packages/Custom_Portal2/my-background.jpg
