ISE: differentiate Guest's accesses depending on the device

Hi All,
I'm running an ISE 1.1.1 and I need to authenticate guest users.
The goal is to apply a different authorization profile to the same guest user based on the device he uses to connect to the guest WLAN.
I.e.:
if guest user "user1" connects to the guest WLAN using a Windows laptop, then apply the "Guest" authorization profile
if guest user "user1" connects to the guest WLAN using an Apple iPad, then apply the "Mobile" authorization profile
I've tried to deploy the following 2 authorization policies:
1) if "Apple-Device" and "IdentityGroup:Name EQUALS Guest" then "Mobile"
2) if "Guest" then "Guest"
but the first rule never matches, and even if I use an iPad to access the guest network the "Guest" authorization profile is matched.
I've verified that the iPad is correctly recognized as an Apple-Device by changing, for test purposes, the rule table to
1) if "Apple-Device" then "Mobile"
2) if "Guest" then "Guest"
and the "Mobile" profile is correctly applied.
Any suggestion on how to define a condition to match a Device and an Identity Group?
Thank You
Regards
Gabriele

Hi,
thank You for the answer.
Checking the Endpoint Identity I can confirm that it is correctly profiled.
I've disabled the "apple device" condition in the authorization policy but the rule still doesn't match.
[Screenshots: Rule; Authorization result; Authorization result detail]
I've deleted the device from the profiled endpoints and I've repeated the test but the result is the same.
Do You have any other suggestion?
Thanks for your help
Regards
Gabriele

Similar Messages

  • ACE: Fine tune policy to have access depending on the device

    Hi
    Is it possible to have such a policy:
    Group "Windows" has access to "List of devices" but for this specific list of devices, they don't have same configuration access...
    Only for switch 1 in the list, they can configure only interfaces 1 to 10 and for switch 2  in the list they can configure only interfaces 20 to 30 and so on.
    If it's possible, do you have a short overview how to do this ?
    Many thanks !

  • What is the best approach to render different images depending on the device?

    I have been looking around for a few days but I couldn't find a good way to render a different image rendition, depending on the device.
    I have one* mobile site (from a desktop site blueprint). I use the mobileimage components in several places of the site. The problem is that some images need to be different (different resolutions and shape) depending on which device is trying to access the content.
    I want one image for iPad, and one image for iPhone.
    Is there any solution for this, built-in CQ?
    I have tried reading about the DAM renditions... but the image component is not aware of them, and does not use them as far as I know.
    Any help with this is really appreciated
    Thanks!

    Hi Horacio,
    I'm not sure this will work, because I've never tried it.  Somewhere I read using BrowserMap you can achieve it.  Have you looked at  http://dev.day.com/docs/en/cq/current/developing/mobile.html
    Thanks,
    Sham

  • ISE Guest Service fail depending on the browser

    One of my customers is complaining about having problems to access the guest services depending on the browser used:
    When the visitor has Internet Explorer 10 or 11, he said the content is blocked and even the guest portal is not displayed. When the visitor has Google Chrome (no specific version indicated), he said the portal is displayed but the content is blocked after entering user and password. With Firefox a certificate exception was added in advanced options.
    I think the issue can be something related to certificates or even the computer but I'm not sure how I can identify the root cause.
    I wonder if something in the ISE is reported about the browser used to authenticate in the guest portal. I know the release notes indicate browser compatibilities, but in guest services I think shouldn't be restrictions, because you don't know what device, OS, or browser will be used by guests.
    The ISE is running 1.1.2.145, no patches yet.
    I will appreciate any tip you can provide me.
    Regards.

    Hi,
    The link below gives the detailed versions of the supported operating systems and their supported browsers for Sponsor and Guests.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
    Google Chrome, Mozilla and IE are supported, but there are some restrictions in the browser versions.
    For IE make sure you have enabled ActiveX controls and check if the compatibility mode is enabled.
    If the customer is making use of supported browsers and still experiencing the issue then we need to check what options are enabled on the browsers and what is blocking the content download in the browser.

  • ISE - Restrict Full WiFi Access only to Authorized Devices

    Hi All,
    We have a WLC HA (Code 8.0.100.0) setup with an ISE pair (version 1.2), and all that works fine.
    Currently ISE is configured to authenticate users from AD. Our corporate SSID is setup with WPA2+AES with 802.1x PEAP authentication, so users can connect Wifi from their devices after they put in their AD credentials.
    We would now want to Restrict our Internal network Access through WiFi only to Authorized Devices like company issued Laptops/Tablets etc. For all the other devices like Personal Smartphones/Tablets/Laptops users can only have Internet Access only if they are Authenticated/Authorized to do so.
    For the Rest of the devices like Printers, Apple TV's etc we already have a separate SSID running on which we are doing Mac Filtering through WLC, so none of the browser less devices would be connecting to the Corporate SSID.
    Assuming we have the MAC addresses of all the company issued devices, Laptops/Tablets (most of which are Apple devices), what is the best approach to go about this utilizing ISE?

    Yes, I am evaluating MDM solutions too, but budget being a constraint I am not sure if that would be approved or not.
    There is a lack of free MDM solutions which can be integrated with ISE. I did find Meraki's Systems Manager worth a shot, but I guess the free version does not integrate with ISE, unless you go for the Enterprise Version. There were a few rumors that ISE 1.4 is coming up with inbuilt MDM.
    For now I will go ahead and import the mac address database to ISE in an Identity Group called Corporate-Devices and will edit the auth profile to check for the Identity Group Along with AD.

  • Is the search engine of safari in iOS6.0 depending on the device edition?

    Take Google for example.
    My iPad was purchased in HK and I found Safari forces me to use google.com.hk.
    In addition, my iPhone was purchased in the UK and Safari then forces me to use google.co.uk.

    Are you currently in Hong Kong? If so, the Chinese government won't allow you to use any Google search engine other than the HK/Chinese ones and either blocks access to other Google engines or forces a redirect to the HK version. I believe that the HK Google is locked into the firmware in any device sold in China, though I'm not certain.
    If you're not currently in China, then you should be able to get your iPhone using the correct one by setting the region for the UK. The iPad, though, may well be locked to the HK version of Google with no way to change it.
    Regards.

  • How do I skip the Device Registration Portal for Cisco ISE web portal

    I have set up a sponsor and guest portal system for wireless guest access to the internet using ISE v1.2.0.899 virtual and WLC 5500 running 7.4. After logging into the initial page, the guest user is directed to the Device Registration Portal. Entering a MAC address value puts the user in a continuous failing loop. But, if they just hit the "continue" button at the bottom of the page, they will be directed onward and have internet access as was intended. I have no requirement for guest users to register their devices. What do I need to do to remove the device registration portal from the log on sequence for guest user access? Thanks!

    Hello Scoot,
    You make a list of the MAC addresses of corporate devices and set a rule that, if authentication doesn't happen, only these devices can do the self registration.
    I hope this works for you

  • Cascading EA4500s and Guest Network access

    Hi, I hope someone can help me here. I've got two EA4500 routers connected via ethernet. The primary router has DHCP enabled and the secondary has it disabled. IP address of primary is 192.168.1.1 and the secondary is 192.168.1.2.
    I have set up guest access on both routers however only the primary router allows users to connect. When out of range of the primary router but in range of the secondary router the network is visible but when you try to connect to it, it only gives limited or no connectivity message and can't connect to the internet.
    Is it possible for the guest network access to follow the same pattern as the secure network, i.e. the same network throughout the house?
    Regards
    Jon

    Cascading two routers should have correct parameters set. For instance, the Ethernet port of the secondary router should be connected to the Ethernet port of the primary one, and the DHCP should be disabled on the second router. The IP addresses you've set are correct for both routers. This thing should be done if the connection is LAN to LAN.
    By the way there are two types of cascading: Click here for info!
    For the Guest Network:
    Guest Network would only work if the DHCP is enabled on your router. It means to say that on the type of setup you're doing, which is LAN to LAN (DHCP disabled on the second router), Guest Network would not work on the secondary router. If the connection is LAN to WAN, then both of the routers should have Guest Network working.

  • How do I stop  Guest Account from appearing on the login screen?

    All of a sudden - like since I upgraded to iCloud - my login screen displays "Guest User". I have Guest disabled in Accounts. The only account I have active is mine. I don't want Guest to appear on the login screen. How do I stop it from doing so?

    Even when the Guest Account / Access is disabled, the login option / and lock screen, still have a guest login.
    This is because in Preferences/ Security & Privacy/General the bottom item is turned on.
    Turn on: Disable restarting to Safari when screen is locked

  • HT201304 I need to restrict access to Settings on an iPad so settings like VoiceOver cannot be activated while letting them access multiple apps on the device. Is there any way to restrict access to settings without locking the device with a PIN?

    I need to restrict access to Settings on an iPad so settings like VoiceOver cannot be activated while letting them access multiple apps on the device. Is there any way to restrict access to settings without locking the device with a PIN?
    This is so our guests cannot tamper with or disable the device. We are already using Apple Configurator but there does not seem to be a way to lock down settings without a PIN.

    There's a lot of restrictions information in Chapter 19 of the 4.2 User Guide.
    http://support.apple.com/manuals/#ipad
    By the way, a more extensive version of the User Manual is available at no charge through iBooks.

  • Is it possible to track the device installed on FACETIME?

    Hello,
    My device is stolen and wanted to know if it is possible to locate the device using FACETIME?
    This option would open the device, and when I call to EMAIL through another device has regular ring,
    A person can not turn off this option because there is an access code to the device.
    In addition the device was not installed FIND MY IPHONE, but I think there is an active wireless
    The FACETIME another device was calling.
    Device was not active Sim, Is it possible to locate the device via IMEI? Or any other way

    iphone152 wrote:
    Car does not address Mac, iPhone has a serial number.
    Cars have serial numbers, too. They're called a Vehicle Identification Number (VIN). That still doesn't mean that the manufacturers have the infrastructure in place to track them. You can get systems for your car that enable you to track them (e.g. Lojack). Should you fail to take that step, you can't track your car.
    Apple sells you a product. They have no responsibility for what you do with it afterwards.
    There is nothing to argue, Apple can locate the device 100%
    Please provide proof of this statement.

  • ISE - Guest - permanent access for specific device

    Hello,
    In brief: I'm using ISE 1.2, a 5508 WLC and a few 3702-I APs - broadcasting 2 SSIDs: Internal and Guest (Internet only). The Guest SSID forces the user to provide a username and password through the guest portal.
    Is there any way to configure some policy on ISE to allow specified mobile device(s) (filtering by IMEI or MAC address) access to the Internet via the Guest network without the necessity of providing a username and password? An exception that avoids the guest portal and/or permanently remembers that particular device.

    Hey kkoziarski,
    It sounds like you are looking for the functionality of that known as Web Passthrough.  Where the device can just view some TOC and possibly be presented with a Guest AUP.  This is something that is doable with a Standalone WLC, as I am sure you know.
    Funny thing is that I was coming here to post something along the same lines.  I've spent the past week researching and trying some configs on both ISE 1.2 and ISE 1.3.  It appears that the final answer is no.  This wouldn't be performing any authentication and neither would it be applying any permissions to the device/user, which at that point - it wouldn't be utilizing any of the functionality of ISE.
    What I have found is that there are 2 methods that can offer a similar experience, but will not be a true Web Passthrough, and it will not be easily configurable.
    1.  Creating a customized HTML page for the WebAuth AUP, that would then have the username and password embedded in the code, and more than likely need to be linked to the Submit button or something of that nature.
    2.  Utilizing ISE policies on a per-WLAN basis and including specific attributes, which would then have to communicate with the above custom HTML page.
    Any other users out there, please feel free to correct me if I am wrong!  I wonder if they will ever come out with a feature as such :/

  • Guest Portal Access using ISE

    I’m having an issue setting up the Guest Port Access for our wireless network.
    I’m trying to setup an SSID anchored in the DMZ for internet access only. The authentication to this would be granted via the ISE Guest Access Portal.
    I’ve got the SSID created and tested working with no authentication.
    When I enable the Guest Portal (per these instructions http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml), I can login and create a guest account. Have the guest go to the portal, login, hit ‘I accept’, but then instead of redirecting them to whatever page they tried to access, it sends them back to the guest login page (with still no access to the network resources).
    Am I missing a simple setting somewhere? Please let me know if this should be reposted in the security/ISE forum instead of here.
    Thanks,
    Pete

    Is this related?
    11036
    ERROR
    RADIUS
    The Message-Authenticator RADIUS attribute is invalid.
    A RADIUS packet having an invalid Message-Authenticator attribute has been received. Make sure that the client device is compatible with AD Agent, has been configured properly, and is functioning properly. Make sure that the same RADIUS shared secret has been properly configured, both in the client device and in AD Agent.
    Reference: http://www.cisco.com/en/US/docs/security/ibf/setup_guide/ibf10_log_msgs.html

  • ISE Guest wired access VLAN Flip

    My guest access through ISE is working fine except I can't get it to flip the VLAN and move the guest PC to the guest VLAN. I have the Guest VLAN ID in the authorization policy. Can someone point me in the right direction with this?
    Thanks,
    D

    Hi
    Are you able to get mapped to the right policy? Also, is change of authorization (COA) occurring? You should see in the monitoring logs an entry with a dynamic authorization succeeded message.
    I would check the SSID advanced settings to see if AAA Override and Radius NAC are enabled. In the settings page in ISE (under administration > settings > profiling) see if the COA has been set to "reauth"...something other than "not enabled".
    If you are having issues pulling a new IP address then check the operation tab in the guest portal configuration.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Guest Internet access in the Enterprise

    We have set up guest internet access in our enterprise using GRE tunneling with a PIX. I'm trying to determine the best way to do authentication for users on this guest network.
    I think I can do RADIUS (using ACS) with the PIX as an NAS. Question is can I use a different type of server (such as MS IAS)? Can I use either one to utilize an existing MS Active Directory database?
    If I use radius on the pix for authentication, a login prompt pops up when a user tries to use the web. Is there a way to redirect users to a web page first and have the login embedded on the page? This is done in hotels now and I don't know if there's a Cisco solution for this.

    The following document lists all the supported databases:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/d.htm
