ISE Guest force proxy usage

Similar Messages

• How to use ISE Guest Portal for AD users

  Hi there,
  As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
  Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
  Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
  Am I missing something??
  I am running WLC 5760 with ISE 1.2
  Thanks in advance..

  Hi,
  Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
  In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE guests and Ironport

  Hi All,
  I'm currently writing a HLD for a Cisco ISE rollout in my organization, and I've come across sort-of-an-issue:
  I'm planning on getting the guests in through the ISE Guest portal, but I also want to push them through an authenticated proxy(for accounting purposes) instead of a transparent one... however, I can't seem to find a way to somehow integrate Ironport and ISE in order to achieve some sort of an SSO, to avoid users having to enter their credentials twice(guest portal and ironport)- has anyone got a working solution for this?
  Any constructive input appreciated!
  Thanks!

  Thanks for the swift responses and suggestions!
  I'll most certainly have a look at the proposals...
  However,  I still want the guest users to go through the S370, as it's not only  for accounting purposes, but I want them to authenticate, since it would  make tracing and pinning events to a person way easier - that's the  main reason why I'm trying to find a solution that might act like an  SSO. The business side stated that signing in twice(ISE guest portal, then proxy) is unacceptable. I know that there's no direct integration between ISE and Ironport at the moment, and I am going to put in a feature request for that, but for the time being, I am really keen on getting this to work somehow...
  BTW - I'm currently using a virtualised ISE, release 1.1.4., And I've got the 3395's on order...

• Cisco ISE Guest Sponsor Portal Isssue

  Dear all ,
  We have insatalled 5 ise 3315 boxes IOS 1.0.4 in our network where in two of them are admin node , two of policy services and one is mnt node. We are using guest sponsor portal for wirless guest user where in we have integrated WLC 5508 with ise and using weblogin for guest users.
  We have created open ssid in wlc and using external redirected url of ise for guest login page.
  But when we create any guest user in sponsor login for guest user we faced following issue
  1) When guest user gets conected to wirless and login in to guest portal with credential after putting credential  then its again redirect to same login page
  wihout successful login prompt.
  Can we pompt successful login after guest login to guest portal or redirect to any other link like google.com so guest user will gets to know he is able to access internet now
  2) We have creted time profile 8hours first login for guest user. When guest user gets connected while putting credential in to guest portal.
  But we face issue after approximately every 20 mins guest gets disconnected from internet and guest again gets login page of guest portal and if we put same credential then its working but after approx 20 min interval user get disconnected from internet.
  Can anyone help me to resolved above issue regading cisco ise guest sponsor portal
  Thanks & Regards
  Pranav Gade

  Pranav your answers are inline,
  1) When guest user gets conected to wirless and login in to guest  portal with credential after putting credential  then its again redirect  to same login page
  wihout successful login prompt. When you are using CWA (central web authentication) there is no way we can redirect users using the redirect-url because this will always redirect users for every time they initiate a web request. There is no other coa feature that will remove this condition since they have already been authenticated.  Here is a guide that explains the user experience when using central web auth -
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954
  Can  we pompt successful login after guest login to guest portal or redirect  to any other link like google.com so guest user will gets to know he is  able to access internet now No this is not possible, you can change the verbage and force the AUP to be displayed informing users that they can retry their web request after hitting the accept button.
  Here is the documented experience once users go through the guest process -
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
  2)  We have creted time profile 8hours first login for guest user. When  guest user gets connected while putting credential in to guest portal.
  But  we face issue after approximately every 20 mins guest gets disconnected  from internet and guest again gets login page of guest portal and if we  put same credential then its working but after approx 20 min interval  user get disconnected from internet. Check the advanced timer on your SSID as you may be hitting the session timeout on the WLC. Please disable this option and let the COA feature in ISE expire user sessions on the controller.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Faulty Parental Controls & Proxy usage

  Dear all,
  the follow problem concerns:
  - Guest user account, Parental Control, Proxy usage, Safari
  Plattform: MacOS 10.7.4 with all updates installed
  The Problem occurs with the following steps:
  >> 1. Fresh Install of MacOS 10.7.4, Update Installation and create a normal Guest user using the control panel
  >> 2. Configuring a proxy on the wired Interface via the control panel. Fixed Proxy.
  >> 3. Testing the Preferences made as Admin user without restrictions, everything works fine as it should.
  >> Firefox => Running without Problems.
  >> 4. At this this Time Parental Controls for the Guest user are inactive.
  >> 5. Logoff the Admin user, relogin with the guest user, everythings fine. Internet Acces works with Safari and Firefox.
  >> 6. Logoff as Guest and relogin as Admin.
  >> 7. Now we're activating Parental Controls WITHOUT ANY RESTRICTIONS for Webaccess for the Guest user
  >> 8. Logoff Admin and login as Guest user ...
  >> 9. There's no Internet Access at all for anything the Safari and Firefox prompt "The Connection has been reset" ...
  Seems that some Programmer at Apple desgined a faulty Parental Control ...
  => What do you think ? Any suggestions any idea how to fix that problem
  About the Background:   The solution mentioned should be deployed in a School with ~ 150 Macs ... And the only thing stopping us from deploying Lion is that fault mentioned above ...
  Thanks in advance,
  Markus

  Thank you for your help! I work for a school district and teach digital video course in a magnet program. We purchased 11 new iMacs with the Lion OS and every single one of those new iMac computers had the exact problem when the parental control panel is set and you have to use a proxy setting. None of the computers would allow Internet access in those student user accounts.
  I have been stuck since May 2012 for an Apple fix. We buy our Apple products with a three year Apple Plan and they have been pretty much useless! I had to take one of the computers twice to the Apple store Genius and they could not do anything.  I called their online support and they asked me to run a special program they sent me to trace and download the debug routine results. They sent me an email to confirm that indeed it was an Apple OS bug and not anything on my part! It's like telling me I'm not an idiot.
  Well, that was in early June 2012 and it is September 2012 still with no fix and several poor responses like, "we don't have a fix and if we do, we will sent out a patch. So, no need for you to call!"  So much for the other 20 new machines we were planning to add.
  I will try you fix to see if it works. Thanks again.
  Herm

• Cisco ISE Guest Portal - DNS Issue - External Zone

  Hello,
  I have a customer that has the following sceanrio :
  In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect  URL  from ISE (URL to access the ISE Guest Portal), this URL is based on  the  ISE DNS name, not on its IP address; so, the PC can't resolve  this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided  by the  DHCP server, and, so, it can't access the Guest Portal at all ;
  I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
  cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
  since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
  My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
  Thank-you in advance for your replies.
  Robert C.

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Guest Anchor with web auth using ISE guest portal

  Hello All,
  Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
  I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
  massive thanks to anyone that can assist.
  JS.

  Thanks for the reply RikJonAtk.
  so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
  Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
  Thanks in Advanced,
  JS

• Pb to reach ISE Guest portal due to DNS constraints

  I have set up a Guest Portal with WLC 5508 7.4 and ISE 1.1.1 ;
  everything is OK, except one thing :
  the  Guest VLAN, associated to the Guest SSID is, actually, a DMZ behind my  customer firewall and the DHCP parameters provided to the wireless Guest  equipement connected on this VLAN include the public ISP DNS servers  addresses, not the customer internal DNS serveurs addresses;
  this  seems OK since the idea of this Guest SSID is to give a pure Internet  access to the Guests, and no connection at all towards the customer  internal servers;
  the  problem is that, when the wireless guest receives the redictect URL  from ISE (URL to access the ISE Guest Portal), this URL is based on the  ISE DNS name, not on its IP address; so, the PC can't resolve this  internal DNS name by using the ISP DNS servers addresses provided by the  DHCP server, and, so, it can't access the Guest Portal at all ;
  Apart  from changing those DNS values in the DHCP server (the customer does  not accept this solution), how could we solve this problem ?
  I have tried to code manually , in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
  cisco-av-pair=url-redirect=https://192.168.1.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa,
  but, it does not work, since the sessionIdValue variable is not replaced by its real value when sent to the wireless client
  any comment welcomed

  We had the same issue. Our solution was to advertise the internal IP address from our external facing DNS server and let it propagate publicly.  Our ISE box is in a DMZ and the firewall rules do not allow outside traffic to it, however the clients will get the correct internal IP address and since they are already inside the firewall on the DMZ segment they are able to get to the ISE box with the publicly resolved internal IP address.  The other option we entertained was a firewall DNS redirect.  That would work by intercepting the DNS request for that specific URL and return the proper internal IP, all other DNS requests would pass through to the public DNS server.

• ISE Guest Access- Redirect to URL after successful logon

  Currently, when guest users attempt to browse they get redirected to the guest portal.  After login, they get a message that they can now access the original URL.  Is there a way to automatically redirect to the URL they were trying to access, or remember the URL after they login?

  ISE guest flow :
  The user associates to the web authentication Service Set Identifier (SSID).
  The user opens the browser.
  The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
  The user authenticates on the portal.
  The guest portal redirects back to the WLC with the credentials entered.
  The WLC authenticates the guest user via RADIUS.
  The WLC redirects back to the original URL

• ISE Guest Port Direction not working

  Hi Guys,
  Got a problem here with ISE guest authentication.
  My configuration in the WLC is as bellows:
  And the configuration in my ISE is as bellows:
  After my device connects to the SSID, I cannot be redirected to the guest portal, no redirection URL showed up in my browser, while the URL is pushed to the WLC client as bellows:
  DNS A record has been added before and I can open the FQDN.
  Can anyone help me about this? Thanks!
  Best Regards,
  Savi

  Are you able to ping / nslookup to ISE.wuscnad.com from the test client?
  Also, please provide a screen shot of the set of ACL's CWA-Guest from the WLC?
  Here is a document you can go through to configure wireless CWA  
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
  Regards,
  Jatin

• Using ISE guest store via RADIUS

  I have a question concerning the guest store on the ISE.
  I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
  On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
  Has anyone already implemented a similar solution or any idea how to access the guest store?
  Thanks
  Thomas

  I just created a simple setup and tested the login.
  It doesn't work with a user created as a guest account.
  If I create the user in the normal internal identity store I works fine.
  Might there be a difference between ISE Versions?
  We are currently using Version 1.1.0.665 on a VM for testing purpose.
  This is what the details show:
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - Internal Users
  24210  Looking up User in Internal Users IDStore - tuser001
  24206  User disabled
  22057  The advanced option that is configured for a failed authentication request is used
  22061  The 'Reject' advanced option is configured in case of a failed authentication request
  11003  Returned RADIUS Access-Reject
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - Internal Users
  24210  Looking up User in Internal Users IDStore - tuser001
  24212  Found User in Internal Users IDStore
  22037  Authentication Passed
  Evaluating Authorization Policy
  15004  Matched rule
  15016  Selected Authorization Profile - Guest
  11022  Added the dACL specified in the Authorization Profile
  11002  Returned RADIUS Access-Accept

• ISE Guest - Change Password Option

  Hi All
  Can anyone confirm that the change password option on the Guest Self Registration Portal actually works?
  I have enabled the options with the ISE Guest Portal to allow the Guest to create his own account and also to change his password.
  Although the self creation of the account works fine it doesn't look like changing the password works. When you enter the new password and click submit nothing seems to happen.
  ISE version is 1.2.1.198
  Regards
  Roger

  Hi Roger,
  Are you making use of customized self registration portal. In such cases make sure , the session ID of a particular guest login is carried forward to the password change page as well.
  For the html changes to any pages (login, aup, self_registration, self_registration_result,
  device_registration & change_password)  that link back to other pages. The below points A and B should be added as part of customized pages.
  A)Reference script (<script src="js/customportals.js"></script>)
  B)Add the onsubmit="getDynamicAction(this);" logic for posts
  Thanks

• ISE Guest Portal and one more SSID using internal accounts

  Hi Guys,
  I have two SSIDs on WLC, the first is related with ISE Guest Portal and the second is related with employee but i realize that the
  Guest user can access the employee SSID and employee accounts can access the Guest portal page.
  I guess this is happen because i cannot split these databases under "Internal Users" on Authentication Policy.
  How can i restrict the access even if i am using the internal databse?
  thanks a lot

  using the Authorization policy is the right way.  Match the corp ID store to the corp WLAN SSID ID in the AuthZ policy, for example (where Employee is your corp ID store and yyyy is the name of your corp SSID):

• Cisco ISE Guest Login

  Hi,
  I have a weird problem; after a guest user account has been created on Cisco ise 1.1.4 patch 8; when the guest user is redirected to the ise guest portal; the first login is always unsuccessful. Upon entering the login credential and password correctly; the client would be redirected to the same login page. Upon retrying the process a few times; it would succeed after 2-3 times.
  On the ise authentication; I see a guest authentication error; "Guest Authentication Failed : 86020: Unknown exception" with only a single step seen on the logs for troubleshooting "5431  Guest Authentication Failed"
  I would like to check if anyone has seen such an issue/behaviour? 
  Any suggestions is appreciated.
  Thanks.

  No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

• ISE Guest portal CWA - Webauth exit button on Login Successful page not working (Safari and Chrome)

  Hello
  Has anyone else experienced the issue where this exit button works when IE is used to login to the ISE Guest portal, but not when Chrome is used. Same for Safari (from IPAD).
  Sent from Cisco Technical Support iPad App

  Google Chrome is not a fully supported browser  for use with the Administrative User Interface of the Identity Services Engine  (ISE), Version 1.1.3 and earlier.