ISE Guest login page problems

Hello all,
I am trying to set up 'guest' access for known people... I mean, the validation of the credentials is made against an LDAP server. User accounts are created there, inside a wfacces group.
My problem is that when I activate my authorization policy #3, the guest needs to enter his credentials many times...
Rule 1: if Network Access:UseCase EQUALS Guest Flow then Permitaccess
Rule 2: if (Wireless_MAB AND Radius:NAS-Identifier EQUALS Guest_corp) then Authprof_Guest_corp
Rule 3: if (Radius:NAS-Identifier EQUALS Guest_corp AND ldap_corp:ExternalGroups EQUALS cn=wfAcces,ou=ISE,ou=security,ou=groups,o=my.domain) then PermitAccess
In my Authprof_Guest_corp, I have my ACL, my redirect URL and the identity source sequence.
Removing my rule 3 fixes the issue, but I don't want ALL LDAP users to be able to access inet...
The Multiple Matched Rule Applies is selected.
Any idea what I am doing wrong, or how I should do that?

There are several things which need to be checked in order to resolve this.
1.) An Authentication Failure message indicates that the user's credentials are invalid. Resolution: check if the Active Directory user account and credentials that are used to connect to the Active Directory domain are correct.
2.) Test Bind to Server: click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.
3.) Cisco ISE allows you to import MAC addresses and the associated profiles of endpoints securely from an LDAP server. You can use an LDAP server to import endpoints and the associated profiles, by using either the default port 389, or securely over SSL, by using the default port 636.

Similar Messages

  • Cisco ISE Guest Login

    Hi,
    I have a weird problem: after a guest user account has been created on Cisco ISE 1.1.4 patch 8, when the guest user is redirected to the ISE guest portal, the first login is always unsuccessful. Upon entering the login credential and password correctly, the client would be redirected to the same login page. Upon retrying the process a few times, it would succeed after 2-3 times.
    On the ISE authentication, I see a guest authentication error, "Guest Authentication Failed : 86020: Unknown exception", with only a single step seen in the logs for troubleshooting: "5431  Guest Authentication Failed".
    I would like to check if anyone has seen such an issue/behaviour?
    Any suggestions are appreciated.
    Thanks.


  • Integrated ITS on SRM:Login Page Problem

    Hello All,
       I am working on SRM 4.0 with Internal ITS. I have done all the required settings for Internal ITS. I am able to get the login page, but when I enter the user ID and password of my SRM system, it shows the error "Incorrect SSO configuration on this server".
       I have checked the transaction RZ11 on the SRM server for the parameter login/accept_sso2_ticket. It is set to value 0.
       Can anyone tell me what extra settings are to be done for the Integrated ITS? Please help.
    Thanks & Regards,
    Deepti.

    Hi Raja,
       I have changed the default language in the system settings for the service BBPSTART to English. Also I have made the following changes for the same service:
    1> Changed the Logon procedure to "Alternative Logon procedure" and in that I have removed "SSO Authentication".
    2> In system Logon Configuration, I have changed the default client and language.
    3> In service data, I have changed the Basic authentication from Standard R/3 User to "Internet User".
      After doing the above changes, I have republished the service.
      Now I am getting the Login Page (in English) but with the message "SSO cannot be used for logon To continue, choose "Logon". A dialog box appears, where you can enter your user and password. This server does not support HTTPS! It is therefore potentially unsafe to send your password ".
      After that, when I enter the ID and password, I get the same Login screen (USER, PWD, CLIENT, LANGUAGE AND ACCESIBILITY labels) but this time below there is the message "Incorrect SSO configuration on this server".
      Please tell me the exact changes so that I can log in to the homepage.
      Also, to avoid the Login page, I have tried entering the login details in the anonymous logon data, but then I directly get the homepage with the menu on the left-hand side, and when I click on any of the items, I get the screen with the following text:
    SSO is not active in system
    To continue, choose "Logon". A dialog box appears, where you can enter your user and password.
    This server does not support HTTPS! It is therefore potentially unsafe to send your password
    Copyright 2002-2004 SAP AG All Rights Reserved 
      I am not able to understand why the system is prompting me for the SSO settings when I have set the parameters (LOGON_ACCEPT_SSO2_TICKET and LOGON_CREATE_SSO2_TICKET) to 0.
    Please help.
    regards,
    Deepti.

  • Cisco ISE Guest Login without provisioning

    Hi,
    I have setup the ise based on  https://supportforums.cisco.com/docs/DOC-26442  whereby I have an authorization rule for CWA and an authorization rule for guestflow with provisioning. All is working great, however I was wondering if it may be possible to setup the ise with the following scenarios with dual ssid:
    1. user login to guest ssid and redirects to guest web portal and input guest credential created by sponsor (this is working well)
    2. user login to guest ssid and redirects to guest web portal and input credential from AD goes to provisioning (this is working well)
    3. user login to guest ssid and redirects to guest web portal and input credential from specified AD group and get internet/network access without provisioning.
    For point 3, I was wondering if it may be possible and, if so, how it may be accomplished? I have attached the present Authz rule for reference as well as the rule I have tried, which does not seem to be working.
    Any help is appreciated!
    Thanks.


  • Cisco ISE Guest Sponsor Portal Issue

    Dear all,
    We have installed 5 ISE 3315 boxes, IOS 1.0.4, in our network, of which two are admin nodes, two are policy services nodes and one is an MnT node. We are using the guest sponsor portal for wireless guest users; we have integrated a WLC 5508 with ISE and are using web login for guest users.
    We have created an open SSID on the WLC and are using the external redirected URL of ISE for the guest login page.
    But when we create any guest user in the sponsor login, we face the following issues for the guest user:
    1) When a guest user gets connected to wireless and logs in to the guest portal, after entering the credentials it again redirects to the same login page without a successful login prompt.
    Can we prompt a successful login after guest login to the guest portal, or redirect to any other link like google.com, so the guest user will get to know he is able to access the internet now?
    2) We have created a time profile of 8 hours first login for guest users. The guest user gets connected after putting credentials into the guest portal.
    But we face an issue: after approximately every 20 minutes the guest gets disconnected from the internet and again gets the login page of the guest portal. If we put in the same credentials it works, but after an approximately 20-minute interval the user gets disconnected from the internet again.
    Can anyone help me to resolve the above issues regarding the Cisco ISE guest sponsor portal?
    Thanks & Regards
    Pranav Gade

    Pranav, your answers are inline,
    1) When a guest user gets connected to wireless and logs in to the guest portal, after entering the credentials it again redirects to the same login page without a successful login prompt.
    When you are using CWA (central web authentication) there is no way we can redirect users using the redirect-url, because this will always redirect users every time they initiate a web request. There is no other CoA feature that will remove this condition since they have already been authenticated. Here is a guide that explains the user experience when using central web auth -
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954
    Can we prompt a successful login after guest login to the guest portal, or redirect to any other link like google.com, so the guest user will get to know he is able to access the internet now?
    No, this is not possible. You can change the verbiage and force the AUP to be displayed, informing users that they can retry their web request after hitting the accept button.
    Here is the documented experience once users go through the guest process -
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
    2) We have created a time profile of 8 hours first login for guest users. The guest user gets connected after putting credentials into the guest portal.
    But we face an issue: after approximately every 20 minutes the guest gets disconnected from the internet and again gets the login page of the guest portal. If we put in the same credentials it works, but after an approximately 20-minute interval the user gets disconnected from the internet again.
    Check the advanced timer on your SSID, as you may be hitting the session timeout on the WLC. Please disable this option and let the CoA feature in ISE expire user sessions on the controller.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE Guest portal CWA - Webauth exit button on Login Successful page not working (Safari and Chrome)

    Hello
    Has anyone else experienced the issue where this exit button works when IE is used to log in to the ISE Guest portal, but not when Chrome is used? Same for Safari (from iPad).
    Sent from Cisco Technical Support iPad App

    Google Chrome is not a fully supported browser  for use with the Administrative User Interface of the Identity Services Engine  (ISE), Version 1.1.3 and earlier.

  • Cisco ISE Guest portal - smart card login

    Does anyone know if Cisco ISE supports smart card login to the guest portal page?

    No, it doesn't. You can test the same while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

  • E4200 Guest SSID Login page fails

    Config:
    Netgear ProSafe Gigabit Router is my DHCP Server -- The entire home network is on the same subnet (192.168.15.xxx)
    Linksys E4200 configured as an access point ONLY -- wired connection -- static IP assigned -- DHCP server turned off
    Linksys WRT610N configured as an access point ONLY  -- wired connection -- static IP assigned -- DHCP server turned off
    3 -- 5 port gigabit switches
    1 -- 8 port gigabit switch
    No more than two switches between any two wired devices
    Both Linksys access points have the same SSID and WPA2 security phrase -- total of 4 radios
    Non-overlapping channels are selected on both the 2.4GHz and 5.0GHz radio to minimize interference
    All computers are running Windows 7 Professional 64bit with all the latest updates
    Two iPhones and one iPad also access the network
    All LAN and WAN connectivity is working as designed
    Problem:
    guest SSID is turned on
    password is established
    All devices will connect to the guest SSID and the E4200 is assigning an ip address to the device in the 192.168.33.xxx range which is what it's supposed to do.
    When I open a web browser, I am not automatically redirected to the Cisco Login Page. If I enter 192.168.33.1 as the URL, the login screen is presented. I enter the password I have created in the guest admin page on the wireless guest tab.  I then see a blank page and a URL of 192.168.33.1/guestnetwork.asp. THIS IS WHERE I GET STUCK. THE ONLY WAY TO EVER SEE THE LOGIN PAGE AGAIN IS TO REBOOT THE E4200, otherwise you just get unable to connect messages when opening web browsers and the wireless status icon in the system tray shows a yellow exclamation mark.
    I successfully connect to the guest SSID but I do not get access to the internet. When I type ipconfig, I see that the DNS is set to 192.168.33.1 which does not exist on my network. I assume there's some internal NAT magic that is supposed to happen in the E4200 to bridge me over to my 192.168.15.xxx network but it doesn't seem to be happening.
    At the beginning of the call I specifically asked them if the E4200 must be the DHCP server in order for the guest SSID feature to work and they said no. 1.5 hours later they had no answers so they told me that it wasn't working because the E4200 was not the DHCP server. The documentation says nothing about a DHCP requirement for guest AP service. Linksys support further could not answer what you would do if you needed more than one AP with guest service enabled.
    It seems like this is a firmware issue but it may be the guest SSID service requires the E4200 to also act as the DHCP server. Can anyone shed any light on whether this is a bug or if the router/AP is working as designed?
    Thanks,
    (Mod note: Edited for guideline compliance.)

    Yes the E4200 must have DHCP turned on in order to pass out IP's to your Guest Network.  No DHCP, no Guest Network.

  • WLC 2504 Guest Wifi login Page

    Hi
    Need some help. I have setup guest access on the controller and this is not working at the moment.
    DHCP server setup on the controller for the Guest users.
    You are able to connect (get an IP address from the controller) and the browser gets redirected to 1.1.1.1, but then "page cannot be displayed" appears instead of the login page.
    Need to know how to fix this.
    Regards
    Chris

    George:
    Thank you for the rating.
    For this issue, they are getting the web page and after providing the credentials it is redirecting to the original page.
    If there is no DNS available, how will the host resolve the URL IP in order to open the web page?
    This is why I suggested checking DNS.
    From the link I posted above I quote:
    "... The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page. Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back. ..."
    If you are using a URL for the virtual interface then lack of DNS will not show you the credentials page in the first place.
    If there is no URL for the virtual interface and you get the auth page, but after entering the credentials it does not successfully redirect, one of the main reasons is a DNS problem.
    You can still comment on this if you see it not accurate.
    Regards,
    Amjad

  • I cannot connect to the login page of my banking websites from Firefox but can from IE; also Firefox does not close when I shut it down. I have just done a clean install of Windows 7 and the problem persists on reinstall of FF 3.6.13

    I can connect with my banking websites but the login page will not come up. This is a recent occurrence and I have done virus scans and have also recently done a clean install of Windows 7. The problem persists. I can connect to any other website with no problems. When I close FF it appears to close and Task Manager shows it as not running, but it will not reopen. If I attempt to uninstall, I am told that FF is running and needs to be closed. I have to reboot to get it to close and be able to reopen it.
    I can connect to the bank sites with IE. However I really don't like IE.
    I am using Win7 Professional on a Sony notebook VGN SZ55

    I don't have an answer, but I experienced the same problems trying to set up an airport express to route traffic to my stereo.
    Apple Extreme router, iMac and laptop all worked just fine for months, upon installing Airport Express (step by step, according to instructions), all **** broke loose. Airport Utility was unable to see my Airport Extreme router, after hours of rebooting computer, cable modem, router, and finally a hard reset of the Airport Extreme router, it is finally recognized by Airport Utility again.
    Recreated network, iMac connects to the internet just fine, laptop (Macbook Air) connects to the network just fine, but will not connect to the internet. Network diagnostics does not help, it gets to the "do you have a router? If so, reboot" stage, and never seems to see the router.
    Any suggestions?

  • Problems with the login page in Portal release 2

    Hi,
    I have problems logging into portal, release 2 on Linux. I get the following error message when clicking the login link:
    Forbidden
    You don't have permission to access /pls/orasso/orasso.wwsso_app_admin.ls_login on this server.
    This used to work until I changed the password for the orasso user using 9IAS Enterprise Manager. The portal home page works fine. I've tried to run the ssooconf.sql script, but this didn't help me much.
    Does anyone have any solution to this problem?
    Kjetil

    That's just a display of the license agreement. The login page is always at:
    http://127.0.0.1:8000/apex
    (You have to put the directory on there)
    ~Jer

  • Certificate problem (webauth and WLC/WCS login pages)

    Hello,
    When I try to web in to the WCS or the WLC controls I get a message saying that the certificate could not be verified. I can add it into the trusted CA on IE6 but the message will still pop up anyway. It also says "The name on the security certificate is invalid or does not match the name of the site".
    This problem is also happening for the WebAuth login page. This is more critical for me, as we have two WLANs which require WebAuth. When the clients use IE6 or Firefox it's not an issue, but when using IE7 it seems to randomly drop their connection due to the certificate being viewed as 'invalid' by the browser, forcing them to reauthenticate. I need to get this figured out and resolved so that the wireless webauth network is more reliable - I can't expect people to not upgrade to IE7.
    Has anyone managed to get through this problem without purchasing a valid certificate from a CA like Verisign? Let me know please!
    Thanks,
    Jeff
    P.S. My WCS is version 4.0.97.0 and I just upgraded my WLCs to 4.0.217.0 with plans to upgrade to the new 4.1.171.0 in the next week.

    Received this from TAC which may play into your issue.
    The description of the Microsoft post-login bug is as follows but we have the code with this fix in the attached:
    There is known bug filed with Microsoft in reference to the tag. There
    is also one with Netscape. The work-around is below:
    The Pragma statement fails in IE because of the way IE caches files.
    There is a 64K buffer that must be filled before a page is cached in
    IE. The problem is that the vast majority of the pages using the Pragma
    statement put it between the HEAD tags.
    The HEAD loads and the Pragma comes into play. The browser gets the go
    ahead to not cache the page, however there is not yet a page to not
    cache. Since the page hasn't filled the 64K buffer, there's no page so
    the Pragma is ignored. Thus...the page is cached.
    The solution is to play to the buffer. If you're really serious about
    the Pragma working, place another set of HEAD tags at the bottom of the
    document, before the end HTML tag and re-enter the Pragma. This is a
    suggestion straight from Microsoft Support. The page would look like
    this:
    Text in the Browser Window

  • Having problem getting to login page of UOB internet banking

    Just got my MacBook Pro 13". But couldn't use it to get into the login page of UOB Internet Banking.
    Anyone having the same problem? Hope someone can help.
    Bernard

    Posting the link to the web site might help.

  • Configure the Guest to NOT see the login page?

    I'm trying to get my portal to allow the guest user to see their default community (as set in the default subportal).
    I can't get it to do anything other than show the login screen.
    On a .Net portal, the n_config.xml seems to be the key file, but I can't figure out what it is looking for ... what are the possible values?
    In this context, what is a "space"? Is it a community ID, an activity space, or other?
    How are values configured? Replace the value="", or does it go between the property's tags? (<AllowGuestAccess value="1"></AllowGuestAccess>, or <AllowGuestAccess value="1">1</AllowGuestAccess>)
    <Authentication>
      <!-- Allow the Guest user to access the portal. If guest access is disallowed, the portal will always prompt for login information. -->
      <AllowGuestAccess value="1"></AllowGuestAccess>
      <!-- This is the password for the Guest user. -->
      <GuestPassword value=""></GuestPassword>
      <!-- If the guest user does not specify a space, the user will normally go to their default page. If this is 1, the guest user will go to the login page. -->
      <GuestRedirectToLogin value="1"></GuestRedirectToLogin>
    </Authentication>

    Hi Javier,
    You're right -- the Login space is always accessible if you type space=Login, even if you're using SSO and you follow all of developersupport's suggestions. Of course, you already have to be logged in to get there, so the risk is minimal, however, it allows you to "su" to another user (including Administrator) as long as you know the password.
    One of our customers thinks this is a major security hole and as a result, we've hacked the LoginView to automagically log you out and redirect you to a protected resource, which forces another SSO login. That's the only thing I could think to do to plug the hole. If any Plumtreevians are listening to this thread, it would be great to get a real fix for this into your next release.
    If anyone has any better suggestions, I'm all ears.
    Regards,
    Chris Bucchere | bdg | [email protected]| www.bdg-online.com

  • Problem creating login page in portal webapplication

    Hi all,
    I have been working with ADF for quite some years. Now, I have found webcenter portal on my path.
    I'm telling you this is square one all over again... trying to figure out why the most simple things do not work like they should. Like this one:
    I'm on a project that has to build a new portal application. When you start it, you should be taken to a page where you have to log in.
    This is the only public page in the portal app. After logging in, you will see the start page of the portal app. From here you can go to other pages through a menu tree on the left side of the page (= within the page template).
    Anyway, I seem to not even get this to work...
    I have made two pages: a loginPage and a landingPage. I know you get a login.jspx and a home.jspx for free, but I want to make my own since I had problems attaching my custom page template. Some other thing that doesn't work...
    Anyway, I have made these two pages. Within the faces-config.xml I have tied the login_success action to my landingPage and the logout_success to the loginPage. I have also altered the login.html to redirect to my loginPage.jspx instead of the login.jspx. On the loginPage, ideally, I would like to drag a login taskflow with a page fragment where I have two input fields and a button, which are connected to the o_w_s_l_LoginBackingBean. But that is for later, since it doesn't even work when I have put those two input fields and the button directly on my loginPage.jspx.
    I have tried several different configurations using both the pages.xml file and the jazn-data.xml, but to no avail.
    What am I doing wrong? In the pages.xml, what should be the one with home as its id? Should both the loginPage and the landingPage be in there?
    Even when I manage to get the loginPage first at startup, the button (whose action is pointing to the doLogin of the o_w_s_l_LoginBackingBean) does nothing. Also nothing in the logs.
    Can anyone please tell me how I can get this to work?
    thanks a lot in advance.....

    Hi fisherman,
    A custom login page can be created and it can be used in your custom template by simply creating your own login class, o_w_s_l_LoginBackingBean, instead of using the default one.
    Otherwise, the second type of solution is:
    create a subform and write the following type of code in your jspx/jsff page.
    <af:subform id="sub_id">
      <af:panelFormLayout id="pt_pfl1">
        <af:panelGroupLayout id="pgl1" layout="vertical">
          <table>
            <tr>
              <td width="50%">
                <af:activeOutputText value="username" id="aot199"/>
              </td>
            </tr>
            <tr>
              <td width="50%">
                <!-- Bound to the backing bean's userName property -->
                <af:inputText id="pt_it1" simple="true"
                              value="#{o_w_s_l_LoginBackingBean.userName}"/>
              </td>
            </tr>
            <tr>
              <td width="50%">
                <af:activeOutputText value="password" id="aot198"/>
              </td>
            </tr>
            <tr>
              <td width="50%">
                <!-- secret="true" masks the password as it is typed -->
                <af:inputText id="pt_it2" simple="true"
                              value="#{o_w_s_l_LoginBackingBean.password}"
                              columns="30" secret="true"/>
              </td>
            </tr>
          </table>
        </af:panelGroupLayout>
      </af:panelFormLayout>
      <af:spacer width="3" height="3" id="pt_s2"/>
      <af:panelGroupLayout id="pt_pgl14" layout="horizontal" halign="end">
        <!-- Submits the credentials through the backing bean's doLogin action -->
        <af:commandButton id="pt_logincb"
                          action="#{o_w_s_l_LoginBackingBean.doLogin}">
        </af:commandButton>
      </af:panelGroupLayout>
    </af:subform>
    This is sample code; maybe some errors are present, but it should definitely work if you mention the login success page in faces-config.xml.
    Hope it will help you.
    Regards,
    Hoque
