ISE Guest Self-Provisioning Portal

Hi,
I get the Guest portal page and my credentials authenticate correctly and the device is authenticated using MAB. Then I am redirected to the Self-Provisioning portal and get this message:
This device has not been registered
You need to manually configure your device
Your device configuration is not supported by the setup wizard
Device ID < MAC of my windows XP PC
Any idea how to enable self registration for guests?
My goal is that when a guest authenticates for the first time, they need to enter credentials and register the MAC address; when the guest comes again, they only need to pass authentication, without registering the MAC address.
Thanks

Tarik, where is the mistake in my steps?
1) I create Authorization Profile for Guest devices registration (see attach AuthProfile)
2) I create Authorization Profile for Web Registration
3) I create Authorization Policy (see attach AuthPolicy)
When the user connects to the network, he is redirected to the Guest Portal where he needs to apply the AUP; after clicking "Accept" an error appears (see attach ISE_Error). In ISE I see the following errors (see attach ISE_Auth_Error).

Similar Messages

  • ISE Guest Self Registration Portal

    Hi,
    I get the Guest portal page and my credentials authenticate correctly and the device is authenticated using MAB. Then I get this message
    This device has not been registered
    You need to manually configure your device
    Your device configuration is not supported by the setup wizard
    Device ID < MAC of my windows 7 PC
    Any idea how to get past this stage
    Thanks
    Nki

    If you are only using mab then you will have to go the device registration page and register the mac address. Disregard my previous post. Here is how you manually register the device - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mydevices.html#wp1064213
    You will have to create the identity sequence store in order to allow your AD account (if integrated) to access the registration page - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mydevices.html#wp1056461
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE upgrade 1.2: Self-provisioning portal not working

    Hi all,
    I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf
    Screenshot of page is attached:
    I've checked the ise-console.log application log file and found two errors corresponding to the first page:
    [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
    [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:-         at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)
    and the second (not working) one:
    [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException
    [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:-  at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)
    Looks like something is wrong with a certification file, but I cannot find what is. I've exported and re-installed current server certificates (as instructed by upgrade guide for 1.2) and nothing changed.
    Can somebody please help?
    Thanks,
    L

    Errors When Adding Devices to My Devices Portal
    Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
    If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
    If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
    For more information on self-provisioning.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html
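The `lengthTag=127, too big` text in the log above is what a DER parser reports when the second byte of the input is 0xFF: the high bit announces a long-form length and the low seven bits (127) give the number of length octets, far more than the four it accepts. The following added example (not from the thread or from Cisco; the function names and the constructed sample blobs are this example's own) applies the same length check to a certificate file and reports whether it is DER, PEM, or a text file that was saved in another encoding.

```python
import base64

def read_der_length(data: bytes) -> int:
    """Content length declared by the first tag-length-value element in data."""
    if len(data) < 2:
        raise ValueError("truncated: need a tag octet and a length octet")
    octet = data[1]
    if octet < 0x80:                      # short form: the octet is the length
        return octet
    count = octet & 0x7F                  # long form: number of length octets that follow
    if count == 0:
        raise ValueError("indefinite length, not allowed in DER")
    if count > 4:                         # 0xFF gives count 127, the value in the log
        raise ValueError(f"lengthTag={count}, too big")
    if len(data) < 2 + count:
        raise ValueError("truncated length octets")
    return int.from_bytes(data[2:2 + count], "big")

def classify(blob: bytes) -> str:
    """Say what a supposed certificate file actually contains."""
    if blob[:2] in (b"\xfe\xff", b"\xff\xfe"):
        return "utf16-text"               # UTF-16 byte-order mark: text, not a certificate encoding
    if blob.startswith(b"\xef\xbb\xbf"):
        blob = blob[3:]                   # drop a UTF-8 byte-order mark
    kind = "der"
    if blob.lstrip().startswith(b"-----BEGIN "):
        kind = "pem"
        lines = (line.strip() for line in blob.splitlines())
        body = b"".join(l for l in lines if l and not l.startswith(b"-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return "pem-bad-base64"
    try:
        declared = read_der_length(blob)
    except ValueError as exc:
        return f"not-der ({exc})"
    if blob[0] != 0x30:                   # a certificate is an ASN.1 SEQUENCE
        return "not-der (outer tag is not SEQUENCE)"
    header = 2 if blob[1] < 0x80 else 2 + (blob[1] & 0x7F)
    return kind if header + declared == len(blob) else f"{kind}-length-mismatch"

# Constructed samples: a 266-byte SEQUENCE of zeros stands in for a real certificate.
DER_SAMPLE = b"\x30\x82\x01\x0a" + bytes(266)
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\r\n" + base64.encodebytes(DER_SAMPLE)
              + b"-----END CERTIFICATE-----\r\n")
UTF16BE_SAMPLE = b"\xfe\xff" + PEM_SAMPLE.decode("ascii").encode("utf-16-be")

if __name__ == "__main__":
    for name, sample in [("der", DER_SAMPLE), ("pem", PEM_SAMPLE),
                         ("utf-16be", UTF16BE_SAMPLE), ("truncated", DER_SAMPLE[:-10])]:
        print(f"{name:10} -> {classify(sample)}")
```

Feeding the UTF-16 big-endian sample straight to `read_der_length` reproduces the exact `lengthTag=127` wording, which makes it a quick check to run on every certificate file exported before an upgrade.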

  • Java not recognized by Cisco Self-Provisioning Portal on Apple computers

    Have a Mac Mini running that had this problem under OSX 10.8 and is persisting in 10.9.  When this computer reaches the self-provisioning portal, after clicking submit on the MAC address registration, the following screen displays an erroneous error that Java isn't installed.
    Have gone through updating Java from Apple (2013-005) as well as from Oracle/Java (1.7), and applied several variations of uninstalling and reinstalling Java, doesn't seem to make a difference.  From the top, the Mac Mini attaches to Wifi and the self-provisioning page appears with an authentication request.  User authenticates successfully.  The next page displays the MAC address for the machine and a description field.  Upon filling out the description, the page is submitted.  The following page that should complete the provisioning process, rather, displays an error that Java isn't installed and the user should go to java.com to complete the installation.  According to the Java.com, Java is installed. According to terminal (by executing the command "java -version"), Java is installed. Running other Java applications, like JDE, run perfectly well.  The self-provisioning page seems to be unaware of Java despite everything else.  Ideas?

    Thanks. No dice. The instructions on that page also appear to be woefully out of date too. In Safari, on the preferences security tab, there is no checkbox for "Enable Java" (I think that is a Safari 6.0.4 thing on OS X 10.8 or thereabouts). In OS X 10.9 there's just the "allow plugins" checkbox and the "manage website settings" button. Assuming this is where it's at now, moving to the Java plugin in the list, they were already "allow". I went a step further and set it for the three websites listed (that include the provisioning portal domain) to "allow always". No luck. Then went to another step further and click "run in unsafe mode" for every item in the Java website list and again it made no difference. The self provisioning portal page still says that Java isn't installed :-(
    For Firefox, the instructions on that page are out of date too. Under what I believe are the correct settings, the Java applet plug-in for 7.45 is set to "always activate". I assume this is the same thing as seeing the "disable" button in previous FF versions, indicating that the Java applet plug-in is actively running.
    The chrome instructions on the page are irrelevant because my OS X and hardware are 64-bit and so is Java but not chrome. Therefore Java doesn't run on chrome on this machine in the first place.
    I don't know whose browser the self provisioning portal fires up since it fires up its own window, not a Firefox or Safari specific one. In windows for example the self-provisioning portal fires up a tab in IE. That actually makes it simpler to debug IMO.
    Any more advice? Java seems to be running just fine for every thing else. What am I missing?
    UPDATE (Just another thought)
    Alternatively, could it be a thing with WebKit? Or Cisco's implementation of WebKit (as far as whether any changes would have been required for OS X 10.9 in the way WebKit is instantiated)? If, for example, the self provisioning portal is opening up its own "browser" by using the Safari webkit function (as opposed to opening a tab directly in Safari itself) could this be a bug in Safari itself, or a changed API that Cisco has failed to implement (considering the other incompatibilities various Cisco products have with OS X 10.9)? I just hope that the problem is something that I can fix with a workaround rather than waiting for a patch from either Apple or Cisco that may or may not come anytime soon? :-/

  • ISE guest self-registration Client Limitation per day

    I deployed ISE with guest self registration on the Web Portal.
    I want the guest (ex: AndroidPhone with Mac address: xx:xx) to be able to get 1 hour of internet access per day. 
    I know that using Time profile I can limit the guest to 1 hour of access, but how can I give the guest access each day.
    Requirements:
    --- I want to make this phone create only one account. ( How can I limit his mac address from creating new accounts when his account will expire in one hour)?
    --- After 1 day, I want to give the same phone access (I don't mind if it is a new account or the same account as the day before)
    How can we make this happen? Otherwise, every time the account expires, the phone will be able to auto-register with a new account.
    Thank you

  • ISE Guest Self-Service Emailing Credentials

    Hi Guys,
    Is it possible to set up the ISE to automatically send a self-service guest their credentials via email once they've registered, as opposed to simply showing them onscreen?
    I know it's possible to do so once they've registered through the sponsor portal, but the customer would like it done by default.
    Thanks,
    Nick

    This is not currently supported.  I am including a link to the feature enhancement request for your reference:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto15206

  • ISE - Guest Access (without portal)

    Hi Guys,
    I have a customer who currently is using the CWA portal for guest access. Corporate use will be added in the future sometime next year.
    Kit involved:
    5508 - Internal (Inside Net)
    5508 - Anchor (DMZ Net)
    ISE - Inside Net
    3600 APs
    Presently, guest user connects, anchored to DMZ 5508, issued IP address from server in DMZ and DNS redirect to the web portal from same server. guest logs in and internet access through ASA and then content filtering box.
    They want a solution whereby they do not have to use the portal for corporate users with their own devices such as iPads. I know BYOD is a possibility but would involve using a CA server on the inside of the network. This is not something I'm keen on as it opens a channel from the guest network directly to their AD infrastructure.
    I'm leaning toward PEAP authentication atm using a GoDaddy SSL cert that is already installed. This would bypass the portal system and only involve client devices being configured once.
    Is there any other option that would be simple to setup as this is on a limited timescale ?
    Cheers,
    Nick

    Nick,
    "They want a solution whereby they do not have to use the portal for corporate user with their own devices such as ipads. I know BYOD is a possibility but would involve using a CA server on the inside of the network. This is not something I'm keen as it opens a channel from the guest network directly to their AD infrastructure."
    If you are referring to supplicant provisioning, the SCEP enrollment request is proxied from ISE and the private key and cert is transferred to the endpoint. This doesn't require your guest network having direct access to AD... just to ISE.
    Tarik Admani
    *Please rate helpful posts*

  • ISE guest self service question

    Hi experts
    Is there any way to implement this scenario on ise 1.2.1:
    guest registers himself on the portal and either selects or enters sponsor details
    sponsor gets notified by mail and can approve or deny
    guest gets a sms text message with password and can use the guest wlan
    Grateful for any hint
    Cheers
    Albert

    No,  to enable SMS messaging, you need to be running v1.3.
    Good news, though.  With a current Service Agreement, ISE upgrades are free.  If you can schedule downtime, you can upgrade from 1.2.1 to 1.3 without stress.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE Guest - Change Password Option

    Hi All
    Can anyone confirm that the change password option on the Guest Self Registration Portal actually works?
    I have enabled the options with the ISE Guest Portal to allow the Guest to create his own account and also to change his password.
    Although the self creation of the account works fine it doesn't look like changing the password works. When you enter the new password and click submit nothing seems to happen.
    ISE version is 1.2.1.198
    Regards
    Roger

    Hi Roger,
    Are you making use of a customized self registration portal? In such cases, make sure the session ID of a particular guest login is carried forward to the password change page as well.
    For the HTML changes to any pages (login, aup, self_registration, self_registration_result, device_registration & change_password) that link back to other pages, the below points A and B should be added as part of the customized pages.
    A) Reference script (<script src="js/customportals.js"></script>)
    B) Add the onsubmit="getDynamicAction(this);" logic for posts
    Thanks
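Points A and B from the reply above can be checked mechanically before customised pages are uploaded. This is an added example, not code from the thread or from Cisco: `check_page` and the two sample pages are constructed here, with the form markup modelled on the snippet quoted elsewhere on this page.

```python
from html.parser import HTMLParser

REQUIRED_SCRIPT = "js/customportals.js"        # point A in the reply
REQUIRED_HANDLER = "getDynamicAction(this)"    # point B in the reply

class _PortalPage(HTMLParser):
    """Collects the two facts the reply asks for from one customised page."""

    def __init__(self):
        super().__init__()
        self.has_script = False
        self.forms_missing_handler = []        # (line number, form action)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "script" and attr.get("src", "").strip() == REQUIRED_SCRIPT:
            self.has_script = True
        if tag == "form" and attr.get("method", "get").strip().lower() == "post":
            handler = "".join(attr.get("onsubmit", "").split())   # ignore spacing
            if REQUIRED_HANDLER not in handler:
                self.forms_missing_handler.append(
                    (self.getpos()[0], attr.get("action", "")))

def check_page(name, html):
    """Return a list of findings for one page; an empty list means A and B are present."""
    page = _PortalPage()
    page.feed(html)
    page.close()
    findings = []
    if not page.has_script:
        findings.append(f'{name}: no <script src="{REQUIRED_SCRIPT}"> reference')
    for line, action in page.forms_missing_handler:
        findings.append(f"{name}:{line}: POST form to {action or '(no action)'} "
                        f"lacks onsubmit calling {REQUIRED_HANDLER}")
    return findings

# Constructed sample pages (not real ISE templates).
GOOD_PAGE = """<html><head><script src="js/customportals.js"></script></head><body>
<form id="form" method="post" action="/guestportal/LoginCheck.action" onsubmit="getDynamicAction(this);">
  <input type="hidden" name="guestUser.name" id="username">
  <button type="submit" id="button-submit">Log In</button>
</form>
</body></html>"""

BAD_PAGE = """<html><body>
<form id="form" method="post" action="/guestportal/LoginCheck.action">
  <input type="hidden" name="guestUser.name" id="username">
  <button type="submit" id="button-submit">Submit</button>
</form>
</body></html>"""

if __name__ == "__main__":
    for page_name, source in [("self_registration_result.html", GOOD_PAGE),
                              ("change_password.html", BAD_PAGE)]:
        for finding in check_page(page_name, source) or [f"{page_name}: ok"]:
            print(finding)
```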

  • ISE 1.2 WEBAUTH (CWA) + SELF PROVISIONING (NSP)

    I'm trying to achieve the following for our employees, contractors and guest.
    Guests and Contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.
    contractors (ldap contractor group) -> webauth -> internet
    guest (internal ise db via sponsorportal) - webauth -> internet
    Employees should be allowed to register their devices after successful auth on the ISE portal login page and they should be allowed to access the internet once their device is registered. So they don't have to re-enter the credentials every 2 hours. 
    employee (ldap employee group) -> webauth -> nsp -> internet
    In ISE I've created a custom portal with mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning Policy configured and I've set the Native Supplicant Provisioning Policy Unavailable: to Allow network access.
    I'm currently experiencing problems with clients and they describe their problem as a portal loop. When they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment I'm working remotely and am not able to replicate the problem myself. Any advice would be welcome and much appreciated.
    Is there any available documentation about the built-in attributes in ISE? I'm especially interested in network use EQUALS guest flow.

    Hi Patrick,
    I'm facing a similar problem to yours, but on wired. My contractor (I name it vendor) is redirected to the guest portal, and when they log in they are redirected to the portal again.
    For the device registration, I have set the Native Supplicant Provisioning Policy Unavailable: to Allow network access.
    My authorization rules are as follows:
    1- rules name : Vendor-wired  :  identity : registerddevices AND identitygroup: VENDOR  authorization profile: VENDOR-ACCESS
    2-  rules name : WIRED-CWA  :  identity : any  condition: device-type:SWITCH  authorization profile: CWA-PORTAL
    It looks like, when the vendor logs in, they are not hitting the first rule, although the device shows up in the registered devices and the vendor account is in the VENDOR identity group (local in ISE), so they come back again to rule 2, which redirects them to the CWA-PORTAL again.
    Did you find any hint for this problem?

  • ISE, BYOD: guest clients provisioning

    Hello!
    The question is about provisioning different types of wifi clients through the ISE Guest portal.
    ISE 1.1.4, WLC 7.4.100 (Guest WLAN uses MAB)
    Suppose, there are two groups of wireless clients:
    1) guest user, which credentials are created through the ISE Sponsor Portal
    2) domain user, who has credentials in ActiveDirectory
    The aim is to provision domain user, and not provision guest user.
    When client connects to Guest SSID and opens the browser, he is redirected to ISE Guest portal.
    When client uses domain user, he is provisioned, and when uses guest credentials he is not provisioned
    How ISE understands, that domain user must be provisioned and guest user must not be provisioned if Web portal is configured to provision everyone?
    (Web Portal -> Settings -> Enable Self-Provisioning flow)

    The answer is that typically you either know that MAC address or you have something installed (NAC agent?) and fulfill some requirements.
    Alternative, you can perform CWA first (and...)
    Then if user is part of guest users -> allow internet only access
    If user is part of AD -> send him to do registration.
    Authorization policy allows you to use "identity group" as part of condition.
    If device registered -> allow full access. (just an idea).
    M.

  • ISE, guest portal on WLC

    Hi,
    Currently we have wireless guest login through a guest portal in the WLC. Is it possible to implement ISE and keep the guest portal in the WLC?
    Example:
    User connects to an SSID with a laptop. That laptop is profiled as not belonging to the company network and is then redirected to the WLC guest portal.
    All the guides I find are about having the guest portal in the ISE.
    Regards
    Philip

    You can use LWA for this. The WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Service Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning.
    Refer to the following link for a configuration example:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

    I want to integrate SMS gateway to Cisco ISE 1.2 and my question is 
    SMS notifications are supported for Guest self−registration Services ? or it should be done by Sponsor 

    I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
    Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
    Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE Self Service Portal Customisation.

    Hello community!
    I have been hacking around with the Self Service portal on the ISE.  I have it working nearly as I wish it to, having edited self_registration.html to my satisfaction.
    The issue is, I get details in the OUTPUT of the self_registration_result.html screen pop that I do not wish to display.  The screen outputs all the details previously input, even though I only want to show the username and password.  The contents of self_registration_result.html do not even reference the other variables.  Specifically, I wish to exclude the email address.
    See below.  No mention of the outputting of the email address.
                        <form id="form" method="post" action="/guestportal/LoginCheck.action" onsubmit="getDynamicAction(this);">
                            <input type="hidden"  name="guestUser.name" id="username" alt="Username">
                            <input type="hidden"  name="guestUser.password" id="password" alt="Password">
                            <input alt="" name="redirect" id="redirect" type="hidden" value=""/>
                            <input alt="" name="switch_url" id="switch_url" type="hidden" value=""/>
                            <input alt="" name="err_flag" id="err_flag" type="hidden" value=""/>
                            <input alt="" name="byodSessionId" id="byodSessionId" type="hidden" value=""/>
                            <input alt="" name="byodAction" id="byodAction" type="hidden" value=""/>
                            <button type="submit" id="button-submit" class="global-btn">Log In</button>
                       </form>
    Thoughts?

    Self registered guest sponsor approval flow
    ISE 1.2 - needs some customization and coding to make the user process nicer 
    Custom self registration page:
    Use the first and last name to create the account as the email address will be that of the sponsor
    Use one of the optional fields (titled as email address of the requester)
    Normal email address required would be that of the sponsor (person receiving the email with creds to forward along), 
    The success page would state that the credentials are being sent to the sponsor and once approved will receive via email back from them.
    It's self registration with approval and the flow is through email (no status page on sponsor portal)
    Make sure to restrict the email domain that can be entered to that of the company only (otherwise there is a breakdown as the guest can put their own). See this guide entry.
    Additionally, you can modify the email template to send the correct data to employees:
    Dear Sponsor,
    A guest with email address $OPTION1$ requested an account
    If you authorize this request, username is $USERNAME$ and password is $PASSWORD$
    Risk is the sponsor knows the credentials of their approved guest
    See sample page from Viktor Brokov or use the ISE 1.2 Guest Portal Builder
    Here is the flow that was done for a Turkish bank with partner middleware - Ozgur Guler (ozgguler) SE
    1) Guest connects to guestWLAN and opens a browser. He is redirected to ISE guest portal.
    2) When he clicks “Self registration”, he goes to a middleware’s web service that is just looking like ISE portal. Our partner NetSec developed this middleware.
    3) He enters his name, surname, year of birth, national ID number, mobile number, sponsor’s mail, etc.
    4) The middleware firstly checks the validity of the guest from a government web service. It checks name, surname, year of birth and ID number validity.
    5) If they are valid, the middleware sends an email to sponsor to get an approval.
    6) If sponsor clicks the link in mail, it is approved and middleware creates a username on ISE using our current API (they will shift to Guest API when it is available)
    7) After creating the user, the middleware sends a command to SMS gateway to send credentials to the guest.
    8) Guest logins.
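The post above says to restrict the sponsor address to the company's domain, since otherwise a guest can name themselves as sponsor. The following added example (not from the post, from Cisco, or from the middleware it mentions) shows that check as a registration back-end of that kind might apply it before sending the approval mail; `corp.example` is a placeholder domain and all function names are this example's own. A naive suffix test is included for comparison because it accepts look-alike domains and multi-recipient input.

```python
import re

ALLOWED_SPONSOR_DOMAINS = frozenset({"corp.example"})   # placeholder company domain

_LOCAL = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]{1,64}")
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")

def sponsor_domain(address):
    """Return the lower-cased domain of one bare address, or None if the input is anything else."""
    if not isinstance(address, str) or len(address) > 254:
        return None
    if address.count("@") != 1:            # rejects address lists and injected header lines
        return None
    local, domain = address.split("@")
    if not _LOCAL.fullmatch(local):        # fullmatch: a "$" anchor would accept a trailing newline
        return None
    labels = domain.lower().split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return ".".join(labels)

def sponsor_allowed(address, allowed=ALLOWED_SPONSOR_DOMAINS):
    """True only when the whole domain equals an allowed domain."""
    domain = sponsor_domain(address)
    return domain is not None and domain in allowed

def naive_allowed(address, company="corp.example"):
    """Suffix test, shown only for comparison with sponsor_allowed."""
    return address.lower().endswith(company)

# Constructed inputs a guest could type into the sponsor e-mail field.
SAMPLES = [
    "jane.doe@corp.example",
    "Jane.Doe@CORP.EXAMPLE",
    "guest@evilcorp.example",
    "guest@corp.example.mail.example",
    "guest@mail.example, boss@corp.example",
    "boss@corp.example\r\nBcc: guest@corp.example",
    "guest@mail.example?x=corp.example",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:50} naive={naive_allowed(sample)!s:5} strict={sponsor_allowed(sample)}")
```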

  • Extend ISE Guest portal provisionig form

    Hi,
    is it possible to customize the Guest Portal by adding some fields in the registration form ?
    For example I need to add:
    input text field used to enter guest ID number
    dropdown menu containing a list of organizational unit prepopulated with an ldap query
    More in general, is it possible to customize the Guest Portal web application by adding custom business logic implemented with jsp or Java class ?
    Thanx
    Fabio

    Basically I would like to extend the guest registration form by adding new fields and adding some custom business logic used to implement the validation of these fields.
    More in detail, a guest should provision himself by providing also the badgeID received at the reception and by providing the organizational unit of his sponsor, and then the "guest portal" should ensure that the values provided by the guest are valid by checking against some external system (ldap and a database).
    I know these are quite special requirements and usually "legacy web application" cannot be extended in this way because it's very difficult: I would like to know what is the best way to implement these special requirements to implement extremely custom "Guest provisioning" in a Cisco environment.
