ISE, Guest user accepted by admin

Hi all,
I have set up a guest portal and have been using it very well,
but I want guest users to get accepted by the admin when they create their own ID.
So is there any way to send messages to the admin when guest users create their ID?
And then they would be able to use their ID after the admin (or sponsor) allows it?
thank you for reading this.

Maybe I was not clear.
I want the guest user to submit an application like it is now.
When the guest user submits the application, some kind of alarm goes to the admin (or sponsor) to give the guest user permission to log in,
so they can't log in until the admin (or sponsor) accepts their application.
That way, we can manage guest users efficiently.
Thank you.

Similar Messages

  • Question about ISE guest user account self registration

    Dear Sir,
    We are planning a guest solution for our wireless network (we have a WLC5508 and 1142 access points). Our requirements are:
    1. A guest user accesses a wireless guest SSID and opens a browser; it will redirect to the web-auth page.
    2. The web-auth page has a URL, and if the user clicks the URL, the guest user then connects to another web page where the guest user can input some information (for example: username, email, cell phone, ...) to create a guest user account themselves. The expiration of the user account is fixed to one day.
    3. The username and random password created for the guest user are then sent by SMS or email to the guest user.
    4. The guest user can use the username and password he received to log in to the web-auth page and use the guest wireless network.
    5. User activity information (user creation, login/logout, expire time, user IP address ...) should be logged.
    Please help to verify that ISE with a base license can meet our requirements (especially items 2 & 3).
    Best Regards,

    Hi,
    Guest registration is covered with base licenses.
    Here is some material that will bring you up to speed:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Base:
    Capabilities: Basic network access and guest access
    Network deployment support: Wired, wireless, and VPN
    License prerequisite: None
    Perpetual license
    Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    Tarik Admani
    *Please rate helpful posts*

  • ISE Guest User problem

    Hi Guys,
    I got a problem with a Guest user after creating the guest account from the ISE sponsor portal. When I try to log in with the guest user on Web auth (WLC) it shows a login error, and the message on ISE is "Authentication failed : 24206 User disabled".
    Failure Reason > Authentication Failure Code Lookup
    Failure Reason :
    24206 User disabled
    Description
    User marked disabled in Internal database.
    Resolution Steps
    Check whether the user account in Internal database is enabled
    I would like to know how to enable the guest account. What configuration did I miss?

    Hi dsdavid,
    Do you use ISE with WLC? If yes, you need to configure ISE as External Web Auth at WLC?
    WLC
    Security > Access Control List
    - Allow traffic from Client to ISE
    * If you have a firewall or ACL on the core switch between WLC and ISE, you have to allow traffic from Client to ISE too.
    Security > Web Auth > External Web Auth
    - Web Authentication Type : External
    - Redirect URL after login : Up to you
    - External Webauth URL : https://:8443/guestportal/Login.action
    WLAN > Security > Layer 3
    - Check Web Policy > Authentication
    - Pre-Auth ACL > Choose the ACL which you pre-defined at Security > Access Control List
    WLAN > AAA Servers
    - Choose Authentication Server as ISE
    WLAN > Advanced
    - Check Allow AAA override

  • Change Account Duration for ISE Guest User can not more than 5 days

    The guest account duration cannot be extended to more than 5 days.
    On the portal we can change it to more than 5 days, but the account always expires after the next 5 days.
    The email notification sent after changing the duration also said the account only has 5 days of duration.
    I'm using ISE 1.2 patch 2.

    Step 1 From the Cisco ISE Administrator interface, choose Administration > Guest Management > Settings > General > Purge.
    The Purge Settings page is displayed.
    Step 2 To schedule a purge operation, check the Enable purge settings for expired guest accounts check box.
    Step 3 Configure the following available options:
    a. Enter the purge interval, in number of days. Valid range is 1-365.
    b. Specify the hour of the day when the purge should occur.
    Date of last purge displays the date and time when the last purge operation occurred.
    Date of next purge displays the date and time when the next purge operation is scheduled to occur.
    Step 4 To immediately execute a purge of expired guest user records, click Purge Now.
    This executes a purge manually even if the Enable purge check box is not checked. This option provides you the freedom to purge records whenever you see fit.
    Step 5 Click Save
    Please check the point 3 find the value is so that it may engaged.

  • Cisco WCS guest user expires after few days

    1) Hardware we are using:
    WCS version 6.0.196.
    WLC version 6.0
    2) Configuration steps we carried out:
    We have created a guest user using the Lobby admin account for accessing the WLC which we have in the network. It works fine for some days, but after that we have observed the particular guest user account status showing expired on WCS. Wanted to mention we have used the Unlimited tab for lifetime while creating the guest user account. The account lifetime for the guest user at the point of configuration was showing (Status -- Active, Account Lifetime -- Never Expire).
    The document we followed.
    http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0manag.html#wp1086189
    3) Problem we are facing.
    After some days(we are not sure about how many days) the guest users account shows "Expired"
    4) Requirement.
    Configuration of a particular user with account lifetime as never expire.
    Regards,
    Pramod.

    During the point of problem from WCS logs I observed the "Guestuser Service" is giving problem, below is the error. The detailed log is attached herewith.
    14:11:39.488 ERROR[general] [24] [GuestUserService] User does not belong to group 'Lobby Ambassador' or defaults are not set COMMON-11,LobbyAmbDefaults
    The issue is associated with mentioned bug
    CSCti79856
    Symptom:
    WCS deletes the Guest User Template when trying to de-provision it from a controller. Instead of deleting the guest user from the selected controllers, the user is removed from all controllers and the template deleted from WCS.
    Conditions:
    Using the delete functionality on the Guest User Template Page
    After upgrading WCS version from 6.0.196.0 to 7.0.172.0 issue was resolved. Thanks..

  • File Vault Useless when Other User Has Full Admin Rights?

    Question:
    I'm about to send my MacBook Pro in for service. I've backed it up to a bootable clone, but I'd still rather not erase all my stuff, in case they send it back as-is (they do sometimes do that if they don't have to reinstall OSX).
    So, I've given the guest user account full admin privileges on this machine and created it without a password so the AppleCare boys can do what they need to do.
    My question is, is my account secure if it is password protected and encrypted with File Vault?
    Or, if somebody was feeling malicious, couldn't they just reset the password for my account in the guest account preferences or create a new master password for the machine, since the guest account has full admin rights?
    Thanks for any quick answers!

    Hi bscepter;
    If you are that paranoid about your data, the best
    thing for you to do is to remove it off of the
    machine before you send it in.
    Allan
    I'm not "that paranoid" about my data. I was merely curious if File Vault would protect my data should somebody with another admin account want to access or delete it. I mentioned this in my initial post.
    But thanks, anyway.

  • How to use ISE Guest Portal for AD users

    Hi there,
    As the subject explains all, I want to use the ISE Guest Portal for my domain users. I have tried many different ways to authenticate users and finally I came to the conclusion that ISE CWA works pretty well and is very stable. WLC Webauth sucks a lot, does not always redirect to the login page.
    Can you please share what other stable ways there are to authenticate AD users? I know about WPA 802.1x authentication but that requires a CA in the network which is not available at the moment. So can you please suggest?
    Otherwise, I want to use the ISE Guest Portal for my AD users as well. AD is already integrated with ISE. The issue happens when I attempt to authenticate using an AD user account: the user gets authenticated but the Guest Portal redirects me to the Device Provisioning page and there it shows an error saying "there is not policy to register the device, contact system admin"
    Am I missing something??
    I am running WLC 5760 with ISE 1.2
    Thanks in advance..

    Hi,
    Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
    In most cases 802.1x is the method to go with because it provides dynamic authentication without forcing users to be redirected to a web page multiple times throughout the day; in scenarios such as computers that sleep or users that are mobile, they will not have connectivity until they redirect to the portal. You also gain WPA encryption on your WLAN; if you are using strictly layer 3 web auth you run into issues where encryption is not used and you rely on encryption from the application as your method of data integrity and security.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE MAB to external Radius then MAB internal for Guest User auth

    Hello guys,
    we have the following requirements for our ISE Guest Access Deployment:
    We want to provide guest access but only to non-company laptops. To check if the laptop is a company or a non-company laptop, we have all MAC addresses in our ACS server. So in my understanding we have to do the following.
    Check the MAC Address against the External Radius Server (ACS)
    If Access-Accept returns -> Deny Access
    If Access-Deny returns -> Check MAC Address against Internal Endpoint Store
    If User not found -> Guestflow
    Right now I don't know how I should design it, but I need two Authentication Policies: first for the redirect to the External Radius and then another one for the check against the internal Identity Endpoint Store. Am I right? I don't know if that is possible.
    Really thanks for your help!!
    Greetings
    Philip

    Let me ask you a quick question: Are all domain machines Windows and joined to AD?

  • ISE 1.1.1 - User Accept Policy keeps returning

    Hello there
    I have an ISE 1.1.1 setup, with a guest portal. The AD can be used to log onto this portal, and the Guest Portal Policy Configuration is on First Login.
    However, every time a AD user logs in on the portal, he has to accept the User Accept Policy. Is this a bug? Or is there a configuration error?
    Greetings

    Steve,
    It should be able to redirect users based on the username and device that they are authenticating from. If you look at the endpoint there is an attribute that is AUP specific; once that is set to yes, the profiling database should have this flag set so it isn't redirected to the AUP after login.
    In your authorization profile is the client being redirected to another authorization policy after CoA?
    Please post screenshots of the authorization policy, the endpoint attribute, and the authentication events....
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Why can I not disable the guest user in the 10.8.2 update? I have never enabled the guest user, but after the update, it was automatically enabled with a "managed" tag. It is not selectable even after entering my admin password to unlock the options.

    Why can I not disable the guest user in the 10.8.2 update? I have never enabled the guest user, but after the update, it was automatically enabled with a "managed" tag. It is not selectable even after entering my admin password to unlock the options. I was able to select the account under "parental controls", but again, could not delete it. Why Apple? Why?!!????

    SOLVED Ok. I actually was able to disable it. I had to actually log in as the guest user to make it accessible in the preference window. Then I disabled it and logged out. Apologies if this was obvious for some people, but I have had some sort of issue with something every update since Snow Leopard.

  • ISE DNS Question For Guest Users

    Before I ask the question, let me explain our environment.
    We have an internal 5508 controller. We also have a 5508 DMZ controller that acts as an anchor controller. Guest traffic is piped to the DMZ controller which provides the DHCP address and DNS server information. The DNS that we provide to our guest wireless users is our ISP provider's DNS server information. There's no need to provide them with our internal DNS server information, since they're only going to the internet.
    Here's my dilemma. We are now implementing the ISE appliances so that we can better control our guest users. Currently, our guest SSID is wide open. With the ISE, we're going to initially only do self-registration for guest users. They will connect to our broadcasted SSID; when they connect to it, they will be presented with the guest portal. There will be a link that allows them to go to a self-registration page. The dilemma is that the ISE appliances are a part of our internal 10.x.x.x network. Since the guest users will have our ISP's DNS servers, our ISE devices will not be able to be found for the redirection to the portal.
    Would anyone have any suggestions on this? I don't want to advertise our internal DNS servers to guest users. Thanks for any help!

    I haven't tried this before but ISE does actually allow you to assign physical ports to the Guest HTTP portal. You can see this under Administration > Web Portal Management > General > Ports. Perhaps you can:
    1. Take a physical port from your appliance and connect it to the DMZ
    2. Give it an IP address that is resolvable from the public DNS server
    3. Assign that physical port only to the guest HTTP service
    On the other hand, you could also build a DNS server just for the guest users and stick in the DMZ :)
    Not sure if this helps but just some food for thought.
    Thank you for rating helpful posts! 

  • ISE Guest-Account Single-User Multiple Logins

    Hello,
    How can I make ISE allow only one guest-user account login at a time? The actual issue I have is: when I give one guest user-id to someone, he can circulate that user-id to others, and multiple unauthorized guests can use that single user-id to connect to the Guest portal.
    Any way to restrict that?

    Restricting Guests to One Active Network Session
    You can restrict guests to having only one device connected to the network at a time. When guests attempt to connect with a second device, the currently-connected device is automatically disconnected from the network.
    This is a global setting affecting all Guest portals.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Portal Policy.
    Step 2 Check the Allow only one guest session per user option.
    Step 3 Click Save.

  • "locked" users  open to non-admin and guest users

    I had this problem a while ago and did a work around that worked.
    When I am on guest or other non-admin users accounts and open hard drive and then users I can access files that should be locked. Mine is the only acct that has a Red slashed circle thru it. My wife's account is also admin but the red circle slashes show up past her icon and some of her folders are open.
    The last time this came up I dragged her open files into the redslashed document file and everything was fine.
    But now my son's file is open to all and this computer is used by many.
    When I do the get information and try to change anything in there I get a message of unexpected error and operation could not be completed message error code 120
    I get this when I try to get information using my admin acct., his non-admin account, or the guest account. Sometimes it asks me to authorize and then an error now it goes right to error
    And the group is listed as admin and read only so it should not be open to all?
    Thanks for your help again with these, to me, befuddling problems
    Barry

    Hi Barry, you need to Repair the HD 1st off with that error code 120 = HFS "Directory not found".
    "Try Disk Utility
    1. Insert the Mac OS X Tiger Install disc that came with your computer, then restart the computer while holding the C key.
    2. When your computer finishes starting up from the disc, choose Disk Utility from the Installer menu. (In Mac OS X 10.4 or later, you must select your language first.)
    *Important: Do not click Continue in the first screen of the Installer. If you do, you must restart from the disc again to access Disk Utility.*
    3. Click the First Aid tab.
    4. Select your Mac OS X volume.
    5. Click Repair. Disk Utility checks and repairs the disk."
    http://docs.info.apple.com/article.html?artnum=106214
    Then try a Safe Boot, (holding Shift key down at bootup), run Disk Utility in Applications>Utilities, then highlight your drive, click on Repair Permissions, reboot when it completes.
    (Safe boot may stay on the gray radian for a long time, let it go, it's trying to repair the Hard Drive.)
    Then we can work on the other problems, if Disk Utility or fsck should fail to repair it, your best bet is DiskWarrior from Alsoft, you'll need the CD to boot from if you don't have another boot drive...
    http://www.alsoft.com/DiskWarrior/

  • Migrate Guest Users from Prime Infrastructure 2.1 to ISE

    I have just installed a new Prime Infrastructure Server and have discovered our list of guest user accounts from the discovered Controllers. We are implementing ISE 1.3 and would like to move all the guest user accounts from Prime to ISE without doing it manually. Is there a way to either export or pull the guest users from Prime or the WLC and import them to ISE?
    I would be very interested to find out if this can be done.
    Cheers,
    Tom

    Hi Seth,
    Check the attached screen shot to find the JOB
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ****

  • Safari guest user logon can view fox news videos, admin can't, videos run fine in Chrome

    Not sure what to do...Admin user won't run Foxnews videos whereas Guest user will run Foxnews videos. Have read many posts on checking flash, etc. Been there done that... I created a new Admin user and FoxNews videos worked but could not get iphotos to transfer to new admin user. So I'm still looking to fix the current Admin User.  Thx.

    I'm having the same problem - Safari seems to hang hourly. I'm switching to Firefox.
