ISE Guest User problem

Hi Guys,
I have a problem with a guest user after creating the guest account from the ISE sponsor. When I try to log in with the guest user on Web auth (WLC), it shows a login error, and the message on ISE is:

Authentication failed : 24206 User disabled
Failure Reason > Authentication Failure Code Lookup
Failure Reason : 24206 User disabled
Description : User marked disabled in Internal database.
Resolution Steps : Check whether the user account in Internal database is enabled

I would like to know how to enable the guest account. What configuration did I miss?

Hi dsdavid,
Do you use ISE with WLC? If yes, you need to configure ISE as External Web Auth at WLC.

WLC
Security > Access Control List
     - Allow traffic from Client to ISE
     * If you have a firewall or ACL on the core switch between WLC and ISE, you have to allow traffic from Client to ISE too.
Security > Web Auth > External Web Auth
     - Web Authentication Type : External
     - Redirect URL after login : Up to you
     - External Webauth URL : https://:8443/guestportal/Login.action
WLAN > Security > Layer 3
     - Check Web Policy > Authentication
     - Pre-Auth ACL > Choose the ACL which you pre-defined at Security > Access Control List
WLAN > AAA Servers
     - Choose Authentication Server as ISE
WLAN > Advanced
     - Check Allow AAA override

Similar Messages

  • Question about ISE guest user account self registration

    Dear Sir,
    We are planning a guest solution for our wireless network (we have a WLC5508 and 1142 access points). Our requirements are:
    1. A guest user connects to a wireless guest SSID and opens a browser; it will redirect to the web-auth page.
    2. The web-auth page has a URL, and if the user clicks the URL, the guest user connects to another web page where the guest user can input some information (for example: username, email, cell phone ...) to create a guest user account themselves. The expiration of the user account is fixed to one day.
    3. The username and random password created for the guest user are then sent by SMS or email to the guest user.
    4. The guest user can use the username and password he received to log in to the web-auth page to use the guest wireless network.
    5. User activity information (user creation, login/logout, expire time, user IP address ...) should be logged.
    Please help to verify that ISE with the base license can meet our requirements (especially items 2 & 3).
    Best Regards,

    Hi,
    Guest registration is covered with base licenses.
    Here is some material that will bring you up to speed:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Base:
    Capabilities: Basic network access and guest access
    Network deployment support: Wired, wireless, and VPN
    License prerequisite: None
    Perpetual license
    Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    Tarik Admani
    *Please rate helpful posts*

  • Change Account Duration for ISE Guest User can not more than 5 days

    The guest account duration cannot be extended to more than 5 days.
    On the portal we can change it to more than 5 days, but the account always expires after the next 5 days.
    The email notification sent after changing the duration also said the account only has 5 days of duration.
    I'm using ISE 1.2 patch 2.

    Step 1 From the Cisco ISE Administrator interface, choose Administration > Guest Management > Settings > General > Purge.
    The Purge Settings page is displayed.
    Step 2 To schedule a purge operation, check the Enable purge settings for expired guest accounts check box.
    Step 3 Configure the following available options:
    a. Enter the purge interval, in number of days. Valid range is 1-365.
    b. Specify the hour of the day when the purge should occur.
    Date of last purge displays the date and time when the last purge operation occurred.
    Date of next purge displays the date and time when the next purge operation is scheduled to occur.
    Step 4 To immediately execute a purge of expired guest user records, click Purge Now.
    This executes a purge manually even if the Enable purge check box is not checked. This option provides you the freedom to purge records whenever you see fit.
    Step 5 Click Save
    Please check the point 3 find the value is so that it may engaged.

  • ISE, Guest user accepted by admin

    Hi all,
    I have set up a guest portal and been using it very well
    but I want guest users to get accepted by admin when they created their own ID
    so is there any way to send messages to admin when guest users create their ID ??
    and then they would be able to use their id after the admin(or sponsor) allows ??
    thank you for reading this.

    maybe I was not clear.
    I want the guest user to submit application like it is now.
    when the guest user submits application, some kind of alarm goes to admin(or sponsor) to give permissions to login for guest user
    so they can't login until admin(or sponsor) accepts their application.
    that way, we can manage guest user efficiently.
    Thank you.

  • Guest User problems

    With weblogic 6.1sp2, I get this exception for about 25-50% of random EJB calls:
    java.lang.SecurityException: Authentication for user guest denied in realm wl_realm
    Two things:
    - the guest user is not disabled
    - I am not using the guest user -- I am initializing my InitialContext with a Properties object specifying a different user and password.
    The error is truly random -- one time it will happen, another time (same call) it will not. What is going on?
    Thanks,
    Pat.

    "Patrick Forhan" <[email protected]> wrote in message
    news:3fe1c287$[email protected]..
    > With weblogic 6.1sp2, I get this exception for about 25-50% of random EJB calls:
    >
    > java.lang.SecurityException: Authentication for user guest denied in realm wl_realm
    >
    > Two things:
    > - the guest user is not disabled
    > - I am not using the guest user -- I am initializing my InitialContext with a Properties object specifying a different user and password.
    >
    > The error is truly random -- one time it will happen, another time (same call) it will not. What is going on?
    >
    I would open a support case.

  • How to use ISE Guest Portal for AD users

    Hi there,
    As the subject explains it all, I want to use ISE Guest Portal for my domain users. I have tried many different ways to authenticate users and finally I came to the conclusion that ISE CWA works pretty well and is very stable. WLC Webauth sucks a lot, it does not always redirect to the login page.
    Can you please share what other stable ways there are to authenticate AD users? I know about WPA 802.1x authentication but that requires a CA in the network which is not available at the moment. So can you please suggest?
    Otherwise, I want to use ISE Guest Portal for my AD users as well. AD is already integrated with ISE. The issue happens when I attempt to authenticate using an AD user account: the user gets authenticated but the Guest Portal redirects me to the Device Provisioning page and there it shows an error saying "there is not policy to register the device, contact system admin"
    Am I missing something??
    I am running WLC 5760 with ISE 1.2
    Thanks in advance..

    Hi,
    Can you post a screenshot of your current policies? Also, for 802.1x authentication, although it is best practice, you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the EAP interface.
    In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to be redirected to a web page multiple times throughout the day; in scenarios such as computers that sleep or users that are mobile, they will not have connectivity until they are redirected to the portal. You also gain WPA encryption on your WLAN; if you are using strictly layer 3 web auth you run into issues where encryption is not used and you rely on encryption from the application as your method of data integrity and security.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • 'Unknown user' problem in Guest account

    Hello.
    Remember the unknown user problem in the Finder that plagued everyone that upgraded from Tiger? Thanks to someone on these boards' AppleScript, I managed to fix that for my account eventually and get it changed to staff for every file and folder.
    However, I just checked out my Guest account in Leopard, and when I do a Get Info on the home folder, the public folder and the sites folder, the unknown user still appears.
    What do I need to do to fix this?
    Would reinstalling Leopard sort it out by the way? I don't want to do it because it would create countless hassles, but is there a way of reinstalling Leopard that lets me keep my own home folder and applications while killing all the permissions problems?

    Does it properly refuse authentication ? Or does the login page stop appearing or something ?
    There was a bug with the webauth dying under heavy load, regardless of number of identical accounts used.
    One good way for you to check would be, when problem occurs, to create a second backup guest user and see if that would start working. If it doesn't, the account is not the problem.
    I'm not aware of any maximum of usage of the same account.
    Which 4.2 exactly are you running ?

  • ISE MAB to external Radius then MAB internal for Guest User auth

    Hello guys,
    we have the following requirements for our ISE Guest Access Deployment:
    We want to provide guest access but only to non-company laptops. To check whether a laptop is a company or a non-company laptop, we have all MAC addresses in our ACS server. So in my understanding we have to do the following:
    - Check the MAC address against the external RADIUS server (ACS)
    - If Access-Accept returns -> Deny access
    - If Access-Deny returns -> Check the MAC address against the Internal Endpoint Store
    - If user not found -> Guest flow
    Right now I don't know how I should design it, but I need two authentication policies: first for the redirect to the external RADIUS, and then another one for the check against the internal identity endpoint store. Am I right? I don't know if that is possible.
    Really thanks for your help!!
    Greetings
    Philip

    Let me ask you a quick question: Are all domain machines Windows and joined to AD?

  • ISE DNS Question For Guest Users

    Before I ask the question, let me explain our environment.
    We have an internal 5508 controller.  We also have a 5508 DMZ controller that acts as an anchor controller.  Guest traffic is piped to the DMZ controller which provides the DHCP address, and DNS server information.  The DNS that we provide is our ISP provider DNS server information, to our guest wireless users.  There's no need to provide them with our internal DNS server information, since they're only going to the internet.
    Here's my dilemma. We are now implementing the ISE appliances so that we can better control our guest users. Currently, our guest SSID is wide open. With the ISE, we're going to initially only do self-registration for guest users. They will connect to our broadcasted SSID, and when they connect to it, they will be presented with the guest portal. There will be a link that allows them to go to a self-registration page. The dilemma is that the ISE appliances are a part of our internal 10.x.x.x network. Since the guest users will have our ISP's DNS servers, our ISE devices will not be able to be found for the redirection to the portal.
    Would anyone have any suggestions on this?  I don't want to advertise our internal DNS servers to guest users.  Thanks for any help!

    I haven't tried this before but ISE does actually allow you to assign physical ports to the Guest HTTP portal. You can see this under Administration > Web Portal Management > General > Ports. Perhaps you can:
    1. Take a physical port from your appliance and connect it to the DMZ
    2. Give it an IP address that is resolvable from the public DNS server
    3. Assign that physical port only to the guest HTTP service
    On the other hand, you could also build a DNS server just for the guest users and stick in the DMZ :)
    Not sure if this helps but just some food for thought.
    Thank you for rating helpful posts! 

  • ISE Guest-Account Single-User Multiple Logins

    Hello,
    How can I make ISE allow only one guest-user account login at a time? The actual issue I have is: when I give one guest user-id to someone, he can circulate that user-id to others, and multiple unauthorized guests can use that single user-id to connect to the Guest portal.
    Any way to restrict that?

    Restricting Guests to One Active Network Session
    You can restrict guests to having only one device connected to the network at a time. When guests attempt to connect with a second device, the currently-connected device is automatically disconnected from the network.
    This is a global setting affecting all Guest portals.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Portal Policy.
    Step 2 Check the Allow only one guest session per user option.
    Step 3 Click Save.

  • Migrate Guest Users from Prime Infrastructure 2.1 to ISE

    I have just installed a new Prime Infrastructure Server and have discovered our list of guest user accounts from the discovered Controllers. We are implementing ISE 1.3 and would like to move all the guest user accounts from Prime to ISE without doing it manually. Is there a way to either export or pull the guest users from Prime or the WLC and import them to ISE?
    I would be very interested to find out if this can be done.
    Cheers,
    Tom

    Hi Seth,
    Check the attached screen shot to find the JOB
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ****

  • Linksys M10 and Mountain Lion OS problems with Guest User - which router is best to upgrade to for Maverick and higher OS coming in fall?

    Since we upgraded our OS to Mountain Lion the Guest User on the Linksys M10 router isn't working.  Not compatible.  Which Linksys should one upgrade to for use with Maverick OS and the newer releases coming this fall and onward?

    Sorry - I have Maverick 10.9.4 and the guest user on the link sys M10 isn't compatible.  Any suggestions on which wifi router to upgrade to for newer releases of OS coming?

  • ISE Guest Portal - Error Resource not found

    Hello,
    When I create a guest user through the sponsor portal, then try to login with this guest user through the Guest Portal, after I press login button, the following error message occurs and do not know what to do to solve.
    Error: Resource not found.
    Resource: /guestportal/
    None of the messages on the forum about it helped me to solve the problem.
    I am using ISE 1.1.3.124 and this is a new re-image appliance.
    Can anyone help?                  

    Hello,
    As you are not able to get the guest portal, you need to ensure the following things:
    1) Ensure that the two Cisco av-pairs that are configured on the authorization profile exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
        url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
        url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
    2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
        Admission feature : DOT1X
        AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
        URL Redirect ACL : ACL-WEBAUTH-REDIRECT
        URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
    3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
        remark Allow DHCP
        permit udp any eq bootpc any eq bootps
        remark Allow DNS
        permit udp any any eq domain
        remark ping
        permit icmp any any
        permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
        permit tcp any host 80.0.80.2 eq www --> Provides access to internet
        permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
        permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
        permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
        permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
        deny ip any any
    Note: Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
    4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
        ip access-list extended ACL-WEBAUTH-REDIRECT
        deny ip any host 80.0.80.2
        permit ip any any
    5) Ensure that the http and https servers are running on the switch:
        ip http server
        ip http secure-server
    6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
    7) Ensure that the client machine browser is not configured to use any proxies.
    8) Verify connectivity between the client machine and the Cisco ISE IP address.
    9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
    10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
    11) Or you need to do a re-image again.
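
An offline check for steps 1, 3 and 4 of the reply above, added here as an example (it is not part of the original post and not Cisco tooling): it parses ACL text of the forms shown in the post and evaluates first-match order. The function names, the 192.0.2.x test addresses and the trimmed sample DACL are assumptions constructed for the example.

```python
PORTS = {"bootps": "67", "bootpc": "68", "domain": "53", "www": "80"}

def parse_acl(text):
    """Parse extended-ACL entries of the forms shown in the post; skips remarks and headers."""
    aces = []
    for line in text.splitlines():
        tok = line.split("-->")[0].split()          # drop the post's "-->" annotations
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        ends = []
        for _ in range(2):                          # source, then destination
            if rest[:1] == ["host"]:
                addr, rest = rest[1], rest[2:]
            elif rest[:1] == ["any"]:
                addr, rest = "any", rest[1:]
            else:
                raise ValueError(f"unsupported entry: {line.strip()}")
            port = None
            if rest[:1] == ["eq"]:
                port, rest = PORTS.get(rest[1], rest[1]), rest[2:]
            ends.append((addr, port))
        aces.append((action, proto, ends[0], ends[1]))
    return aces

def first_match(aces, proto, dst, dport, sport=None):
    """Action of the first matching entry; implicit deny if none matches.
    The source address is not evaluated (every entry in the post uses 'any')."""
    for action, a_proto, (_, a_sport), (a_dst, a_dport) in aces:
        if a_proto in ("ip", proto) and a_dst in ("any", dst) \
                and a_sport in (None, sport) and a_dport in (None, dport):
            return action
    return "deny"

# Constructed sample input, taken from the ACL lines quoted in the post.
ISE_IP = "80.0.80.2"
AV_PAIR = "url-redirect-acl=ACL-WEBAUTH-REDIRECT"
SWITCH_ACLS = {"ACL-WEBAUTH-REDIRECT": "deny ip any host 80.0.80.2\npermit ip any any\n"}
DACL = """remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
deny ip any any
"""

def audit(av_pair, switch_acls, dacl_text, ise_ip):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    name = av_pair.split("=", 1)[1]
    if name not in switch_acls:                     # names must match exactly
        findings.append(f"redirect ACL {name} not defined on switch")
    else:
        racl = parse_acl(switch_acls[name])
        # In a redirect ACL, deny means "do not redirect", permit means "redirect".
        if first_match(racl, "tcp", ise_ip, "8443") != "deny":
            findings.append("traffic to ISE is itself redirected")
        if first_match(racl, "tcp", "192.0.2.10", "80") != "permit":
            findings.append("client web traffic is never redirected")
    dacl = parse_acl(dacl_text)
    needed = {"DHCP": ("udp", "255.255.255.255", "67", "68"),
              "DNS": ("udp", "192.0.2.53", "53", None),
              "guest portal": ("tcp", ise_ip, "8443", None)}
    for label, flow in needed.items():
        if first_match(dacl, *flow) != "permit":
            findings.append(f"DACL blocks {label}")
    return findings

if __name__ == "__main__":
    print(audit(AV_PAIR, SWITCH_ACLS, DACL, ISE_IP))
```

A one-character difference between the av-pair's ACL name and the name on the switch, or a `permit ip any any` placed ahead of the `deny` for the ISE host, both show up as findings.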

  • Cisco ISE Guest Login

    Hi,
    I have a weird problem; after a guest user account has been created on Cisco ise 1.1.4 patch 8; when the guest user is redirected to the ise guest portal; the first login is always unsuccessful. Upon entering the login credential and password correctly; the client would be redirected to the same login page. Upon retrying the process a few times; it would succeed after 2-3 times.
    On the ise authentication; I see a guest authentication error; "Guest Authentication Failed : 86020: Unknown exception" with only a single step seen on the logs for troubleshooting "5431  Guest Authentication Failed"
    I would like to check if anyone has seen such an issue/behaviour? 
    Any suggestions are appreciated.
    Thanks.

    No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

  • ISE guest access - can't match on Optional Data fields

    Hi all
    I need to have 2 different types of guest users that will get different level of access with DACL / Airspace ACL
    I thought that best way to do that is simply matching one of optional data fields you can setup in Sponsor Portal
    Unfortunately as soon as I reference Optional Data field in Authorization rule I get no match. Can't also match on username which would not help anyway.
    getting redirected, login, getting redirected again etc.......
    This is affecting both wireless and wired.
    As soon as I remove that additional condition from the authz rule, guest access works fine - getting redirected, log in, surf the internet.
    Is this a bug with ISE that you can't match guest optional data fields?

    Hi evnafets,
    You were right. How silly I am, I didn't see that small thing - but STILL PROBLEM IS UNSOLVED.
    > java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver] Missing ), ], or Item in query expression 'Post_Date LIKE to_date('04-06-2005',' dd/MM/yyyy''.
    > Like it says, you have a missing ")" character
    > rs=stmt.executeQuery("SELECT Name FROM NoticeBoardTable WHERE Post_Date LIKE to_date('"+ date_str+"', 'dd/MM/yyyy' <--HERE NEED A CLOSING BRACKET ");
    When I did this it said the to_date function is not available, because MS Access doesn't have this function. Then I just changed the query to:
        rs=stmt.executeQuery("SELECT Name FROM NoticeBoardTable WHERE Post_Date LIKE "+ date_sql );
    Although it didn't generate any exception, it doesn't show any record.
    > But even better would be to use a prepared statement.
    > String sql = "SELECT Name FROM NoticeBoardTable WHERE Post_Date LIKE ?";
    > PreparedStatement stmt = con.prepareStatement(sql);
    > stmt.setDate(1, date_sql);
    > ResultSet rs = stmt.executeQuery();
    I had a prepared statement in my final servlet; I made this one just to check why it's not working on dates. Also, on your advice I changed it to a prepared statement. It runs fine but didn't show any record with date 04-06-2005 although I have it in my database (not generating any exception).
    I printed the SQL date through the servlet just to check, and it's showing 2005-06-04. Maybe it's a format problem.
    Thanks
    Regards
