ISE Guest Wifi Portal Users restricted to 5 day account

Similar Messages

• Cisco ISE Guest Sponsor Portal Isssue

  Dear all ,
  We have insatalled 5 ise 3315 boxes IOS 1.0.4 in our network where in two of them are admin node , two of policy services and one is mnt node. We are using guest sponsor portal for wirless guest user where in we have integrated WLC 5508 with ise and using weblogin for guest users.
  We have created open ssid in wlc and using external redirected url of ise for guest login page.
  But when we create any guest user in sponsor login for guest user we faced following issue
  1) When guest user gets conected to wirless and login in to guest portal with credential after putting credential  then its again redirect to same login page
  wihout successful login prompt.
  Can we pompt successful login after guest login to guest portal or redirect to any other link like google.com so guest user will gets to know he is able to access internet now
  2) We have creted time profile 8hours first login for guest user. When guest user gets connected while putting credential in to guest portal.
  But we face issue after approximately every 20 mins guest gets disconnected from internet and guest again gets login page of guest portal and if we put same credential then its working but after approx 20 min interval user get disconnected from internet.
  Can anyone help me to resolved above issue regading cisco ise guest sponsor portal
  Thanks & Regards
  Pranav Gade

  Pranav your answers are inline,
  1) When guest user gets conected to wirless and login in to guest  portal with credential after putting credential  then its again redirect  to same login page
  wihout successful login prompt. When you are using CWA (central web authentication) there is no way we can redirect users using the redirect-url because this will always redirect users for every time they initiate a web request. There is no other coa feature that will remove this condition since they have already been authenticated.  Here is a guide that explains the user experience when using central web auth -
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954
  Can  we pompt successful login after guest login to guest portal or redirect  to any other link like google.com so guest user will gets to know he is  able to access internet now No this is not possible, you can change the verbage and force the AUP to be displayed informing users that they can retry their web request after hitting the accept button.
  Here is the documented experience once users go through the guest process -
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
  2)  We have creted time profile 8hours first login for guest user. When  guest user gets connected while putting credential in to guest portal.
  But  we face issue after approximately every 20 mins guest gets disconnected  from internet and guest again gets login page of guest portal and if we  put same credential then its working but after approx 20 min interval  user get disconnected from internet. Check the advanced timer on your SSID as you may be hitting the session timeout on the WLC. Please disable this option and let the COA feature in ISE expire user sessions on the controller.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE GUEST external portal

  Hi,
  Can I integrated Cisco ISE to use external URL for guest authentication ?
  regards
  Prasad

  Hi,
  If I am understading your scenario correctly then following link might be helpful,
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_ui_reference_administration.html#wpxref85952

• ISE Guest Access- Redirect to URL after successful logon

  Currently, when guest users attempt to browse they get redirected to the guest portal.  After login, they get a message that they can now access the original URL.  Is there a way to automatically redirect to the URL they were trying to access, or remember the URL after they login?

  ISE guest flow :
  The user associates to the web authentication Service Set Identifier (SSID).
  The user opens the browser.
  The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
  The user authenticates on the portal.
  The guest portal redirects back to the WLC with the credentials entered.
  The WLC authenticates the guest user via RADIUS.
  The WLC redirects back to the original URL

• Guest WiFi not working correctly

  I just bought a new EA6300 router expecially for it's guest wifi functionality but i have problems with this feature.
  weather i log in via my laptop/ macbook/ android or iphone i can connect to the guest wifi network but the guest wifi portal is not displayed and i cannot login as guest.
  After a reset of the router the guest wifi works for a little while but fails within couple of hours.
  Is this a firmware bug or does someone knows a workaround.
  Hope Linksys can help me with this standard build in feature!!!
  Thanks in advance.

  blue_butterfly wrote:
  Hey there, bramschats! Intermittent guest network connection may be caused by wireless interference. Try changing the wireless channel of your router to either 1, 6, 9, or 11. You may also want to change your security settings to WPA2 Personal. That should take care of the intermittent connection. If all else fails, update the router's firmware.
  There is no "I"in the word Team.
  (moxx)
  hi blue_butterfly: I would kindly suggest a better way to do what you suggest. It would be best to troubleshoot the problem by looking first to see if there actually is congestion. there are apps available for free to see what channels are being used. By randomly moving to another channel you may cause others to then be interfered with causing them to move and the problem just continues to move around. Also, the only wifi channels that don't overlap (at least here in the USA) are channels 1, 6, and 11.  All the other channels cause at the very least a small amount of signal degragation to the adjacent channel. So try to find the app for whatever device you can use, android or iPhone and see what is actually out there, select the channel with the lowest signals on it and see if that helps. The channels in between 1, 6 and 11 can certainly be tried but just be aware that they are the least advisable ones to use. 
  @ bramschats: if you are able to use the guest login at some times but then it doesn't work after a while try refreshing your browser before you re-boot the router. If that still doesn't work and the only way to fix it is to reboot the router complain to belkin about it. There seems to be a lot of bugs in their software lately and the only way we will get their attention is to complain, return deivces etc. 

• Portal User Login History

  I am looking for a way to create a procedure or use an api in order to return the last time a portal user logged in to their account. Any suggestions?
  null

  I cannot think of any APIs in the PDK that will do this, but it is very simple to do via custom coding etc.
  Create a table with a minimum of these base columns:
  PORTAL_USERNAME
  LAST_LOGIN_DATE
  etc.
  You could create a custom login or logout portlet which uses the WWSEC APIs and also reference a function that adds or updates a row in the above sample table. That way you can keep track of this information. If you use a custom portlet, remember to turn off your page links as appropriate so that there are no ways to escape using the custom portlet!
  It is probably best to do it on the login process and people may not log out properly, i.e., close the browser which means you do not get an accurate picture of log in times.
  You then can in your custom portlets/apps etc. do a check against this table to do simple things like 'Welcome back John' etc. etc.

• How to use ISE Guest Portal for AD users

  Hi there,
  As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
  Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
  Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
  Am I missing something??
  I am running WLC 5760 with ISE 1.2
  Thanks in advance..

  Hi,
  Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
  In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE 1.2 Guest portal user cannot change their passwords

  I have a WLC 5508(version 7.6) and a server installed  the ISE (version 1.2.1.198)，Now we configured the CWA，Use guest portal as an employee and guest login url，We can use the manually create internal user and password successfully logged in, and we set up allow guest users to change password in Multi-Portal, but the user can not change the password in the guest portal ,I suspect the change password option on the Guest  Portal actually works? Can anyone tell me how to change their own username password in the guest portal ?

  Requiring Guests to Change Password
  You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.
  You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users . Select the specific internal user from the Network Access Users list and enable the change password check box.
  Before You Begin
  Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.
  Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.
  Step 2 Check the Guest portal to update and click Edit .
  Step 3 Click the Operations tab.
  Step 4 Check either or both options:
  Allow guest users to change password
  Require guest users to change password at expiration and first login
  Step 5 Click Save .

• ISE Guest Portal and one more SSID using internal accounts

  Hi Guys,
  I have two SSIDs on WLC, the first is related with ISE Guest Portal and the second is related with employee but i realize that the
  Guest user can access the employee SSID and employee accounts can access the Guest portal page.
  I guess this is happen because i cannot split these databases under "Internal Users" on Authentication Policy.
  How can i restrict the access even if i am using the internal databse?
  thanks a lot

  using the Authorization policy is the right way.  Match the corp ID store to the corp WLAN SSID ID in the AuthZ policy, for example (where Employee is your corp ID store and yyyy is the name of your corp SSID):

• ISE Guest Portal Time Profiles

  G'day All,
  Could someone advise if it is possible to extended or change the time profile of a guest account that has already been created? I am trying to understand using time profiles from within the Sponsor Portal. Imagine a guest user has an account created that gives them 2 weeks access, towards the end of the 2 weeks the user requires another week of access.
  From what I can see in both the ISE time profiles config page and from within the sponsor portal, either the user would have to wait until the existing account expired and have a new account created or a new account would have to be created to grant the additional access, and the existing account could be deleted, I am just seeking clarification of whether time extensions for Guest Accounts is possible prior to the account expiring.
  Currently using ISE 1.1.3
  Thanks in advanced guys.
  James.      

  Please follow the below steps to edite the time profile:
  Adding, Editing, or Duplicating Time Profiles
  To add or edit a time profile, complete the following steps:
  Step 1 From the Cisco ISE Administration interface, select Administration > Guest Management > Settings > Guest > Time Profiles.
  Step 2 Click one of the following:
  • Add—to create a new time profile
  • Edit—to edit an existing time profile
  • Duplicate—to duplicate an existing time profile
  Step 3 Enter the name and description of the new time profile.
  Step 4 Select a Time Zone for Restrictions. Time Restrictions are a set of time periods during which a guest account associated with that time profile would not be granted access to the network or guest portal.
  Step 5 From the Account Type drop- down menu, choose one of the predefined options:
  • StartEnd—allows sponsors to define start and end times for account durations
  • FromFirstLogin—allows sponsors to define the duration of time that guests can have access after login
  • FromCreation—allows sponsors to define the duration of time that guest can have access after account creation
  Step 6 Set the Duration for which the account will be active. The account expires after the duration set here has expired. This option is available only if you select the Account Type as FromFirstLogin or FromCreation.
  Step 7 Set the Restrictions for the guest access.
  These restrictions are composed of a day of the week and a start and end clock time. The Time Zone value specified in the time profile affects the clock times set in any of the Time Restrictions within the time profile. For example, a Time Restriction that specifies Monday 12:00 am to 8:00 am and Monday 6:00 pm to 11:59 pm would only grant system access between 8:00 am and 6:00 pm on Mondays within the time zone of the time profile. Any other day of the week would have no time restriction in this example and system access would be granted at any time.
  Step 8 Click Submit.

• ISE Guest-Account Single-User Multiple Logins

  Hello,
  How to make ISE to only allow  one guest-user account login at a time.    the actual issue I have is- when I give one Guest user-id to someone, he can circulate that user-id with others and multiple unauthorized guests can use that single user-id to connect to Guest-portal
  Anyway to restrict that ?

  Restricting Guests to One Active Network Session
  You can restrict guests to having only one device connected to the network at a time. When guests attempt to connect with a second device, the currently-connected device is automatically disconnected from the network.
  This is a global setting affecting all Guest portals.
   Step 1 Choose Administration > Web Portal Management > Settings > Guest > Portal Policy.
  Step 2 Check the Allow only one guest session per user option.
  Step 3 Click Save .

• ISE Guest Portal Failover For New Requests

  I have one controller and two ISE 1.2 nodes (primary and secondary)  for resiliency, not capacity.  Each ISE node has one interface for Management and one interface for Guest Portal.  PSN is active on both nodes.  The WLC chooses the ISE node (with fallback) for authentication.  For guest authentication, the user should be redirected to one of the two Guest Portals. What is the best method for choosing and correctly redirecting the user to the Guest Portal (including when one is down).  Is there another/simpler solution than a load-balancer for this scenario. Node Groups are for pending sessions and I need a solution for new sessions.
  Thanks.             

  You dont need to do that, once the WLC has deemed a PSN down, new mab requests are sent to the next psn in your radius list on the wlc, and the other psn will reply with its own hostname in the redirect url.

• ISE Guest portal digital public certificate with dual deployment

  I have a deployment of ISe which has a primary and secondary node.  We are using ISE for Guest web access and it's Guest portal functionality.
  I have installed a public VeriSign certificate onto the primary node so that guest users don't certificate errors when they get redirected to the guest portal.
  We have a DNS server with an entty for the guest portal URL e.g. guest.company.com with the IP adresses of both ISE servers.
  When users are loggin onto the guest wireless it is pot luck whether or not they get the primary ISE node because of the DNS round robin of the ISE IP addresses.
  Is there anyway to make the secondary ISE node use the Verisign certificate as well or do I need to buy another certificate which is linked to the secondary ISE nodes FQDN?
  (the certificate I have currently has a CN of the FQDN of the primary ISE server with subject alternative names of the secondary ISE node and the guest web redirect URL).
  Any help would very much be appreciated.
  thanks
  Craig

  Hi Craig,
  Please check the below link with a similar prob,  might help.
  https://supportforums.cisco.com/thread/2161878

• ISE Guest portal CWA - Webauth exit button on Login Successful page not working (Safari and Chrome)

  Hello
  Has anyone else experienced the issue where this exit button works when IE is used to login to the ISE Guest portal, but not when Chrome is used. Same for Safari (from IPAD).
  Sent from Cisco Technical Support iPad App

  Google Chrome is not a fully supported browser  for use with the Administrative User Interface of the Identity Services Engine  (ISE), Version 1.1.3 and earlier.

• ISE - Guest Portal Voucer

  hi all,
  my customer has set Wireless LAN Guest Voucher for 28 days however after 6 days its not working.
  Our customer gives Wireless LAN Guest User a 28 days voucher from ISE Guest Portal Solution. After 6 days of using the accounts will not work. Must be deleted and added new. These accounts are not expired, but the login will fail after 6 days.
  any idea why this is or do I need to escalte this to Cisco?
  regards,
  Lance

  You might have another limiter in there. have are your durations configured?
  //////only if expiring////////////////////////
  You are probably hitting the account duration set on the Sponsor Group that created the voucher.
  this can be set under administration -> sponsorgroups -> click on the sponsor group in question -> authorization levels -> and set the Max duration for accounts.