ISE: Multiple simultaneous guest logins
We have noticed that when someone gains access with web authentication as a guest, the system does not take care of avoiding multiple authentications by the same user...
This is really bad, as the credentials can easily be passed between malicious guests.
The right process should be:
login > store mac address > permit only that one > allow access until the guest authorization expires with mac+Usercredentials
This is not acceptable in an access control solution like this.
For now I'm looking for a workaround... and your help.
A second question arises when thinking about the way the DHCP release/renew on CoA happens.
It doesn't work as it should... most of the time the IP is not renewed according to the authorized network...
AND (this is very bad)
it needs administrative rights on the PC where it is meant to happen..... what if our guests don't have those privileges?
Thanks for your replies
G
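The "login > store MAC > permit only that one > until expiry" process proposed above, written out as an added example (my code, not anything from the thread or from ISE): a small guard that binds a guest username to the first client MAC that authenticates and refuses the same credentials from any other device until the authorization expires. The events, MAC formats and time-to-live values are constructed for the demonstration.

```python
"""Guest-login binding guard (added example, not from the original thread).

Enforces the one-device rule the post asks for: the first successful guest
authentication binds the username to the client MAC; later authentications
with the same username are accepted only from that MAC, until the guest
authorization expires, at which point the binding is released.
"""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str          # normalised "aa:bb:cc:dd:ee:ff"
    expires_at: float  # epoch seconds when the guest authorization ends


class GuestLoginGuard:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._bindings: dict[str, Binding] = {}

    @staticmethod
    def _norm_mac(mac: str) -> str:
        # Accept "0021.abda.cd28", "00-21-AB-DA-CD-28" or "00:21:ab:da:cd:28".
        hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
        if len(hexdigits) != 12:
            raise ValueError(f"bad MAC address: {mac!r}")
        return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

    def authenticate(self, user: str, mac: str, ttl_seconds: int) -> tuple[bool, str]:
        """Return (allowed, reason). The credentials are assumed to have been
        verified already; this layer only enforces the one-device rule."""
        mac = self._norm_mac(mac)
        now = self._now()
        current = self._bindings.get(user)
        if current is not None and current.expires_at <= now:
            del self._bindings[user]         # authorization expired: release binding
            current = None
        if current is None:
            self._bindings[user] = Binding(mac, now + ttl_seconds)
            return True, "bound"
        if current.mac == mac:
            return True, "same-device"       # re-auth from the bound device
        return False, f"already bound to {current.mac}"

    def active_device(self, user: str) -> str | None:
        """MAC currently bound to the user, or None if unbound/expired."""
        b = self._bindings.get(user)
        if b is None or b.expires_at <= self._now():
            return None
        return b.mac


if __name__ == "__main__":
    guard = GuestLoginGuard()
    # Constructed events: one guest, credentials reused from a second laptop.
    print(guard.authenticate("guest1", "0021.abda.cd28", 3600))   # (True, 'bound')
    print(guard.authenticate("guest1", "aa:bb:cc:dd:ee:ff", 3600))  # (False, 'already bound to 00:21:ab:da:cd:28')
```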
Hello. I asked the same question to a Cisco engineer during an ISE webinar. He told me that this feature is not available at the current time. The exact question was:
Q: Is the feature "limit concurrent logins" for guest users on the roadmap, and for what ISE version?
A: Current target is ISE 1.3, Q3CY13. Note that the ISE 1.3 feature list is not committed at this time.
This question should appear in the Q&A of the webinar "Voice of the Engineer - TrustSec & Identity Services Engine" in the Cisco Communities web.
Please rate if it helps
Similar Messages
-
ISE no redirect to origin URL after guest login
Hi, is there a possibility to redirect a guest user to the origin URL after he logged in successfully?
Right now the attached file is what the user sees after login.
Thanks!
The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required because the portal provides features such as device registering and self-provisioning. The flow includes these steps:
The user associates to the web authentication Service Set Identifier (SSID).
The user opens the browser.
The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
The user authenticates on the portal.
The guest portal redirects back to the WLC with the credentials entered.
The WLC authenticates the guest user via RADIUS.
The WLC redirects back to the original URL.
This flow includes several redirections. The new approach is to use central web authentication. This method works with ISE (versions later than 1.1) and WLC (versions later than 7.2). The flow includes these steps:
The user associates to the web authentication SSID, which is in fact open+macfiltering and no layer 3 security.
The user opens the browser.
The WLC redirects to the guest portal.
The user authenticates on the portal.
The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
The user is prompted to retry the original URL.
-
Multiple simultaneous logins no longer being prohibited when unchecked
Since (I think) the most recent raft of software updates were installed, multiple simultaneous logins are no longer being prohibited when the box is unchecked in a user's logon account.
My users are now logging onto different computers and 'lending' their account to people who are not students.
Is anyone else experiencing this anomaly since 10.5.7 or thereabouts?
Figured it out, I just had to restart the server for the changes to take effect.
-
ISE 1.2 Guest Portal Profiling Certainty Factor not Increase
Hi, I have configured the ISE 1.2 Guest Portal and checked profiling for which device logs in, but I found that the endpoint profile does not match after the user successfully authenticates.
Profiling configuration and endpoint details are in the attachment below.
Hi salodh,
as you can see in the attached file, all profiling is configured correctly and the condition should match according to User-Agent Contains Android (profile3.png), and the Certainty Factor must increase (profile2.png) in this case, but the Total Certainty Factor is still 0 in the endpoint profile (profile1.png).
-
ISE 1.2 Guest Access session expired
We have set up the ISEs to allow wired guest users to logon with CWA but every time we get
"Your session has expired. Sign on again".
We successfully get to the portal and can logon, change password, accept conditions but then we just get the session expired page.
From the switch (some data redacted for privacy):
sw01#sh auth ses int f0/1
Interface: FastEthernet0/1
MAC Address: 0021.xxda.xx28
IP Address: xxx.xx.40.45
User-Name: 00-21-xx-DA-xx-28
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 901
ACS ACL: xACSACLx-IP_GuestWired_ISE_Portal_Access-53182da8
URL Redirect ACL: dot1x_WEBAUTH-REDIRECT
URL Redirect: https://guest.ourdomain.com:8443/guestportal/gateway?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1262FB000000FA0FCEFDB8
Acct Session ID: 0x000001CF
Handle: 0x370000FB
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
The ISE reports a failed login:
Event: 5418 Guest Authentication Failed
Failure Reason: 86017
Now the reason appears to be that the guest portal being accessed is on an ISE in our DMZ, but the RADIUS/MAB authentication is done by our internal ISEs (all ISEs are part of the same cluster, however). This is because the NAD is a switch and its management interface is on the inside of the network, while the guest VLAN is in a DMZ. If we authenticate the RADIUS and guest on the same ISE (by breaking routing/security) then the access is granted and it all works correctly.
We are surmising that the session ID sent by the RADIUS ISE server is not available to the Guest Portal ISE server, so the session ID does not exist in the session cache.
So does the guest portal ISE server have to be the same ISE server that does the RADIUS/MAB session generation? There is no obvious way to tie a FQDN (e.g. guest.ourdomain.com) to the ISE used by the NAD.
Should the session ID not be shared across all enforcement nodes?
Any other ideas or thoughts?
Chris Davis
Thanks Jan, do you know if this is by design, even across nodes in node groups? I'm guessing that Bug CSCul10677 is the same issue.
Thing is, it rather makes the CWA static IP/Hostname option redundant/useless in a resilient configuration. It also means that the NAD must use the guest network for dot1x traffic, or that the guest network must be able to route over/into the internal network, neither of which appear to be ideal from a security perspective...
-
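As an added example for the "session expired" thread above (my code, not anything from the thread or from ISE), the following decodes the URL-Redirect shown in the switch output: the 24-hex-digit sessionId is the Cisco Common Session ID, whose first 8 hex digits are the NAD's IP address, followed by a session counter and a timestamp field. The per-node session caches and the node names ise-internal/ise-dmz are assumed, modelling the behaviour the poster describes: the portal node can only honour the redirect if it holds that session itself.

```python
"""Decode an ISE CWA redirect URL and check which node can serve it
(added example, not from the original thread)."""
from __future__ import annotations

import ipaddress
from urllib.parse import parse_qs, urlsplit

HEX = set("0123456789abcdefABCDEF")


def parse_cwa_redirect(url: str) -> dict:
    """Split the redirect URL into portal target, portal name, action and the
    fields of the Common Session ID (NAD IP, session count, timestamp)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    sid = qs.get("sessionId", [""])[0]
    if len(sid) != 24 or any(c not in HEX for c in sid):
        raise ValueError("sessionId is not a 24-hex-digit Common Session ID")
    return {
        "portal_host": parts.hostname,
        "portal_port": parts.port,
        "portal": qs.get("portal", [""])[0],
        "action": qs.get("action", [""])[0],
        "session_id": sid.upper(),
        # First 8 hex digits: the NAD's IP address (switch that created the session).
        "nad_ip": str(ipaddress.IPv4Address(int(sid[:8], 16))),
        "session_count": int(sid[8:16], 16),
        "timestamp_field": int(sid[16:24], 16),
    }


def portal_lookup(session_id: str, portal_node: str,
                  caches: dict[str, set[str]]) -> str:
    """Constructed model: each PSN knows only the sessions it authenticated.
    Return 'ok' if the portal node holds the session, else the failure the
    guest would see (the thread's 'Your session has expired', reason 86017)."""
    if session_id in caches.get(portal_node, set()):
        return "ok"
    owners = [node for node, sessions in caches.items() if session_id in sessions]
    if owners:
        return (f"session expired: session held by {owners[0]}, "
                f"portal served by {portal_node}")
    return "session expired: unknown session"


# URL-Redirect value from the switch output in the thread.
REDIRECT = ("https://guest.ourdomain.com:8443/guestportal/gateway"
            "?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa")

if __name__ == "__main__":
    info = parse_cwa_redirect(REDIRECT)
    print(info)
    # Constructed caches: MAB was handled by the internal node, portal is in the DMZ.
    caches = {"ise-internal": {info["session_id"]}, "ise-dmz": set()}
    print(portal_lookup(info["session_id"], "ise-dmz", caches))
    print(portal_lookup(info["session_id"], "ise-internal", caches))
```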
ISE 1.2 Guest portal user cannot change their passwords
I have a WLC 5508 (version 7.6) and a server with ISE installed (version 1.2.1.198). Now we have configured CWA and use the guest portal as the employee and guest login URL. We can log in successfully with a manually created internal user and password, and we set "allow guest users to change password" in Multi-Portal, but the user cannot change the password in the guest portal. I wonder whether the change password option on the Guest Portal actually works. Can anyone tell me how users can change their own password in the guest portal?
Requiring Guests to Change Password
You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.
You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users . Select the specific internal user from the Network Access Users list and enable the change password check box.
Before You Begin
Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.
Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.
Step 2 Check the Guest portal to update and click Edit .
Step 3 Click the Operations tab.
Step 4 Check either or both options:
Allow guest users to change password
Require guest users to change password at expiration and first login
Step 5 Click Save.
-
I am letting a friend use my computer as a surrogate for the time being to backup her phone and photos. I had never used the guest login before and didn't realize that all the files would be lost at logout. I haven't logged out yet but I need help trying to get the iphoto library onto a thumb drive. If at all possible I would like to get the backup from itunes as well.
I have already copied all of the photos out of iphoto but that doesn't save the time, date and location of them. I cannot access the folder to move the iphoto library because of it being in the guest login. I have already deleted the photos off of the phone so that is a no go.
I've been trying to search for an answer but haven't had any luck yet. Any help would be greatly appreciated.
"have already copied all of the photos out of iphoto but that doesn't save the time, date and location of them."
Export them
File -> Export
This User Tip
https://discussions.apple.com/docs/DOC-4921
has details of the options in the Export dialogue.
-
Guest Login feature in SRM 7.0
Hi,
How do we use Guest Login feature in SRM 7.0? Requirements are given below.
1. Purchaser publishes Public RFx.
2. In the company's web portal, a link "Open Tender - Click here" is given to enable a one-time bidder to participate in the open tender.
3. A new bidder who is not registered as a bidder in the organisation would like to participate in the bidding. He clicks on the above link in the organisation's web portal, which will log him in as "Guest" and direct him to the SRM portal, where the bidder can see public tender bids.
4. He opens the bid and analyses the details. Then he can decide to participate.
5. Then either ROS can be used, or conventionally he can send mail to the organisation requesting to be a bidder.
I heard some custom developments are done in a few projects with custom screens. But can we achieve the same in a standard way? If developments are required, what complexities or process are involved in the developments?
Regards,
Prasanna
Hi Vineela,
According to my information this BADI still exists.
There was a note that entered this BADI into SRM 6.0
1158310 SOCO: Missing BADI in search (first screen)
In SRM 7 this code is here, you could have a look and set BP in /SAPSRM/IF_CLL_DOM_SOCO_GAF1~SEARCH
to check what is happening, it may be something small.
There is nothing on our database about other customers with similar complaints.
The method you would need for sourcing is
IF_EX_BBP_WF_LIST~BBP_WF_LIST_SOCO
Hope this helps,
Kind Regards,
Matthew
-
WLC to ISE authentication for Guest
Hi Experts,
Hope if you could guide me with our setup for Guest users. Below is what we are doing
a) Guest connects to SSID
b) WLC is being used to redirect Guest HTTP to WLC internal Portal
c) WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
The guest connects to the SSID and does get the WLC portal for authentication; when the username and password are entered, on Cisco ISE I see the error message
'User Identity not found in any of Identity Store', though it is going through the correct store and the guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4; please let me know if I am missing anything here.
Appreciate your help
The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
Please follow below guide for step by step configuration:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
-
How to disable the guest login in OBIEE 11g?
Hi,
Whenever i click on analytics link, Guest automatically logs in , then i have to logout in order for the user to log in.
How do we disable this Guest login?
Thanks
Ashish
-
ISE 1.3 Guest API - using custom fields for guest creation?
I am currently working with the new ISE 1.3 guest API. I have most everything working: I can create guests fine, with the basic information entered into the guest account like first name, last name, company, email, phone and so on. Now I need some more fields to enter other information for that guest, and I have created 5 extra custom fields called option1-option5 and enabled them for the "Known Guests" page on my sponsor portal. I can however not figure out how they should be addressed in the XML input sent in the API request... anyone tried this?
Regards
Jan
Hi Johan,
Sure I can lead the way. The stuff I am doing is part of a complete system I build and sell, that integrates with ISE to give customers the ability to create guest accounts using a number of different social media (Facebook, Google and so on), to self-provision accounts for guest access (and many other things :-)
I mainly use PHP for this, and for simplicity you can use a curl command line executed by any scripting you prefer, or use any curl library you might have available to you.
So, you need an ISE sponsor account that has the "api usage flag" allowed in the sponsor group it is a member of. Then you need to know a few things about the ISE setup that need to be sent with your request to ISE, to allow the creation of a guest account.
If you need some code examples, send me a pm and we can figure something out
API Reference :
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/api_ref_guide/api_ref_book/ise_api_ref_guest.html
-
SDDM guest login, transition to KDE Framework
Hi,
I am preparing the Transition to KDE Frameworks and as a first step I want to install SDDM, as suggested here.
Some time ago I set up an Ubuntu-style guest account (guest login) with KDM/KDE4 and would like to keep that in SDDM. A home directory is set up on a temporary file system on KDM start (as root, before the login dialog appears, see below), and cleaned/recreated after each logout. I copied it from here. Now the question:
Is it possible to do that in SDDM?
There is an entry "Guest-login" on a TODO page of SDDM at github, which is about half a year old. So don't know if that has been implemented or not. Do you know?
Also, there is a Wishlist entry on the SDDM github site, which seems to request just what I need. There it is suggested to use pam_mount and systemd (auto)mount units in a user-session, but I'm not sure if that would help in my problem?
Currently I'm calling a script "guest-account" (see below) in /usr/share/config/kdm/Xsetup. Xsetup looks like:
#! /bin/sh
# Xsetup - run as root before the login dialog appears
/root/scripts/guest-account add
And /usr/share/config/kdm/Xreset looks like:
#! /bin/sh
# Xreset - run as root after session exits
if [ "$USER" = 'guest' ]; then
    /root/scripts/guest-account remove guest
    /root/scripts/guest-account add
fi
The script guest-account (found it here) looks like:
#!/bin/sh -e
# (C) 2008 Canonical Ltd.
# Author: Martin Pitt <[email protected]>
# License: GPL v2 or later
# modified by David D Lowe and Thomas Detoux
# Setup user and temporary home directory for guest session.
# If this succeeds, this script needs to print the username as the last line to
# stdout.

add_account ()
{
    mkdir /tmp/guest
    HOME="/tmp/guest"
    USER=`echo $HOME | sed 's/\(.*\)guest/guest/'`

    # if $USER already exists, it must be a locked system account with no existing
    # home directory
    if PWSTAT=`passwd -S "$USER"` 2>/dev/null; then
        if [ "`echo \"$PWSTAT\" | cut -f2 -d\ `" != "L" ]; then
            echo "User account $USER already exists and is not locked"
            exit 1
        fi
        PWENT=`getent passwd "$USER"` || {
            echo "getent passwd $USER failed"
            exit 1
        }
        GUEST_UID=`echo "$PWENT" | cut -f3 -d:`
        if [ "$GUEST_UID" -ge 500 ]; then
            echo "Account $USER is not a system user"
            exit 1
        fi
        HOME=`echo "$PWENT" | cut -f6 -d:`
        if [ "$HOME" != / ] && [ "${HOME#/tmp}" = "$HOME" ] && [ -d "$HOME" ]; then
            echo "Home directory of $USER already exists"
            exit 1
        fi
    else
        # does not exist, so create it
        # Arch Linux modification: Ubuntu/Debian uses their own adduser package,
        # which works differently from the one provided by the shadow package.
        # Instead, use useradd, which works in any distro.
        # Only the syntax is changed
        #   adduser -> useradd
        #   --system -> --system
        #   --no-create-home -> --no-create-home
        #   --home -> --home-dir
        #   --gecos -> --comment
        #   --group -> --user-group
        #   --shell -> --shell
        #adduser --system --no-create-home --home / --gecos "Guest" --group --shell /bin/bash $USER || {
        useradd --system --no-create-home --home-dir / --comment "Guest" --user-group --shell /bin/bash $USER || {
            umount "$HOME"
            rm -rf "$HOME"
            exit 1
        }
        echo "guest:guest" | chpasswd
    fi

    # create temporary home directory
    mount -t tmpfs -o mode=700 none "$HOME" || { rm -rf "$HOME"; exit 1; }
    chown $USER:$USER "$HOME"

    gs_skel=/etc/guest-session/skel/
    if [ -d "$gs_skel" ] && [ -n "`find $gs_skel -type f`" ]; then
        cp -rT $gs_skel "$HOME"
    else
        cp -rT /etc/skel/ "$HOME"
    fi
    chown -R $USER:$USER "$HOME"
    usermod -d "$HOME" "$USER"

    # Load restricted session
    #dmrc='[Desktop]\nSession=guest-restricted'
    #/bin/echo -e "$dmrc" > "$HOME"/.dmrc
    chown -R $USER:$USER "$HOME"

    # the caller (Xsetup) expects the username as the last line of output
    echo $USER
}

remove_account ()
{
    USER=$1

    PWENT=`getent passwd "$USER"` || {
        echo "Error: invalid user $USER"
        exit 1
    }
    USERUID=`echo "$PWENT" | cut -f3 -d:`
    HOME=`echo "$PWENT" | cut -f6 -d:`

    # deluser is provided by the adduser package on Debian/Ubuntu. userdel
    # doesn't have a '--system' parameter, which causes deluser to only delete
    # system users, so this will be handled using this script.
    SYS_UID_MIN="$(grep SYS_UID_MIN /etc/login.defs | awk '{print $2}')"
    SYS_UID_MAX="$(grep SYS_UID_MAX /etc/login.defs | awk '{print $2}')"
    if [ "$USERUID" -lt "$SYS_UID_MIN" ] || [ "$USERUID" -gt "$SYS_UID_MAX" ]; then
        echo "Error: user $USER is not a system user."
        exit 1
    fi

    if [ "${HOME}" = "${HOME#/tmp/}" ]; then
        echo "Error: home directory $HOME is not in /tmp/."
        exit 1
    fi

    # kill all remaining processes
    while ps h -u "$USER" >/dev/null; do
        killall -9 -u "$USER" || true
        sleep 0.2
    done

    umount "$HOME" || umount -l "$HOME" || true
    rm -rf "$HOME"

    # remove leftovers in /tmp
    find /tmp -mindepth 1 -maxdepth 1 -uid "$USERUID" -print0 | xargs -0 rm -rf || true

    #deluser --system "$USER"
    userdel "$USER"
}

case "$1" in
    add)
        add_account
        ;;
    remove)
        if [ -z "$2" ] ; then
            echo "Usage: $0 remove [account]"
            exit 1
        fi
        remove_account "$2"
        ;;
    *)
        echo "Usage: $0 add|remove"
        exit 1
        ;;
esac
Last edited by stri (2015-01-29 04:00:19)
-
Release 12 enforces multi-org. We have the profile options 'MO: Operating Unit' and 'MO: Default Operating Unit' set to our one and only org_id. Is there also a default responsibility that needs to be set to allow GUEST access to an OAF page in R12?
Thanks,
Elaine
-
Cisco ISE or NAC Guest with web security (IronPort) integration
All,
We have a scenario where guests will be authenticated against the ISE or NAC Guest server, and the customer will place an IronPort to provide web security. However, we cannot find references as to whether IronPort can or cannot integrate with the Guest Server, so that guests are not requested to authenticate twice, once by the Guest Server and once by the proxy. The idea is to keep it transparent for the guests, with a single authentication.
Has anyone there implemented such scenario?
Thank you!
I see. So, let's say we disable proxy authentication for the guest segment: can I still provide content filtering for the segment, even though there is no proxy authentication? I assume the customer will lose the reporting and tracking granularity, but the scenario will work without proxy authentication. This may be some sort of "man in the middle" only, but with content filtering. Does it make sense?
Thank you!
-
Multiple Simultaneous ODBC Connections
Running into a problem when trying to pull data from Oracle via the Merant drivers. If two databases are building simultaneously and both need to connect to the same Oracle servers at the same time (or, if one database is loading data and a developer is building a data load rule that hits the same server) we get an error stating:
SQL driver for [ODBC name] is in use and does not allow multiple connections.
This is a problem not only as it slows development (waiting for one load to finish before building another load rule) but can prevent a successful automated build should one app still be loading data prior to the second app starting to load data.
Is there a way to allow an Essbase server to connect multiple simultaneous connections to a data source, like Oracle?
-
joepvd wrote:
I need to connect to two vpn networks, and I am using netcfg. I can connect to both networks separately, but it does not work to have both networks up at the same time.
This is the configuration:
vpn1: 10.0.0.0/255.0.0.0 vpnc
vpn2: 10.0.0.0/255.0.0.0 pptp
There is of course a collision in the address space. These are my routing requirements:
default gateway should stay at the gw without VPNs.
All traffic to 10.0.0.0/255.0.0.0 should go to vpn1
Traffic to 10.1.2.3 and 10.5.6.7 should go to vpn2
You need to configure your VPN servers differently. You can not have conflicting subnets.
Also, PPTP is not secure. You should look into OpenVPN if you are in control of the VPN servers and have the authority to choose. OpenVPN is also much easier to configure. You simply add this to the end of the server config for vpn2.
push "route 10.1.2.3 255.255.255.255"
push "route 10.5.6.7 255.255.255.255"
Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2
DEFCON 19: Whitfield Diffie and Moxie Marlinspike
https://www.youtube.com/watch?v=sIidzPntdCM
Last edited by hunterthomson (2013-01-28 09:06:24)
-
ERROR: NO_GUEST: Guest login not allowed from client startup
We are getting the following error with Express 6.3.4 when connecting to the Express server from Objects using a connection editor.
The error message is
Error #12150 in XPCUBE: Non-fatal (0300): Data Manager is unable to generate transmission.
Error #10300 in XDMRESP: Non-fatal (0300): ERROR: NO_GUEST: Guest login not allowed from client startup
Encountered similar error while calling from OLAP web application.
In stored procedure XWD_RAMSTARTUP: The following Express
Server error occurred: NO_GUEST: Guest login not allowed from
client startup
Which I believe is the same reason.
Can you please suggest what could be the problem and how we can overcome this?
In the Connection Editor, under "Relational Data -> Settings", did you check the "Personal Configuration" box?
If you did, you should ensure the Authentication type is not set to "None".