Ise: Multiple simultaneous guest logins

We have noticed that when someone gains access via web authentication as a guest, the system does not take care of avoiding multiple authentications by the same user...
This is really bad, as the credentials can easily be passed between malicious guests.
The right process should be:
login > store MAC address > permit only that one > allow access until the guest authorization expires, with MAC + user credentials
This is not acceptable on an access control solution like this.
For now I'm looking for a workaround... and your help.
A second question arises when thinking about the way the DHCP release/renew on CoA happens:
it doesn't work as it should... most of the time the IP is not renewed according to the authorized network...
AND (this is very bad)
it needs administrative rights on the PC where it is meant to happen..... what if our guests don't have those privileges?
Thanks for your replies
G
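The binding the post asks for (login, store the MAC, permit only that MAC until the guest authorization expires), written out as a small policy table. This is an added example, not code from the original post and not part of Cisco ISE; the class and function names are hypothetical, it assumes the portal or RADIUS policy hook can see the client MAC (Calling-Station-Id) and a clock, and the guest account and MAC addresses below are constructed sample data (the two MAC notations mirror the ones a Cisco switch prints).

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def normalize_mac(mac):
    """Accept 0021.abda.cd28, 00-21-AB-DA-CD-28 or 00:21:ab:da:cd:28 and
    return the lowercase colon form, so the same device always compares equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class GuestPolicy:
    """Guest credentials are bound to the first MAC that logs in with them.
    The same credentials from a different MAC are refused until the account
    expires or an operator revokes the binding (e.g. after a CoA Disconnect)."""

    def __init__(self):
        self._accounts = {}   # username -> (salt, pbkdf2 digest, expires_at)
        self._bindings = {}   # username -> normalized MAC

    def create_guest(self, username, password, expires_at):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._accounts[username] = (salt, digest, expires_at)

    def _password_ok(self, username, password):
        salt, digest, _ = self._accounts[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def authorize(self, username, password, mac, now):
        """Return (allowed, reason). `now` and `expires_at` are seconds on the same clock."""
        mac = normalize_mac(mac)
        account = self._accounts.get(username)
        # Unknown user and wrong password return the same reason: do not leak which.
        if account is None or not self._password_ok(username, password):
            return False, "bad-credentials"
        if now >= account[2]:
            self._bindings.pop(username, None)   # authorization window over: drop the binding
            return False, "account-expired"
        bound = self._bindings.get(username)
        if bound is None:
            self._bindings[username] = mac        # first login: bind credentials to this device
            return True, "bound"
        if bound == mac:
            return True, "rebind-same-mac"        # reconnect / DHCP renew from the same device
        return False, "already-bound-to-other-mac"

    def revoke(self, username):
        """Release the MAC binding; returns the MAC that was bound, or None."""
        return self._bindings.pop(username, None)
```

The reason strings are what a portal would log; an access control decision should be taken on the boolean only. Revoking the binding is the operator's escape hatch when a guest legitimately swaps devices, and is the point at which a CoA Disconnect for the old session would be sent.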

Hello. I asked the same question of a Cisco engineer during an ISE webinar. He told me that this feature is not available at the current time. The exact question was:
Q: Is the feature "limit concurrent logins" for guest users on the roadmap, and for what ISE version?
A: Current target is ISE 1.3, Q3CY13. Note that the ISE 1.3 feature list is not committed at this time.
This question should appear in the Q&A of the webinar "Voice of the Engineer - TrustSec & Identity Services Engine" on the Cisco communities web site.

Similar Messages

  • ISE no redirect to origin URL after guest login

    Hi, is there a possibility to redirect a guest user to the origin URL after he logged in successfully?
    Right now the attached file is what the user sees after login.
    Thanks!

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required because the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    1. The user associates to the web authentication Service Set Identifier (SSID).
    2. The user opens the browser.
    3. The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
    4. The user authenticates on the portal.
    5. The guest portal redirects back to the WLC with the credentials entered.
    6. The WLC authenticates the guest user via RADIUS.
    7. The WLC redirects back to the original URL.
    This flow includes several redirections. The new approach is to use central web authentication. This method works with ISE (versions later than 1.1) and WLC (versions later than 7.2). The flow includes these steps:
    1. The user associates to the web authentication SSID, which is in fact open+macfiltering and no layer 3 security.
    2. The user opens the browser.
    3. The WLC redirects to the guest portal.
    4. The user authenticates on the portal.
    5. The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
    6. The user is prompted to retry the original URL.
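The CoA step above is a RADIUS exchange of its own (RFC 5176): the server sends a CoA-Request, the NAD answers CoA-ACK or CoA-NAK, and both packets carry an MD5-based authenticator keyed with the shared secret. The code below builds and checks both sides of that exchange. It is an added example, not code from the original thread, from Cisco or from any RADIUS library; it assumes a hypothetical shared secret, uses the session ID and MAC from this page's switch output only as constructed sample data, and sends to UDP/1700 as the post says (Cisco's default; the IANA port in RFC 5176 is 3799). Session identification here uses the standard Acct-Session-Id and Calling-Station-Id attributes; a given vendor may expect its own attribute instead.

```python
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
COA_PORT = 1700                   # as in the post; RFC 5176 assigns 3799

# Standard attribute types (RFC 2865/2866) that RFC 5176 lists for session identification.
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44


def _encode_attrs(attrs):
    """TLV-encode (type, value) pairs; RADIUS attribute length counts the 2-byte header."""
    out = b""
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must be 0..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header, refusing malformed lengths."""
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[i + 2:i + alen]))
        i += alen
    return attrs


def build_coa_request(secret, identifier, attrs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    req_auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + req_auth + body


def verify_coa_request(secret, packet):
    """What a NAD must do before acting on a CoA-Request: recompute and compare the authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(secret, request, ack=True, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", COA_ACK if ack else COA_NAK, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_coa_response(secret, request, response):
    """Bind the reply to our request: same identifier, authenticator chained to our Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_coa(nad_ip, secret, attrs, identifier=1, port=COA_PORT, timeout=3.0):
    """Send one CoA-Request to a NAD and return True on an authenticated CoA-ACK."""
    request = build_coa_request(secret, identifier, attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nad_ip, port))
        response, _ = sock.recvfrom(4096)
    if not verify_coa_response(secret, request, response):
        raise ValueError("CoA response failed the authenticator check")
    return response[0] == COA_ACK
```

The authenticator is the only thing standing between a spoofed CoA and a session being re-authorized or torn down, so both the NAD-side check (`verify_coa_request`) and the server-side check (`verify_coa_response`) are written as constant-time comparisons and reject length or identifier mismatches before touching the hash. MD5 here is what the protocol mandates, not a design choice.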

  • Multiple simultaneous logins no longer being prohibited when unchecked

    Since (I think) the most recent raft of software updates were installed, multiple simultaneous logins are no longer being prohibited when the box is unchecked in a user's logon account.
    My users are now logging onto different computers and 'lending' their account to people who are not students.
    Is anyone else experiencing this anomaly since 10.5.7 or thereabouts?

    Figured it out, I just had to restart the server for the changes to take effect.

  • ISE 1.2 Guest Portal Profiling Certainty Factor not Increase

    Hi, I have configured the ISE 1.2 Guest Portal and checked profiling of which device logs in, but I found that the endpoint profile does not match after the user successfully authenticates.
    Profiling Configure and Endpoint Detail in attachment below

    Hi salodh,
    as you can see in the attached files, all profiling is configured correctly and the condition should match according to User-Agent Contains Android (profile3.png), and the Certainty Factor must increase (profile2.png) in this case, but the Total Certainty Factor is still 0 in the endpoint profile (profile1.png).

  • ISE 1.2 Guest Access session expired

    We have set up the ISEs to allow wired guest users to logon with CWA but every time we get
    "Your session has expired. Sign on again".
    We successfully get to the portal and can logon, change password, accept conditions but then we just get the session expired page.
    From the switch (some data redacted for privacy):
    sw01#sh auth ses int f0/1
                Interface:  FastEthernet0/1
              MAC Address:  0021.xxda.xx28
               IP Address:  xxx.xx.40.45
                User-Name:  00-21-xx-DA-xx-28
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  901
                  ACS ACL:  xACSACLx-IP_GuestWired_ISE_Portal_Access-53182da8
         URL Redirect ACL:  dot1x_WEBAUTH-REDIRECT
             URL Redirect:  https://guest.ourdomain.com:8443/guestportal/gateway?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1262FB000000FA0FCEFDB8
          Acct Session ID:  0x000001CF
                   Handle:  0x370000FB
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    The ISE reports a failed login
    Event
    5418 Guest Authentication Failed
    Failure Reason
    86017
    Now the reason appears to be that the guest portal being accessed is on an ISE in our DMZ but the RADIUS/MAB authentication is done by our internal ISEs (all ISEs are part of the same cluster, however). This is because the NAD is a switch and its management interface is on the inside of the network while the guest VLAN is in a DMZ. If we authenticate the RADIUS and guest on the same ISE (by breaking routing/security) then the access is granted and it all works correctly.
    We are surmising that the session ID sent by the RADIUS ISE server is not available to the Guest Portal ISE server, so the session ID does not exist in the session cache.
    So does the guest portal ISE server have to be the same ISE server that does the RADIUS/MAB session generation? There is no obvious way to tie an FQDN (e.g. guest.ourdomain.com) to the ISE used by the NAD.
    Should the session ID not be shared across all enforcement nodes?
    Any other ideas or thoughts?
    Chris Davis

    Thanks Jan, do you know if this is by design, even across nodes in node groups? I'm guessing that Bug CSCul10677 is the same issue.
    Thing is, it rather makes the CWA static IP/hostname option redundant/useless in a resilient configuration. It also means that the NAD must use the guest network for dot1x traffic, or that the guest network must be able to route over/into the internal network, neither of which appears to be ideal from a security perspective...

  • ISE 1.2 Guest portal user cannot change their passwords

    I have a WLC 5508 (version 7.6) and a server with ISE installed (version 1.2.1.198). Now we have configured CWA, using the guest portal as the employee and guest login URL. We can log in successfully with a manually created internal user and password, and we set up "allow guest users to change password" in Multi-Portal, but the user cannot change the password in the guest portal. Does the change password option on the Guest Portal actually work? Can anyone tell me how users can change their own password in the guest portal?

    Requiring Guests to Change Password
    You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.
    You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users. Select the specific internal user from the Network Access Users list and enable the change password check box.
    Before You Begin
    Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.
    Step 2 Check the Guest portal to update and click Edit.
    Step 3 Click the Operations tab.
    Step 4 Check either or both options:
    Allow guest users to change password
    Require guest users to change password at expiration and first login
    Step 5 Click Save.

  • How do I transfer an iphoto library from a guest login to either another login or a thumb drive?

    I am letting a friend use my computer as a surrogate for the time being to backup her phone and photos. I had never used the guest login before and didn't realize that all the files would be lost at logout. I haven't logged out yet but I need help trying to get the iphoto library onto a thumb drive. If at all possible I would like to get the backup from itunes as well.
    I have already copied all of the photos out of iphoto but that doesn't save the time, date and location of them. I cannot access the folder to move the iphoto library because of it being in the guest login. I have already deleted the photos off of the phone so that is a no go.
    I've been trying to search for an answer but haven't had any luck yet. Any help would be greatly appreciated.

    I have already copied all of the photos out of iPhoto but that doesn't save the time, date and location of them.
    Export them
    File -> Export
    This User Tip
    https://discussions.apple.com/docs/DOC-4921
    has details of the options in the Export dialogue.

  • Guest Login feature in SRM 7.0

    Hi,
      How do we use Guest Login feature in SRM 7.0? Requirements are given below.
    1. Purchaser publishes Public RFx.
    2. In the company's web portal, a link is given as "Open Tender-Click here" to enable a one-time bidder to participate in the open tender.
    3. A new bidder who is not registered as bidder in the organisation would like to participate in the Bidding. He clicks on the above link in the organisation's web portal which will login as "Guest" and direct him to the SRM portal where the Bidder can see public tender Bids.
    4. He opens the Bid and analyse the details. Then he can decide to participate.
    5. Then either ROS can be used or conventionally he can send mail to the organisation requesting to be a Bidder.
    I heard some custom developments are done in a few projects with custom screens. But can we achieve the same in a standard way? If developments are required, what are the complexities or processes involved in the development?
    Regards,
    Prasanna

    Hi Vineela,
    According to my information this BADI still exists.
    There was a note that entered this BADI into SRM 6.0
    1158310 SOCO: Missing BADI in search (first screen)
    In SRM 7 this code is here, you could have a look and set BP in /SAPSRM/IF_CLL_DOM_SOCO_GAF1~SEARCH
    to check what is happening, it may be something small.
    There is nothing on our database about other customers with similar complaints.
    The method you would need for sourcing is
    IF_EX_BBP_WF_LIST~BBP_WF_LIST_SOCO
    Hope this helps,
    Kind Regards,
    Matthew

  • WLC to ISE authentication for Guest

    Hi Experts,
    Hope if you could guide me with our setup for Guest users. Below is what we are doing
    a)     Guest connects to SSID
    b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
    c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
    The guest connects to the SSID and does get the WLC portal for authentication; when the username and password are entered, on Cisco ISE I see the error message
    'User Identity not found in any of Identity Store', though it is going through the correct store and the guest name is certainly configured on Cisco ISE. The ISE version is 1.2 and the WLC is 7.4; please let me know if I am missing anything here.
    Appreciate your help

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow the guide below for step-by-step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • How to disable the guest login in OBIEE 11g?

    Hi,
    Whenever i click on analytics link, Guest automatically logs in , then i have to logout in order for the user to log in.
    How do we disable this Guest login?
    Thanks
    Ashish


  • ISE 1.3 Guest API - using custom fields for guest creation?

    I am currently working with the new ISE 1.3 guest API. I have most everything working: I can create guests fine, with the basic information entered into the guest account like first name, last name, company, email, phone and so on. Now I need some more fields to enter other information for that guest, and I have created 5 extra custom fields called option1-option5 and enabled them for the "Known Guests" page on my sponsor portal. I cannot, however, figure out how they should be addressed in the XML input sent in the API request... anyone tried this?
    Regards
    Jan

    Hi Johan,
    Sure, I can lead the way. The stuff I am doing is part of a complete system I build and sell, that integrates with ISE to give customers the ability to create guest accounts using a number of different social media (Facebook, Google and so on), to self-provision accounts for guest access (and many other things :-)
    I mainly use PHP for this, and for simplicity you can use a curl command line executed by any scripting you prefer, or use any curl library you might have available to you.
    So, you need an ise sponsor account that has the "api usage flag" allowed in the sponsor group it is a member of. Then you need to know a few things about the ise setup, that needs to be sent with your request to ise, to allow the creation of a guest account.
    If you need some code examples, send me a pm and we can figure something out
    API Reference :
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/api_ref_guide/api_ref_book/ise_api_ref_guest.html

  • SDDM guest login, transition to KDE Framework

    Hi,
    I am preparing the Transition to KDE Frameworks and as a first step I want to install SDDM, as suggested here.
    Some time ago I set up an Ubuntu-style guest-account or guest-login with KDM/KDE4 and would like to keep that in SDDM. A home directory is set up on a temporary file system on kdm start (as root before login dialog appears, see below), and cleaned/recreated after each logout.  I copied it from here. Now the question:
    Is it possible to do that in SDDM?
    There is an entry "Guest-login" on a TODO page of SDDM at github, which is about half a year old. So don't know if that has been implemented or not. Do you know?
    Also, there is a Wishlist entry on the SDDM github site, which seems to request just what I need. There it is suggested to use pam_mount and systemd (auto)mount units in a user-session, but I'm not sure if that would help in my problem?
    Currently I'm calling a script "guest-account" (see below) in /usr/share/config/kdm/Xsetup. Xsetup looks like:
    #! /bin/sh
    # Xsetup - run as root before the login dialog appears
    /root/scripts/guest-account add
    And  /usr/share/config/kdm/Xreset looks like:
    #! /bin/sh
    # Xreset - run as root after session exits
    if [ $USER = 'guest' ];
    then
    /root/scripts/guest-account remove guest
    /root/scripts/guest-account add
    fi
    The script guest-account (found it here) looks like:
    #!/bin/sh -e
    # (C) 2008 Canonical Ltd.
    # Author: Martin Pitt <[email protected]>
    # License: GPL v2 or later
    # modified by David D Lowe and Thomas Detoux
    # Setup user and temporary home directory for guest session.
    # If this succeeds, this script needs to print the username as the last line to
    # stdout.
    add_account ()
    {
        mkdir /tmp/guest
        HOME="/tmp/guest"
        USER=`echo $HOME | sed 's/\(.*\)guest/guest/'`
        # if $USER already exists, it must be a locked system account with no existing
        # home directory
        if PWSTAT=`passwd -S "$USER"` 2>/dev/null; then
            if [ "`echo \"$PWSTAT\" | cut -f2 -d\ `" != "L" ]; then
                echo "User account $USER already exists and is not locked"
                exit 1
            fi
            PWENT=`getent passwd "$USER"` || {
                echo "getent passwd $USER failed"
                exit 1
            }
            GUEST_UID=`echo "$PWENT" | cut -f3 -d:`
            if [ "$GUEST_UID" -ge 500 ]; then
                echo "Account $USER is not a system user"
                exit 1
            fi
            HOME=`echo "$PWENT" | cut -f6 -d:`
            if [ "$HOME" != / ] && [ "${HOME#/tmp}" = "$HOME" ] && [ -d "$HOME" ]; then
                echo "Home directory of $USER already exists"
                exit 1
            fi
        else
            # does not exist, so create it
            # Arch Linux modification: Ubuntu/Debian uses their own adduser package,
            # which works differently from the one provided by the shadow package.
            # Instead, use useradd, which works in any distro.
            # Only the syntax is changed
            # adduser -> useradd
            # --system -> --system
            # --no-create-home -> --no-create-home
            # --home -> --home-dir
            # --gecos -> --comment
            # --group -> --user-group
            # --shell -> --shell
            #adduser --system --no-create-home --home / --gecos "Guest" --group --shell /bin/bash $USER || {
            useradd --system --no-create-home --home-dir / --comment "Guest" --user-group --shell /bin/bash $USER || {
                umount "$HOME"
                rm -rf "$HOME"
                exit 1
            }
            # NOTE: this gives the guest account a fixed, well-known password
            echo "guest:guest"|chpasswd
        fi
        # create temporary home directory
        mount -t tmpfs -o mode=700 none "$HOME" || { rm -rf "$HOME"; exit 1; }
        chown $USER:$USER "$HOME"
        gs_skel=/etc/guest-session/skel/
        if [ -d "$gs_skel" ] && [ -n "`find $gs_skel -type f`" ]; then
            cp -rT $gs_skel "$HOME"
        else
            cp -rT /etc/skel/ "$HOME"
        fi
        chown -R $USER:$USER "$HOME"
        usermod -d "$HOME" "$USER"
        # Load restricted session
        #dmrc='[Desktop]\nSession=guest-restricted'
        #/bin/echo -e "$dmrc" > "$HOME"/.dmrc
        chown -R $USER:$USER "$HOME"
        echo $USER
    }
    remove_account ()
    {
        USER=$1
        PWENT=`getent passwd "$USER"` || {
            echo "Error: invalid user $USER"
            exit 1
        }
        USERUID=`echo "$PWENT" | cut -f3 -d:`
        HOME=`echo "$PWENT" | cut -f6 -d:`
        # deluser is provided by the adduser package on Debian/Ubuntu. userdel
        # doesn't have a '--system' parameter, which causes deluser to only delete
        # system users, so this will be handled using this script.
        # (only the uncommented SYS_UID_MIN/SYS_UID_MAX lines of login.defs are read)
        SYS_UID_MIN="$(awk '$1 == "SYS_UID_MIN" {print $2}' /etc/login.defs)"
        SYS_UID_MAX="$(awk '$1 == "SYS_UID_MAX" {print $2}' /etc/login.defs)"
        if [ "$USERUID" -lt "$SYS_UID_MIN" ] || [ "$USERUID" -gt "$SYS_UID_MAX" ]; then
            echo "Error: user $USER is not a system user."
            exit 1
        fi
        if [ "${HOME}" = "${HOME#/tmp/}" ]; then
            echo "Error: home directory $HOME is not in /tmp/."
            exit 1
        fi
        # kill all remaining processes
        while ps h -u "$USER" >/dev/null; do
            killall -9 -u "$USER" || true
            sleep 0.2;
        done
        umount "$HOME" || umount -l "$HOME" || true
        rm -rf "$HOME"
        # remove leftovers in /tmp
        find /tmp -mindepth 1 -maxdepth 1 -uid "$USERUID" -print0 | xargs -0 rm -rf || true
        #deluser --system "$USER"
        userdel "$USER"
    }
    case "$1" in
        add)
            add_account
            ;;
        remove)
            if [ -z "$2" ] ; then
                echo "Usage: $0 remove [account]"
                exit 1
            fi
            remove_account "$2"
            ;;
        *)
            echo "Usage: $0 add|remove"
            exit 1
            ;;
    esac
    Last edited by stri (2015-01-29 04:00:19)

    Release 12 enforces multi-org. We have the profile options 'MO: Operating Unit' and 'MO: Default Operating Unit' set to our one and only org_id. Is there also a default responsibility that needs to be set to allow GUEST access to an OAF page in R12?
    Thanks,
    Elaine

  • Cisco ISE or NAC Guest with web security (IronPort) integration

    All,
    We have a scenario where guests will be authenticated against the ISE or NAC Guest server, and customer will place an IronPort to provide web security, however, we can not find referentes whether IronPort can or cannot integrate with Guest Server, so that guests are not requested to be authenticated twice, one by the Guest Server, a one by the proxy. The idea is to keep it transparent for the guests with a single authentication.
    Has anyone there implemented such scenario?
    Thank you!

    I see. So, lets say we disable proxy authentication for the guest segment, can I still provide content filter for the segment, even though there is no proxy authentication? I assume customer will lose the reportinga and tracking granularity, but the scenario will work withou proxy authentication. This may be some sort of "man in the middle" only, but with content filter. Does it make sense?
    Thank you!

  • Multiple Simultaneous ODBC Connections

    Running into a problem when trying to pull data from Oracle via the Merant drivers. If two databases are building simultaneously and both need to connect to the same Oracle servers at the same time (or, if one database is loading data and a developer is building a data load rule that hits the same server) we get an error stating: "SQL driver for [ODBC name] is in use and does not allow multiple connections." This is a problem not only as it slows development (waiting for one load to finish before building another load rule) but can prevent a successful automated build should one app still be loading data prior to the second app starting to load data. Is there a way to allow an Essbase server to make multiple simultaneous connections to a data source, like Oracle?

    joepvd wrote:
    I need to connect to two vpn networks, and I am using netcfg. I can connect to both networks separately, but it does not work to have both networks up at the same time.
    This is the configuration:
    vpn1: 10.0.0.0/255.0.0.0 vpnc
    vpn2: 10.0.0.0/255.0.0.0 pptp
    There is of course a collision in the address space. These are my routing requirements:
    default gateway should stay at the gw without VPNs.
    All traffic to 10.0.0.0/255.0.0.0 should go to vpn1
    Traffic to 10.1.2.3 and 10.5.6.7 should go to vpn2
    You need to configure your VPN servers differently. You can not have conflicting subnets.
    Also, PPTP is not secure. You should look into OpenVPN if you are in control of the VPN servers and have the authority to choose. OpenVPN is also much easier to configure. You simply add this to the end of the server config for vpn2.
    push "route 10.1.2.3 255.255.255.255"
    push "route 10.5.6.7 255.255.255.255"
    Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2
    DEFCON 19: Whitfield Diffie and Moxie Marlinspike
    https://www.youtube.com/watch?v=sIidzPntdCM
    Last edited by hunterthomson (2013-01-28 09:06:24)

  • ERROR: NO_GUEST: Guest login not allowed from client startup

    We are getting the following error with Express 6.3.4 when connecting to the Express server from Objects using a connection editor.
    The error message is
    Error #12150 in XPCUBE: Non-fatal (0300): Data Manager is unable to generate transmission.
    Error #10300 in XDMRESP: Non-fatal (0300): ERROR: NO_GUEST: Guest login not allowed from client startup
    Encountered similar error while calling from OLAP web application.
    In stored procedure XWD_RAMSTARTUP: The following Express
    Server error occurred: NO_GUEST: Guest login not allowed from
    client startup
    Which I believe is the same reason.
    Can you pls suggest what could be the problem and how can we over come this.

    In the Connection Editor, under "Relational Data-> Settings" did you check the "Personal Configuration" box?
    If you did, you should ensure the Authentication type is not set to "None".
