Sponsor Portal Alternatives

I'm currently using ISE 1.2 to administer policy for two SSIDs.  The first SSID is basically for domain devices only, and we utilize 802.1X and AD.  Works great.
The second is currently utilizing the Sponsor Portal, and basically gives Internet-Only access to anybody with an e-mail address and who has a sponsor.  In this way, we limited access and knew who was on our network, even though it was Internet Only.  This access was intented for temps, contractors, and others who worked with us, but did not require access to domain devices or data.
Well, that's what the intent was.    It seems that every once in a while, somebody with an AD computer from some other domain comes in and they are unable to utilize our SSID, because our requirement for a credential and their home domain's AD group policy are incompatible.  Presumably, the policy in question is a restriction banning the ability for a computer to join an unknown infratsructure network, hidden deep inside Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network (IEEE802.11) Policies.
I can't really tell others that their GP is too restrictive, and I can't really feel good about having a completely open SSID.
Is there some middle ground?  Am I overlooking something?

I totally understand your point when you say that "it becomes your problem" :) Nobody likes security but everyone wants it. Now with that being said, if the SSID is "Open" can these laptops connect to it? If yes, I believe that there is a setting in GPO that can prevent users from connecting to any other SSIDs besides the ones configured in GPO, thus you would still face the same problem. Also, the "not advertising" the SSID will not provide you with any additional security measures. The word will get out and you will see how everyone now is starting to use it :) Perhaps what you can do is make it less attractive by throttling the bandwidth and/or use some sort of a web filter and block sites like facebook, youtube, etc. 
Just some food for thought :)
Thank you for rating helpful posts!

Similar Messages

  • ISE 1.2 patch 3 - Sponsor Portal default timezone changed to non-existant ECT

    Hi everybody,
    We've applied patch3 to our ISE 1.2 cluster and after the upgrade all the sponsor accounts (externally autenticated on Active Directory) now have GMT +01:00 Europe/ECT as default Time Zone. Thus all the guest account created have the same time zone and guest authentication fails.
    This is the error from ise-console.log:
    guest:- com.cisco.cpm.guest.exceptions.PortalUserException: java.lang.IllegalArgumentException: The datetime zone id 'ECT' is not recognised
    guest:-        at com.cisco.cpm.guest.edf.GuestUserAdaptor.isAcctValid(GuestUserAdaptor.java:489)
    I checked the admin interface and the 1.2 documentation but could not find any default setting for sponsor users Time Zone
    Time zone for the 3315 is CET:
      clock timezone CET
    A workaround is to have each sponsor user update its Time Zone setting on the Sponsor Portal, but this is impratical.
    Did anybody experience the same issue?
    Regards,

    Hi Luigi Gangitano,
    From when are you experiencing this issue? I suspect this would have been an issue when the server timezones are changed from CEST timezone to CET timezone.
    To further figure out where exactly the issue is , 
    1.Can you please let us know what is the timezone in the UI on the top most right corner in the server information section is ?
    2.Similarly can you please check the timezone in the CLI of Primary ISE node.
    If the above two locations are displaying correct timezone then we have to suspect with the sponsor portal.

  • ISE 1.2 Patch 6 Bulk account creation Sponsor portal bug

    Hi all, not sure whether anyone has this issue but I noticed yesterday when I do a bulk csv import of users into the sponsor portal that it does not hold the user group I specifiy. In summary I select my CSV file, choose my user type as contractor (guest or contractor) and submit. The import succeeds except that all users are placed into the guest group not the contractor group I specified. You then have to manually alter every single one of them to be in the right group.
    Any ideas?

    Hi -
    I also see this when I import a CSV file of accounts for a different guest role.  We have created a second portal (other than the default "guest").  All the new accounts get assigned to Guest regardless of what is specified. The fix has so far been simply reassigning them manually.

  • ISE 1.2 Sponsor portal port change not working

    Hi,
    Has anyone else had an issue where they change the default port number of the sponsor portal on the Admin node, all ISE restart, but the sponsor portal still only works on the default 8443 port?
    Thanks,
    Ct

    Hi,
    As you know that default port is 8443, but you can change this value so ensure that the same value you assign to the switch and it matches the setting in Cisco ISE.

  • ISE 1.2 Sponsor Portal issue

    Hi
    we have an ISE version 1.2 installation and are trying to customise the Sponsor Portal login page to show the Terms and conditions for staff whan accessing the page, by using the display pre-loign banner under the sponsor portal themes settings.
    We have added the text for both pre and post login banners and have selected the check boxes for both but for some reason when saved the text does not display and the check boxes show as being un checked when going back to the page. Is this a bug ?? i have reset to factory defulats and re tried but still not working.. any help would be appreciated

    It may be a browser issue. Please check the supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals:
    These Cisco ISE portals support the following operating system and  browser combinations. These portals require that you have cookies  enabled in your web browser.
    Table 8     Supported Operating Systems and Browsers
    Supported Operating System Browser Versions
    Google Android 1 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
    •Native browser
    Apple iOS 6, 5.1, 5.0.1, 5.0
    •Safari 5, 6
    Apple Mac OS X 10.5, 10.6, 10.7, 10.8
    •Mozilla Firefox 3.6, 4, 5, 9
    •Safari 4, 5, 6
    •Google Chrome 11
    Microsoft Windows 82
    •Microsoft IE 10
    Microsoft Windows 73
    •Microsoft IE 9
    •Mozilla Firefox 3.6, 5, 9
    •Google Chrome 11
    Microsoft Windows Vista, Microsoft Windows XP
    •Microsoft IE 6, 7, 8
    •Mozilla Firefox 3.6, 9
    •Google Chrome 5
    Red Hat Enterprise Linux (RHEL) 5
    •Mozilla Firefox 3.6, 4, 5, 9
    •Google Chrome 11
    Ubuntu
    •Mozilla Firefox 3.6, 9

  • ISE 1.2 Sponsor Portal- Account Expiration Date Defaults to same time as Start Date

    We have a time profile setup for ISE Sponspr Portal with Start/End.  I understand this allows the sponsor to specifially set the start and end time for the guest account.  When creating an account, the Start/End time is the same time.  If a Sponsor forgets to set the end time, then the guest account will be created, but will expire not allowing the guest to login.  It would be nice to have the end time default to something other than the start time, like 8 hours default.  Is this possible?  Can the expiration time default to something like 8 hours, but still give the Sponsor the ability to adjust the start/end times if needed?  This is very simple, and I cannot believe this is not available.

    Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
    Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
    DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
    DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
    DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.
    Upon expiration of their account per their assigned time profile, they will no longer be able to login or access the company network.
    If a guest were to return to the network, the sponsor can change the account duration via the sponsor portal to grant them access again and then require them to change their password if deemed necessary (depending on the settings). Changing account duration can be used for extending a guest users access longer than the original setup.
    If you upgrade to Cisco ISE 1.2, the older time profiles are still available, but you can delete them if you are not using them. If the older time profiles are assigned to a sponsor group, a message alerts you before deleting. If you perform a new installation of Cisco ISE 1.2, only the new time profiles display.

  • ISE 1.2 sponsor portal - disabling default languages

    Hi,
    We are implementing Cisco ISE 1.2 and have a question on the sponsor portal languages.
    The client company's official language is English and so we would like to disable all other languages from the sponsor portal. If we don't do it, the users might select their native language (on the sponsor settings and/or the guest notification language) meaning that we have to customize and maintain all 15 language templates.
    It has alread happened during the tests: a sponsor created a guest account and choose a notification language other than English - the SMS was not sent because the "Destination" on the "SMS text message notification" default value is "[email protected]".
    Thanks in advance.
    Regards,
    Telmo Oliveira

    Hi all,
    This reply to myself is done for documentation proposes, it can help someone with the same challenge.
    Today I was at an event at Cisco where ISE 1.3 beta was presented. This version will have already the option to choose between browser locale or static language template. Talking to the Cisco eng. responsible for the presentation, he told me that 1.2 had no way to do it.
    Cisco ISE 1.3 is now planned to be release end of 2014.
    Regards,
    Telmo Oliveira

  • ISE 1.2 corrupted sponsor portal

    Hi,
    since I started to use ISE sponsor portal it showes me wrongly, see attached screenshot.
    I tried various browsers, but the problem is the same. Other pages are okay, just the main with guest users has problem.
    Looks like it happened after upgrade from previous ISE version.
    Does anybody know how to fix this?
    Thanks and greets
    Karel

    Hi Karel,
    As regarding to your query,
    These selections will allow guests to change their password, perform self-service, and require
    acceptance of a default AUP upon login.
    Changed in ISE 1.2: Now that we have the ability to Change Account Duration (discussed later in the lab) the option
    to Require guest and internal users to change password at expiration and first login has been updated so that
    the guest must change the password when not only first logging in but then also when the expired account has been
    reactivated. It’s not being used in this lab so be aware of this option.
    Self-service allows any user to generate access credentials without requiring a sponsor to perform this task.
    As this is not a sponsored user and any user may create their own account with this policy setting, it is
    common to assign self-service guests to an Identity Group with minimal network access privileges such as
    “Internet_Only”.

  • ISE 1.1 sponsor portal different type of guest accounts

    Hi there
    I just played around with the ISE 1.1.2.145 sponsor portal. I have the following 3 requirements, but I don't see a way the get there with the actuals sponsor portal features:
    1. I would like to create a event user (one single user for multiple logins) with a given username and a given password
    2. I would like to create a single user with a given username and a given password
    3. How can I change the password of such a user
    At the moment I am a little disappointed from the sponsor portal, there are not that features or I can't see the way to get there ;-)
    Can anybody confirm the above problems?
    Best regards
    Dominic

    It is possible to use internal users as well as AD users for admin.
    I'm not actually sure whetehr it's possible to stop using Internal Users.
    I have it working using both, primarily as I don't have AD credentials on customer site, so they use AD credentials and I stick to using Internal Admin User.
    I still haven't understood your original question entirely, but if you select the guest username to be created based on email address (rather than first name/last name), then you can create a single username using a fictional email address, and allow the user to change the password on first login. You can then change the password to whatever you want.
    Does that fit?

  • Sponsor Portal after upgrade ISE 1.2 - 1.3

    Hi,
    After upgrade ISE to version 1.3 I can't access to Sponsor Portal via ://ISE_IP:8443/sponsorportal/ as it was done in version 1.2 (error: [ 404 ] Sponsor Portal Resource Not Found. The resource requested cannot be found). I have to open it through ISE (Guest Access -> Configure -> Sponsor Portals -> Sponsor Portal (Default) -> Portal test URL). But then in address bar i can see the exact same address i tried to reach (://ISE_IP:8443/sponsorportal/) but it works.
    I deleted migrated portal from version 1.2 and now using only default one. Should I additionally activate it somewhere after this upgrade?

    Nice to hear that. I just want to add something to take into account:
    When you create the CSR directly from ISE, the documentation says for version 1.2 that you need minimum CN field. I did it and then I started having issues with Chrome Browser/ChromeBook which was triggering a certificate warning even though I had signed it with the correct CA Server and I had the Trusted Certificate Authority included in the browser list.
    When I was using 1.1.3, I did not have that problem when using ISE internal CSR feature and only using Common Name (CN) for the CSR.
    I tried using Openssl as usual to create the CSR for ISE running 1.2. Signed and imported it into the ISE and the problem was solved. I am using like you FQDN in the WLC URL Redirect on LWA or CWA with the corresponding entry into the DNS. One important thing I found is that openssl uses some additional fields which I included in the CSR and I think after reviewing the ISE 1.2 documentation we need to include those as well in the ISE CSR feature. Looks like also there is a sequence/order for those fields in the ISE when creating the ISE CSR. The list is the following:
    countryName       = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName  = optional
    organizationalUnitName  = optional
    commonName        = supplied
    emailAddress            = optional
    Finally, with Openssl I could create as well SAN Certificates and I included the IP of the PSN , PAN and MNT ISE's so I would not need the DNS Entry. This feature was added on version 1.2 of the ISE which helps a lot. I will give it a few more testing since that I have a lab deployment with 5 ISE's (PAN, MNT and 3 PSN's).

  • ISE Time Management for Sponsor Portal User

    Hi all,
    I'm currently using ISE version 1.2 and when I create a custom time management for each user, the rule applied to each user is only applied for a maximum 10 days eventhough I configured it for ex.30 days.
    want to check with all of you if anyone have the same issue?
    Firstly I think it's because the purge time is default set for 15 days, but even when I already changed it. The expiration time will still not get over than 10 days.
    Cheers
    Ryan

    Default Guest Time Profiles
    Time profiles provide a way to give different levels of time access to different guest accounts. Sponsors must assign a time profile to a guest when creating an account, but they cannot make changes to the time profiles. However, you can customize them and specify which time profiles can be used by particular sponsor groups. Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
    Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
    •DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
    •DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
    •DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.
    If you upgrade to Cisco ISE 1.2, the older time profiles are still available, but you can delete them if you are not using them. If the older time profiles are assigned to a sponsor group, a message alerts you before deleting. If you perform a new installation of Cisco ISE 1.2, only the new time profiles display.

  • Sponsor Portal Showing Sponsor Information

    Has anyone had success with getting the Sponsor Portal to provide the sponsor information for guest accounts?  This would be a very helpful piece of information.
    If this information is not displayed on the homepage, can it be made available in the details of the user?
    I am currently using ISE 1.2 Patch 3.
    Thank you,
    Rich

    Hello Rich,
    You mean you want to know what sponsor created which user from the Sponsor Portal, with a sponsor having right for GroupAccounts or AllAccounts, right ?
    This is, to my knowledge, currently not possible, but you can get this information from Admin Interface, under operations > Reports > Guest Sponsor Mapping

  • Sponsor portal and internal users

    Hi
    I have configured on our ISE to use AD-users as sponsors. And this works perfect.
    but I'm also trying to configure an internal user, for the sponsor portal.
    I Have configured it almost the same way so i don't understand why the ISE is reporting :
    Sponsor authentication has failed : Sponsorgroup not found for user        
    My identity store is a sequence for AD and internal users, and i can see from the log that it looks in the right place :
    Identity Store:
    Internal Users
    My condition is that the internal user, should be a member of identity group : sponsorAllAccount
    my identity group : 
    Identity Group:
    SponsorAllAccount
    and then get a created sponsor group, this sponsor grop that is allocated to the condition, works fine for det AD-users.
    Evaluating Identity Policy
    5435 Sponsor authentication has failed
    any suggestions of why ?    I'm now running the lastes 1.1.1 version.
    Br
    Tuva

    Hi  Tarik
    thanks for the answer.
    I'm certain that the user does not exist in the AD domain,  anyhow, then my log would tell me that the authentication failed because of wrong password !? 
    I can se from the log that the ISE is doing lookup in the internal database.
    this is output from he logging : 
    Identity Store:
    Internal Users
    I have ,made a identity store sequence with both AD and internal users.
    Br
    Tuva

  • ISE 1.3 Sponsor Portal problem

    Hello Guys,
    I configured one Guest WLAN to authenticate via ISE Web Portal.
    The wlan, the redirect, everything is working fine. Y
    Yesterday i created one user and password using the sponsor portal normally, but today, i tried to connect on the sponsor page and i got the error:
    Sponsor Portal Internal Error
    Please contact System Administrator. If you are the System Administrator please consult the logs.
    I tried to restart the application ise via cli but didin't works.
    Can you help me? Where these logs are located?
    Thank you.

    Look at you Rafael, coming up with problems and solving them yourself! :) Thanks for sharing the solution with everyone (+5 from me). Let's close the thread if the issue is resolved :)

  • ISE 1.3 Sponsor Portal.

    Hi There, Just trying out ISE Version 1.3 and encountering some issues getting access to the sponsor portal.
    Just checking about a Standalone deployment is it OK to have the sponsor portal interface the same as you manage the ISE from?
    I cant seem to get to the sponsor portal on 8443 it just doesn't display the page. It doesn't even fill out the URL at the end.
    When I fill in the URL for it. I get this.
    The Portal is set up like this So from what I see it should work. If I use the preview button in the portal set up I can get to it fine. Am I missing something?

    Graham,
    I've seen this a few times.  Do you have separate PSNs?  Note that the DNS entry (Alias) for the Sponsor Portal needs to point to a PSN and NOT the Admin Node.  This usually fixes the issue.  Create an alias in DNS for sponsor.domain.com (replace domain.com to reflect your domain name) and point it to a PSN.  Then type sponsor.domain.com into your browser.  The system will redirect to the default Sponsor Portal.
    Note this Capture from the ISE 1.3 Admin Guide:
    The full guide can be found here:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13.pdf
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

Maybe you are looking for

  • Using Apple Remote Desktop to Deploy Filemaker Pro 10 /Create Filemaker pkg

    I need to deploy Filemaker Pro 10 to a number of Macs in our office, all of them with Apple Remote Desktop installed. I have the FileMaker Pro 10 installation file (it's listed as an .app) and the text file called "assisted install." If I have these

  • Condition suppression in crystal reports

    I need help in conditional suppression of data in a crystal report I have created. It is hard to explain so I will show you with example data that has no reference to real data. Here is an example of non suppressed data in two columns. Column A     C

  • Can't connect to server "Cannot load Interface Builder File "NSAlertPanel"

    all of a sudden, one of my Macs cannot connect to our server due to this error in the Console: NetAuthAgent [ 128 ] Cannot load Interface Builder File 'NSAlertPanel' This is on a MacPro running 10.6.4 - rebooting this computer didn't help. My searche

  • Number Range with interval C00001 u2013 CZZZZZ

    Hi all, I have to create number range with interval C00001 u2013 CZZZZZ. Suggest me the steps to do the same. Thanks, Nidhi Sharma Moderator message: please try yourself before asking. locked by: Thomas Zloch on Sep 16, 2010 4:59 PM

  • HT1918 About billing address

    when i tap the done button in confirm billing address, itune say i come here for infomation and i see nothing here. Please help