topic Correct in Network Access Control

ISE 1.4 - Sponsor CAN or can not view password

cisartomas — Mon, 11 Mar 2019 06:09:41 GMT

Hello,

We have set for some Sponsor group the possibility to not "view Guest password". Then we enabled "Send SMS notification". - We would like to limit some sponsors to not be able to see the Guest password, but have the possibility to send the credentials via SMS.

but after the guest account creation, we were unable to notify Guest - The button notify completely disapear. After we set "view Guest password" back to online, the button "notify " appeard again.

Do anybody know, if this a feature ? I mean, if you disable the "view password" you are unable to do anything with the account during the account creation?

Correct

Jason Kunst — Fri, 06 Nov 2015 13:13:47 GMT

Correct, this is the same with ISE 1.3,1.4, and 2.0, please work with your account team on a feature request to change this behaviour

defect to track is CSCux11556

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_011011.html#reference_19692E3539F24C429EE73EAF376767CC

View guests’ passwords

For guest accounts that they can manage, allow the sponsor to view the passwords.

If the guest has changed the password, the sponsor can no longer view it; unless it is reset by the sponsor to a random password generated by Cisco ISE.

Note
If this option is disabled for a sponsor group, the members of that group cannot send email and SMS notifications regarding the login credentials (guest password) for the guest accounts that they manage.

The recommendation would be to have the user change the password after they login. This way the user has a private password and the sponsor is no longer able to see it.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/sponsor_guide/b_spons_SponsorPortalUserGuide_20/Create_Guest___Accounts.html#concept_04C7A2F95DB94EEC88B6A4653286DC68

You can create guest accounts for authorized visitors requiring access to your company’s network and internal resources. When you create accounts, whether it is for a known guest, or randomly for a multiple set of guests, or when importing a batch of guest accounts from an external database, Cisco ISE generates passwords for these accounts.

If your system administrator set you up with the required privileges, you can view these system generated passwords:
When managing guest accounts in the account details for each account.
If you choose to be notified of the account details at the same time you notify your guests.
However, if your guests are permitted to change their passwords and do so after they log into the Guest portals, you can no longer view these passwords, as they are considered private.

If guests lose or forget their passwords after they change them, you cannot simply resend their passwords to them. You have to reset their passwords to random passwords and notify them of the new passwords.

i found solution for this

anilcokgungor — Fri, 06 Nov 2015 13:13:48 GMT

i found solution for this problem. i changed language templete and css folder of sponsor portal. Althoug guest password completely disappear, i can use notification. in language templete delete key.sponsor.ui_password_label=Password line or Delete word in Password box on Sponsor Portal Page Customization > Notify Known Guest.

However, password is visible when sponsor created user with import option. if you want to disappear password on import page, you should customize css folder.

There is two css folder in default theme

"/sponsorportal//css/sponsor.structure.css

"/sponsorportal/css/guest.theme.1.css

You can see with viewing page source codes.

Only guest.theme.1.css can be export and customize. You can access sponsor.structure.css on web browser and combine two css folder. Then write "display none" for div id of username password section.

If you want to css folder i can share with you

Keep in mind that this only

Jason Kunst — Fri, 06 Nov 2015 13:20:35 GMT

Keep in mind that this only superficially hides the private information

if you do view source the password is listed there

i test this. Password is not

anilcokgungor — Fri, 06 Nov 2015 14:06:23 GMT

i test this. Password is not listed in page source. Password field completely disapear. you can see in following image

That is not correct.

Jason Kunst — Fri, 06 Nov 2015 14:38:08 GMT

That is not correct.

The code you are looking at is the “runtime” code that changes on the fly.

If you look at the “network” tab you will see everything

Thx both of you for the

cisartomas — Tue, 10 Nov 2015 09:23:49 GMT

Thx both of you for the answers. We will try to use the workaround at least. Let me explain it in more detail:

First we wanted the weak diffie-helman ciphersuite on the guest portal to be fixed in the 1.2 ISE. The answer was „it will not be fixed in the 1.2 release, you have to upgrade to ISE 1.2.1, 1.3 or 1.4“. So did we. We upgraded the ISE deployment for which the customer paid several thousands of Euros just because of the bug which you were not willing to fix. We have found several features not having parity features on the 1.4. We had to change the design of several services. We found many new bugs which may severely affect us and not being fixed still. So the upgrade is still pain in the ass and we thank to god for each day without a networking issue! If you push us to upgrade (not update) the ISE release just to get rid of the basic Cisco should maintain the products backward compatible, so in my opinion there is no need to discussion whether implement or not such feature. It was available in 1.2, customers use it so why not to have it in 1.4 and 2.0 and other releases. And at last, few days ago Cisco released the patch 17 for ISE 1.2 - No comment.

Customer has a robus Sponsor portal environment, right now the Sponsor has just the possibility of view own, group or all accounts. He have integrated the solution of Sponsor portal at the customer site due tu possibilities of handling of guest password. I like the new face of ISE Guest but, still sometimes i dont know what Cisco means with their steps....

Anyway Jason - you have right, Guest should be forced to change the password after they first login to portal. But what about the old function of "Activated Guest" - customer using those account for direct access to wifi for VIP users - they apply those credentials directly to supplicant, no guest portal. There is no possibility to tell those people, hey go to the guest portal first and they use new credential in the supplicant..

And in the end what about the guest users - they are just visitors of the customer network, Customer do not want to use HOTSPOT for them, he wants the u/p possibilities. Your suggestion is to force the change of the password - Guest recieve the credentials and than is force to change it. YES, looks nice, but guest usually do:

1. forgot the new credentials 2, password policy for new password could be paintfull.. 3. Disconnect from Guest 🙂

Tomas

Sorry to hear all your

Jason Kunst — Tue, 10 Nov 2015 12:51:54 GMT

Sorry to hear all your troubles we are working to try to bring back what you're looking for please do get your info to your account team so we can work through fixes and making things better

trying to address too many things here and should be talking through with tac and or your account team

please note 1.2.x fixes are only going to be included if critical 1.2 and 1.2.1 are similar, customer will at some point always need upgrade if going to support newer protocols security fixes etc, we can't keep support forever

Customer will need upgrades at some points and should be evaluated completely before doing so

i don't get your reference to hotspot but seems like you are just venting your frustration! 🙂 understandable

2nd activated guest is still in product, on guest type it's called allow guest to bypass portal search the release notes

http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/upgrade_guide/b_ise_upgrade_guide_14/b_ise_upgrade_guide_14_chapter_011.html

Jason, thanks for reply. We

cisartomas — Tue, 10 Nov 2015 13:06:46 GMT

Jason, thanks for reply. We know that the customer MUST sometimes upgrade the ISE deployment. But first at all Cisco told us weak DH cipher will not be resolved in 1.2.......

Anyway, I spoke about hotspot portal due to no u/p required for access and that means, Sponsor are not allowed to see password of guests 🙂

Yes, i know that 2nd activated guest are still in product, but how you can force them to change their password in the supplicant? - It’s not possible. As I wrote you at the beginning, Sponsors are the external organization at customer site. Customer just do not want to have possibilities for Sponsors to view the guest password (classical guest account/ activated guest account), just send the ISE generated credentials via SMS...

The "activated" guest account have expiration time set to 1 year, so those accounts can be used with 3rd party...

I understand, we will work on

Jason Kunst — Tue, 10 Nov 2015 13:11:41 GMT

I understand, we will work on it

please make sure to get tac case open and your customer assigned to a defect, I know they are working on opening one right now

Defect opened CSCux11556 no

Jason Kunst — Wed, 11 Nov 2015 12:52:53 GMT

Defect opened CSCux11556 no ETA to resolution as this is product feature change and will need to be designed into a release have customers attach themselves to this defect

Hello Jason,

cisartomas — Wed, 11 Nov 2015 14:55:38 GMT

Hello Jason,

thx for the information. I got the message from TAC. We have opened the case related to this thread two weeks ago.. Now we got at least some tiny progress 🙂

I worked with them, thanks!

Jason Kunst — Wed, 11 Nov 2015 15:29:41 GMT

I worked with them, thanks!

Hi , Anyone get this bug

Gilbert Prakosa — Tue, 26 Apr 2016 10:30:40 GMT

Hi , Anyone get this bug resolution from Cisco?

hello Gilbert,

Jatin Katyal — Tue, 26 Apr 2016 16:12:03 GMT

hello Gilbert,

Unfortunately this is going to be fixed in ISE 2.2 - that is scheduled for end of 2016.

Regards,

Jatin

Do rate helpful posts !

we are trying to get this

Jason Kunst — Tue, 26 Apr 2016 17:45:45 GMT

we are trying to get this fixed in earlier releases as well, please do contact the TAC and attach a case with the release you're running