
Confirmation of apparent ISE bugs & limitations

scott.stapleton
Level 1

I have several ISE portal display bugs or apparent limitations. It's not feasible for me to log a TAC case for these so if anyone has any additional information please reply!

 

These are seen on ISE 2.4 patch 9, so as good as it gets currently!

 

BUGS

1) Guest expiration email reminder - the Use customization from dropbox only lets me pick the default sponsor and default or custom self-registered guest portals but not my configured sponsored guest portal (or the default guest portal). I tried creating a new portal and new Guest Type but the same issue occurs. Strangely I was initially able to pick my portal when I first tried but the ability to pick any non-custom portals has disappeared. This same issue occurs in my lab on ISE 2.4 (no patch).

 

2) Exporting the language file from a Guest Type, editing the e-mail subject (or body of the email) and then re-importing it does not have any effect on the guest expiration email received.

 

3) Within the Support Information page of the Hotspot and Sponsored Guest portals, there is text listed in the area of the page that the Instructional Text is inserted (above the table listing MAC address, etc.) even when there is no information in this Instructional Text box. This text is NOT shown in the mobile & desktop previews but is seen when you actually log in through the captive portal. The Hotspot portal lists the text Contact Information and the Sponsored Guest portals lists the text Support Information. These entries should be able to be deleted under the Content Area section of the Sponsor Information page but it looks like someone has fat fingered the code. I've tried hiding these via the following script but had no success:

<script>
(function () {
  $(document).ready(function () {
    // Hide every element carrying the ui_contact_message class once the DOM is ready
    $(".ui_contact_message").hide();
  });
})();
</script>

 

4) On the sponsor portal, the guest account information page that is presented after creating a guest account lists the text Guest notifications are sent automatically. This text should be editable from the Notify Known Guests portal customization page using the Automatically email field however modifying this field doesn't modify the text.

 

5) As above, on the sponsor portal, the guest account information page presented after creating a guest account lists: From date and To date. If these fields are not used when creating the guest account and the account is simply created based on the number of days (e.g. - a 30 day account; no to and from are specified), it should be possible to remove this superfluous information from the guest account information page. Deleting the contents of the From and To fields doesn't remove these fields from the guest account information screen however.

 

LIMITATIONS

1) For CWA, I have an Identity Source Sequence set up with Guests first and an Ext. ID Source second. In some cases a user will have an account in each of the internal sources - Guests and the Ext. ID Source. If the user uses their Ext. ID Source login they will fail to authenticate in the Guests source but not continue trying to authenticate by the Ext. ID Source. I thought configuring the Authentication Policy to If Auth fail = CONTINUE would fix this issue however this option appears to be made for continuing to AuthZ, NOT continuing to the next identity source. If I reverse the order within the ISS, I will have the same problem but in reverse. Is there a work-around for this?

 

 

Accepted Solution

For anyone that reads this in the future, below are a few work-arounds I found.

 

1) ISE will not let you pick a portal in the Guest Type where the image associated with Logo (Email) has been removed from the portal you're trying to use. In other words, ISE forces you to use an image in the sponsor expiration email. My work-around was a white, 1x1 pixel PNG. Not perfect if the email client has a non-white background but that's usually going to be the minority of clients.

 

3), 4), 5). All of these display bugs were worked around by editing the language file for the respective portals.


8 Replies

Jason Kunst
Cisco Employee
Sorry, this is not the TAC, and taking a laundry list of items and working on it isn't going to get anywhere. If you want to see if we can do some basic help, you can list them one by one and we will see what we can do, but at least half of them, from a quick look, look like they need a TAC case and a bug investigated.

I have listed them one by one. I've confirmed all of them in prod and my lab so those listed as bugs clearly are. However some people may have also hit them and found a work-around or can provide some other info.

So, anyone else that has info, please chime in.

 

The reason this and every Cisco deployment I do ends up with a laundry list of bugs is because Cisco Wi-Fi is a huge buggy mess.

Thanks. By one by one, I meant listing them out in separate threads so we didn't have 20 comments on one post making it hard to follow. You really need to get with a TAC engineer, log the issues you see and have them researched, as this is not the place for that.

hslai
Cisco Employee

On 1, I am not seeing this issue. Try either logging out and back in or use the browser refresh button and attempt it again. Also try restarting ISE services.
On 2, Likely related to CSCvq42545
On 3, Check the setting in "Portal Behavior and Flow Settings"

On 4, CSCvq60564 new bug filed. Try updating the same text for "Notify Imported Guests (Desktop only)".

On 5, if always creating using N-day, then we may update the templates for notification; For example, Email notification.


On 6. Check the advanced search list settings for the particular ISS.


Thanks for the replies.

 

Just a few follow-ups:

 

1. Are you able to select sponsored guest & non-default sponsor portals from the drop-down? This is occurring on two separate deployments so there's certainly an issue somewhere.

 

2. The issue seems like a related bug in that the language file is not overwriting the existing language file, after it's been uploaded.

 

3. Cheers. It's already configured to hide all empty fields but this particular field is not being hidden (the others are).

 

4. Thanks - I will try the work-around.

 

5. Sorry, I don't understand your reply.

 

6. That was the first option I confirmed and it's configured as "Treat as if the user was not found...". Assuming Cisco's description is accurate, this option only applies "If a selected identity store cannot be accessed for authentication". My use case is different; in my case, the first identity store IS available but I want ISE to continue on even if it matches a username in the first store but it fails authenticating in the first store. This doesn't seem possible in ISE?

 



6. That was the first option I confirmed and it's configured as "Treat as if the user was not found...". Assuming Cisco's description is accurate, this option only applies "If a selected identity store cannot be accessed for authentication". My use case is different; in my case, the first identity store IS available but I want ISE to continue on even if it matches a username in the first store but it fails authenticating in the first store. This doesn't seem possible in ISE?


You are correct on this. When we have the same user names in different ID stores in an ID source sequence, ISE will only check the first one. The authentication policy rules in network access policy sets are NOT for guest portal authentications. One potential workaround is to create two guest portals -- one to auth guests and the other to auth non-guests. See Linking one guest portal to another guest portal
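
The sequence behaviour discussed in this exchange, as an added example that is not part of the original thread and is not Cisco code: a simplified Python model in which only a "user not found" result (or an unreachable store treated as not found) moves on to the next identity store, while a failed password in the first matching store ends the sequence. Store names, users, passwords and the `unreachable_as_not_found` parameter are constructed for illustration.

```python
# Simplified model of the identity source sequence semantics described in this thread.
# Not ISE code; all stores, users and passwords below are constructed sample data.
import hmac
from enum import Enum

class Result(Enum):
    PASSED = "passed"
    FAILED = "failed"                # user found, credentials rejected
    NOT_FOUND = "not_found"
    PROCESS_ERROR = "process_error"  # store unreachable and sequence told to stop

class Store:
    def __init__(self, name, users, reachable=True):
        self.name, self.users, self.reachable = name, users, reachable

    def authenticate(self, username, password):
        if username not in self.users:
            return Result.NOT_FOUND
        ok = hmac.compare_digest(self.users[username], password)
        return Result.PASSED if ok else Result.FAILED

def run_sequence(stores, username, password, unreachable_as_not_found=True):
    """Return (result, name of the store that decided the outcome, or None)."""
    for store in stores:
        if not store.reachable:
            if unreachable_as_not_found:
                continue                  # "Treat as if the user was not found"
            return Result.PROCESS_ERROR, store.name
        result = store.authenticate(username, password)
        if result is Result.NOT_FOUND:
            continue                      # the only outcome that falls through
        return result, store.name         # PASSED or FAILED ends the sequence
    return Result.NOT_FOUND, None

# Constructed data: "alice" exists in both stores with different passwords.
GUESTS = Store("Guests", {"alice": "guest-pw", "visitor1": "v1-pw"})
EXTERNAL = Store("ExtID", {"alice": "corp-pw", "bob": "bob-pw"})

def demo():
    seq = [GUESTS, EXTERNAL]
    return {
        "alice_corp_pw": run_sequence(seq, "alice", "corp-pw"),
        "bob": run_sequence(seq, "bob", "bob-pw"),
        "reversed_alice_guest_pw": run_sequence(seq[::-1], "alice", "guest-pw"),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

In this model, reversing the sequence only moves the failure to the other credential set, which matches the "same problem but in reverse" observation and is why the suggested workaround separates the two user populations into two portals.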

Cheers.

 

I'll keep in mind the two portal options in the future.