07-19-2019 06:50 AM - edited 07-19-2019 07:04 AM
I have several ISE portal display bugs or apparent limitations. It's not feasible for me to log a TAC case for these so if anyone has any additional information please reply!
These are seen on ISE 2.4 patch 9, so as good as it gets currently!
BUGS
1) Guest expiration email reminder - the Use customization from dropbox only lets me pick the default sponsor and default or custom self-registered guest portals but not my configured sponsored guest portal (or the default guest portal). I tried creating a new portal and new Guest Type but the same issue occurs. Strangely I was initially able to pick my portal when I first tried but the ability to pick any non-custom portals has disappeared. This same issue occurs in my lab on ISE 2.4 (no patch).
2) Exporting the language file from a Guest Type, editing the e-mail subject (or body of the email) and then re-importing it does not have any effect on the guest expiration email received.
3) Within the Support Information page of the Hotspot and Sponsored Guest portals, there is text listed in the area of the page that the Instructional Text is inserted (above the table listing MAC address, etc.) even when there is no information in this Instructional Text box. This text is NOT shown in the mobile & desktop previews but is seen when you actually log in through the captive portal. The Hotspot portal lists the text Contact Information and the Sponsored Guest portals lists the text Support Information. These entries should be able to be deleted under the Content Area section of the Sponsor Information page but it looks like someone has fat fingered the code. I've tried hiding these via the following script but had no success:
<script>
(function(){
  $(document).ready(function() {
    $(".ui_contact_message").hide();
  });
})();
</script>
4) On the sponsor portal, the guest account information page that is presented after creating a guest account lists the text Guest notifications are sent automatically. This text should be editable from the Notify Known Guests portal customization page using the Automatically email field however modifying this field doesn't modify the text.
5) As above, on the sponsor portal, the guest account information page presented after creating a guest account lists: From date and To date. If these fields are not used when creating the guest account and the account is simply created based on the number of days (e.g. - a 30 day account; no to and from are specified), it should be possible to remove this superfluous information from the guest account information page. Deleting the contents of the From and To fields doesn't remove these fields from the guest account information screen however.
LIMITATIONS
1) For CWA, I have an Identity Source Sequence setup with Guests first and an Ext. ID Source second. In some cases a user will have an account in each of the internal sources - Guests and the Ext. ID Source. If the user uses their Ext. ID Source login they will fail to authenticate in the Guests source but not continue trying to authenticate by the Ext. ID Source. I thought configuring the Authentication Policy to If Auth fail = CONTINUE would fix this issue however this option appears to be made for continuing to AuthZ, NOT continuing to the next identity source. If I reverse the order within the ISS, I will have the same problem but in reverse. Is there a work-around for this?
07-19-2019 07:26 AM
07-19-2019 07:44 AM - edited 07-19-2019 07:46 AM
I have listed them one by one. I've confirmed all of them in prod and my lab so those listed as bugs clearly are. However some people may have also hit them and found a work-around or can provide some other info.
So, anyone else that has info, please chime in.
The reason this and every Cisco deployment I do ends up with a laundry list of bugs is because Cisco Wi-Fi is a huge buggy mess.
07-19-2019 08:21 AM
07-20-2019 06:37 PM
On 1, I am not seeing this issue. Try either logging out and back in or use the browser refresh button and attempt it again. Also try restarting ISE services.
On 2, Likely related to CSCvq42545
On 3, Check the setting in "Portal Behavior and Flow Settings"
On 4, CSCvq60564 new bug filed. Try updating the same text for "Notify Imported Guests (Desktop only)".
On 5, if always creating using N-day, then we may update the templates for notification; For example, Email notification.
On 6. Check the advanced search list settings for the particular ISS.
07-23-2019 02:22 AM
Thanks for the replies.
Just a few follow-ups:
1. Are you able to select sponsored guest & non-default sponsor portals from the drop-down? This is occurring on two separate deployments so there's certainly an issue somewhere.
2. The issue seems like a related bug in that the language file is not overwriting the existing language file, after it's been uploaded.
3. Cheers. It's already configured to hide all empty fields but this particular field is not being hidden (the others are).
4. Thanks - I will try the work-around.
5. Sorry, I don't understand your reply.
6. That was the first option I confirmed and it's configured as "Treat as if the user was not found...". Assuming Cisco's description is accurate, this option only applies "If a selected identity store cannot be accessed for authentication". My use case is different; in my case, the first identity store IS available but I want ISE to continue on even if it matches a username in the first store but it fails authenticating in the first store. This doesn't seem possible in ISE?
07-26-2019 02:30 AM
For anyone that reads this in the future, below are a few work-arounds I found.
1) ISE will not let you pick a portal in the Guest Type where the image associated with Logo (Email) has been removed from the portal you're trying to use. In other words, ISE forces you to use an image in the sponsor expiration email. My work-around was a white, 1x1 pixel PNG. Not perfect if the email client has a non-white background but that's usually going to be the minority of clients.
3), 4), 5). All of these display bugs were worked around by editing the language file for the respective portals.
07-27-2019 04:43 PM - edited 07-27-2019 04:44 PM
6. That was the first option I confirmed and it's configured as "Treat as if the user was not found...". Assuming Cisco's description is accurate, this option only applies "If a selected identity store cannot be accessed for authentication". My use case is different; in my case, the first identity store IS available but I want ISE to continue on even if it matches a username in the first store but it fails authenticating in the first store. This doesn't seem possible in ISE?
You are correct on this. When we have the same user names in different ID stores in an ID source sequence, ISE will only check the first one. The authentication policy rules in network access policy sets are NOT for guest portal authentications. One potential workaround is to create two guest portals -- one to auth guests and the other to auth non-guests. See Linking one guest portal to another guest portal
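The identity source sequence behaviour discussed in the two posts above, as an added example that is not part of the original thread and is not Cisco code: a toy model in which a matched username makes that store authoritative, and the advanced search list setting only matters when a store is unreachable. Store names, users and passwords are constructed sample data, and the function and result names are hypothetical.

```python
import hmac
from dataclasses import dataclass, field

# Toy model of the identity source sequence (ISS) behaviour described in this
# thread. All stores, users and passwords below are constructed sample data.

@dataclass
class Store:
    name: str
    users: dict = field(default_factory=dict)   # username -> password
    reachable: bool = True

def authenticate(sequence, username, password, proceed_if_unreachable=True):
    """Return (result, store_name) for a portal login against an ISS."""
    for store in sequence:
        if not store.reachable:
            # The advanced search list setting is only consulted when a
            # store cannot be accessed.
            if proceed_if_unreachable:
                continue          # "Treat as if the user was not found..."
            return ("PROCESS_ERROR", store.name)
        if username not in store.users:
            continue              # user not found: try the next store
        # Username matched: this store decides the outcome, pass or fail.
        if hmac.compare_digest(store.users[username], password):
            return ("PASS", store.name)
        return ("FAIL", store.name)   # no fall-through on a bad password
    return ("USER_NOT_FOUND", None)

guests = Store("Guests", {"jsmith": "guest-pw"})
ext = Store("ExtID", {"jsmith": "corp-pw", "adoe": "corp-pw2"})

def demo():
    combined = [guests, ext]          # one portal, Guests first
    return {
        "ext_only_user": authenticate(combined, "adoe", "corp-pw2"),
        "dup_user_ext_pw": authenticate(combined, "jsmith", "corp-pw"),
        "dup_user_reversed": authenticate([ext, guests], "jsmith", "guest-pw"),
        # Two-portal workaround: each portal uses a single store.
        "two_portals_guest": authenticate([guests], "jsmith", "guest-pw"),
        "two_portals_ext": authenticate([ext], "jsmith", "corp-pw"),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} {outcome}")
```

The `dup_user_*` cases fail in whichever store is listed first, which is the behaviour reported in the original post; the two single-store portals avoid the collision.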
07-29-2019 04:56 AM
Cheers.
I'll keep in mind the two portal options in the future.