08-01-2013 03:22 AM - edited 03-10-2019 08:43 PM
I upgraded from 1.1.4 patch 3 to 1.2 but cannot access the guest portal anymore, neither with FQDN:8443 nor with IP:8443.
Any idea?
08-01-2013 03:33 AM
Can you post the screenshot of your authorization profile for guests? Also can you hover over the green status button in the authentications report to see which av pairs ise is sending back to the network access device?
Also if this is a wireless scenario can you check the client attributes on the controller, if this is for wired can you issue a show authentication sessions interface type x/y.
Thanks,
Sent from Cisco Technical Support iPad App
08-01-2013 03:55 AM
Thank you Tarik, the CWA is successful and the browser gets correctly redirected but cannot open the web page.
Same for the sponsor portal from my network (which was working before the upgrade): it cannot be reached via the default 8443 port.
08-01-2013 04:12 AM
Did you add in the static ip or hostname feature for your guest portals or are they still redirecting to the same url as the ISE fqdn? If so can you verify that dns is resolving. Also did you modify any of the port mappings for any of the "8443" portals?
Also is this a standalone node or is this a distributed deployment? If distributed are there firewalls in between the admin node and the psns? There are additional ports that need to be opened for communication between the deployment.
Sent from Cisco Technical Support iPad App
08-01-2013 04:14 AM
standalone deployment
did not change default ports
no static ip nor customized fqdn....
TY
08-01-2013 04:19 AM
Can you verify the output of "show application status ise"? Make sure all the services are up. Also, for grins, try restarting the application with "app stop ise" and "app start ise".
You can also pull a pcap from the node itself by going to the operations > troubleshooting tools and run the tcp dump with "ip host
Give these a shot and let me know what that yields.
Sent from Cisco Technical Support iPad App
08-01-2013 04:38 AM
restarted, no success
ISE Database listener is running, PID: 30857
ISE Database is running, number of processes: 26
ISE Application Server is running, PID: 19898
ISE Profiler DB is running, PID: 18611
ISE M&T Session Database is running, PID: 18486
ISE M&T Log Collector is running, PID: 19980
ISE M&T Log Processor is running, PID: 20079
tcp dump:
Server error:
Server not reachable, Please try later
-.-
reload?
TY
08-01-2013 04:43 AM
Reload and open a tac case, is this a lab box or is this a production node? Can you check the dns records, ntp settings and make sure those are intact? Is the live authentications working on your setup?
Also do you have backup of your pre-upgraded database? I would consider resetting the configuration on ise "app reset-config ise" and then try restoring your ise1.1.x backup.
Thanks,
Sent from Cisco Technical Support iPad App
08-01-2013 04:56 AM
maybe it needed some time but this is the tcpdump
13:52:16.340227 IP (tos 0x0, ttl 126, id 3481, offset 0, flags [DF], proto: TCP (6), length: 48) sansw9_na.aeronautica.alenia.it.cplscrambler-in > ISELAB3315.pcsync-https: S, cksum 0xd4fb (correct), 1581540674:1581540674(0) win 64512
13:52:19.331254 IP (tos 0x0, ttl 126, id 3487, offset 0, flags [DF], proto: TCP (6), length: 48) sansw9_na.aeronautica.alenia.it.cplscrambler-in > ISELAB3315.pcsync-https: S, cksum 0xd4fb (correct), 1581540674:1581540674(0) win 64512
13:52:25.357674 IP (tos 0x0, ttl 126, id 3488, offset 0, flags [DF], proto: TCP (6), length: 48) sansw9_na.aeronautica.alenia.it.cplscrambler-in > ISELAB3315.pcsync-https: S, cksum 0xd4fb (correct), 1581540674:1581540674(0) win 64512
when calling https://FQDN:8443
records are ok as I can access gui..
yes I do have a 1.1.4 backup do you think this can be restored on 1.2?
and yes this is a laboratory ISE, in place to test the upgrade procedure
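The capture in the post above shows one SYN (identical sequence number) sent three times with no SYN-ACK coming back from the node. As an added example, not part of the original thread, the following Python flags that pattern in old-style verbose tcpdump text; the function name and the second, answered capture are constructed for illustration.

```python
import re
from collections import defaultdict

# Old-style "tcpdump -v" TCP line: time, IP header details, src > dst: flags, cksum, seq[, ack]
LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP \(.*?\) (\S+) > (\S+): (\S+), "
    r"cksum \S+ \(\w+\), (\d+):\d+\(\d+\)(?: ack (\d+))?"
)

# Copied from the post above (tcpdump prints port 8443 by its service name, pcsync-https).
POST_CAPTURE = """\
13:52:16.340227 IP (tos 0x0, ttl 126, id 3481, offset 0, flags [DF], proto: TCP (6), length: 48) sansw9_na.aeronautica.alenia.it.cplscrambler-in > ISELAB3315.pcsync-https: S, cksum 0xd4fb (correct), 1581540674:1581540674(0) win 64512
13:52:19.331254 IP (tos 0x0, ttl 126, id 3487, offset 0, flags [DF], proto: TCP (6), length: 48) sansw9_na.aeronautica.alenia.it.cplscrambler-in > ISELAB3315.pcsync-https: S, cksum 0xd4fb (correct), 1581540674:1581540674(0) win 64512
13:52:25.357674 IP (tos 0x0, ttl 126, id 3488, offset 0, flags [DF], proto: TCP (6), length: 48) sansw9_na.aeronautica.alenia.it.cplscrambler-in > ISELAB3315.pcsync-https: S, cksum 0xd4fb (correct), 1581540674:1581540674(0) win 64512
"""
# Constructed contrast case: a retransmitted SYN that the server eventually answers.
CONSTRUCTED_OK = """\
10:00:00.000100 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto: TCP (6), length: 48) client.example.50000 > portal.example.8443: S, cksum 0x1111 (correct), 1000:1000(0) win 64512
10:00:03.000100 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto: TCP (6), length: 48) client.example.50000 > portal.example.8443: S, cksum 0x1111 (correct), 1000:1000(0) win 64512
10:00:03.000300 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 48) portal.example.8443 > client.example.50000: S, cksum 0x2222 (correct), 5000:5000(0) ack 1001 win 5840
"""

def unanswered_syns(capture):
    """Return flows whose SYN was retransmitted and never got a matching SYN-ACK."""
    syns = defaultdict(list)   # (src, dst, seq) -> timestamps of each SYN
    answered = set()           # (client, server, client_seq) acknowledged by a SYN-ACK
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m or "S" not in m.group(6):
            continue           # not a TCP line we understand, or not a SYN / SYN-ACK
        h, mi, s, src, dst, _flags, seq, ack = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if ack is None:
            syns[(src, dst, int(seq))].append(t)
        else:                  # SYN-ACK: it acknowledges client_seq + 1
            answered.add((dst, src, int(ack) - 1))
    report = []
    for (src, dst, seq), times in syns.items():
        if (src, dst, seq) in answered or len(times) < 2:
            continue
        gaps = [round(b - a) for a, b in zip(times, times[1:])]
        report.append({"src": src, "dst": dst, "attempts": len(times), "gaps_s": gaps})
    return report

if __name__ == "__main__":
    print(unanswered_syns(POST_CAPTURE))
```

Because the capture was taken on the node itself, SYNs that arrive and go unanswered mean the portal listener or the interface it is bound to is not responding, rather than DNS or a device dropping traffic on the path towards the node.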
08-01-2013 08:35 AM
Yes ise 1.2 can upgrade an older version of db. I upgraded mine from 1.1.4 p3 to 1.2 and it runs flawlessly.
Sent from Cisco Technical Support Android App
08-01-2013 09:11 AM
thank you very much for your support Tarik
I finally got it
The problem was the running config: one interface (G 2) was set to be a clone of G1 for Ethernet hardware troubleshooting. Although it was shut down, it seems it was conflicting with the other (in this ISE version), so I cleared its configuration and re-enabled it to have the portal work.
finally....
TY
08-01-2013 02:48 PM
I have attached the steps to configure the guest portal and hope they will address the problem.
Configuring the Guest Portal
Adding a New Guest Portal
You must configure settings for the Guest portal before allowing guests to use it to access the network. Some settings apply globally to all Guest portals and others require you to set them for each portal individually.
You can add a new Guest portal or edit an existing one.
Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations.
Step 2 Click Add.
Step 3 Update the fields on each of these tabs:
•General—enter a portal name and description and choose a portal type.
•Operations—enable the customizations for the specific portal
•Customization—choose a language template for displaying the Guest portal with localized content
•File Uploads—displays only if you have chosen a portal type requiring you to upload custom HTML files.
•File Mapping— identify and choose the HTML files uploaded for the particular guest pages. Displays only if you have chosen a portal type requiring you to upload custom HTML files.
•Authentication—indicate how users should be authenticated during guest login.
Step 4 Click Submit.
Specifying Ports and Ethernet Interfaces for End-User Portals
You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.
You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.
Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
Step 2 Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444.
Step 3 Check the Gigabit Ethernet interfaces you want to enable for each portal.
Step 4 Click Save.
If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
Tips for Assigning Ports and Ethernet Interfaces
•All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.
•You must assign the Blacklist portal to use a different port than the other end-user portals.
•Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.
•You must configure the Ethernet interfaces using IP addresses on different subnets. Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:
Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals
You can set the Sponsor and My Devices portals to use easy-to-remember fully qualified domain names (FQDN), such as mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.
Before You Begin
Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.
Step 2 Scroll to the Portal FQDNs section, and check the appropriate setting:
•Default Sponsor Portal FQDN
•Default My Devices Portal FQDN
Step 3 Enter a fully qualified domain name.
Step 4 Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.
Step 5 Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node.
09-30-2013 09:15 PM
Hi all,
I have the same problem. I have upgraded from 1.1.4 patch 6 to 1.2 patch 2 and everything works fine except the Guest Portal: every time, it redirects me back to the enter-credentials page. I'm connecting wired; on the port I see the authentication with Status: Authz Success, but the ACL didn't change, I mean CoA.
11-14-2013 02:23 PM
Are you matching internal users on the authentication rule?
There is a new guest store in 1.2 so that rule would no longer work...
You would need to create new store including guest users and reference that store in your authentication rule.
That was the fix in my case