
ISE 1.4 - Sponsor CAN or can not view password

cisartomas
Level 1

Hello,

 

We have set for some Sponsor group the possibility to not "view Guest password". Then we enabled "Send SMS notification". We would like to limit some sponsors so that they are not able to see the Guest password, but have the possibility to send the credentials via SMS.

But after the guest account creation, we were unable to notify the Guest: the "notify" button completely disappeared. After we set "view Guest password" back to online, the "notify" button appeared again.

Does anybody know if this is a feature? I mean, if you disable the "view password" you are unable to do anything with the account during the account creation?

T.


Jason Kunst
Cisco Employee

Correct, this is the same with ISE 1.3, 1.4, and 2.0. Please work with your account team on a feature request to change this behaviour.

Defect to track is CSCux11556.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_011011.html#reference_19692E3539F24C429EE73EAF376767CC

View guests’ passwords

For guest accounts that they can manage, allow the sponsor to view the passwords.

If the guest has changed the password, the sponsor can no longer view it; unless it is reset by the sponsor to a random password generated by Cisco ISE.

Note: If this option is disabled for a sponsor group, the members of that group cannot send email and SMS notifications regarding the login credentials (guest password) for the guest accounts that they manage.


The recommendation would be to have the user change the password after they login. This way the user has a private password and the sponsor is no longer able to see it.


http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/sponsor_guide/b_spons_SponsorPortalUserGuide_20/Create_Guest___Accounts.html#concept_04C7A2F95DB94EEC88B6A4653286DC68

You can create guest accounts for authorized visitors requiring access to your company’s network and internal resources. When you create accounts, whether it is for a known guest, or randomly for a multiple set of guests, or when importing a batch of guest accounts from an external database, Cisco ISE generates passwords for these accounts.

If your system administrator set you up with the required privileges, you can view these system generated passwords:
- When managing guest accounts in the account details for each account.
- If you choose to be notified of the account details at the same time you notify your guests.

However, if your guests are permitted to change their passwords and do so after they log into the Guest portals, you can no longer view these passwords, as they are considered private.

If guests lose or forget their passwords after they change them, you cannot simply resend their passwords to them. You have to reset their passwords to random passwords and notify them of the new passwords.

I found a solution for this problem. I changed the language template and CSS folder of the sponsor portal. Although the guest password completely disappears, I can use notification. In the language template, delete the key.sponsor.ui_password_label=Password line, or delete the word in the Password box on Sponsor Portal Page Customization > Notify Known Guest.

However, the password is visible when the sponsor creates users with the import option. If you want the password to disappear on the import page, you should customize the CSS folder.

There are two CSS folders in the default theme:

/sponsorportal//css/sponsor.structure.css

/sponsorportal/css/guest.theme.1.css

You can see them by viewing the page source.

Only guest.theme.1.css can be exported and customized. You can access sponsor.structure.css in a web browser and combine the two CSS folders. Then write "display none" for the div id of the username/password section.

If you want the CSS folder, I can share it with you.

Keep in mind that this only superficially hides the private information.

If you do view source, the password is listed there.

I tested this. The password is not listed in the page source. The password field completely disappears. You can see it in the following image.

That is not correct.

The code you are looking at is the “runtime” code that changes on the fly.

If you look at the “network” tab you will see everything
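
The point made in the replies above, that hiding the password section with CSS leaves the value in the response the browser receives, can be checked against a saved response body. This is an added example, not part of the original thread and not Cisco code; the markup, the `guest-credentials` id and the sample values are constructed and hypothetical, not taken from the ISE sponsor portal.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "link", "meta"}  # elements with no end tag
# Constructed sample response and stylesheet; the id is hypothetical.
SAMPLE_CSS = "#guest-credentials { display: none; }\n.banner { color: #333; }"
SAMPLE_HTML = (
    '<div id="guest-credentials"><span>Username: jdoe</span>'
    '<span>Password: EXAMPLE-ONLY</span></div><p>Account created</p>'
)

def hidden_ids(css):
    """Ids named in any rule whose body sets display:none."""
    ids = set()
    for selector, body in re.findall(r"([^{}]+)\{([^}]*)\}", css):
        if re.search(r"display\s*:\s*none", body, re.I):
            ids.update(re.findall(r"#([\w-]+)", selector))
    return ids

class HiddenText(HTMLParser):
    def __init__(self, ids):
        super().__init__()
        # stack holds, per open element, the hidden id in effect (or None)
        self.ids, self.stack, self.found = ids, [], {}

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        own = dict(attrs).get("id")
        inherited = self.stack[-1] if self.stack else None
        self.stack.append(own if own in self.ids else inherited)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        hidden = self.stack[-1] if self.stack else None
        if hidden and data.strip():
            self.found.setdefault(hidden, []).append(data.strip())

def hidden_but_present(html, css):
    """Map each CSS-hidden id to the text still present in the response body."""
    parser = HiddenText(hidden_ids(css))
    parser.feed(html)
    parser.close()
    return {k: " ".join(v) for k, v in parser.found.items()}

if __name__ == "__main__":
    print(hidden_but_present(SAMPLE_HTML, SAMPLE_CSS))
```

A non-empty result means the value was delivered to the client and only its rendering was suppressed.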

Thx both of you for the answers. We will try to use the workaround at least. Let me explain it in more detail:

First we wanted the weak Diffie-Hellman ciphersuite on the guest portal to be fixed in the 1.2 ISE. The answer was "it will not be fixed in the 1.2 release, you have to upgrade to ISE 1.2.1, 1.3 or 1.4". So we did. We upgraded the ISE deployment, for which the customer paid several thousands of Euros, just because of the bug which you were not willing to fix. We have found several features not having parity features on the 1.4. We had to change the design of several services. We found many new bugs which may severely affect us and are still not fixed. So the upgrade is still a pain in the ass and we thank God for each day without a networking issue! If you push us to upgrade (not update) the ISE release just to get rid of the basic Cisco should maintain the products backward compatible, so in my opinion there is no need for discussion whether to implement such a feature or not. It was available in 1.2, customers use it, so why not have it in 1.4 and 2.0 and other releases. And at last, a few days ago Cisco released patch 17 for ISE 1.2 - No comment.

The customer has a robust Sponsor portal environment; right now the Sponsor has just the possibility to view own, group or all accounts. He has integrated the Sponsor portal solution at the customer site due to the possibilities of handling the guest password. I like the new face of ISE Guest, but still sometimes I don't know what Cisco means with their steps....

Anyway Jason - you are right, Guests should be forced to change the password after they first log in to the portal. But what about the old function of "Activated Guest" - the customer is using those accounts for direct access to wifi for VIP users - they apply those credentials directly to the supplicant, no guest portal. There is no possibility to tell those people, hey, go to the guest portal first, and then use the new credentials in the supplicant..

And in the end what about the guest users - they are just visitors of the customer network. The customer does not want to use HOTSPOT for them, he wants the u/p possibilities. Your suggestion is to force the change of the password - the Guest receives the credentials and then is forced to change it. YES, looks nice, but guests usually:

1. forget the new credentials
2. password policy for new password could be painful..
3. Disconnect from Guest :-)

Tomas

Sorry to hear all your troubles. We are working to try to bring back what you're looking for. Please do get your info to your account team so we can work through fixes and making things better.

Trying to address too many things here and should be talking through with TAC and/or your account team.

Please note 1.2.x fixes are only going to be included if critical. 1.2 and 1.2.1 are similar; customer will at some point always need upgrade if going to support newer protocols, security fixes etc. We can't keep support forever.

Customer will need upgrades at some points and should be evaluated completely before doing so.

I don't get your reference to hotspot, but it seems like you are just venting your frustration! :) Understandable.

2nd activated guest is still in product, on guest type it's called allow guest to bypass portal. Search the release notes:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/upgrade_guide/b_ise_upgrade_guide_14/b_ise_upgrade_guide_14_chapter_011.html

Jason, thanks for the reply. We know that the customer MUST sometimes upgrade the ISE deployment. But first of all Cisco told us the weak DH cipher will not be resolved in 1.2.......

Anyway, I spoke about the hotspot portal due to no u/p required for access, and that means Sponsors are not allowed to see the password of guests :-)

Yes, I know that 2nd activated guest are still in product, but how can you force them to change their password in the supplicant? - It's not possible. As I wrote you at the beginning, Sponsors are the external organization at the customer site. The customer just does not want to have possibilities for Sponsors to view the guest password (classical guest account / activated guest account), just send the ISE generated credentials via SMS...

The "activated" guest accounts have expiration time set to 1 year, so those accounts can be used with 3rd party...

I understand, we will work on it.

Please make sure to get a TAC case open and your customer assigned to a defect; I know they are working on opening one right now.

Defect opened: CSCux11556. No ETA to resolution, as this is a product feature change and will need to be designed into a release. Have customers attach themselves to this defect.

Hello Jason,

thx for the information. I got the message from TAC. We have opened the case related to this thread two weeks ago.. Now we got at least some tiny progress :-)

I worked with them, thanks!

Hi, anyone get this bug resolution from Cisco?

Hello Gilbert,

Unfortunately this is going to be fixed in ISE 2.2 - that is scheduled for end of 2016.

Regards,

Jatin

Do rate helpful posts!

~Jatin