cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10091
Views
0
Helpful
7
Replies

ISE 2.0 Sponsor Portal is not opening https://ISE:8443/

kamlenegi
Level 1
Level 1

Hi,

Can anyone help me, how to configure Guest Portal access through different port or generate certificate.

I am not able to access sponsor portal or guest portal in ISE 2.0 (http://ISE-IP:8443/).

Thanks

Kamlesh

1 Accepted Solution

Accepted Solutions

Oh, and if your ISE server actually responds on port 8443, maybe try this url instead, which is the correct way to reach the sponsorportal, if you haven't DNS registered and configured a specific url under the portal settings :

https://ISE:8443/sponsorportal/PortalSetup.action?portal=79a17ce0-76b6-11e5-bf99-005056bf2f0a

View solution in original post

7 Replies 7

nspasov
Cisco Employee
Cisco Employee

Hi Kamlesh-

You can change the portal at Under the "Portal Settings" section. There you can define the HTTPS port as well as the certificate group tag that you want to use. On the same page you should also see  "Portal test URL" button that will allow you to see what the portal will look like. 

To generate a certificate go to: "Administration > System > Certificates > Certificate Management > Certificate Signing Requests > Generate Certificate Signing Request (CSR)"

One you generate the CSR, you will need to submit it to a CA (like GoDaddy) for signing. Once the CA provides you with a certificate you will need to go back to the CSR page in ISE and click on the "Bind Certificate" button and follow the prompts. 

I hope this helps!

Thank you for rating helpful posts!

Hi Neno,

I am not able to open Sponsor Portal to mange guest users account.

When I open it from admin portal then it is ok but when opening from separate browser, it is not.

https://ISE:9002/sponsoradminportal/PortalSetup.action?portal=79a17ce0-76b6-11e5-bf99-005056bf2f0a&autoLogout=true

Thanks

Kamlesh

- So what url are you trying when you manually connect to ISE on 8443 ?

- Are you getting any response at all (an error page or so), or is your browser timing out ?

- Do you have multiple ISE servers in your deployment?,if yes : which role is assigned to the ISE you are trying to connect to ?

Oh, and if your ISE server actually responds on port 8443, maybe try this url instead, which is the correct way to reach the sponsorportal, if you haven't DNS registered and configured a specific url under the portal settings :

https://ISE:8443/sponsorportal/PortalSetup.action?portal=79a17ce0-76b6-11e5-bf99-005056bf2f0a

Thanks Nielsen,

I am able to login now, but there is some mistake in policy configuration or adjustment. 

I am able to login through guest username & password and showing that "you now have internet access". but the system VLAN is not going to change with actual guest VLAN let suppose 89. 

I have configured policy for guest flow and tag vlan 89, attached are snapshots.

& redirect ACL in switch.

Extended IP access list WEB_REDIRECT_ACL
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain (260 matches)
    30 deny ip any host ISE-IP (4478 matches)
    40 permit tcp any any eq www (2306 matches)
    50 permit tcp any any eq 443 (1200 matches)

I am not sure where I am doing wrong.

The same situation  with my other policy which is for domain users.

only first policy matched.

Such as:

User particular AD group policy is one then Policy for AD Domain users where all users exist.

Please help on this.

Thanks

Kamlesh

Please show us the live log from ISE, to see what authorization profiles are being hit when you try to login.

And, just so you know, if you are actually changing the vlan on the port from something else to vlan 89, that is not best practice after successful login on a guest portal (or any portal), it might work in your lab, but you will get many support calls, where devices don't understand that they need to ask for an address again after the vlan change. A workaround can be to enable the vlan change web app thing on the portal, but it also has many issues that make it a bad solution.

So, try to land the devices in the same vlan as you will grant them access to after login, so they can keep the adress they got initially, or use closed mode on your ports.

Hi Nielsen,

I have changed my guest vlan design, now they will stay in unauth vlan and dynamic & named ACL is used for restriction. I am stuck in one solution for mobile devices, please help me in this.

There are three SSIDs configured for mobile users (such as VIP, EMP, MGMT) and get three different subnet IP for websense authorization. Wireless setup is like WLC 5520 & AP1700 installed in flexconnect mode & mac filtering is not supported in flexconnect.

Now we want the mac filtering should be from ISE so how can I do that & what would be the SSID security profile.

We have on base license in ISE.

Thanks.

Kamlesh