
19050 Views | 11 Helpful | 25 Replies
disoares
Cisco Employee

ISE Password Change Portal (UCP) with My Devices Portal Customization

Hi team,

My customer plans to migrate to ISE and today they use the UCP feature in ACS to change enable passwords. Will this feature be included in ISE?

Thanks,

Diego

Accepted Solution
Jason Kunst
Cisco Employee

Steps to configure a My Devices portal as a User Change Password Portal

Changing passwords in ISE portals is not available for external ID stores (Active Directory) today.

Access the Command-Line Interface to Change the Enable Password would work for AD users, however.

Be aware of this bug as well; it may have an impact in your environment. Make sure you are running 2.2 with the latest patch or 2.4, the current recommended long-term releases as of 2/25/19:
CSCvb96836 Change password flag is not resetting itself after password change happened under My Devices portal

Behavior

1. User logs in with old credentials.

2. After clicking the "OK" button he is redirected to the "Change password" page. The "My devices" page is hidden.

3. After successfully changing the password he gets an alert that the password change is complete. (Using the ISE browser, you will see the My Devices Portal in the background.)

4. After clicking the "Ok" button he is redirected to the "Login" page.

After logging in again, he goes through the same process over again.

There are 3 scripts: one for My Devices and one for the password change page as well.

The password change functionality in ISE only works for internal user accounts and can be done via the Sponsor or My Devices Portals; ISE cannot change the enable password.

These steps will change the behavior of the My Devices Portal to send the user to password change immediately after they log in to the portal. The script automatically selects password change. After the user changes the password there is no indication besides it returning the user to the My Devices page, where the user should sign out.

See this doc on working with JavaScript to understand how to use it:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-43_ISE_Web_Portal_Customization_Options.pdf

Make sure you have an internal user to test with and a valid identity source sequence:

  1. Navigate to Administration > Identity Management > Identities
  2. Create an account and add it to the Employee group (end of the account creation page)
  3. (Optional, as by default Internal Users is part of this sequence) Navigate to Administration > Identity Management > Identity Source Sequence > MyDevices_Portal_Sequence

Steps to configure Portal Settings

  1. Navigate to Work Centers > BYOD > Portal & Components (or Configure) > My Devices Portals
  2. Create a new My Devices Portal and name it User Password Change Portal
  3. Under Portal Settings:
    1. (Optional) Configure an FQDN such as passwordchange.domain.com
    2. Make sure you have a valid authentication method to match the proper group
  4. Under Post-Login Banner Page Settings, uncheck the option
  5. Under Employee Change Password Settings, check the box for "Allow internal users to change their own passwords"

Steps to customize portal

  1. Choose Portal Page Customization at the top of the page
  2. Under Global Page Customization > Text Elements > Banner Title, change the banner from "My Devices Portal" to "User Password Change Portal"
  3. Under Pages > Login > Instructional Text, change it to "You may change your password through this portal"
  4. Under Pages > My Devices > Optional Content 2, toggle into HTML Source and paste in the script below
  5. Toggle out of HTML Source
  6. Save the page in the upper right of the page
  7. Click on the Portal Test URL button

Information on the script

If you don't have this script, the user will have to select password change in the upper right of the portal. This hides everything from the user so they only go to the password change screen (you may briefly see the My Devices page if your delay value below is not correct and needs to be tuned).

2.4 My Devices page script

<script>
// Runs every time the My Devices page is shown (including back/forward navigation)
$(document).on('pageshow', function() {
    // Hide the My Devices content so the user only ever sees the password change flow
    $('.ui-panel-content-wrap').hide();
    // Error container rendered by ISE (not acted on in this version of the script)
    var error = $('.cisco-ise-errors');
    var hasErrors = error.length > 0;
    // sessionStorage only holds strings, so compare against the string "true"
    var passwordChanged = sessionStorage.getItem('passwordChanged') === "true";
    if (passwordChanged) {
        // Second visit after a successful change: confirm, reset the flag and sign out
        alert('Password has been changed successfully.');
        sessionStorage.setItem('passwordChanged', false);
        document.forms['logout'].submit();
    } else {
        // First visit after login: go straight to the Change Password page
        document.forms['changePasswordPreLoad'].submit();
    }
});
</script>
Login Page Script
<script>
$(documen