cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

14596
Views
11
Helpful
25
Replies
disoares
Cisco Employee

ISE Password Change Portal (UCP) with My Devices Portal Customization

Hi team,

My customer plans to migrate to ISE and today they use the UCP feature in ACS to change enable passwords. Will this feature be included in ISE?

Thanks,

Diego

1 ACCEPTED SOLUTION

Accepted Solutions
Jason Kunst
Cisco Employee

Steps to configure a My Devices portal as a User Change Password Portal

Changing passwords in ISE portals are not available for external ID stores today (active directory).

Access the Command-Line Interface to Change the Enable Password would work for AD users, however.

Be aware of this bug as well, it may have impact in your environment. Make sure running 2.2 with latest patch or 2.4 as current recommended long term releases as of 2/25/19
CSCvb96836 Change password flag is not reseting itself after password change happened under my devices portal

 

 

Behavior

1. User logins with old credentials

2. After click on "OK" button he redirecting to "Change password" page. "My devices" page is hidden.

3. After success changing password he got an alert password change is complete. (Using ISE browser will see My Devices Portal in background)

4. After click on "Ok" button he redirecting to "Login" page.

 

After login again goes through same process over again

 

There are 3 scripts, one for my devices and one for the password change page as well.

 

The password change functionality in ISE only works for internal user accounts and can be done via the Sponsor or My Devices Portals, ISE cannot change the enable password

 

These steps will change the behavior of the MYdevices Portal to send the user to password change immediately after they login to the portal. The script automatically selects password change. After the user changes the password there is no indication besides it returning the use to the my devices page where the user should sign-out

 

See this doc with working with javascript to understand how to use it

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-43_ISE_Web_Portal_Customization_Options.pdf

 

Make sure you have an internal user to test with and a valid identity source sequence

  1. Navigate to Administration > Identity Management > Identities
  2. Create an account and add to the employee group (end of the account creation page)
  3. (Optional as by default internal users is part of this sequence) Navigate to Administration > Identity Management > Identity Source Sequence > MyDevices_Portal_Sequence

 

Steps to configure Portal Settings

 

  1. Navigate to WorkCenters > BYOD > Portal & Components (or Configure) >  My Devices Portals
  2. Create a new My Devices Portal and name it User Password Change Portal
  3. Under portal settings:
    1. (optional) configure a FQDN such as passwordchange.domain.com (optional)
    2. make sure you have a valid authentication method to match the proper group
  4. Under Post Login banner page settings uncheck the option
  5. Under Employee change password settings check the box for allow internal users to change their own passwords

 

Steps to customize portal

  1. Choose Portal Page Customization at the top of the page
  2. Under Global Page Customization > Text Elements > Banner Title change banner form My Devices Portal to User Password Change Portal
  3. Under Pages > Login > Instructional Text change it to " You may change your password through this portal"
  4. Under Pages > My Devices > optional content 2 toggle into HTML Source and paste in the script below:
  5. Toggle out of HTML source
  6. Save the page in the upper right of page
  7. Click on the portal test URL button

 

Information on the script.

If you don't have this script the user will have to select password change in the upper right of the portal. This hides everything to the user so they only go to the password change screen (you may briefly see the My Devices page if your delay value below is not correct and needs to be tuned)

 

2.4 my devices page script

<script>
$(document).on('pageshow', function() {
    $('.ui-panel-content-wrap').hide();
    var error = $('.cisco-ise-errors');                 
    var hasErrors = error.length > 0;
    var passwordChanged = sessionStorage.getItem('passwordChanged') == "true";
    if (passwordChanged) {
        alert('Password has been changed successfully.');
        sessionStorage.setItem('passwordChanged', false);
        document.forms['logout'].submit();
    }
    else if (!passwordChanged){
        document.forms['changePasswordPreLoad'].submit();
    }      
});                                                                                                       
</script>
Login Page Script
<script>
$(document).on('pageshow', function() {
    sessionStorage.setItem('passwordChanged', false);
});
</script>

 

This is delay (200). If you have slow ISE server, you should raise this delay to 500 or sometimes to 1000 (ms).

 

The reason of using this delay is for those have a latent connection to the PSN

Sometimes, when page is loaded fast, you can see how one button of colour changing to another (when PC is fast).

Please adjust to your liking

 

On the change password page put this in under Optional Content, this will log you out of the portal after you change the password so the user doesn't get in a loop going back to change password. It also presents a message after the password is changed to tell them

 

 

You will need to replace the portal ID below with the one from your My Devices Portal, this can be found in your browser URL bar

portal=71180af0-e387-11e6-aeb1-005056873bd0

 

2.4 code script for change password

<script>
setTimeout(function(){
    sessionStorage.setItem('passwordChanged', false);
    $('#ui_changepwd_cancel_button').attr('href', 'javascript&colon;document.forms["logout"].submit()');
 
    $('#ui_changepwd_submit_button').on('click', function(evt){
        sessionStorage.setItem('passwordChanged', true);
    });
}, 1000);
</script>

  

Screen Shot 2016-11-08 at 10.31.33 AM.png

Screen Shot 2016-11-09 at 11.49.56 AM.png

 

View solution in original post

25 REPLIES 25
Jason Kunst
Cisco Employee

There is no native User change password portal in ISE but I have posted a way to make the My Devices Portal into a password change portal. This is for internal accounts and not for the enable password change, for product feature request please reach out to the ISE Product Managers internally through account team.

ACS to ISE comparison

https://communities.cisco.com/docs/DOC-63901

Jason Kunst
Cisco Employee

Steps to configure a My Devices portal as a User Change Password Portal

Changing passwords in ISE portals are not available for external ID stores today (active directory).

Access the Command-Line Interface to Change the Enable Password would work for AD users, however.

Be aware of this bug as well, it may have impact in your environment. Make sure running 2.2 with latest patch or 2.4 as current recommended long term releases as of 2/25/19
CSCvb96836 Change password flag is not reseting itself after password change happened under my devices portal

 

 

Behavior

1. User logins with old credentials

2. After click on "OK" button he redirecting to "Change password" page. "My devices" page is hidden.

3. After success changing password he got an alert password change is complete. (Using ISE browser will see My Devices Portal in background)

4. After click on "Ok" button he redirecting to "Login" page.

 

After login again goes through same process over again

 

There are 3 scripts, one for my devices and one for the password change page as well.

 

The password change functionality in ISE only works for internal user accounts and can be done via the Sponsor or My Devices Portals, ISE cannot change the enable password

 

These steps will change the behavior of the MYdevices Portal to send the user to password change immediately after they login to the portal. The script automatically selects password change. After the user changes the password there is no indication besides it returning the use to the my devices page where the user should sign-out

 

See this doc with working with javascript to understand how to use it

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-43_ISE_Web_Portal_Customization_Options.pdf

 

Make sure you have an internal user to test with and a valid identity source sequence

  1. Navigate to Administration > Identity Management > Identities
  2. Create an account and add to the employee group (end of the account creation page)
  3. (Optional as by default internal users is part of this sequence) Navigate to Administration > Identity Management > Identity Source Sequence > MyDevices_Portal_Sequence

 

Steps to configure Portal Settings

 

  1. Navigate to WorkCenters > BYOD > Portal & Components (or Configure) >  My Devices Portals
  2. Create a new My Devices Portal and name it User Password Change Portal
  3. Under portal settings:
    1. (optional) configure a FQDN such as passwordchange.domain.com (optional)
    2. make sure you have a valid authentication method to match the proper group
  4. Under Post Login banner page settings uncheck the option
  5. Under Employee change password settings check the box for allow internal users to change their own passwords

 

Steps to customize portal

  1. Choose Portal Page Customization at the top of the page
  2. Under Global Page Customization > Text Elements > Banner Title change banner form My Devices Portal to User Password Change Portal
  3. Under Pages > Login > Instructional Text change it to " You may change your password through this portal"
  4. Under Pages > My Devices > optional content 2 toggle into HTML Source and paste in the script below:
  5. Toggle out of HTML source
  6. Save the page in the upper right of page
  7. Click on the portal test URL button

 

Information on the script.

If you don't have this script the user will have to select password change in the upper right of the portal. This hides everything to the user so they only go to the password change screen (you may briefly see the My Devices page if your delay value below is not correct and needs to be tuned)

 

2.4 my devices page script

<script>
$(document).on('pageshow', function() {
    $('.ui-panel-content-wrap').hide();
    var error = $('.cisco-ise-errors');                 
    var hasErrors = error.length > 0;
    var passwordChanged = sessionStorage.getItem('passwordChanged') == "true";
    if (passwordChanged) {
        alert('Password has been changed successfully.');
        sessionStorage.setItem('passwordChanged', false);
        document.forms['logout'].submit();
    }
    else if (!passwordChanged){
        document.forms['changePasswordPreLoad'].submit();
    }      
});                                                                                                       
</script>
Login Page Script
<script>
$(document).on('pageshow', function() {
    sessionStorage.setItem('passwordChanged', false);
});
</script>

 

This is delay (200). If you have slow ISE server, you should raise this delay to 500 or sometimes to 1000 (ms).

 

The reason of using this delay is for those have a latent connection to the PSN

Sometimes, when page is loaded fast, you can see how one button of colour changing to another (when PC is fast).

Please adjust to your liking

 

On the change password page put this in under Optional Content, this will log you out of the portal after you change the password so the user doesn't get in a loop going back to change password. It also presents a message after the password is changed to tell them

 

 

You will need to replace the portal ID below with the one from your My Devices Portal, this can be found in your browser URL bar

portal=71180af0-e387-11e6-aeb1-005056873bd0

 

2.4 code script for change password

<script>
setTimeout(function(){
    sessionStorage.setItem('passwordChanged', false);
    $('#ui_changepwd_cancel_button').attr('href', 'javascript&colon;document.forms["logout"].submit()');
 
    $('#ui_changepwd_submit_button').on('click', function(evt){
        sessionStorage.setItem('passwordChanged', true);
    });
}, 1000);
</script>

  

Screen Shot 2016-11-08 at 10.31.33 AM.png

Screen Shot 2016-11-09 at 11.49.56 AM.png

 

View solution in original post

Hi, I have an ISE Version 2.4 patch level 3 for my customer and we should have the posibility that the user could change theyr password. 

I try to use this script, but with ISE 2.4 it dose not work any more. 

Have some one an update for this script or an other solution  ?

thank you 

 

Hi Jason,

 

This is really helpful and I'm now able to change the internal password through My Devices, but since My Devices need a Plus license and my customer doesn't have a Plus license. do you have a guide that can instruct me in changing user password through Sponsor?

 

Thanks in advance.

 

 

We don’t have a customization through sponsor portal as its too complex. The password change works the same. Just tell your users it will look like this.

Or you can create your own with API as seen in the customization section here:

https://community.cisco.com/t5/security-documents/ise-byod/ta-p/3641689#toc-hId-1174971897

Idea NOC
Beginner

Hi All, i have tried with same procedure, after login page we got blank screen, please suggest me how to get change password page after login page.

I updated the 1st script please try that, also what browser and ISE version are you using if still problems

I followed your instructions, and everything through the first script works fine (step 7).  The user is prompted to change password, the password gets changed, but then you see the "change password" screen again (the loop that was mentioned).

In an attempt to fix this loop, I added the 2nd script in the "change password page" under Optional Content1 by toggling the html button, and it broke the password change function.  Now after the initial log in, the browser just hangs.  I also tried it in optional content 2, with no difference.  I am running ISE 2.1 and Firefox 52.0, 32 bit. How can I get this to work? 

Thanks-

Jason,

Thank you for your reply!  I have carefully cut and pasted the script, paying careful attention not to include extra spaces, and toggled the html screen.  I tried numerous times but got the same result of the browser hanging.  Then I tried omitting the following 2 lines:

var logoutUrl = $('.ui-popup-container .ui-btn-icon-right:nth-child(3) a').attr('href');

        window.location = logoutUrl;

and it worked fine.  I get the pop-up alert that says 'Password has been changed', and the change is successful when tested.

But then of course it takes you back to the previous screen.  It still may be ok this way because at least the user gets the confirmation that their change was successful.  It is probably useable this way, but I can't figure out why the logout part of the script is not working for me though.

Thanks!

v/r

Julie

I added new script in the original reply at the end, please try

I will try the new script, but I started seeing "error loading page" messages on the password change page when trying to submit the password change.  I have tried creating a new portal with only the first script and settings, and have tried stopping and restarting the ise app, but no luck getting past this error. I don't know why this has started appearing.  

Is this with a clean portal and no javascript? If so please work with TAC sorry

err_ldg_page.pngYes, clean portal and just your first script.  I will have to contact the TAC before proceeding with your new script.  Thanks-

How about without any script

Content for Community-Ad