08-08-2017 11:27 PM
Hi Expert,
I am running an ISE POC with a customer doing guest portal and sponsor portal. The guest flow and sponsor approval flow are as below.
(1) Guest gets redirected to the self-registration portal and keys in his info plus the email address of the sponsor
(2) ISE will send an email to the sponsor that has an "approve" and a "deny" embedded link in the email
(3) Sponsor opens the email and clicks on the "approve" button. We verify that the guest account is approved.
But the issue here is ISE should match the statement below and send the message below to the sponsor.
Approved
Guest ($ui_guest_username$) has been approved.
But instead ISE matches the one below and sends invalid link
Link invalid
Link is invalid. Please sign on to the sponsor portal to approve/deny guests.
Appreciate your advice on why ISE is matching "link invalid" instead of "approved". Is there any configuration that we did wrongly?
Regards &
Have a nice day
08-09-2017 02:31 AM
Is this guest portal written in DNS? Is this portal written in the ISE configuration like this: ip host 10.10.10.10 guestportal.com? I think the link is invalid because there is no DNS write.
08-09-2017 04:44 AM
What kind of sponsors are you using? If they are internal they won't work; they need to be in Active Directory and the email address needs to be populated in the AD account.
Have you looked at this information?
https://communities.cisco.com/docs/DOC-70777?mobileredirect=true
Sent from my iPhone
08-09-2017 05:33 AM
Hi Jason,
We did study the link, and that's why the sponsor is able to get the email and click on the "approve" or "deny" wording, which is the tokenized link.
Unfortunately, the next screen we saw in IE after clicking on "approve" in the email is:
"Link is invalid. Please sign on to the sponsor portal to approve/deny guests."
But when we go into the sponsor page, we saw the guest account is approved.
So by right ISE should match the account action messages below and send the approved message to IE.
Approved
Guest ($ui_guest_username$) has been approved.
But instead ISE matches the one below and sends invalid link to IE.
Link invalid
Link is invalid. Please sign on to the sponsor portal to approve/deny guests.
What we did is change the "Link is invalid. Please sign on to the sponsor portal to approve/deny guests." to "I change this link". And true enough, when we did another test, the guest was created but IE showed "I change this link".
What could be the issue that causes ISE to match "link invalid" when the sponsor clicks on "approve" in the email?
Take note everything works accordingly and the guest account gets created, but ISE just shows the link invalid message in IE. Could it be because we modified the language file and corrupted the ISE algorithm?
Appreciate your sharing your thoughts.
Regards &
Have a nice day
08-09-2017 05:37 AM
I believe there may be a bug here and possibly heard of this before.
Are you running patch 2?
I would suggest working with TAC to debug, reproduce, and open a bug if not already.
08-09-2017 05:58 AM
We are running ISE 2.2 but not patch 2. We did see bug CSCvd29533, but figured that we should not be hitting it since we are using "Any pending account", which is in the workaround suggestion.
Yup, have opened a case SR 682843334 : ISE sponsor single click issue and will work with TAC.
Thanks for your time and advice.
08-09-2017 06:02 AM
Thanks, please share info when you find out.
09-21-2017 08:55 AM
Did you get an answer to this issue? We have a customer running ISE 2.2, patch 2 who is experiencing the same issue. I've gone through and verified the sponsor group, sponsor portal, guest portal, AD schema, and everything else in Jason's video (thanks for the video!)
09-21-2017 08:59 AM
I would suggest you open your own case
09-21-2017 09:01 AM
Will do. Thanks.
09-21-2017 05:48 PM
So far no good news from TAC. Will be going in a few weeks' time to re-test again. Jason is right, please log your case and share your SR number. My case here has been stuck as the customer is not around and I cannot access their site to re-test.
09-21-2017 05:59 PM
I did open a case - SR 683108386 - "ISE One-Click Sponsor Invalid Link". My customer is upgrading to 2.2 patch 3 tonight. He'll check to see if that makes any difference.
09-21-2017 06:00 PM
And, just to clarify, we're upgrading as a shot in the dark, not because TAC said to. TAC hasn't provided anything as yet.
10-09-2017 05:17 PM
Did patch 3 fix this?
We are running ISE 2.2 patch 2 and see this Link Invalid issue intermittently. Do you see the issue intermittently as well, or did it occur consistently?
DJ
10-25-2017 07:56 AM
No, Patch 3 did not correct this. I will be reopening the TAC case in a couple of weeks when I can get back on site to work with the customer.