
Rename (Change of Hostname) of Cisco ISE Appliances !!!

Hi,

I have two Cisco ISE (Version: 1.1.1.268) appliances. These appliances are running in failover with internal CA-signed certificates.

The hostnames are 19 characters long with upper case and hyphens. The boxes are joined to the domain but frequently disconnect after some time. After some investigation, we came to know that AD can accept only 15-character-long hostnames... that's the reason one of the appliances keeps getting disconnected. Also, sometimes the authentications don't work properly.

My question is: how do I change the Cisco ISE appliance hostnames without impacting production and without hassle?

Send me the steps in detail, or is it just a matter of changing the hostname, registering the new names with DNS and regenerating the certificates...???

Need expert opinion....

Thanks,

Regards,

Mubasher


nspasov
Cisco Employee

Hello Mubasher-

I recently had to do this and I want to warn you to be careful. I had to rename 4 hosts and out of 4 of them only 1 remained usable. The other hosts had to be re-built. For some reason ISE nodes get very unhappy when trying to change certain things (hostnames, timezone, etc.). Also, keep in mind that even if the renaming goes well you will still impact the environment as the nodes will restart.

Here is what I did when I made the change:

1. Disjoin the ISE nodes from the domain

2. Ensure that their computer name is removed from AD

3. Update DNS records

4. Ensure that DNS records have replicated

5. Change names on ISE

6. Join nodes to the domain

Hope this helps


Thanks for rating!
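
A pre-flight check for steps 3 to 5 above, added here as an example and not part of the original reply or any Cisco tooling: it flags planned node names that exceed the 15-character limit mentioned in the question or that become identical once cut to their first 15 characters, and lists DNS servers that do not yet return the new records. The hostnames, addresses and server labels are constructed sample values, and the DNS answers are passed in as data rather than queried live.

```python
import re

NETBIOS_MAX = 15  # AD computer-name limit cited in the question
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

def check_hostnames(names):
    """Return (hostname, problem) tuples for the planned node names."""
    problems = []
    seen = {}  # truncated, upper-cased form -> first hostname that produced it
    for name in names:
        if not LABEL_RE.fullmatch(name):
            problems.append((name, "invalid characters for a DNS label"))
        if len(name) > NETBIOS_MAX:
            problems.append((name, f"{len(name)} chars, exceeds {NETBIOS_MAX}"))
        # Assumption: names over the limit are cut to their first 15 characters
        # for the AD computer account, so two long names can end up identical.
        netbios = name[:NETBIOS_MAX].upper()
        if netbios in seen:
            problems.append((name, f"collides with {seen[netbios]} as {netbios}"))
        else:
            seen[netbios] = name
    return problems

def stale_dns_servers(expected, answers_by_server):
    """Return {server: {fqdn: answer}} for every answer that differs from expected."""
    stale = {}
    for server, answers in answers_by_server.items():
        diffs = {fqdn: answers.get(fqdn) for fqdn, ip in expected.items()
                 if answers.get(fqdn) != ip}
        if diffs:
            stale[server] = diffs
    return stale

# Constructed sample data (not taken from the thread).
OLD_NAMES = ["HQ-DC1-ISE-NODE-PRI", "HQ-DC1-ISE-NODE-SEC"]  # 19 characters each
NEW_NAMES = ["hq-ise-pri", "hq-ise-sec"]
EXPECTED = {"hq-ise-pri.example.test": "192.0.2.11",
            "hq-ise-sec.example.test": "192.0.2.12"}
ANSWERS = {  # what each DNS server returned; None means no record yet
    "dns1": dict(EXPECTED),
    "dns2": {"hq-ise-pri.example.test": "192.0.2.11",
             "hq-ise-sec.example.test": None},
}

if __name__ == "__main__":
    print(check_hostnames(OLD_NAMES))
    print(check_hostnames(NEW_NAMES))
    print(stale_dns_servers(EXPECTED, ANSWERS))
```

With the sample data, both old names are over the limit and the second also collides with the first after truncation, while `dns2` is reported as not yet replicated.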

Hi Neno.

I know this post is old. However, I wanted to know something:

One of my clients has guest portal setup. Now whenever a guest connects to this portal, the hostname of ISE is displayed on the top portion of his mobile device.

Is there a way to hide this ???

Thanks in advance.

Nick

Hi Nick-

I don't think you can hide this as it is the expected behavior since the guest portal resides on the ISE node and the client's browser must resolve that FQDN. 

With that being said, there are several ways to secure ISE from guest users. You can:

1. Configure the Guest Portal so it is "attached" to a dedicated Ethernet port on ISE. That way Guest users are not hitting the regular Management interface. 

2. You can lock down the management access of ISE to specific IPs, thus eliminating the Guest subnet from being able to access ISE's mgmt IP

I hope this helps!

Thank you for rating helpful posts! 

Hi Neno,

Thanks for the reply..

The security is already configured.

Actually, the issue I am facing is that the client had given a weird hostname to the device and it is a 6 star Hotel. So whenever the guest logs in to the portal, the name is displayed on top.

Now for this reason, he wants the name changed and I have already faced the challenges of doing that. I just wanted to know if there will be any way I can make it either disappear from the top bar of the device or change the name without actually needing to change the hostname.

I understand that the Guest portal is hosted internally on ISE, so I doubt even making a change in the DNS (without actually changing the hostname on the device) will have any effect on the display.

I was just trying to see if there is an alternative to resolve this, as changing the hostname of ISE, as I have experienced, can be tricky and tiresome sometimes.

What would be your suggestion?

regards,

nick

Hi Nick-

Unfortunately, I don't see any other way but to rename the ISE server. Each guest portal is given a name but that is pre-pended with the ISE node that is getting the request. I was thinking that perhaps this can be masked with a load balancer but I don't think that is an option either. Even with a load balancer, the client still resolves the ISE host:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf

You will most likely have to get new certificates issued to the ISE nodes. 

Thank you for rating helpful posts! 

Thanks for the reply, Neno,

Have scheduled activity with client.

I just hope all goes well.. I am always scared to do this as every time I did this.. I have had issues with nodes coming up... so I have also now suggested an upgrade to 1.4... I hope all goes well.

Fingers crossed now... :-)

Thanks a lot for the knowledge.

Good luck! :) Let us know how it goes!

Neno,

There is one more issue I see at this client site.

Whenever I configure a switchport to work with ISE, I see MAC addresses being dropped on that interface.

In ISE, the status for the device is: posture pending.

The device does not get an IP address, and the device cannot ping the DNS server.

There are only a few random PCs that I encounter these issues on, say 2 out of 100,

although many other PCs on the same switch work flawlessly.

This rules out the ACL or posture redirect ACL/portal issue.

The pending status has been there for 4 days straight, and it does not recover.

I have to manually remove the configuration from the switch to get the PC back on the network.

Have you encountered any such issue? If yes, what were your steps to resolve it?

We are using certificates for machine auth. The internal Windows firewall also has the requested services allowed in and out.

Please advise.

Regards,

Nick

It is hard to tell without knowing more about the environment and seeing some configs. Perhaps it would be best to start a new thread about this issue :) Provide as many details as possible (client types, versions and models of switches, posture/AnyConnect versions, etc.).

Thank you for rating helpful posts! 
