
ISE My Devices & Sponsor Portal as a User Change Password Portal (UCP)


This document is for customers who are coming to ISE from ACS, or who are new to ISE, and need a user change password (UCP) portal.

What are the licensing requirements for this solution?

  • My Devices - Using password change with My Devices requires Plus licenses, because you're using a Plus feature portal.
  • Sponsor Portal - Base licenses
  • Also see the "ISE User Password Change Portal using API and Github" option, which would use Base licenses

What are the support options for this solution?

This solution is supported on a best-effort basis in the community. TAC doesn't support scripting.

Will this feature be included in ISE?

For feedback and roadmap requests, reach out to our PMs at http://cs.co/ise-feedback. For internal communication with the product managers about the future roadmap, use http://cs.co/ise-pm

My Devices portal as a User Change Password Portal

Changing passwords through ISE portals is not available for external ID stores (Active Directory) today.

The procedure in "Access the Command-Line Interface to Change the Enable Password" would work for AD users, however.

Be aware of this bug as well; it may have an impact in your environment. Make sure you are running 2.2 with the latest patch, or 2.4, as these are the current recommended long-term releases as of 2/25/19.
CSCvb96836 Change password flag is not reseting itself after password change happened under my devices portal 

Behavior

1. The user logs in with old credentials.

2. After clicking the "OK" button, the user is redirected to the "Change password" page. The "My devices" page is hidden.

3. After successfully changing the password, the user gets an alert that the password change is complete. (When using the ISE browser, you will see the My Devices Portal in the background.)

4. After clicking the "Ok" button, the user is redirected to the "Login" page.

 

After logging in again, the user goes through the same process over again.

 

The password change functionality in ISE only works for internal user accounts and can be done via the Sponsor or My Devices portals, provided the Change Password configuration is enabled in ISE.

 

These steps change the behavior of the My Devices portal so that the user is sent to password change immediately after logging in to the portal. The script automatically selects password change. After the user changes the password, there is no indication besides being returned to the My Devices page, where the user should sign out.

 

See this document on working with JavaScript in ISE portals to understand how to use it:

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-43_ISE_Web_Portal_Customization_Options.pdf

 

Make sure you have an internal user to test with and a valid identity source sequence:

  1. Navigate to Administration > Identity Management > Identities
  2. Create an account and add to the employee group (end of the account creation page)
  3. (Optional as by default internal users is part of this sequence) Navigate to Administration > Identity Management > Identity Source Sequence > MyDevices_Portal_Sequence

 

Steps to configure Portal Settings

  1. Navigate to WorkCenters > BYOD > Portal & Components (or Configure) >  My Devices Portals
  2. Create a new My Devices Portal and name it User Password Change Portal
  3. Under portal settings:
    1. (Optional) Configure an FQDN such as passwordchange.domain.com
    2. Make sure you have a valid authentication method to match the proper group
  4. Under Post Login banner page settings uncheck the option
  5. Under Employee change password settings check the box for allow internal users to change their own passwords

 

Steps to customize portal

  1. Choose Portal Page Customization at the top of the page
  2. Under Global Page Customization > Text Elements > Banner Title change the banner from My Devices Portal to User Password Change Portal
  3. Under Pages > Login > Instructional Text change it to "You may change your password through this portal"
  4. Under Pages > My Devices > optional content 2 toggle into HTML Source and paste in the script below:
  5. Toggle out of HTML source
  6. Save the page in the upper right of page
  7. Click on the portal test URL button

 

Information on the script.

If you don't use this script, the user has to select password change in the upper right of the portal. The script hides everything from the user so they only go to the password change screen (you may briefly see the My Devices page if the delay value below is not correct and needs to be tuned).

 

ISE Version 2.4

 

Enable Change password and disable Post-Login Banner Page and AUP from the settings.

Add the code below to Optional Content 2 of the respective pages.

In the code below, the portal ID in the Logout.action selector must be changed to match your portal.

 

change password page
=========================
<script>
    // Remember that the user submitted the change password form.
    $('#ui_changepwd_submit_button').on('click', function(evt){
        sessionStorage.setItem('passwordChanged', true);
    });
 
    $(document).on('pageshow', function() {
        // Find the portal's logout link; skip anchors that have no href.
        var logoutAction = '';
        $('a').each(function(){
            var href = $(this).attr('href');
            if(href && href.indexOf("Logout") !== -1){
                logoutAction = href;
            }
        });
        // Make the link back to the My Devices home page log the user out instead.
        $('a[href="HomePreLoad.action?from=MY_DEVICES_HOME"]').attr('href', logoutAction);
        // sessionStorage stores strings, so compare against "true".
        var passwordChanged = sessionStorage.getItem('passwordChanged') == "true";
        if (passwordChanged) {
            alert('Password has been changed');
            sessionStorage.setItem('passwordChanged', false);
            // Replace the portal ID below with the one from your portal.
            var logoutUrl = $('[href="Logout.action?portal=582293e0-011a-11ea-88a9-e2ae93fcfd8a"]').attr('href');
            window.location = logoutUrl;
        }
    });
</script>

My Devices page
===============
<script>
    setTimeout(function(){
        $('.ui-panel-content-wrap').hide();
        $('.ui-link-inherit').first().click();
    }, 100);
</script>

The value 100 is the delay in milliseconds. If you have a slow ISE server, you should raise this delay to 500 or sometimes to 1000 (ms).

 

ISE Version 2.6 

 

Enable Change password and disable Post-Login Banner Page and AUP from the settings. Add the code below to Optional Content 2 of the respective pages.

 

Login Page
============
<script>
    $(document).on('pageshow', function() {
        sessionStorage.setItem('passwordChanged', false);
    });
</script>
 
Change Password page
====================
<script>
    setTimeout(function(){
        sessionStorage.setItem('passwordChanged', false);
        $('#ui_changepwd_cancel_button').attr('href', 'javascript:document.forms["logout"].submit()');
        $('#ui_changepwd_submit_button').on('click', function(evt){
            sessionStorage.setItem('passwordChanged', true);
        });
    }, 1000);
</script>
 
My Devices page
===============
<script>
    $(document).on('pageshow', function() {
        $('.ui-panel-content-wrap').hide();
        // sessionStorage stores strings, so compare against "true".
        var passwordChanged = sessionStorage.getItem('passwordChanged') == "true";
        if (passwordChanged) {
            // Password was just changed: tell the user and log out.
            alert('Password has been changed');
            sessionStorage.setItem('passwordChanged', false);
            document.forms['logout'].submit();
        }
        else {
            // Not changed yet: go straight to the change password page.
            document.forms['changePasswordPreLoad'].submit();
        }
    });
</script>

 

To remove the drop-down menu in the right-side corner of the change password page, use the script below in Optional Content 2 of the Change Password page. This applies to both ISE 2.4 and 2.6.

 

<script>
    setTimeout(function(){
        var deskUser = $(".cisco-desktop-header-menu-button").text();
        $(".cisco-desktop-header-menu-button").remove();
        $(".cisco-mobile-header-menu-button").remove();
        var infoiconDesc = $(".cisco-desktop-menu-button")[0].outerHTML;
        $(".cisco-desktop-menu-button").replaceWith('<div class="ui-btn-right">'+deskUser+infoiconDesc+'</div>');
        $('.ui-btn-icon-notext .ui-btn-inner .ui-icon').css('margin','16px 1px 2px 3px');
    }, 1000);
</script>
 

The delay is there for those who have a high-latency connection to the PSN.

Sometimes, when the page loads quickly (on a fast PC), you can see one button change colour to another.

Adjust the delay to your liking.

 

On the change password page, put this under Optional Content. It logs the user out of the portal after the password is changed, so the user doesn't get caught in a loop going back to change password. It also presents a message after the password is changed to tell them.

 

How to get Portal ID

 

You will need to replace the portal ID below with the one from your My Devices portal. It can be found in your browser's URL bar:

portal=71180af0-e387-11e6-aeb1-005056873bd0
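The 2.4 script hardcodes the portal ID in its logout selector. As an added example (not part of the original article or of Cisco's scripts), the ID can instead be read from the page URL and checked against the UUID shape shown above before it is placed in a selector or href, since the address bar is user-controlled input. The function names and the sample URL are constructed for illustration, and the example assumes the page the script runs on carries the `portal` query parameter.

```javascript
// Added example: derive the portal ID from the URL instead of hardcoding it.
// Constructed sample URL; host, port and path are placeholders.
const SAMPLE_URL =
  'https://passwordchange.domain.com:8443/portal/PortalSetup.action' +
  '?portal=71180af0-e387-11e6-aeb1-005056873bd0';

// Portal IDs on this page have the 8-4-4-4-12 hex (UUID) shape.
const PORTAL_ID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns the portal ID in lowercase, or null if it is missing,
// repeated, or not UUID-shaped.
function extractPortalId(pageUrl) {
  let parsed;
  try {
    parsed = new URL(pageUrl);
  } catch (e) {
    return null; // not an absolute URL
  }
  const values = parsed.searchParams.getAll('portal');
  if (values.length !== 1) return null; // absent or ambiguous
  const id = values[0].trim();
  return PORTAL_ID_RE.test(id) ? id.toLowerCase() : null;
}

// Builds the relative logout href used by the 2.4 script's selector.
// Because the ID passed validation it contains only hex digits and
// hyphens, so it cannot break out of a quoted attribute selector.
function buildLogoutHref(pageUrl) {
  const id = extractPortalId(pageUrl);
  return id === null ? null : 'Logout.action?portal=' + id;
}

// In the portal script this would be called with window.location.href:
//   var href = buildLogoutHref(window.location.href);
//   if (href) { window.location = $('[href="' + href + '"]').attr('href'); }
```

If the function returns null, fall back to the hardcoded ID for your portal rather than using the raw query value.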

  


 

Sponsor portal as a User Change Password Portal

Sponsor portal customization --> Create Account for Known Guests --> Instructional Text

 

 

<script>
    var pwdBtnDisplayed = false;

    $(document).on('pageshow', function() {
        // Strip the sponsor navigation and the guest creation steps from the page.
        $('.cisco-navbar').remove();
        $('.create-guest-type-step').remove();
        $('.create-guest-info-step').hide();
        $('.create-access-info-step').hide();
        if(!pwdBtnDisplayed){
            // Remove the first five list entries, then add the Password Change button once.
            for(var i=0; i<5 ; i++){
                $('.ui-listview').children()[0].remove();
            }
            $('.cisco-nav-content').append('<center><input onclick="changePasswordFn()" target="_self" type="button" value="Password Change"/></center>');
            pwdBtnDisplayed = true;
        }
        window.addEventListener('resize', function(){
            if(window.innerWidth < 960){
                removeMedisqueryCSS();
            }
        });
    });

    function changePasswordFn (){
        location.href='#changePwd';
    }

    function removeMedisqueryCSS() {
        if (typeof window.CSSMediaRule !== "function") return false; // Your browser doesn't support media query feature
        var s = document.styleSheets, r, i, j, k;
        if (!s) return; // no style sheets found
        // walk through css sheets
        for (i = 0; i < s.length; i++) {
            // get all rules; cross-origin sheets throw when read, so skip them
            try { r = s[i].cssRules; } catch (e) { continue; }
            if (!r) continue;
            for (j = 0; j < r.length; j++) {
                // If there's a rule for media query
                if (r[j] instanceof CSSMediaRule){
                    if((r[j].media.mediaText).indexOf("60em") < 0){
                        // deleteRule() takes an index; delete from the end so indexes stay valid
                        for (k = r[j].cssRules.length - 1; k >= 0; k--) {
                            r[j].deleteRule(k);
                        }
                    }
                }
            }
        }
    }
</script>

 

Comments
Beginner

Hi,

I have ISE version 2.4 and I added the two codes in the optional content 2. I test the portal URL and after login I always see the "My Devices" page.

 


Could you help me?

 

Cisco Employee
What is the URL you are sent to? Do you have JavaScript enabled per the general how-to customization guide listed at http://cs.co/ise-guest?
Beginner
Cisco Employee

Please open a new question, not attached to this.