Re: Cisco ISE v3.1 - Using https://isepb.cisco.com/#/ (Portal builder

Jay233 · ‎06-05-2023

Hi All,

Got an issue with the ISE portal builder (https://isepb.cisco.com/#), built a new portal followed the documentation (e.g. downloaded the config/uploader tool) but this tool is not working correctly??.. Filled in the required criteria but apparently ISE is resetting the connection/tool??.. Using an admin (SuperAdmin) account and confirmed access to ISE using a browser.

ISE v3.1 - ISEPB Portal Upload & Config Tool v1.0.10

Raised a TAC case and the Cisco engineer instructed me to gather some debug files, TAC have come back and said -

I have checked the Support bundle and pcap. I can see ISE resetting the connection, but this integration is not supported by TAC.

Please reach out to isepb@external.cisco.com for further support.

Anyone seen errors like this and have a workaround??.. Tried internal and external accounts, the documentation for this tool is virtually non-existent. Not sure what the AD setting at the bottom is for, by default it populates with "Internal" so assume a local admin account is required which I have tried so many times.

Rich R · ‎06-05-2023

Not familiar with this tool but AD stands for Active Directory so presume it expects you to have a connection to a Windows Active directory configured which it can use to authenticate the user?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Jay233 · ‎06-05-2023

Hi Rich R,

Thanks for the reply, yes understand what AD stands for and in the attached picture it actually says "active directory". My question was more if its internal (the default) whats the point? This wouldn't auth to AD anyway, and I'm not sure if I wanted to use AD to auth the tool would I then change it to external or include my join point?

The lack of documentation is worrying, have looked at the tool website (https://isepb.cisco.com/#/) again and have discovered that newer ISE versions may not be compatible

Overall my experiences with Cisco DNAC and ISE are a bit rubbish, DNAC upgraded to 2.3.3.6 for AP zoning feature but doesn't work (TAC told us to upgrade to 2.3.3.7)??

DNAC portal support still only supports hotspot or self reg, the portal builder is so limited (not like Aruba ClearPass) I need sponsor portal for my customer but still want my WLC to be compliant and able to provision without intervention.

Have requested support from isepb@external.cisco.com but just by the e-mail name containing external I'm not holding my breath.

Rich R · ‎06-05-2023

Yes I think you're probably right. Have you read the blog and FAQ?
It does say supplied AS-IS and no support except the email. External is used for mailing lists which people outside Cisco can send emails to so that's all that means.
The FAQ also mentions that it references a javascript file on ISE so if that file has changed or moved in later versions then that would break it.

PS: You know DNA Spaces (now Cisco SPACES) can also do portals?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Jay233 · ‎06-05-2023

Hi Rich R,

Yes using Spaces but again limited to portal type, no support for sponsored

John1922 · ‎10-17-2023

@Jay233 Did you ever get this working? Running into the same issue

Rich_U · ‎09-21-2024

I figured out what was going on. Go to Work Centers >> Device Administration >> External Identity Sources.
Look at the name that you gave your Active Directory and enter that into the field.

If you are logging in via Internal, I'm guessing it will try to authenticate you with an internally stored credential. If you don't have one there, then add one and I'm guessing you can use those creds to upload the portal.

Jay233 · ‎10-18-2023

@John1922

No update sorry, ISE portal builder still not working for me using ISE ver 3.x.

Maybe its our install? We did (inline) upgrade ISE so would be interesting to see it it works on a clean 3.x build, not had time to test that scenario.

JPavonM · ‎01-31-2025

I'm also receiving this error with ISE 3.3, and trying to use "Internal" user is not working, and not even using the AD "name" I have as External Identity Source like "AD:DOMAIN" format used in the Admin login on ISE dashboard, or just "DOMAIN" seems not to work.
Sadly, all videos that I've sees in the portal builder and Youtube show this connection working straight away with the "Internal" option, but not in my case.

Sending emails to the support inbox is the only way to progress.

JPavonM · ‎01-31-2025

See what I've seen in the Audit Logs for the Admin access:

And disabling the "Pre-login banner" has made the trick and now I have access:

And enable login back again after the portal is uploaded.

Scott Fella · ‎01-31-2025

I might have to play with this also to see if I run into any issues:)

-Scott
*** Please rate helpful posts ***

JPavonM · ‎01-31-2025

now the only issue that I see is when trying to Authenticate ISEPB in Cisco with my CCO account, as it's returning an error while loading the page with the login screen:

New email to the support team has been sent, but they take a lot to respond.

Rich R · ‎01-31-2025

Presume you've tried the usual trick of deleting all Cisco cookies and restarting the browser?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

bickmnell · ‎02-25-2025

@JPavonM Did support ever respond to you with a solution, or did you find a solution on your own?

JPavonM · ‎02-25-2025

Yes and they told me they are working on it.

The only way to do it is by downloading the portal .TAR file, using the ISEPB Tool, Connect to your ISE deployment and upload the portal file.

Cisco ISE v3.1 - Using https://isepb.cisco.com/#/ (Portal builder)