Cisco Identity Services Engine User Guide, Release 1.2 - Customizing the End-User Web Portals [Cisco Identity Services Engine]

Table Of Contents

Setting Up and Customizing End-User Web Portals

Available End-User Portals

End-User Portals in Distributed Environment

Enabling Policy Services for End-User Portals

Specifying Ports and Ethernet Interfaces for End-User Portals

Tips for Assigning Ports and Ethernet Interfaces

Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals

Customizing the Portal Language, Text, and Error Messages

Adding a Custom Language Template

Customizing Portal UI Fields and Error Messages

Customizing the Web Portal Images and Color Scheme

Displaying Banner Messages to Users When Logging In or Out of Portals

Enabling Banner Messages

Customizing the Sponsor Portal Banner Messages

Customizing the My Devices Portal Banner Messages

Customizing the Guest Portal Login Banner Message

Setting Up and Customizing End-User Web Portals

Cisco ISE allows you to make global customizations that that effect the look, feel and behavior of the web pages users see in the Guest, Sponsor, and My Devices portals:

•Available End-User Portals

•Specifying Ports and Ethernet Interfaces for End-User Portals

•Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals

•Customizing the Portal Language, Text, and Error Messages

•Customizing the Web Portal Images and Color Scheme

•Displaying Banner Messages to Users When Logging In or Out of Portals

Available End-User Portals

Cisco ISE provides web-based portals for three primary sets of end users:

•Guests who need to temporarily access your enterprise network using the Guest portal

•Employees who are designated as sponsors who can create and manage guest accounts using the Sponsor portal.

•Employees who are using their personal devices on the enterprise network using the My Devices portal

Related Topics

•Chapter 17 "Supporting Personal Devices"

•Chapter 16 "Supporting Authorized Network Access for Guests"

End-User Portals in Distributed Environment

The end-user portals depend on the Administration, Policy Services, and Monitoring personas to provide configuration, session support, and reporting functionality.

Administration Node

Any configuration changes you make to users or devices on the end-user portals are written to the Administration node. If the primary Administration node fails, you can log into the end-user portals, but you cannot create, edit, or delete users or devices until the primary node comes back up or you promote the secondary node.

Policy Services Node

You must run the end-user portals on a Policy Services node, which handles all session traffic, including: network access, client provisioning, guest services, posture, and profiling. If the Policy Service node is part of a node group, and the node fails, the other nodes detect the failure and reset any pending sessions.

Monitoring Node

The Monitoring node collects, aggregates, and reports data about the end user and device activity on the My Devices, Sponsor, and Guest portals. If the primary Monitoring node fails, the secondary Monitoring node automatically becomes the primary Monitoring node.

Related Topics

•Administration Node

•Policy Service Node

•Monitoring Node

•Enabling Policy Services for End-User Portals

•Registered Endpoints Report

•Monitoring Sponsor and Guest Activity

Enabling Policy Services for End-User Portals

To support the end-user portals, you must enable portal-policy services on the node on which you want to host them.

Step 1 Choose Administration > System > Deployment.

Step 2 Click the node and click Edit.

Step 3 On the General Settings tab, check Policy Service.

Step 4 Check the Enable Session Services option.

Step 5 Click Save.

Specifying Ports and Ethernet Interfaces for End-User Portals

You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal.

You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices.

Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.

Step 2 Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444.

Step 3 Check the Gigabit Ethernet interfaces you want to enable for each portal.

Step 4 Click Save.

If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.

Related Topics

•Tips for Assigning Ports and Ethernet Interfaces

•Ports Used by the Admin Portal

•Port Settings for Web Portals

•Configuring Client Provisioning

Tips for Assigning Ports and Ethernet Interfaces

Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals:

•All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction.

•You must assign the Blacklist portal to use a different port than the other end-user portals.

•Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal.

•You must configure the Ethernet interfaces using IP addresses on different subnets.

Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals

You can set the Sponsor and My Devices portals to use an easy-to-remember fully-qualified domain names (FQDN), such as: mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues.

You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services.

Before You Begin

You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node.

Step 1 Choose Administration > Web Portal Management > Settings > General > Ports.

Step 2 Scroll to the Portal FQDNs section, and check the appropriate setting:

•Default Sponsor Portal FQDN

•Default My Devices Portal FQDN

Step 3 Enter a fully qualified domain name.

Step 4 Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete.

Step 5 Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes.

Related Topics

•Port Settings for Web Portals

•Wildcard Certificates

Customizing the Portal Language, Text, and Error Messages

The Sponsor, Guest, and My Devices portals can be set to display in any of the languages supported by Cisco ISE. If you need to support additional languages, you can create custom templates.

You can further customize the language display for each portal by modifying the UI text and error messages used by each portal.

Related Topics

Cisco ISE Internationalization and Localization

Adding a Custom Language Template

If you want to support any additional languages, you can create a custom language template. Each language template must use a unique browser locale mapping.

Step 1 Choose Administration > Web Portal Management > Settings > Guest, Sponsor, or My Devices > Language Template.

Step 2 Click Add to create a new language template.

Step 3 Enter a unique Name and Description for the language template, followed by a valid Browser Locale Mapping.

Step 4 Update the text strings in each section with localized content.

Step 5 Click Save.

Related Topics

•My Devices Portal Language Template Settings

•Guest Portal Language Template Settings

•Sponsor Language Template Settings

Customizing Portal UI Fields and Error Messages

You can fully customize the text and error messages used by the Guest, Sponsor, and My Devices portals. The Guest portal customizations also include the fields used by the Self-Provisioning portal and the Mobile Device Management (MDM) enrollment and compliance pages.

Step 1 Choose Administration > Web Portal Management > Settings > Guest, Sponsor, or My Devices > Language Template.

Step 2 Choose one of the languages from the list.

Step 3 Update the text strings in each section with localized content.

Step 4 Click Save.

Related Topics

•My Devices Portal Language Template Settings

•Guest Portal Language Template Settings

•Sponsor Language Template Settings

Customizing the Web Portal Images and Color Scheme

You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal.

These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead.

Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.

Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals.

Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal.

Step 4 Click Save.

Related Topics

•General Portal Theme Settings

•Customized Guest Portal

Displaying Banner Messages to Users When Logging In or Out of Portals

You can display messages to users when they log into one of the end-user portals. The pre-login banner displays on the login page for each portal. The post-login banner displays briefly for about 15 seconds on the bottom right side of the Sponsor and My Devices portals, and it does not apply to the Guest portal. You can customize the displayed text for each portal individually.

Enabling Banner Messages

If you want to display messages to users before or after they log into one of the end-user portals, you need to enable them. This option enables the setting on each portal, but you can then customize the displayed text specifically for each portal.

Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.

Step 2 Check the Display pre-login banner and Display post-login banner options enable the banners.

Related Topics

•General Portal Theme Settings

•Customizing the Sponsor Portal Banner Messages

•Customizing the My Devices Portal Banner Messages

•Customizing the Guest Portal Login Banner Message

Customizing the Sponsor Portal Banner Messages

You can customize the text that displays to sponsor users before and after logging into the Sponsor portal.

Step 1 Choose Administration > Web Portal Management > Settings > Sponsor > Language Template.

Step 2 Click the language, such as English.

Step 3 Click Configure Common Items and update the Pre-Login Banner Text and Post-Login Banner Text fields.

Step 4 Click Save.

Related Topics

•General Portal Theme Settings

•Enabling Banner Messages

Customizing the My Devices Portal Banner Messages

You can customize the text that displays to employees before and after logging into the My Devices portal.

Step 1 Choose Administration > Web Portal Management > Settings > My Devices> Language Template.

Step 2 Click the language, such as English.

Step 3 Click Configure Login Page and update the Pre-Login Banner Text and Post-Login Banner Text fields.

Step 4 Click Save.

Related Topics

•General Portal Theme Settings

•Enabling Banner Messages

Customizing the Guest Portal Login Banner Message

You can customize the text that displays to guests before logging into the Guest portal.

Step 1 Choose Administration > Web Portal Management > Settings > Guest > Language Template.

Step 2 Click the language, such as English.

Step 3 Click Configure Login Page and update the Pre-Login Banner Text fields.

Step 4 Click Save.

Related Topics

•General Portal Theme Settings

•Enabling Banner Messages

	Cisco Identity Services Engine User Guide, Release 1.2
	Customizing the End-User Web Portals
Cisco Identity Services Engine User Guide, Release 1.2 Preface What's New In This Release Introducing Cisco ISE Cisco ISE Features Navigating the Admin portal Deploying Cisco ISE Nodes Setting Up Cisco ISE in a Distributed Environment Setting up Inline Posture Setting Up Cisco ISE Management Access Administering Cisco ISE Managing Administrators and Admin Access Policies Cisco ISE Licenses Managing Certificates Managing Network Devices Managing Resources Logging Managing Cisco ISE Backup and Restore Operations Setting Up Endpoint Protection Service Managing Users and End-User Portals Managing Users and External Identity Sources Customizing the End-User Web Portals Supporting Authorized Network Access for Guests Supporting Personal Devices Enabling and Configuring Cisco ISE Services Setting up Policy Conditions Managing Authentication Policies Managing Authorization Policies and Profiles Configuring Endpoint Profiling Policies Configuring Client Provisioning Configuring Client Posture Policies Configuring Cisco Security Group Access Policies Monitoring and Troubleshooting Cisco ISE Monitoring and Troubleshooting Reporting Reference Administration UI Reference Operations UI Reference Policy UI Reference Sample Code for Sponsor and Guest Portal Customizations Network Access Flows Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions Troubleshooting Cisco ISE Supported Management Information Bases in Cisco ISE	Download this chapter Customizing the End-User Web Portals Download the complete book Book-length PDF (PDF - 16 MB) Feedback Table Of Contents Setting Up and Customizing End-User Web Portals Available End-User Portals End-User Portals in Distributed Environment Enabling Policy Services for End-User Portals Specifying Ports and Ethernet Interfaces for End-User Portals Tips for Assigning Ports and Ethernet Interfaces Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals Customizing the Portal Language, Text, and Error Messages Adding a Custom Language Template Customizing Portal UI Fields and Error Messages Customizing the Web Portal Images and Color Scheme Displaying Banner Messages to Users When Logging In or Out of Portals Enabling Banner Messages Customizing the Sponsor Portal Banner Messages Customizing the My Devices Portal Banner Messages Customizing the Guest Portal Login Banner Message Setting Up and Customizing End-User Web Portals Cisco ISE allows you to make global customizations that that effect the look, feel and behavior of the web pages users see in the Guest, Sponsor, and My Devices portals: •Available End-User Portals •Specifying Ports and Ethernet Interfaces for End-User Portals •Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals •Customizing the Portal Language, Text, and Error Messages •Customizing the Web Portal Images and Color Scheme •Displaying Banner Messages to Users When Logging In or Out of Portals Available End-User Portals Cisco ISE provides web-based portals for three primary sets of end users: •Guests who need to temporarily access your enterprise network using the Guest portal •Employees who are designated as sponsors who can create and manage guest accounts using the Sponsor portal. •Employees who are using their personal devices on the enterprise network using the My Devices portal Related Topics •Chapter 17 "Supporting Personal Devices" •Chapter 16 "Supporting Authorized Network Access for Guests" End-User Portals in Distributed Environment The end-user portals depend on the Administration, Policy Services, and Monitoring personas to provide configuration, session support, and reporting functionality. Administration Node Any configuration changes you make to users or devices on the end-user portals are written to the Administration node. If the primary Administration node fails, you can log into the end-user portals, but you cannot create, edit, or delete users or devices until the primary node comes back up or you promote the secondary node. Policy Services Node You must run the end-user portals on a Policy Services node, which handles all session traffic, including: network access, client provisioning, guest services, posture, and profiling. If the Policy Service node is part of a node group, and the node fails, the other nodes detect the failure and reset any pending sessions. Monitoring Node The Monitoring node collects, aggregates, and reports data about the end user and device activity on the My Devices, Sponsor, and Guest portals. If the primary Monitoring node fails, the secondary Monitoring node automatically becomes the primary Monitoring node. Related Topics •Administration Node •Policy Service Node •Monitoring Node •Enabling Policy Services for End-User Portals •Registered Endpoints Report •Monitoring Sponsor and Guest Activity Enabling Policy Services for End-User Portals To support the end-user portals, you must enable portal-policy services on the node on which you want to host them. Step 1 Choose Administration > System > Deployment. Step 2 Click the node and click Edit. Step 3 On the General Settings tab, check Policy Service. Step 4 Check the Enable Session Services option. Step 5 Click Save. Specifying Ports and Ethernet Interfaces for End-User Portals You can specify the port used for each web portal allowing you to use different ports for the end-user portals: Sponsor, Guest (and Client Provisioning), My Devices, and Blacklist portals. The Client Provisioning portal uses ports 8905 and 8909 for posture assessments and remediation, which you cannot change. Otherwise, it uses the same ports assigned to the Guest portal. You can also partition portal traffic to specific Gigabit Ethernet interfaces. For example, you might not want the Admin portal (which always uses GigabitEthernet 0) available on the same network as guest users or employee devices. Step 1 Choose Administration > Web Portal Management > Settings > General > Ports. Step 2 Enter the port value in the HTTPS Port field for each portal. By default, the Sponsor, Guest, My Devices portals use 8443, and the Blacklist portal uses port 8444. Step 3 Check the Gigabit Ethernet interfaces you want to enable for each portal. Step 4 Click Save. If you have changed the port settings, all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete. Related Topics •Tips for Assigning Ports and Ethernet Interfaces •Ports Used by the Admin Portal •Port Settings for Web Portals •Configuring Client Provisioning Tips for Assigning Ports and Ethernet Interfaces Refer to these guidelines to help you decide how best to assign ports and Ethernet interfaces to the end-user portals: •All port assignments must be between 8000-8999. This port range restriction is new in Cisco ISE 1.2. If you upgraded with port values outside this range, they are honored until you make any change to this page. If you make any change to this page, you must update the port setting to comply with this restriction. •You must assign the Blacklist portal to use a different port than the other end-user portals. •Any portals assigned to the same HTTPS port also use the same Ethernet interfaces. For example, if you assign both the Sponsor and My Devices portals to port 8443, and you disable GigabitEthernet 0 on the Sponsor portal, that interface is also automatically disabled for the My Devices portal. •You must configure the Ethernet interfaces using IP addresses on different subnets. Specifying the Fully Qualified Domain Name for Sponsor and My Devices Portals You can set the Sponsor and My Devices portals to use an easy-to-remember fully-qualified domain names (FQDN), such as: mydevices.companyname.com or sponsor.companyname.com. Alternatively, Cisco ISE also supports wildcard certificates to address certificate name mismatch issues. You must configure DNS to resolve to at least one policy services node. If you have more than one policy services node that will provide portal services, you should configure high availability for the portal. For example, you could use a load balancer or DNS round-robin services. Before You Begin You must also update DNS to ensure the FQDN of the new URL resolves to a valid policy service node IP address. Additionally, to avoid certificate warning messages due to name mismatches, you should also include the FQDN of the customized URL in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE policy service node. Step 1 Choose Administration > Web Portal Management > Settings > General > Ports. Step 2 Scroll to the Portal FQDNs section, and check the appropriate setting: •Default Sponsor Portal FQDN •Default My Devices Portal FQDN Step 3 Enter a fully qualified domain name. Step 4 Click Save, and all nodes (Administration, Policy Services, and Monitoring) restart automatically, which may take several hours to complete. Step 5 Configure the network DNS server so that it resolves the FQDN to the Sponsor or My Devices portal nodes. Related Topics •Port Settings for Web Portals •Wildcard Certificates Customizing the Portal Language, Text, and Error Messages The Sponsor, Guest, and My Devices portals can be set to display in any of the languages supported by Cisco ISE. If you need to support additional languages, you can create custom templates. You can further customize the language display for each portal by modifying the UI text and error messages used by each portal. Related Topics Cisco ISE Internationalization and Localization Adding a Custom Language Template If you want to support any additional languages, you can create a custom language template. Each language template must use a unique browser locale mapping. Step 1 Choose Administration > Web Portal Management > Settings > Guest, Sponsor, or My Devices > Language Template. Step 2 Click Add to create a new language template. Step 3 Enter a unique Name and Description for the language template, followed by a valid Browser Locale Mapping. Step 4 Update the text strings in each section with localized content. Step 5 Click Save. Related Topics •My Devices Portal Language Template Settings •Guest Portal Language Template Settings •Sponsor Language Template Settings Customizing Portal UI Fields and Error Messages You can fully customize the text and error messages used by the Guest, Sponsor, and My Devices portals. The Guest portal customizations also include the fields used by the Self-Provisioning portal and the Mobile Device Management (MDM) enrollment and compliance pages. Step 1 Choose Administration > Web Portal Management > Settings > Guest, Sponsor, or My Devices > Language Template. Step 2 Choose one of the languages from the list. Step 3 Update the text strings in each section with localized content. Step 4 Click Save. Related Topics •My Devices Portal Language Template Settings •Guest Portal Language Template Settings •Sponsor Language Template Settings Customizing the Web Portal Images and Color Scheme You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal. These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead. Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme. Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals. Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal. Step 4 Click Save. Related Topics •General Portal Theme Settings •Customized Guest Portal Displaying Banner Messages to Users When Logging In or Out of Portals You can display messages to users when they log into one of the end-user portals. The pre-login banner displays on the login page for each portal. The post-login banner displays briefly for about 15 seconds on the bottom right side of the Sponsor and My Devices portals, and it does not apply to the Guest portal. You can customize the displayed text for each portal individually. Enabling Banner Messages If you want to display messages to users before or after they log into one of the end-user portals, you need to enable them. This option enables the setting on each portal, but you can then customize the displayed text specifically for each portal. Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme. Step 2 Check the Display pre-login banner and Display post-login banner options enable the banners. Related Topics •General Portal Theme Settings •Customizing the Sponsor Portal Banner Messages •Customizing the My Devices Portal Banner Messages •Customizing the Guest Portal Login Banner Message Customizing the Sponsor Portal Banner Messages You can customize the text that displays to sponsor users before and after logging into the Sponsor portal. Step 1 Choose Administration > Web Portal Management > Settings > Sponsor > Language Template. Step 2 Click the language, such as English. Step 3 Click Configure Common Items and update the Pre-Login Banner Text and Post-Login Banner Text fields. Step 4 Click Save. Related Topics •General Portal Theme Settings •Enabling Banner Messages Customizing the My Devices Portal Banner Messages You can customize the text that displays to employees before and after logging into the My Devices portal. Step 1 Choose Administration > Web Portal Management > Settings > My Devices> Language Template. Step 2 Click the language, such as English. Step 3 Click Configure Login Page and update the Pre-Login Banner Text and Post-Login Banner Text fields. Step 4 Click Save. Related Topics •General Portal Theme Settings •Enabling Banner Messages Customizing the Guest Portal Login Banner Message You can customize the text that displays to guests before logging into the Guest portal. Step 1 Choose Administration > Web Portal Management > Settings > Guest > Language Template. Step 2 Click the language, such as English. Step 3 Click Configure Login Page and update the Pre-Login Banner Text fields. Step 4 Click Save. Related Topics •General Portal Theme Settings •Enabling Banner Messages
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks