Service Changes The Services administration is now much simplified. The configuration is centralized in the Admin portal under the Access menu. There are several changes in Cisco ISE Web Portals between the ISE and later releases. This chapter provides a list of upgrade considerations and dependencies that you must be aware of when you upgrade from to later releases. Admin Portal Changes, page 1 Other Portal-Related Changes, page 11 -Related Changes, page 13 Admin Portal Changes The following table lists the changes in the Admin portal, provides the UI navigation path, and change information. Refer to the Cisco ISE Administrator Guide for more details. 1
Admin Portal Changes Service Changes Language Template Device Registration Portal > Language Template > Multi-Portal Configuration > Portal > Edit > Operations > users should be allowed to do device registration Languages Device Registration Settings Portals or Portals > Edit > Portal Page Customization > Languages Portals > Create /Edit /Duplicate > Portal Behavior and Flow Device Registration Settings In and later, each portal type supports fifteen languages that you can use to display text to the user in the portal. These languages are available as individual properties files bundled together in a single zipped language file. The non-default languages that are created in are migrated to the new release. However, any new settings that are introduced in the new release are set to their default values in English for these profiles. You must ensure that these values comply with your company policies and standards and update these settings in the respective languages. In the new release, if the Automatically register guest devices check box is checked, then the device is automatically added to the endpoint identity group and the guest ID is associated with it automatically. 2
Service Changes Admin Portal Changes Time Profiles and Role > Time Profiles > Roles Configuration Groups > Group > Roles Types Types In the new release, if the Automatically register guest devices check box is checked, then the device is automatically added to the endpoint identity group and the guest ID is associated with it automatically. 3
Admin Portal Changes Service Changes Activated Role > Roles Configuration Allow guest to bypass the portal Type > Create / Edit 4
Service Changes Admin Portal Changes The following Types are available by default in the new release: Daily Default settings allow network access for just 1 to 5 days. Weekly Default settings allow network access for two weeks. Contractor Default settings allow network access for up to a year. Type in the new release is formed from the following data elements in : Groups, Roles, and Time Profiles. Using a combination of these three data elements, Types are created in the new release. If a Role is used in an authorization policy in, a corresponding Type is created in the new release. If any of these data elements are not used in any policies in, a Type is not created in the new release for that element. The upgrade process does not migrate time profiles that do not have active guests associated with them. If there are guests whose accounts are expired in, these guests are not migrated to the new release (irrespective of their status, for example, whether they are in the 'suspended' or 'awaiting initial login' state). Any guest types or sponsor groups that were associated with these guests are not migrated. If you want a time profile to be available in the new release ( Type), then, before upgrade, you must create a guest account, associate it with the required time profile, and activate it. Note The FromFirstLogin time profile in.x is not 5
Admin Portal Changes Service Changes Optional Data 1-5 > Language Template Custom Fields Type > Create / Edit available in. This time profile was used to allow the access time to start at first login. In.x, when you create a guest account using the FromFirstLogin time profile, the start date is set to the current date and the expiration date is set to the start date plus the duration configured in the time profile. This configuration is reset when the guest logs in for the first time. The upgrade process does not migrate guest accounts that have expired. You can use the Daily Type instead to allow network access for a day. In, sponsors had the ability to obtain additional information from guests such as an alternate email address or birth dates (optional data). In the new release, the optional data is called custom fields and is available under Type configuration. Time Restrictions > Time Profiles Maximum Access Time Types > Create / Edit > Maximum Access Time In, you can configure time restrictions (specify the time when guests should not be granted access), but in the new release, you can configure access time (specify the time when guests can be granted access). Device Registration Portal Limit > Portal Maximum devices guests can register Type > Create / Edit > Login Options 6
Service Changes Admin Portal Changes Groups Groups Groups Groups Groups in the new release include the following default sponsor groups: ALL_ACCOUNTS GROUP_ACCOUNTS OWN_ACCOUNTS AD External Group is present if you have configured Active Directory and joined to the Active Directory domain after you upgrade to the new release. The upgrade process does not migrate all the sponsor groups. groups that are not used in the creation of guests roles are not migrated. As a result of this change, some sponsors (internal database or Active Directory users) may not be able to log in after upgrade to the new release. You must check the sponsor group mapping for sponsors whose login fails. Map the sponsor to the appropriate sponsor group. Group Group Removed from the new release. groups in the new release contain users and AD group mappings and permissions for those users. 7
Admin Portal Changes Service Changes Group Permissions Groups > Group > Authorization Levels Permissions Groups > Create / Edit > Permissions The following fields have changed: Allow Login Removed in the new release Create Single Account The Known User option in the new release replaces the Create Single Account option in. Similar to, sponsors can create multiple random accounts and import guest details from a CSV file in the new release. Send Email In the new release, this option is available by default in the sponsor portal and all sponsors can send guest credentials through email. Send SMS In the new release, you have the Send SMS notifications with guest credentials option. Account Start Time In the new release, you have the Start date cannot be more than n days into the future option. Maximum Duration of Account In the new release, this option is available under Type configuration ( Access > Types > Create/Edit > Maximum Access Time > Maximum account duration). Allow Printing Details In the new release, this option is available by default in the sponsor portal and all sponsors can print the guest details. 8
Service Changes Admin Portal Changes Time Zone > Time Profiles Locations Locations and SSIDs locations in the new release are obtained from the guest accounts. When you create a guest in, you associate a time zone for the guest. This time zone is used to create the guest location in the new release, and these locations are associated with the respective guest groups. Account Purge Settings General > Purge Schedule purge of expired guest accounts Account Purge Username > Username Username Username During upgrade, the guest username policy might have changed. You must review the guest username policy and ensure that it conforms to your standards. Any changes that you made to the default guest username policy in is migrated as a custom policy to the new release. Supported special characters in the guest username are different between Release and the new release, and the supported special characters are migrated as custom entries. Password Password Password Password During upgrade, the guest password policy might have changed. You must review the guest password policy and ensure that it conforms to your standards. Any changes that you made to the default guest password policy in is migrated as a custom policy to the new release. Supported special characters in the guest password are different between and the new release, and the supported special characters are migrated as custom entries. 9
Admin Portal Changes Service Changes SMTP Server Settings > System > SMTP Server Email Settings Email Settings > System > SMTP Server In, the SMTP server settings and guest email notification settings were in the same UI page. In the new release, the SMTP server settings and email notification to guests are available in two different locations (see the UI navigation path for the new release). Personal Devices Portals Settings Configure Device Portals > Device Portal Management The following personal devices portals are available by default in the new release: Blacklist Portal BYOD Portal Client Provisioning Portal MDM Portal My Devices Portal If you changed the default portal interfaces and ports in, new BYOD and Client Provisioning portals are created in the new release that correspond to the portals. The authorization profiles are updated accordingly. Portal Theme General > Portal Theme Portal Theme > Device Portal Portal > Edit > Portal Page Customization In the new release, you can customize the portal theme and view your changes before you save them. Mobile-Optimized Portal > Mutli-Portal Configuration > Edit > Operations > Enable Mobile Portal All portals are mobile optimized by default. Depending on the type of device that is used, the mobile or desktop version is used. 10
Service Changes Other Portal-Related Changes SMS Text Message Notification > Language Template SMS Gateway Settings > System > SMS Gateway SMS gateways in the new release enable: s to manually send SMS notifications to guests with their login credentials and password reset instructions. s to automatically receive SMS notifications with their login credentials after they successfully register themselves. s to automatically receive SMS notifications with actions to take before their guest accounts expire. Other Portal-Related Changes During upgrade, all Cisco ISE portals are migrated to the new release. Default Portals You can edit and make changes to the default portals (,, My Devices, and so on) after migration to the new release. Any portal settings that are newly introduced in Release are set to their default values. The port, allowed interfaces, and portal theme configuration for the default portals are retained during upgrade. Custom Portals for and Personal Devices This release of Cisco ISE provides a new streamlined guest and employee on-boarding experience as well as a new portal customization experience with a host of new features from multi-language support to WYSIWYG customization. When you upgrade to the new release, all custom portals are migrated to the new experience. Here are a few considerations that you must be aware of: The basic look and feel customizations that were done using CSS & HTML in previous releases of ISE are migrated by the upgrade process in to the new and Personal Devices flows. Customizations done using basic html and native administration tools should migrate properly. Customizations that use custom JavaScript to alter the flow might not migrate properly. After upgrade, you can recreate these portals from the ISE Admin portal. You cannot edit any of the custom portals that are migrated to the new release. If you want to make changes to the look and feel, flow, or function, you must create a new portal after upgrade (from the ISE Admin portal). ISE and.1 customers were capable of making a wide variety of portal customizations. Some of those customizations might not migrate to the new release predictably. We recommend that you review your newly migrated portals in a lab setting before using them in a production environment. 11
Other Portal-Related Changes Service Changes ISE fails to create a guest account in the new release when you: 1 Configured your guest portal in ISE or.1 to allow self-service 2 Hardcoded the time zone value during portal customization 3 Migrated the customized portal to the new release through the ISE upgrade process This occurs because the hardcoded time zone value in your customized portal might not match the Location names in the new release. Time zones in ISE and.1 are renamed to Locations in the new release. As a workaround, after upgrade, add the same time zone that you hardcoded in or.1, as a Location in the new release. To do this, from the ISE Admin portal, choose Access > Locations and SSIDs, add the time zone in the Location name text box, choose the corresponding time zone, click Add, and save the settings. Portals All guest portals from or.1 are migrated to the new release and you will see the following portals upon upgrade. If you do not have the equivalent or.1 guest portal, a default guest portal is created. DRW Portal in or.1 Hotspot Portal in the new release Portal with no Self-Service in or.1 ed Portal in the new release Portal with Self-Service Enabled in or.1 Self-Registered Portal in the new release Portals In and.1, you can customize the following sponsor portal settings from Manage Accounts > My Settings: Language Template, Location, Email Address, Role, Account Duration, Time Zone, Notification Language, and Password Settings. After upgrade, only the sponsor email address gets migrated and the rest of the settings are not migrated. If you have customized your language preference, after upgrade, when you log in to the sponsor portal, your language preference is not retained. BYOD Portals The following BYOD portals are migrated from or.1: My Devices Portal from or.1 Portals with BYOD-related configuration The following default BYOD portals are created after you upgrade to the new release (these portals were not available in or.1): Default Blacklist Portal Default BYOD Portal Client Provisioning Portal Default Client Provisioning (CP) Portal is created when you upgrade to the new release. For more information on the new ISE and Personal Devices features and administrative experience, see the Cisco Identity Services Engine Administrator Guide. 12
Service Changes -Related Changes -Related Changes The following policy and policy element changes and enhancements are introduced in this release of Cisco ISE: Group The sponsor group policy is removed. groups in the new release contain users and AD group mappings along with permissions for those users. Authorization Profile The redirect URL is formatted according to the new format. For example, the URL redirect for a hotspot portal is: https://ip:port/guestportal/gateway?sessionid=sessionidvalue&portal=portalid&action=cwa&type=drw. Authorization A new identity group ( Type identity group) is available for use in authorization policy. 13
-Related Changes Service Changes 14