Cisco ISE and AD group

Similar Messages

• Cisco ISE and WLC Access-List Design/Scalability

  Hi,
  I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seems to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
  User group 1 -- Apply ACL 1 --On Vlan 1 
  User group 2 -- Apply ACL 2 -- On Vlan 1
  User group 3 -- Apply ACL 3 -- On Vlan 1
  The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
  Any suggestion is appreciated.
  Thanks.

  Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
  http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
  The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. 
  Overall, I see three ways to overcome your current issue:
  1. Shrink the ACLs by making them less specific
  2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
  3. Use SGT/SGA
  Hope this helps!
  Thank you for rating helpful posts!

• Cisco ISE and forest trusts vs domain trusts

  Hi All,
  Is there any issues with forest trusts with Cisco ISE ?
  I have a customer that had external trusts and ISE was working ok for PEAP MSChapv2 user auth across domains.
  They recently removed external trusts and changed to forest trusts.  Now auth doesn't work.  Initial error was authc ok, authz fail.
  I can search and get lists of AD groups ok for the remote domain. 
  Using the attribute tab, I can't get attributes for users in remote domain.  I'm thinking since I can't see the memberof attribute, none of my authz pollicies will work.
  I have done "leave" and "join" domain again.
  In my lab, I have forest trusts and it actually works ok.  A previous poster talked about kerberos issues across forest trusts ?
  Cheers
  Peter. 

  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
  Kindly find the steps on the page no.170

• Cisco ISE and SecurID Integration Questions

  I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
  We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
  We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
  The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
  My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
  I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It apears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no-longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
  Thanks!

  The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
  Have you already gone through the below listed link?
  http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
  Regards,
  Jatin Katyal
  - Do rate helpful posts -

• ISE and Node Groups

  Hi,
  Does anyone know if node groups are purely for policy server nodes behind a load balancer such as ACE.  If you have a pair of policy server nodes at a site with no load balancer, and both nodes configured in all NAS's can these be in a node group.
  Does anyone know if you can use a load balanced set of policy nodes with LWA and WLC.  There has to be affinity between the portal ISE and the AAA ISE configured in the WLC, these would be two different sessions one Radius and one HTTP, so the ACE would not be able to distinguish.
  Thanks.
  Gary

  Hi Pon -
  Do you mean groups of users or group of pages?
  If you mean groups of users, you can create your sub-groups as a regular groups, and then when assigning users to your Main Finance group ... add the 2 groups which are your subGroups.
  If you are talking about the Portal Page Group structure, you cannot nest page groups, but you can create pages and subpages.
  Hope this helps,
  Candace

• Inline Posture between Cisco ISE and Wireless LAN Controller

  Hi,
  I was looking into Cisco ISE solution for deploying NAC.
  I have a question about the network topology.
  In  the user guide documents of cisco ISE, it is written that for Wireless  LAN Controllers (WLC) and VPN devices, an additional server, Inline Posture, is needed.
  However, in the following integration document, there is not an inline posture between WLC and Cisco ISE server.
  https://supportforums.cisco.com/docs/DOC-18121
  I  want to know if Inline Posture is a requirement, if not a  requirement, what are the benefits of having it between Cisco ISE Server  and WLC.
  Thanks & Regards
  Sinan

  Hello,
  Please go through below mentioned links which might be helpful for you.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
  http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html
  Best Regards,

• Cisco ISE and Fast User Switching

  Greetings,
  In our deployment, we are interested in utilizing the "Fast User Switching" that is contained within the Windows Functionality.   After searching for quite a while, I see that the native Windows supplicant is not compatible with Fast User Switching.   It does not appear that Anyconnect is either.   Can you please inform me as to what suppluicant I would need to research in order to allow for the User Switchign Functionality?
  We are currently using ISE 1.2 Patch 4.
  Thank You for any assistance.
  David

  The  NAC Agent for Cisco ISE does not support Windows Fast User Switching  when using the native supplicant. This is because there is no clear  disconnect of the older user. When a new user is sent, the Agent is hung  on the old user process and session ID, and hence a new posture cannot  take place. As per the Microsoft Security policies, it is recommended to  disable Fast User Switching.
  Source:
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_pos_pol.html

• Cisco ISE and authentication for 802.1x printer

  Hello
  What is the best practice to authenticate a 802.1x printer in Cisco ISE?
  The printer can store a certificate for authentication and support EAP-TLS.
  Thanks for answer.
  Marco

  EAP-TLS is the way to go. It is way way way more secure than MAB and profiling. However, the question is "How much of a hassle is it going to be to put a certificate on each printer?" Moreover, "What methods do I have (if any) to renew those certificates when they expire?" If have to manually generate a CSR and install a cert on each printer then it can quickly become an administrative overhead nightmare. With that being said, you can use MAB and profiling but just make sure that you lock down the access that those printers get. For instance, do they need access to the internet? Do they need access to anything else but the print server and/or open to all IPs access but only on the printing ports. 
  I hope this puts you in the right direction!
  Thank you for rating helpful posts!

• Cisco ISE and Switch 3560-X

  Good Morning,
  I am conducting an implementation of Cisco ISE version 1.2.1.198 with all its features on a switch 3560-X and in the ISE compatibility chart the minimum version for this switch would be the IOS v 15.0.2-SE2 (ED).
  My doubt is whether i need the feature ipbase or just the lanbase would be sufficient to meet all the features of 802.1x for the Cisco ISE.
  I appreciate the attention and Thanks,

  Please see the "Cisco Secure Access and Cisco TrustSec Release 5.0 System Bulletin".
  It notes that the 3560-X requires IP base license for all the 802.1X features.

• Cisco ISE and NDES?

  Wanting to use Cisco ICE in front of Windows Server 2012 or R2 NDES.  The following article states that NDES should NOT be clustered or load balanced and setting a single password is not supported.
  https://social.technet.microsoft.com/wiki/contents/articles/12610.network-device-enrollment-services-ndes-frequently-asked-questions-faq.aspx#Can_I_use_a_Static_Passphrase_across_multiple_NDES_servers_and_then_load_balance_them
  The Cisco article says to disable the password altogether and lock the IPs down to the ISE devices in IIS that will access NDES.
  http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml
  If NDES is configured this way and dedicated to Cisco ISE will this be a supported configuration by Microsoft?  If the password is turned off altogether can two NDES servers then be load balanced as the password generation is not an issue.
  Thanks

  Hi,
  Please refer to this article.
  CA cluster and NDES
  http://blogs.technet.com/b/techniatures/archive/2011/07/07/ca-cluster-and-ndes.aspx
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Cisco ISE and external syslog server

  Hi Security Experts,
  We are starting with deploying cisco ISE (Identity Services Engine) in our network. We have allocated 250GB space for (Admin+Monitor) ISE node.
  I want to know if we can send the logs from monitoring node to external syslog server after a defined time interval.
  For example, logs which are more than 10 days old should be sent to external syslog server. So basically our monitoring node will have logs which are at the max 9 days old. Is it possible? Could you point me to some doc which explains configuration of the same?
  Thanks,
  Kashish

  No this isnt possible via syslog. What you are looking for is database purging, so that the monitoring database is purged after a specific time interval. Here is a guide that will help shed some light on this:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_mnt.html#wp1054328
  Tarik Admani
  *Please rate helpful posts*

• HTTP Error 403 - Forbidden on Cisco ISE and SCEP RA

  Dear Experts,
  We are in process of deploying ISE 1.2 in our environment for BYOD.
  The initial step of this process is to configure ISE as an SCEP Proxy and it requires certain configuration on the local CA. We have done all the required configurations on the local CA server.
  Now, when we try to connect ISE with the local CA using SCEP RA Profiles, it gives "HTTP Error 403 - Forbidden". The URL we are using is http://ipaddress/certsrv/mscep/mscep.dll.
  It seems that the local CA is not letting the ISE access the mscep.dll file. Now I dont understand how to allow ISE to access this file or the url. Please advise if there is any step by step process guide. Although, I have followed the ones from Cisco but it doesn't state how to give ISE the required rights for accessing mscep.dll.
  Thanks in advance.
  Jay

  Jay,
  You should use this URL:
  https://ipaddress/certsrv/mscep
  If you try to get the cert from an http address, you will get an error.  You should be using https.  Also, the mscep.dll should not be part of the URL.
  You can test this connectivity from any browser by putting that URL in the sddress bar.  You should see a page similar to this:
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Cisco ISE and New Version of AntiVirus...not DAT

  So I have ISE ready to go for our VPN users. Testing has been great and it looks like we are ready to roll out.
  Then comes along a new version of our corporate AntiVirus software. We have had Kaspersky EndPoint Security v8 since last August. Now Kaspersky has released Endpoint Security v10. It took about 3 months for the Compliance Module in ISE to allow NAC Agent to recognise KESv10. But now when we connect I get an error from NAC stating bascially that the version of KES installed doesn't have any posture/rules setup and it can't do anything. (see attached for exact wording)
  I remember when we first set the ISE up there was a screen that broke down the different AV makers, and the various versions that ISE/NAC would support. I have no idea where that is now.
  How to I update my policies/remediation/rules to reflect either including KES10, or just change them to allow version 8+, or even ANY version?
  I am sure this is a simple fix, but I just can't find it. I have looked through a lot of documentation, and I even looked through a Global Lab PDF on setting up ISE posturing and can't find it there.
  Thanks,
  Dirk

  Well I am now seeing that, yes the NAC agent recognizes Kaspersky Endpoint Security v10, but I was able to see in the ISE settings that REMEDIATION ACTION is NOT supported. WHY would this be? And how/when will this be fixed....this completely invalidiate a MAIN puprose for implementing ISE to keep our A/V definitiions updated.
  Why would you implement support for antivirus if you don't support the remediation of it?!?!?!??
  VERY aggrivating Cisco....VERY!!!

• Cisco ISE and WLC Timeout Best Practices

  I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.
  I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.
  Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

  I ended up answering my own question. The authorization session timeouts should be set in ISE if at all.
  Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had less complaints about disconnects.
  The session timeout on the PEAP settings has not caused any ill affects at it's default. The session resume has taken a huge load off of AAA though. Its worth turning on.

• Cisco ISE and Catalyst 2950

  Hello!
  Please, could you help me? Is it possible to install ISE on Catalyst 2950? In Component Compatibility Guide
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
  Catalyst 2950 only support 802.1X and VLAN.
  At first I need to know about VLAN change(from resticted to corporate). Is Catalyst 2950 support it?
  Thaks for help!

  this would let both user and machine authenticate. for"5434Endpoint conducted several failed authentications of the same scenario" check  Suppress Anomalous Clients option.  This issue comes in to picture when endpoint attempts a couple of failed authentications and if Suppress Anomalous Clients option with Reject Requests After Detection is enabled then  ISE Policy nodes protect themselves from overwhelming numbers of authentication requests by sending an immediate reject for suppressed clients as opposed to processing all the steps in a normal authentication. So if that user did some authentication failure, he will be locked for 1 hours (bydefault).