Integration Safeword with Cisco ISE

Similar Messages

• Facing issue in integrating with Cisco ISE

  We are trying to integrate our product(Cisco Prime Infrastructure) with Cisco ISE for Authentication and Authorizations. We already support PAP/CHAP, and not trying to add support for EAP-TLS.
  Currently during our integration, facing TLS payload errors. We are using jradius library for talk to Cisco ISE for authentication and facing the below TLS error in ISE logs. Tried with Cisco ISE 1.2 and 1.3 versions.
  Event                                    5400 Authentication failed         
  Failure Reason                  11500 Invalid or unexpected EAP payload received        
  DetailedInfo                      TLS packet parsing failed: total accumulated size plus this last fragment size is greater than expected total TLS message size
  Any pointers to resolve this problem or any other free java based client library instead of jradius which is tried out successfully with Cisco ISE would also be great.
  Regards
  Chandrakumar

  DECLARE
  CURSOR s_cur
  IS
  SELECT eno FROM emp;
  TYPE fetch_array IS TABLE OF s_cur%ROWTYPE;
  s_array fetch_array;
  BEGIN
  OPEN s_cur;
  FETCH s_cur
  BULK COLLECT INTO s_array;
  CLOSE s_cur;
  FORALL i IN 1 .. s_array.COUNT
  INSERT INTO (select eno from emp_temp)
  VALUES s_array (i);
  END;
  Its working, but not understood the concept.
  INSERT INTO  (select eno from emp_temp)
  VALUES s_array (i);
  How it works?

• Afaria 7 SP3 integration with Cisco ISE

  Hi,
  I am trying to find the configuration procedure that is needed for Afaria MDM to integrate with Cisco ISE 1.2.
  1. What service should be installed/enabled?
  2. Which port or service path (<IP:port/abc/xyz?>) it will listen for the communication from Cisco ISE?
  3. Cisco ISE uses REST API to communicate with Afaria. Does this require REST API installation or service activation?
  4. What type certificates are supported in Afaria for this integration.
  5. Anything that related to this topic.
  Appreciate if someone can provide the configuration procedure or any information possible.
  Regards,
  Mudasir Abbas

  From the user guide it seems that LDAP only allows you to strip the prefix/suffix and can't add the suffix.
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1054421
  Strip start of subject name up to the last occurrence of the separator
  Strip end of subject name from the first occurrence of the separator
  Regards,
  Jatin
  Do rate helpful posts-

• Coa issue with Cisco ISE 1.2

  Hi, i am currently implementing webauth with Cisco ISE for self register, but i am having issue coa. I was able to get non-windows machine to work but with windows i can't push out the url redirection through coa.  I have enabled debug and i can see ISE trying to push out the url redirection to the port,  however the url was not show when i issue a show authentication session interface gi 1/0/x command.  The only issue i can see from the debugging is that the interface failed authorization first then a success authorization right after.  Again, the url redirection work on non-windows machine, i have even go as far as disable dot1x supplicant on windows and it still didnt fix the issue.
  please see attachment for the debugging i had mention above.  If anyone know or had this issue before please let me know how i can resolve this.

  finally figured it out.  redirection acl was mess up. 

• Strip @domain on LDAP Integration with Cisco ISE?

  Hi there ,
  I got a WLC conntect with a Cisco ISE. There are two SSID authenticated against the ISE.
  One SSID has AD-Integration as External Identity Source, the other SSID is authenticated through LDAP.
  Authentication ist working fine.
  When an user authenticates through LDAP, he/she has to enter "username@domain". The protocol is EAP-GTC.
  How can I change the ISE that the user has only to enter "username" and the "@domain" part ist already set on the ISE?
  Thansk a lot,
  Norbert

  From the user guide it seems that LDAP only allows you to strip the prefix/suffix and can't add the suffix.
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1054421
  Strip start of subject name up to the last occurrence of the separator
  Strip end of subject name from the first occurrence of the separator
  Regards,
  Jatin
  Do rate helpful posts-

• Strip multiple @domain used in username on AD Integration with Cisco ISE?

  Hi there ,
  How to strip multiple domain suffixes from username through ISE with AD being used as external Identity Source. Username is being used in username@domain format.
  Cisco ISE 1.2 patch 4 introduced strip prefix or suffix @domain realm from username through ISE with AD being used as external Identity Source. But the documentation is not updated for this feature. I am able to strip 1 domain suffix successfully but subsequent ones listed in the suffix list fails to get stripped.
  Any thoughts on the same.
  Thanks Kumar

  In the ISE Under Administration > Identity Management > External Identity Sources
  Choose Active Directory on the Left, Select your AD Server and select Advanced Settings
  Under Identity Suffix Strip, Make sure Strip prefixes listed below: is selected (I know, it says prefix).
  In the List of Suffixes box, enter your list of domain suffixes to strip.  The separating character is a comma (,). 
  If this doesn't fix your issue, then I am afraid that a call to TAC may be in order.
  *****UPDATE*****
  Spaces are significant characters.  When listing domains, do so as such:
  @domain.com,@domain.local,@testdomain.com
  *****END UPDATE*****
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton
  Message was edited by: Charles Moreton

• WLC RADIUS attribute with Cisco ISE

  Hi All,
  Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?
  My Authentication Policy :
       Name: IsGuestAuthen
       IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"
  My Authorization Policy :
       Name: IsGuestAuthen
       IF "Guest" THEN "InternetOnly"
  When I monitoring on the Live Authentication page, I can see only the MAC address and a guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me ?
  Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.
  Thanks,
  Pongsatorn Maneesud

  Exactly...here is the list of attributes sent in the access-request from the wlc -
  http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129
  The framed ip address is sent in the accounting packet which doesnt appear in the live authentication report.
  If you are up to speed on rest api's here is some reference material on this:
  http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826
  You can also run radius accounting report and filter it based off of account-start packets which will have the username and the ip address along with the mac address.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Remote Access VPN posturing with Cisco ISE 1.1.1

  Hi all,
  we would like to start using our ISE for Remote VPN access.
  We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
  That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
  I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
  We do intend to by Cisco ASR's aswell, but I am sceptical of this as i do not know how many VPN licenses you get out of the box. The ASA's we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
  I know ISR's are support NADs but what about ASRs? There is no mention.
  Any advise will be appreciated!
  Mario

  OK, I have come accross the Cisco Validated design for BYOD and in there it has a section about Authenticating VPNs.
  thats great... however it does not mention using the Inline posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
  essentially my requirements are
  2-factor authentication VPN using a Certificate & RSA Token
  Posturing of the VPN endpoint.
  Ideally i would like to use IPSec VPNs as i have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
  Can anyone help?
  Mario

• Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

  Need help from ISE experts/gurus in this forum.
  Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stopping working completely and a reboot is required (very nice bug from cisco) .  This leaves me no choice but to upgrade to version 1.2.0.899-2-85601. 
  Scenario: 
  - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
  - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
  - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
  - node 3 is Policy service node - hostname is node3
  - node 4 is Policy service node - hostname is node4
  Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
  My understand  is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
  to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
  upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
  Can I patch my exsiting environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
  I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
  I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
  Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
  step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
  Propose solution:
  step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
  step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
            form a new ISE 1.2 cluster independent of the old cluster,
  step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
  step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
  step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
  step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
  step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
  step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
  step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
  Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
  step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  does these steps make sense to you?
  Thanks in advance.

  David,
  A few answers to your questions -
  Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
  https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
  You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli commmand to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at at time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
  Every ISE upgrade that I have attempted as not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
  I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
  I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
  I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
  Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
  Once the restore finished, I then restored the certificate and picked one of the PSNs
  backup the cert,
  Had the AD join user account handy
  reset-db,
  and run the upgrade script.
  Once that is done I then restore the cert
  Join the PSN to the new deployment
  Join both nodes to AD through primary admin node
  Monitor for a few days (seperate consoles to make sure everything runs smooth)
  If anything doesnt look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and the the last admin node.
  Thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ip phones authenticate 802.1x with cisco ise 1.3

  Dear all,
  I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
  How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
  Thanks

  following are ISE 802.1x  sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)

• Cisco ip phones authenticate 802.1x with cisco ise

  Dears,
  I want to  configure ip phones authenticate from Cisco ISE with 802.1X with certificates. But i can not find any configuration guide about this solutions.
  I find one config and this is about ACS. Please provide me any documentation guide on cisco ise.
  Thanks. 

  802.1x configuration for IP Phones
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#69217

• SealthWatch intrgration with Cisco ISE-3315

  Hello Experts,
  i have Cisco ISE-3315 version 1.3 
  Can i order and SealthWatch Lancop and use it with this series of ISE 3315 ? Or i must have SNS ?

  Hi Imran-
  The 3315 appliance supports all personas running ISE 1.3
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/release_notes/ise13_rn.html#pgfId-527567
  Now, with that being said, keep in mind that this appliances has a lot less resources compared to the SNS appliances. Thus, if you are planning on running all personas on it then you will be greatly limited to the number of concurrent endpoints. 
  Thank you for rating helpful posts!

• Design guide for integrating unigy with cisco HUCS 7.1.1 Environment

  Hi,
  I have a requirement to integrate unigy dealer board with cisco HUCS environment.  please provide if any design and  integration document is there.
  Regards,
  baskaran.M

  Fix you contact resolution to your LDAP and you'll get just that, what you're seeing right now is expected as the fact you get JID and not the friendly username, means you're not looking at LDAP.
  Right now you're also unable to dial, assuming you have softphone or deskphone control, from jabber as the DNs for the contact, are also brought over with the contact resolution from LDAP.
  Make sure you have SRVs, or manually configure the integration in jabber-config.xml.

• Issues getting url-redirect working with Cisco ISE

  Hi,
  I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect raidus attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debuging the radius information on the switch I can see that its passing the url-redirect to the switch  which in my case is was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now to remove DNS issues etc from the equasion if I copy and paste this URL into the client browser it takes me to the correct place, and I can login and it changes VLAN's accordingly. Now as far as I know the client should automatticaly be redirected to this URL which is not working. Below I have included one of the debugs to show that the epm is in place.
  DEVLABSW01#show epm session ip 10.0.1.104
      Admission feature:  DOT1X
                ACS ACL:  xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa
  I have also attached my switch config. Any help would be greatly appreciated.
  Dan

  So im also doing ISE for the first time and i knew it may have been a bit tough however i didnt forsee my following issue.
  everything is working as expected other than every now and then (intermittent) the ISE Central Portal does not display on any device -android, windows, etc..... i checked and checked the configs, had probably about 10 TAC cases open..... this weekend i ripped out the main components, setup in the offfice and tried to replicate the issue....i could...what i noticed is that without Internet the ISE Portal didnt actually display....it sounds weird but thats what im seeing.....As soon as i plug into Internet Link into the equation, the portal page comes up.....im able to replicate it every time... Currently, i placed back into the customer network and im now looking down at the routing/firewall......
  my issue is that i cant really explain why the Internet affects the Central Auth Page.... In any event. im working backwards, tomorrow im bringing in a second link and doing NAT on a cisco router to bypass the checkpoint firewall....ill know if its checkpoint or if im barking up the wrong tree....
  if anyone can explain why, it would help out a great deal..
  My setup BTW is
  1. WLC 5760 - Not latest code but latest stable (recommended by the TAC Engineer)
  2. ISE 1.2 - Doing simple Wireless only implementation
  3. 3650 - Just acting like a switch - no ACLs etc - just a switch
  4. Integrated into AD
  Ill post back with any findings if i make any headway - BTW, i didnt like this at all as other solutions are so much simpler, BUT, i can now see how powerful this could potentially be for the right type of customer...
  thanks again how i can get some feedback

• AD Machine Authentication with Cisco ISE problem

  Hi Experts,
  I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
  Authentication policy:
  Allowed protocol = PEAP & TLS
  Authorization Policy:
  Condition for computer to be checked in external identity store (AD) = Permit access
  Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
  All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
  Switchport configuration:
  ===============================================
  ip access-list extended ACL-DEFAULT
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  permit ip any host (AD)
  permit icmp any any
  permit ip any host (ISE-1)
  permit ip any host  (ISE-2)
  permit udp any host (CUCM-1) eq tftp
  permit udp any host (CUCM-2)eq tftp
  deny ip any any
  ===============================================
  switchport config
  ===============================================
  Switchport Access vlan 10
  switchport mode access
  switchport voice vlan 20
  ip access-group ACL-DEFAULT in
  authentication open
  authentication event fail action next-method
  authentication event server dead action authorize vlan 1
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication timer inactivity 180
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 100
  ====================================================
  One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
  Your help will highly appreciated.
  Regards,

  You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing, could be something in the policy.  Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
  I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
  I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining.  This is great because you can do two part authentication.  EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.