Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
October 27, 2014 through November 7, 2014.
The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years of networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale, focused on the requirements of the largest ISE deployments.
Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
Remember to use the rating system to let Craig know if you have received an adequate response.
Because of the volume expected during this event, Craig might not be able to answer each question. Remember that you can continue the conversation in the Security sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
(Comments are now closed)

1. Without more specifics it is hard to determine the actual issue. It may be possible that, if configured in the same subnet, asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out the same interface.
2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access, or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic, or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
a. Management traffic is restricted to eth0, but a standalone node will also have the PSN persona, so the above use cases can apply to interfaces eth1-eth3.
b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces, although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate it out. It may also be possible to support NIC redundancy, but I need to do some more testing to verify.
For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
Regarding the Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on the WLAN configuration, whereas Cisco wired switches allow multiple auth methods to be supported on the same port.
If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then the decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests; that is handled by the foreign server. ISE does support advanced relay functions such as attribute manipulation, but I recommend reviewing the requirements with your local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at the Authentication Policy level. CWA and Guest Flow are handled in the Authorization Policy. If you need to authenticate a CWA user via external RADIUS, then you need to use a RADIUS Token Server, not RADIUS Proxy.
A typical flow for a wired user without 802.1X configured would be to hit the default policy for CWA. Based on successful CWA auth, CoA is triggered and the user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and be returned an authorization for NSP.
Regarding AD multi-domain support...
Under ISE 1.2, if you need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via a foreign RADIUS server.
Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE. If you had multiple ISE deployments, then a separate RADIUS server like ACS could proxy requests to different ISE 1.2 deployments, each with its own separate AD domain connection. If ISE is the proxy, then you could have some requests being authenticated against the locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
In summary, if the key requirement is the ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so I recommend consulting with your local ATP Security SE to review the overall requirements, topology, AD structure, and RADIUS servers that require integration.
Regards,
Craig
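The CoA step in the wired CWA flow Craig describes above, as an added example that is not part of the original thread and not Cisco's or ISE's own code: in that flow ISE is the Dynamic Authorization Client and the switch (or WLC) is the server, so after the guest portal login ISE sends a RADIUS CoA-Request (RFC 5176) to the network device, which reauthenticates the session so that the matching Authorization Policy rule (for example the NSP result) can take effect. The block below builds that packet in Python, including the Message-Authenticator and Request Authenticator that bind it to the RADIUS shared secret, and validates the CoA-ACK or CoA-NAK the device sends back. The shared secret, NAS IP, MAC address and identifier are constructed values; the Cisco AV pair value subscriber:command=reauthenticate is the one Cisco devices accept for a session reauthentication CoA.

```python
"""RADIUS Change-of-Authorization (CoA) request builder and response check.

Packet layout (RFC 2865 / RFC 5176): Code(1) Identifier(1) Length(2)
Authenticator(16) Attributes... Constructed example, not ISE code.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # Cisco VSA sub-type for cisco-avpair strings

SECRET = b"constructed-shared-secret"   # constructed; never reuse in production


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (incl. header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(value: str) -> bytes:
    """Encode a cisco-avpair inside a Vendor-Specific attribute (vendor 9)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(secret: bytes, identifier: int, attributes: bytes) -> bytes:
    """Build a CoA-Request with both integrity fields filled in."""
    # Reserve a zeroed Message-Authenticator so Length already covers it.
    body = attributes + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    # RFC 5176 s3.3: HMAC-MD5 over the packet with the Request Authenticator
    # field and the Message-Authenticator value both treated as 16 zero octets.
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = attributes + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    # Request Authenticator = MD5(Code+ID+Length+16 zeros+Attributes+Secret)
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Receiver-side check a NAD performs before acting on a CoA-Request."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False                      # malformed attribute list
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = (packet[:4] + bytes(16) + packet[20:pos + 2]
                      + bytes(16) + packet[pos + 18:])
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += alen
    return False   # no Message-Authenticator present: reject rather than trust


def build_coa_response(secret: bytes, request: bytes, code: int,
                       attributes: bytes = b"") -> bytes:
    """What the NAD sends back; Response Authenticator covers our Request Auth."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    resp_auth = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_coa_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Accept a CoA-ACK/NAK only if it is bound to our request and secret."""
    if len(response) < 20 or response[0] not in (COA_ACK, COA_NAK):
        return False
    if response[1] != request[1]:             # identifier must echo the request
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20]
                           + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def reauth_request(identifier: int = 7) -> bytes:
    """CoA-Request telling the switch to reauthenticate one endpoint session."""
    attrs = (attr(ATTR_NAS_IP_ADDRESS, bytes([10, 1, 1, 5]))        # constructed
             + attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")   # constructed
             + cisco_avpair("subscriber:command=reauthenticate"))
    return build_coa_request(SECRET, identifier, attrs)


if __name__ == "__main__":
    req = reauth_request()
    ack = build_coa_response(SECRET, req, COA_ACK)
    print(len(req), verify_message_authenticator(SECRET, req),
          verify_coa_response(SECRET, req, ack))
```

Two checks a practitioner wants around this exchange: the switch must be configured to accept dynamic authorization from the PSN's address with the same key (on IOS, aaa server radius dynamic-author with a client entry; Cisco devices listen on UDP 1700 by default rather than the RFC 5176 port 3799), and a request whose Message-Authenticator does not verify is silently discarded per RFC 5176, so a key mismatch shows up on ISE as a CoA timeout rather than a CoA-NAK.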

Similar Messages

  • Ask the Expert: NGWC (3850/5760): Architecture and Deployment

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about NGWC (3850/5760): Architecture and Deployment.
    Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015
    This Ask the Expert Session will cover questions spanning NGWC products (3850/5760) on Implementation and Deployment from the Wired and Wireless perspective. This will be more specific to Customer’s and Partners questions covering 3850/5760 configuration, Implementation and deployment.
    Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS) handling and supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include the Cisco Wireless CUWN and NGWC product lines. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS), CCIE (DC-Written) and CCIE Wireless certifications.
    Naveen Venkateshaiah is working as a Customer Support Engineer in High-Touch Technical Services (HTTS) handling and supporting LAN switching and Data Center products. His areas of expertise include the Catalyst 3k, 4k and 6500 and Nexus 7k platforms. He has over 7 years of industry experience working with large Enterprise and Service Provider networks. He also holds CCNA, CCNP (RS), CCDP-ARCH, CCIE-R&S Written, AWLANFE and LCSAWLAN certifications.
    Find other events at https://supportforums.cisco.com/expert-corner/events.
    **Ratings Encourage Participation! **
    Please be sure to rate the Answers to Questions

    Hi Dhiyadav,
    Thank you for your reply; it cleared some doubts that were in my mind, but I need more of your support to guide me through a converged access deployment which I am going to deploy within a few days.
    I have:
    2x 5508 in HA as MC
    30x 3850 switches, all to be used as MAs with multiple SPGs
    2x 5508 1:1 as anchor controllers
    1x ISE 1.3 for guest access
    1x CPI for wireless management and monitoring purposes
    1x MSE 3355 with wIPS and Context Aware licenses
    200x Cisco 3702i WAPs
    50x WSSI modules for monitoring the channels
    Can you please shed some light on the design and guide me on the best possible solutions to get this job done smoothly?
    I will also let you know about my proposed design scenario, but for sure I need your recommendations as well :)
    So,
    I will use the 2x 5508 WLCs in HA as the MC, which are AP-Count and HA licensed.
    The 3850 switches will be MAs and I'll configure SPGs per floor switch stack.
    WAPs will join these 3850 MAs based on each floor.
    I would have 2 SSIDs, employee and guest.
    I will configure them on each 3850 stack MA along with their SVIs for user access (employee and guest SSID).
    Here my question is for the guest SSID and its VLAN: do I configure it here or on the anchor controller???
    I want ISE to be integrated with wireless for employee 802.1X and for guest web auth. So, how will I integrate ISE with wireless? I mean, will I integrate it with the anchor controller or with each 3850 MA???
    Between foreign and anchor controller I will use new mobility instead of old EoIP!!!
    Where shall I place ISE in my network, in the DMZ or with the core switch?
    My target is for guest users not to have access to any corporate network resources.
    MSE:
    Can I use both wIPS and Context Aware on a single MSE box?
    If yes, then what is the best practice for configuring them?
    Will each 3850 MA be added to the MSE?
    The WSSI modules will be used for monitoring purposes for the wIPS and Context Aware profiles.
    All access points will work in local mode for serving user access.
    Thank you

  • The Battery in my laptop has been replaced twice and this is the third time the battery has swollen up. Since the first time it was swollen I have asked the reason but Apple has not come up with a reason and just replaced it. Second time also the ser

    The Battery in my laptop has been replaced twice and this is the third time the battery has swollen up.
    Since the first time it was swollen I have asked the reason but Apple has not come up with a reason and just replaced it.
    Second time also the service centre replaced the battery but were unable to give me a reason.
    I had asked them to replace the laptop as this has been happening repeatedly and seems to be something with the laptop
    otherwise why should every battery they put swell ?
    This is the third time this has happened. And now they refuse to replace the battery or the laptop also.
    What is the solution?

    Make an appointment at the Genius Bar of an Apple store and press the problem. Elevate to store manager if necessary. Maybe the charging circuits are defective resulting in overcharging which is causing the battery problem.
      Apple Retail Store - Genius Bar

  • After repairing permissions, in Mac OS X, I ask the utility to verify permissions again and the same problems are shown, as if I had not repaired anything. What's happening?

    After repairing permissions, in Mac OS X, I ask the utility to verify permissions again and the same problems are shown, as if I had not repaired anything. What's happening?

    What you are seeing are messages. It's OK; it won't do any good to repeatedly repair permissions. As long as you see "Repair Permissions Complete" when it's finished, you are good to go.
    Also, if you see any messages that say: SUID: That can be ignored.
    Mac OS X: Disk Utility's Repair Disk Permissions messages that you can safely ignore
    Keep in mind, the only time you need to repair permissions is for troubleshooting.

  • Activation screen and asks the previous owner's Apple ID and password

    Hello
    case 45548
    I have a problem with the activation of my iPhone 4S. I bought the iPhone in a store half a year ago, used, as a simple phone, and then about a week ago I updated to iOS 7.0.4. After updating, the iPhone shows the activation screen and asks for the previous owner's Apple ID and password. I do not know any Apple ID or password; I have had no contact with him. I have not been able to use my iPhone for a week. I am so disappointed with this situation. Can you help me to disable this feature, please?
    The serial number of my mobile is DNQHW1XUDTD2 and the IMEI is 013173000524538. I attach a photo of the box.

    You're facing activation lock: http://support.apple.com/kb/TI174 and http://support.apple.com/kb/PH13695. You need to contact the previous owner and have them remove Find My iPhone using these steps: http://support.apple.com/kb/PH2702?viewlocale=en_US

  • Best practice for .war?  Configure and deploy or deploy and configure?

    In Apache Tomcat for example, I can deploy an app, stop the server, reconfigure the app in situ, then start the server again...
    Is this recommended for deploying Java web apps to Oracle App Server 10g?
    We currently have a consulting firm that is recommending to configure the web app before deploying. Sounds reasonable, except that they want this done via JDeveloper so that the Sys Admin can right click on the "deploy to OAS" button (ie: have the tools generate the .war file after configuration and deploy automagically).

    Thanks for your feedback.
    Are you aware of any way to use the *.deploy configuration file that is created by JDeveloper in an ANT script to create the .war or .ear file?
    If not, I can picture the Sys Admin and developers groaning when they're told that their JDeveloper web-app configuration cannot be used for production -- and that they must somehow duplicate that functionality in an ANT script!
    I do have the below ANT scripts from Debu to do the deployment etc. But they only help after the .ear is built.
    EAR file deployment:
    <target name="deploy" depends="core">
    <java jar="${j2ee.home}/admin.jar" fork="yes">
    <arg value="${oc4j.deploy.ormi}"/>
    <arg value="${oc4j.deploy.username}"/>
    <arg value="${oc4j.deploy.password}"/>
    <arg value="-deploy"/>
    <arg value="-file"/>
    <arg value="${this.build}/${this.ear}"/>
    <arg value="-deploymentName"/>
    <arg value="${this.application.name}"/>
    </java>
    </target>
    Web application binding:
    <target name="bind-web-app" depends="deploy">
    <java jar="${j2ee.home}/admin.jar" fork="yes">
    <arg value="${oc4j.deploy.ormi}"/>
    <arg value="${oc4j.deploy.username}"/>
    <arg value="${oc4j.deploy.password}"/>
    <arg value="-bindWebApp"/>
    <arg value="${this.application.name}"/>
    <arg value="${this.war}"/>
    <arg value="http-web-site"/>
    <arg value="/${this.uri}"/>
    </java>
    </target>
    Undeployment:
    <target name="undeploy" depends="init">
    <java jar="${j2ee.home}/admin.jar" fork="yes">
    <arg value="${oc4j.deploy.ormi}"/>
    <arg value="${oc4j.deploy.username}"/>
    <arg value="${oc4j.deploy.password}"/>
    <arg value="-undeploy"/>
    <arg value="${this.application.name}"/>
    </java>
    </target>

  • How to configure and deploy OAM 11g with DB setup using silent mode

    Hello all,
    I am trying to create automation process to install and configure OAM 11g on WLS. This task involves three stages
    1. Install WLS
    2. Install OAM 11g
    3. Create DB schema using RCU
    4. Configure and deploy OAM 11g
    I have done first 3 stages in silent mode using scripts and response files. I am stuck at 4th stage. I know how to configure and deploy OAM 11g using config.sh via GUI installer as well as console mode. But I would like to run config.sh in silent mode something like
    ./config.sh -mode=silent -silent_script=<script_location>
    I have searched a lot, but could not find any resource on how to do it? I tried passing the parameters via a text file. But that has not worked. I have also explored WLST, but it also does not work. Given that first 3 things are relatively very simple, the 4th step is becoming complex. I would be very thankful if someone can please point me in the right direction.
    Thanks!

    Have a look at your software directory : <sofware directory>/Disk1/stage/Response
    Here you will find 2 rsp files which you can use to install and then configure it all.
    Good luck.
    Filip

  • My ipod nano is no longer recognized by itunes after I installed windows 8.1.  The ipod nano still is recognized and works with a Windows 7 computer

    My ipod nano is no longer recognized by itunes after I installed windows 8.1.  The ipod nano still is recognized and works with a Windows 7 computer

    Hello, Pete. 
    Here is an article I would recommend going through when an iPod is not recognized by iTunes or the computer.
    iPod not recognized in My Computer and in iTunes for Windows
    http://support.apple.com/kb/ts1369
    Usually the resolution is updating the Apple Mobile Device Driver.  See the section labeled Verify that the Apple Mobile Device USB Driver is installed > For Windows Vista, Windows 7, and Windows 8 > Update the Apple Mobile Device Driver.
    iOS: Device not recognized in iTunes for Windows
    http://support.apple.com/kb/TS1538
    Cheers,
    Jason H. 

  • I received an ipod touch 5th gen for Christmas.  The first songs i've downloaded and synced with my touch have created ghost songs.  They are only on my computer in itunes once but appear on my ipod twice, one copy that won't play.  I can't delete them

    The first songs i've downloaded and synced with my new touch have created ghost songs.  They are only on my computer in itunes once but appear on my ipod twice, one copy that won't play.  I can't delete them.  I've tried unticking all the music that was on the ipod via itunes and re-syncing, which in theory should delete all music from my ipod.  It does except for the 5 ghost songs.   So at present I have no music on ipod except the 5 ghost songs.   Has anyone got any ideas how I can get rid of these?  
    I had no problems with my ipod touch 4th, which I had for years.   Any help would be great.  

    iOS: Device not recognized in iTunes for Mac OS X
    Or
    See
    iOS: Device not recognized in iTunes for Windows
    - I would start with
    Removing and Reinstalling iTunes, QuickTime, and other software components for Windows XP
    or                     
    Removing and reinstalling iTunes and other software components for Windows Vista, Windows 7, or Windows 8
    However, after your remove the Apple software components also remove the iCloud Control Panel via Windows Programs and Features app in the Window Control Panel. Then reinstall all the Apple software components
    - Then do the other actions of:
    iOS: Device not recognized in iTunes for Windows
    paying special attention to item #5
    - New cable and different USB port
    - Run this and see if the results help with determine the cause
    iTunes for Windows: Device Sync Tests
    Also see:
    iPod not recognised by windows iTunes
    Troubleshooting issues with iTunes for Windows updates
    - Try on another computer to help determine if computer or iPod problem

  • My HP mini 210 will not boot up. The repair utility starts, but runs and runs with no results.

    My HP mini 210-2080NR will not boot up. The repair utility starts, but runs and runs with no results. Safe mode startup also fails. I tried the BIOS diagnostics with F10: memory passed, but the HD test started and did not finish. The diagnostic log shows result 0303. Any ideas would be helpful. Thanks.

    You can order HP recovery media here, or call HP on the phone to order 1-800-474-6836
    http://h10025.www1.hp.com/ewfrf/wc/document?docname=bph07143&cc=us&lc=en&dlc=en#N76
    If HP no longer has Recovery Media for your model, order them here
    http://www.computersurgeons.com/Default.aspx

  • I am considering buying an iPad 3. I have an iMac with OSX 10.6.8. On the iMac I have many photos and work with iPhoto and Photoshop Elements on the computer. Can I interchange or transfer photos and other work from the iMac to the iPad? How?

    I am considering buying an iPad 3. I have an iMac with OSX 10.6.8. On the iMac I have many photos and work with iPhoto and Photoshop Elements on the computer. Can I interchange or transfer photos and other work from the iMac to the iPad? How?

    velma Monreal wrote:
    I am considering buying an iPad 3. I have an iMac with OSX 10.6.8. On the iMac I have many photos and work with iPhoto and Photoshop Elements on the computer. Can I interchange or transfer photos and other work from the iMac to the iPad? How?
    Yes you can. In iPhoto create an album with the photos you want in it. You can drag them from your Events folder. In iTunes, with your iPad connected, go to Photos by clicking on your iPad. You can then select the albums or events you want.

  • Assistance in configuring and deploying OS to domain

    Kindly provide info about in configuring and deploying OS to domain

    Please have a look; the best place to start, in and out:
    http://www.windows-noob.com/forums/index.php?/topic/4468-using-sccm-2012-rc-in-a-lab-part-7-build-and-capture-windows-7-x64/
    http://www.windows-noob.com/forums/index.php?/topic/4512-using-sccm-2012-rc-in-a-lab-part-8-deploying-windows-7-x64
    http://www.windows-noob.com/forums/index.php?/topic/5124-using-sccm-2012-rc-in-a-lab-part-15-deploying-windows-8-consumer-preview-using-configuration-manager-2012-rc2/
    Videos:
    www.youtube.com/watch?v=99I354t500g
    www.youtube.com/watch?v=8uEvEVul1Vk
    Thanks, Prabha G

  • ICloud version provided by Apple updater is damaged or just won't install. Is the version I have properly working and syncing with all my devices?

    iCloud version provided by Apple updater is damaged or just won't install. Is the version I have properly working and syncing with all my devices?
    J.Verano

    Try quitting Pages on the iPad, restart the iPad -  and then see if the app works OK.
    To quit Pages - Go to the home screen first by tapping the home button. Quit/close open apps by double tapping the home button and the task bar will appear with all of you recent/open apps displayed at the bottom. Tap and hold down on any app icon until it begins to wiggle. Tap the minus sign in the upper left corner to close the apps. Restart the iPad. Restart the iPad by holding down on the sleep button until the red slider appears and then slide to shut off. To power up hold the sleep button until the Apple logo appears and let go of the button.

  • I bought a movie on iTunes and when it loads up I can only play the bonus features and not the actual film. The title screen is also glitched and merges with the scene selection. I don't think it downloaded properly. what can I do?

    I bought a movie on iTunes and when it loads up I can only play the bonus features and not the actual film. The title screen is also glitched and merges with the scene selection. I don't think it downloaded properly. what can I do?

    It happens sometimes. Delete the current copies, don't hide from iTunes in the cloud if prompted, close iTunes, reopen, download from iTunes Store > Quicklinks > Purchased > Music > Not on this computer.
    While downloading click the download icon at the top right and uncheck Enable simultaneous downloads. You may find it more reliable that way.
    tt2

  • I was told at the Mac store, if download Numbers and Pages with my Imac I could install it on my Macbook for no extra charge. True?  Tried it and was charged twice

    I was told at the Mac store that if I download Numbers and Pages with my iMac I could install them on my MacBook for no extra charge. True? I tried it and was charged twice.

    Cynthia7 wrote:
    so if i'm trying to use keynote on my imac after i purchased it on my ipad first, can i do that for free if i already paid for it once? and if i can, how? any advice will help. thanks.
    Sorry, no. The versions for Macs and iDevices are different.
