Bug CSCup27305 in ISE 1.2.1.198 patch3

Hi guys,
I'm hitting bug CSCup27305 in version ISE 1.2.1.198 patch3 but can't find a fix version.
Do you know what version can be applied, so DACL can start with permit IP Host 2.2.2.2 Host 1.1.1.1 = is NOT ok!
Thanks a lot for your help.
Erick Flamenco

It is not resolved in any shipping version and will currently be in the first release that ships post 1.3.
Note that this issue impacts DACL validator functionality, in that it does not detect the invalid DACL as it should, but does not impact any end-to-end functionality and so may not get prioritized for any earlier patch.

Similar Messages

  • ISE 1.2.1.198 patch 5 - Operations Authentications not loading or displaying

    Is anyone else having an issue with getting Authentications to display under operations? We were running 1.2.0.899 and started to run into a couple bugs so we upgraded to 1.2.1.198. Ever since then the Operations - Authentications have not been working right. I may occasionally see an actual authentication but not as many as I should. Most of the messages I saw yesterday pertained to radius processes already in progress from endpoint which was my wireless controller. Today I just get a loading data message at the bottom of the screen. It does not seem to be affecting system operation as users are still properly authenticating but I am unable to monitor the process or troubleshoot a user if they were to have an issue. We are on the edge of moving this into full production but really cannot until I get this resolved.
    I have a case open with TAC and their comment was that the issue of authentications not displaying was fixed in 1.2.1 and not sure what may be happening. We went ahead and applied patch 5 just in case there was something else going on. That did not fix things and it now seems to be getting worse.
    I just wanted to see if anyone else had seen this and could possibly shed some light on a resolution.
    I am running a cluster containing the following. Primary admin on a VM - two policy Services servers both on VMs - secondary admin on retired ACS 2111 appliance. All three VMs are on the same physical server. Memory utilization on the admin server is just under 50% with the Policy servers both in the 30% range. I do have one policy server that is showing authentications in the 10-12ms latency but do not think that should affect anything. The ISE cluster is also tied into our 5508 wireless controller for support of the wireless networks. I have two SSIDs in production here at corporate and trying to figure out FlexConnect for the remote locations so we can centralize everything.
    Brent

    TAC recommendation was to install patch 5 which should include patch 4 plus other things. They took logs from my servers and asked to give them a day or so to look at the issue. Today is day three with no update.
    I am going to reboot all the servers in the cluster tonight. I do not have console access to the VMs so am hoping that I can reload from the CLI and accomplish the same thing rather than just reload the services.
    I tried a wired connection this morning and it popped into the authentications report but will have to test to make sure it repeats.
    What is mostly in the log is simply the reports of the supplicant stopped responding to ISE. I know, though, that I have at least 5 people that are connected via wireless. Here is a sample of what is in the log.

  • ISE 1.2.1.198 Wired - Central WebAuth Fail

    Hello, I have trouble with WebAuth.
    I followed this guide to implement this, but it does not work.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html
    Port Redirection is working, because when I am trying to access any page, and open guestportal.
    After GuestPortal is open, I set user/pass on the webpage.
    user: webauthuser
    After this, display the page Self-Provisioning Portal "Welcome webauthuser" but with the error "The system administrator has either not configured or enabled a policy for your device. Contact your system administrator".
    I have this Authorization Profiles
    On Operations / Authentication, I have the following...
    Event 21:28:21.801

    A partner helped to troubleshoot this. It was fixed.
    Uncheck "Enable Self-Provisioning Flow" on
    Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations > DefaultGuestPortal > Operations
    Tks.

  • ISE 1.2.1.198 - Guest Portal Configuration

    Is it possible to customize the default portal and add a paragraph anywhere on the login page with instructions? I've tried adding the text in the Pre-Login Banner Text field, and it does wrap to the next line, but text goes off the screen before wrapping. Would like to be able to add carriage return in the text, so text would scroll off the screen.

    ISE 1.3 (due out in November time frame) will have a huge amount of customization of the portal available for your use.
    If you really need to do it before then, and you have an ISE-certified Authorized Technology Partner you're working with, they have access to a Guest Portal Builder tool that can be used.
    Failing those, you're back to changing the native html code for the portal by hand. Not recommended.

  • Bug CSCun42967 fixed: ISE 1.2 : SNMP process stops randomly

    As of June 9th, the status of this bug is "Fixed" with "Known Affected Releases" being 1.2(0.899), which is the one we are running.
    Known Fixed Releases is (0) and then there is a link to the download area where I can download an update to 1.2.1. The release notes do not mention bug "CSCun42967".
    Does anyone know if this bug has been fixed?

    Hi,
    I just ran into the same issue.
    I would assume that if it was fixed in 1.3 it would be mentioned in the release notes as resolved caveats. Can anyone confirm the problem is fixed in 1.3?
    Soren, have you upgraded and is the issue resolved?
    Thank you :)

  • Cisco ISE 1.2.1.198 Guest Portal Vlan Override at Mobile Device (android,IOS) not working

    Hi Guy, 
    In my ISE deployment, once the guest has successfully authenticated, they will be assigned the guest VLAN for internet access.
    We are using the guest portal to do the VLAN override once the user is authenticated.
    Windows 7 Internet Explorer (ActiveX) and Chrome (Java Applet) are working fine,
    but Android and Apple iOS devices are unable to release the DHCP lease and get a new one.
    From ISE and the WLC we can see the VLAN has changed; how do mobile devices initiate a DHCP release for the Guest Portal?
    Kindly advise.
    Regards
    Freemen

    I don't have such documentation nor I could find any on Cisco's site. With that being said, it doesn't mean that it doesn't exist. I just know that Active X is windows specific framework and Java is not supported on either iOS nor Android:
    http://www.java.com/en/download/faq/java_mobile.xml
    The good news is that Cisco appears to be steering away from Java so it is possible that in the future this will be supported. 
    Hope this helps!
    Thank you for rating helpful posts!

  • ISE 1.2 VMware 4.1 Installation Failure

    For a customer evaluation, we're trying to install ISE 1.2.1.198  on a VMware ESXi 4.1 VM from an iso image in a VMware datastore mounted as the VM DVD drive; the installation starts, but after the initial boot fails with an error that the ISE software DVD is not in the DVD drive.  I'm wondering:
    1) Has anyone else experienced this?
    2) Has anyone successfully installed this version from an iso in a datastore?
    The install guide only mentions installing from iso with a DVD in the VM host drive.
    I'm currently downloading the .ova file as a workaround, but as Cisco have provided the .iso to the customer I'd prefer to get that working if possible.
    tia
    JonS

    Jon,
    I install from an iso in the datastore all the time. Every time I have seen the error that you are receiving, it is due to a damaged/corrupt iso file. Try downloading the iso file again. That will likely fix the issue.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

    Need help from ISE experts/gurus in this forum.
    Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stop working completely and a reboot is required (very nice bug from Cisco). This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
    Scenario: 
    - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
    - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
    - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
    - node 3 is Policy service node - hostname is node3
    - node 4 is Policy service node - hostname is node4
    Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
    My understanding is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
    to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
    upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
    Can I patch my existing environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
    I looked at the Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
    I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
    Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
    step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
    Proposed solution:
    step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
    step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
              form a new ISE 1.2 cluster independent of the old cluster,
    step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node3 will automatically join the ISE node2 which is already in version 1.2
    step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node4 will automatically join the ISE node2 which is already in version 1.2
    step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
    step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
    step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
    step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
    step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
    Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
    step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Do these steps make sense to you?
    Thanks in advance.

    David,
    A few answers to your questions -
    Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was released prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
    https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
    You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the CLI command to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at a time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
    Every ISE upgrade that I have attempted has not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
    I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
    I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
    I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
    Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
    Once the restore finished, I then restored the certificate and picked one of the PSNs
    backup the cert,
    Had the AD join user account handy
    reset-db,
    and run the upgrade script.
    Once that is done I then restore the cert
    Join the PSN to the new deployment
    Join both nodes to AD through primary admin node
    Monitor for a few days (separate consoles to make sure everything runs smooth)
    If anything doesn't look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and then the last admin node.
    Thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.2.1 Installation fails

    Hi,
    I have an ISE POC that I need to get running for a customer, but the installation seems to fail every time.
    This runs on a VMWare environment. The install goes through but after final reboot and system restart none of the services is starting up. So I can only SSH into the machine but not http etc...
    I happened to notice that during the install the vmware-tools install fails and I think this is related.

    Did you download the file directly from CCO?  Have you compared the hash values?
    What filename are you using?  It should be this one:
    ise-1.2.1.198.x86_64.iso
    with a file size of 3,940,336 KB
    If yours does not match what is above, you may need to download the file again.  I have experienced partial file download issues with CCO in the past.  I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
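
The size and hash comparison suggested in this reply (and the corrupt-ISO diagnosis in the VMware 4.1 thread above), as an added Python example that is not part of the original posts. The function names are hypothetical, the digest must be copied from the vendor download page, and the quoted size is assumed to be in 1024-byte KB rounded up.

```python
"""Check a downloaded installer image against its published size and digest."""
import hashlib
import hmac
import os
import sys

# Hex digest length -> algorithm, so whichever digest the download page
# publishes (MD5, SHA-256 or SHA-512) can be pasted in unchanged.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256", 128: "sha512"}

# File size quoted in the thread for ise-1.2.1.198.x86_64.iso.
# Assumption: "KB" means 1024-byte units, rounded up.
ISE_1_2_1_198_KB = 3_940_336


def file_digest(path, algo, chunk_size=1024 * 1024):
    """Hash the file in chunks so a multi-gigabyte ISO is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, published_digest, expected_kb=None):
    """Return (ok, reasons); reasons lists every check that failed."""
    digest = "".join(published_digest.split()).lower()
    algo = ALGO_BY_HEX_LEN.get(len(digest))
    if algo is None or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected an MD5, SHA-256 or SHA-512 hex digest")

    reasons = []
    if expected_kb is not None:
        # Integer ceiling division: bytes -> KB, rounded up.
        actual_kb = -(-os.path.getsize(path) // 1024)
        if actual_kb != expected_kb:
            # A short file is the partial-download case described in the thread.
            reasons.append(f"size {actual_kb:,} KB, expected {expected_kb:,} KB")

    actual = file_digest(path, algo)
    if not hmac.compare_digest(actual, digest):
        reasons.append(f"{algo} mismatch: computed {actual}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Usage: python verify_image.py <path-to-iso> <digest-from-download-page>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_image.py ISO_PATH PUBLISHED_DIGEST")
    ok, reasons = verify_image(sys.argv[1], sys.argv[2], ISE_1_2_1_198_KB)
    for reason in reasons:
        print("FAIL:", reason)
    print("image verified" if ok else "do not install from this image")
    sys.exit(0 if ok else 1)
```

A size match alone does not rule out corruption, so the digest comparison is the check that decides whether the image is safe to install from.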

  • IOS 8.x Apple users and CISCO ISE native supplicant provisioning not working

    Hi there guys ,
    I was wondering if anybody else have the following problem:
    Apple iOS 8.x users are not able to register their devices on the ISE portal (native supplicant provisioning).
    After they receive the redirection from the WLC, they freeze. Apple 7.x users have no problem.
    ISE is version 1.2.1.198 patch 2.  WLC is running 8.0.102.14.
    Anybody experienced the same?
    MB

    I am also running ISE 1.2.1.198 patch 2 with 8.0.100.  I am testing with an iPad running IOS 8.1.  The device will register in the registration portal, but is not being classified as an IOS device within client provisioning, I believe.  It is getting profiled as a workstation even though all apple device profiles are enabled.  I have an authorization policy for registered devices, and ipad, iphone, ios devices to gain access to the network without going through posture assessment.  I then have my posture assessment authorization rules with apple IOS devices set for a ssid native supplicant profile.  I keep getting an error page on the iPad when connecting to the ISE SSID saying "Client Provisioning Portal     ISE is not able to apply an access policy to your log-in session at this time.  Please close this browser, wait approximately one minute, and try to connect again".  It gives this message over and over.  If I turn off the posture checking authorization profiles, the IOS device is selected as a rule further down which tells me that ISE does not recognize it as an IOS device in the profiling or client provisioning.

  • ISE : Radius Request Drop

    I've been implementing Cisco ISE, but I got something weird. The communication between Cisco ISE and the switch has been down for about 1 hour, and when I check monitoring, the report just says Radius Request Drop. The communication was good before this happened. Do you know what is happening?
    Regards,
    Gandhi

    I think the problem is solved now.
    But what I want to know is what is happening; is there a bug in Cisco ISE?
    Regards,
    Gandhi

  • Access Point Radios trying to authenticate via PEAP against ISE

    I have a working installation including a 5508 controller with ISE. The ISE is configured for EAP Chaining and clients are authenticating fine.
    We are seeing some weird behavior from the Access Points. We see authentication failures from devices trying to authenticate via PEAP, the funny thing is that the username and endpoint ID are the MAC addresses of our APs. we see it once or twice a day from several of the APs.
    Any ideas on what would cause this and what function of the AP is causing this?

    Hi Rasika,
    Kindly advise. Running on 7.6.130 and Cisco ISE 1.2.1.198, but in my case the authentication is rejected; why is the radio base MAC address trying to authenticate to ISE?
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.6.130.0
    Bootloader Version............................... 1.0.20
    Field Recovery Image Version..................... 7.6.101.1
    Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
    Build Type....................................... DATA + WPS
    (Cisco Controller) >show radius summary
    Vendor Id Backward Compatibility................. Disabled
    Call Station Id Case............................. lower
    Acct Call Station Id Type........................ Mac Address
    Auth Call Station Id Type........................ Mac Address
    Aggressive Failover.............................. Enabled
    Keywrap.......................................... Disabled
    Fallback Test:
        Test Mode.................................... Off
        Probe User Name.............................. Radius_KeepAlive
        Interval (in seconds)........................ 300
    MAC Delimiter for Authentication Messages........ hyphen
    MAC Delimiter for Accounting Messages............ hyphen
    Authentication Servers
    Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1    NM    x.x.x.x              1645    Enabled   2     2         Disabled  Disabled - none/unknown/group-0/0 none/none
    2    NM  x.x.x.x               1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none <-- ISE
    3    NM    x.x.x.x             1645    Enabled   2     2         Disabled  Disabled - none/unknown/group-0/0 none/none
    4    NM    x.x.x.x               1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none <-- ISE
    Accounting Servers
    Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    2      N    x.x.x.x               1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none
    3      N     x.x.x.x               1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none

  • Cisco ISE use two different local certificates for EAP

    Hi Experts,
    ISE 1.2.1.198
    Is it possible to use two different local certificates on Cisco ISE, generated by two different root CAs, for EAP?
    Example:
    1 - Microsoft CA for notebooks
    2 - Different CA (public, openssl, other) for mobiles
    And, in case it is possible, which will be the first one presented from the server to the client for EAP-TLS authentication?
    Thanks
    Andrea

    Thanks for your reply,
    I think I'll go for another pair of PSNs for the mobiles
    Andrea

  • Guest Wlan multiple login with Cisco Identity Services Engine

    Dear all,
    I have been looking for some details with regards to multiple logins on Guest WLAN.
    Currently my customer is facing the following problem
    When a Guest Wlan user logs in, the same user could login again on the same time frame,
    in other words guest Wlan user can login multiple times.
    Is this intentional or a bug on the ISE?
    product name : L-ISE-BSE-250=
    Any advice or any article related to this would be really appreciated.
    thanks in advance
    Lnacellot

    Ok, Ranjane you took me back to 1900BC, had to dig the case up for you.
    to be clear this is what customer wants
    a guest user concurrently login from two devices at the same time
    What he wants is: any given time Guest user should be only able to login once (Ex if you login to your PC and leave it logged on, then go to a another PC with same user you would be able to login – this need to be limited)
    So under the User login Policy this should be able to limit to one login
    you may want to check the concurrent session limit on the WLC: It is under Security > AAA > User Login Policies. There is a global number, that will limit the concurrent logins from a single user name.
    hope it was useful
    regards,
    lancellot

  • ISE 1.2 Patch 7 possible guest CWA bug

    Just upgraded an ISE implementation to patch 7 and discovered that the patch broke the CWA guest portal on wireless. I haven't tested wired CWA but wireless is busted.
    In summary the redirection works fine but when you enter valid guest credentials nothing happens including no logs on ISE. If you enter credentials that don't exist in the guest group you get a failed authentication and the corresponding log. As soon as I rolled back to patch 6 everything worked again.
    If any TAC engineers see this feel free to pursue it - I would log a case but the kit is NFR and I can't be bothered going through the process of logging a job on NFR kit.

    Hi,
    I'm experiencing similar issues with patch 7. I am actually using a custom portal, which was working fine in patch 4 - after upgrading to patch 7 to fix a Web Posture bug, the portal would randomly push out pages from the Default Portal (I.E. Device Registration when I had no self provisioning flow enabled). Now, I am getting the error in the attachment after the user accepts the AUP.
    The standard portal is working fine, except for a bug with the "Require Users to change password at login" option. When users try to change their password at first login, the portal errors out and I get an error in the Authentication Logs. However, the password is changed successfully. This issue is apparent since installing patch 7.
