Cisco ISE 1.1.3 - Node unreachable

Cisco ISE 1.1.3 is running in standalone mode; whenever I make any configuration change it shows me the notification "Configuration changes has been recorded but remain pending". Any idea, experts, what could be wrong here?
Thanks

For issues regarding this you need to check the Cisco ISE Operations > Troubleshoot > Diagnostic Tools > General Tools > Evaluate Configuration Validator options. It also runs several checks for potential network access device (NAD) configuration issues, including AAA, RADIUS, profiler, and web authentication.

Similar Messages

  • Cisco ISE inline posture node Posture assessment query

    Hi all,
    I read the user guide for ISE 1.1 and in the Inline Posture section I picked up the following text, which concerned me if I understand it right...
    "In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
    they are likely to fall into one of the identity groups that already have authenticated and authorized users
    connected to the network.
    For instance, there may be an employee, executive, and guest that have been granted access through the
    outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
    groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
    and authorization uses the existing installed profiles on the Inline Posture node, unless the original
    profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
    with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
    Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, will the next user completely skip posture assessment and be granted full access to the network if they are a member of the same AD group?
    I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
    Thanks!
    Mario

    I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and an endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and a URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
    After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
    So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint goes through reauth via CoA.
    If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
    https://communities.cisco.com/docs/DOC-30977
    HTH,
    Ryan

  • Unable to register secondary node on Cisco ISE 1.1.4

    Hello,
    I have a problem with registering the secondary node on Cisco ISE 1.1.4.
    I did everything as described in the User Guide:
    - Primary ISE is promoted to PRIMARY.
    - DNS entries are added and resolved for both ISEs
    - The "Certificate Store" on both ISEs are populated with self-signed certificates from both ISEs.
    During the registration process (from the Primary node), when I add the IP, username and password for the secondary node, an empty popup message is displayed with only an "OK" button.
    So I cannot proceed any further and don't see an error indicating what's wrong.
    In attachment - screenshot with popup message.
    I use IE 8.0.6001.
    The latest patch (1.1.4.218-7-87377) is applied on both ISEs.
    Has somebody had a similar problem?
    Thanks,
    PC

    Hello,
    In the debug log "ise-psc.log" I see:
    2013-11-11 08:43:47,534 ERROR 2013-11-11 08:43:47,534  [http-443-7][] cpm.admin.infra.action.DeploymentEditAction- An exception occurred during the registration of a deployment node: java.lang.NullPointerException
    java.lang.NullPointerException
    at com.cisco.cpm.admin.infra.action.DeploymentEditAction.registerSubmit(DeploymentEditAction.java:455)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.cisco.webui.action.common.PojoActionProxy.performExecution(PojoActionProxy.java:176)
    at com.cisco.webui.action.common.PojoActionProxy.execute(PojoActionProxy.java:89)
    at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
    at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
    at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
    at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
    at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
    at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
    at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.xmp.wap.dojo.servlet.filter.DojoIframeSendFilter.doFilter(DojoIframeSendFilter.java:58)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.admin.infra.utils.WebCleanCacheFilter.doFilter(WebCleanCacheFilter.java:35)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.rbacfilter.AccessCheckFilter.doFilter(AccessCheckFilter.java:71)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.admin.infra.utils.UserInfoFilter.doFilter(UserInfoFilter.java:110)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.admin.infra.utils.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:113)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.admin.infra.utils.LoginCheckFilter.doFilter(LoginCheckFilter.java:188)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.admin.infra.utils.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:121)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
    at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:316)
    at org.apache.catalina.valves.LocalAddrValve.invoke(LocalAddrValve.java:43)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:394)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.valves.MethodsValve.invoke(MethodsValve.java:52)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)
    2013-11-11 08:44:00,226 INFO  2013-11-11 08:44:00,226  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- editPreload() triggered. Selected hostname is BB1NACEASTP01
    2013-11-11 08:44:00,226 INFO  2013-11-11 08:44:00,226  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- ParameterNames in load()= BB1NACEASTP01
    2013-11-11 08:44:00,226 INFO  2013-11-11 08:44:00,226  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- editPreload(): userName= adminhostname= BB1NACEASTP01
    2013-11-11 08:44:01,017 INFO  2013-11-11 08:44:01,017  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- ParameterNames in load()= BB1NACEASTP01
    2013-11-11 08:44:01,017 INFO  2013-11-11 08:44:01,017  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- Inside load() API : hostNameBB1NACEASTP01 userName : admin
    2013-11-11 08:44:01,017 INFO  2013-11-11 08:44:01,017  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- Inside fetchFile() API : hostName: BB1NACEASTP01 userName : admin
    2013-11-11 08:44:01,018 INFO  2013-11-11 08:44:01,018  [http-443-3][] cpm.admin.infra.action.SupportBundleAction- ParameterNames in sbfCreationPercentage()= BB1NACEASTP01
    2013-11-11 08:44:01,021 INFO  2013-11-11 08:44:01,021  [http-443-3][] cpm.admin.infra.action.SupportBundleAction- Got hostAlias= BB1NACEASTP01
    2013-11-11 08:44:01,021 INFO  2013-11-11 08:44:01,021  [http-443-3][] cpm.admin.infra.action.SupportBundleAction- Ping node: BB1NACEASTP01 for connectivity
    2013-11-11 08:44:01,181 INFO  2013-11-11 08:44:01,181  [http-443-3][] cpm.admin.infra.action.SupportBundleAction- Received pingNode response : Node is reachable

  • Cisco ISE - line posture node and switch connection.

    I am studying how the Cisco ISE Inline Posture Node works in Bridge Mode. I learned that I need to configure the VLAN mapping between the untrusted and trusted interfaces of the IPN device (http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_ipep_deploy.html - Figure 10-6).
    Does that mean I can set up an 802.1Q trunk link between the switch port and the trusted/untrusted interface on the IPN? Is there any VLAN mapping entry limitation? Thanks.

    Please review the below link, which might also be helpful:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml

  • Remote Access VPN posturing with Cisco ISE 1.1.1

    Hi all,
    we would like to start using our ISE for Remote VPN access.
    We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working; however, posturing of the client did not work.
    That was a few months ago and so I was wondering whether any design document is available specifically around using the Cisco ISE for authenticating & posturing Remote Access VPN clients.
    I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture; does anyone know whether this will also allow posturing too?
    We do intend to buy Cisco ASRs as well, but I am sceptical of this as I do not know how many VPN licenses you get out of the box. The ASAs we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
    I know ISRs are supported NADs but what about ASRs? There is no mention.
    Any advice will be appreciated!
    Mario

    OK, I have come across the Cisco Validated Design for BYOD and in there it has a section about authenticating VPNs.
    That's great... however it does not mention using the Inline Posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
    Essentially my requirements are:
    2-factor authentication VPN using a Certificate & RSA Token
    Posturing of the VPN endpoint.
    Ideally I would like to use IPSec VPNs as I have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
    Can anyone help?
    Mario

  • Cisco ISE 1.2 Patch 6 -- 8 Update failed

    Hi all,
    I wanted to know if any bugs were registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
    Important notice: I thought that this error could be an unlucky try, but I've tested the update twice.
    Indeed, I have three deployments: a pre-production one, a 4-node distributed one and a 2-node distributed one.
    The patch works fine on the pre-production one, on the 2-node one too, but fails on the 4-node one with a very abnormal behaviour.
    On the "show nodes status" in Maintenance - Patch manage, I can see that both my PANs are successfully patched and the first PSN too, but when "Patch in progress" appears on the second PSN, the "installed" status is cancelled on the first PSN and becomes "Patch in progress", so I have two "Patch in progress" in parallel, which is an abnormal procedure not described by Cisco in the document "Installing a software Patch" (which describes a sequential update of all nodes).
    The symptoms after this error are :
    - Unable to process EAP-TLS authentications! (CAs are stored on the first PAN and seem to be unavailable from the PSN to exchange the handshake)
    - The Application server tries to restart but fails indefinitely even if I try to restart the node (on both PSNs)
    - GUI unavailable
    - MAB Auth is working
    - Endpoint and Endpoint Groups menus are missing from the GUI (I push the MAC Address through the ERS API but it is very strange)
    - Logs indicate a first "Patch success" on the PAN and a second "Patch failed" still on the PAN :(
    The task that resolves this issue is to run the command "patch remove ise 8" on all nodes, and everything comes back functional.
    My big question is why, on my two other deployments, the patch was successful and quick to process.
    Thanks for your help.

    This is what I did, obviously... but the two PSNs stay in status "Node down"; the application service won't start correctly, with these ADE-OS log entries:
    2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
    2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...
    2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.
    2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
    2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
    2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

  • Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

    Need help from ISE experts/gurus in this forum.
    Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stop working completely and a reboot is required (very nice bug from Cisco). This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
    Scenario: 
    - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
    - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
    - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
    - node 3 is Policy service node - hostname is node3
    - node 4 is Policy service node - hostname is node4
    Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
    My understanding is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
    to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
    upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601.
    Can I patch my existing environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
    I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
    I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
    Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
    step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
    Proposed solution:
    step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
    step #2:  Perform the upgrade on ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once the ISE node2 upgrade is completed, it will
              form a new ISE 1.2 cluster independent of the old cluster,
    step #3:  Perform the upgrade on ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade, ISE
              Policy Service node3 will automatically join ISE node2, which is already on version 1.2
    step #4:  Perform the upgrade on ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade, ISE
              Policy Service node4 will automatically join ISE node2, which is already on version 1.2
    step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
    step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
    step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
    step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
    step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
    Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
    step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Do these steps make sense to you?
    Thanks in advance.

    David,
    A few answers to your questions -
    Question 1: My recommendation is to follow Vivek's blog since most fixes and upgrade steps are provided there. I would recommend installing the patch that was released prior to the 1.2 release date, since the directions to "install the latest patch" would put you at the version of when ISE 1.2 was released:
    https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
    You do not have the ability to install an ISE patch through the GUI on any of the "non-primary" nodes (you can use the CLI command to achieve this); the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at a time). I painfully verified this by watching the services on each node, and when a node was up and operational the next node would start the patching process. First the admin nodes, then the PSNs.
    Every ISE upgrade that I have attempted has not been flawless, and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine; however, I used the following process. You will need the service account information that is used to join your ISE to AD.
    I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure); in your case this will be node2.
    I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
    I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
    Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
    Once the restore finished, I then restored the certificate and picked one of the PSNs
    backup the cert,
    Had the AD join user account handy
    reset-db,
    and run the upgrade script.
    Once that is done I then restore the cert
    Join the PSN to the new deployment
    Join both nodes to AD through primary admin node
    Monitor for a few days (separate consoles to make sure everything runs smooth)
    If anything doesn't look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation; if it all goes smooth you can then follow the above steps for the other two nodes, starting with the last PSN and then the last admin node.
    Thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ise 1.2 install certificates for ise cluster question

    Hello all, I have an ISE cluster of 4 devices: 1 primary admin/secondary monitor, 1 secondary admin/primary admin and 2 policy nodes.
    I need to install public CA certs on them. Can I generate 1 CSR on one of the nodes that includes a SAN with the DNS names of all the nodes?
    Therefore get only 1 cert from the CA, and export and import the same cert into all the other nodes?
    Or do I have to generate 1 CSR for each node and purchase 4 certs? Wildcard certs are not an option. Thanks,

    ISE allows you to install a certificate with multiple Subject Alternative Name (SAN) fields. A browser reaching the ISE using any of the listed SAN names will accept the certificate without any error as long as it trusts the CA that signed the certificate.
    The CSR for such a certificate cannot be generated from the ISE GUI:
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/113675-ise-binds-multi-names-00.html
    Cisco ISE checks for a matching subject name as follows:
    1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.
    2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.
    3. If no match is found, the certificate is rejected.
    Regards,
    Jatin Katyal
    *Do rate helpful posts*
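    As an added illustration of the three matching rules Jatin lists (example code written for this page, not Cisco's implementation), the function below applies them to a constructed four-node deployment whose single certificate carries every node FQDN as a SAN dNSName. The FQDNs are made up, and the wildcard semantics (one leftmost '*' label standing for exactly one DNS label) are an assumption the answer does not spell out.

```python
"""Subject-name matching as described in the answer above (illustrative, not
Cisco's code). Node FQDNs, SAN lists and CNs below are constructed test data."""


def _wildcard_matches(pattern: str, fqdn: str) -> bool:
    """'*.example.com' matches 'ise1.example.com' but not 'a.b.example.com'.
    Assumption: a single leftmost '*' label covering exactly one DNS label."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn
    suffix = pattern[1:]                 # ".example.com"
    if not fqdn.endswith(suffix):
        return False
    left = fqdn[: -len(suffix)]          # the part the '*' stands for
    return left != "" and "." not in left


def certificate_matches_node(san_dns_names, subject_cn, node_fqdn):
    """Return (accepted, reason) following the three rules in the answer:
    1. If the SAN carries DNS names, one of them (plain or wildcard) must match
       the node FQDN; the CN is not consulted in that case.
    2. If there are no SAN DNS names, the Subject CN (plain or wildcard) must match.
    3. Otherwise the certificate is rejected."""
    if san_dns_names:
        for name in san_dns_names:
            if _wildcard_matches(name, node_fqdn):
                return True, f"SAN dNSName {name!r} matches {node_fqdn!r}"
        return False, "SAN present but no dNSName matches the node FQDN (CN ignored)"
    if subject_cn and _wildcard_matches(subject_cn, node_fqdn):
        return True, f"no SAN DNS names; Subject CN {subject_cn!r} matches"
    return False, "no matching SAN dNSName or Subject CN"


# Constructed deployment: one certificate intended to serve all four nodes.
CLUSTER_FQDNS = ["ise-pan1.example.com", "ise-pan2.example.com",
                 "ise-psn1.example.com", "ise-psn2.example.com"]
SHARED_SAN = list(CLUSTER_FQDNS)        # every node FQDN listed as a SAN dNSName
SHARED_CN = "ise-pan1.example.com"      # only consulted when the SAN has no DNS names


def check_cluster(fqdns=CLUSTER_FQDNS, san=SHARED_SAN, cn=SHARED_CN):
    """Which nodes would accept this certificate as their own system certificate."""
    return {fqdn: certificate_matches_node(san, cn, fqdn)[0] for fqdn in fqdns}


if __name__ == "__main__":
    for fqdn, ok in check_cluster().items():
        print(f"{fqdn}: {'accepted' if ok else 'rejected'}")
    # A SAN listing only the first node rejects the others even though the CN
    # is unchanged, because rule 1 stops the CN from being consulted.
    print(check_cluster(san=["ise-pan1.example.com"]))
```

The second call in the usage shows the trap behind the poster's question: once a SAN with DNS names is present, a node whose FQDN is absent from it is rejected regardless of the CN, so the shared certificate must list every node.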

  • Cisco ISE: How to identify/inactive old users?

    Hello,
    I want to get all users / MAC addresses which haven't connected to our network in 180 days.
    How can I query that?
    The report "Dormant Users" doesn't seem to be the right way: it displays currently associated users which are inactive...
    How can I purge Cisco ISE, cleaning it of useless, old, inactive MAC addresses?
    Thank you very much for any answer

    The only thing I could find was purging data in the MNT node.  The default is 90 days.  This doesn't apply because the profiles are stored on the policy node.  I don't think you can in an automated form.
    You could change the MNT to purge after 210 days and then run a report to see which MACs have not authenticated in the past 180 days.  That will require Excel and some scripting.
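    A worked version of the "report plus some scripting" step, added for this page rather than taken from the thread: it reads a constructed endpoint export and a constructed authentication report (the column names MACAddress, Calling Station ID and Logged At are assumptions; substitute whatever headers your ISE export uses), normalizes the differing MAC formats, and lists endpoints that have not authenticated in 180 days. Endpoints missing from the report altogether count as dormant only when the report's retention window (210 days here, as the answer suggests) is at least as long as the idle window.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample exports, not real data. Column names are assumptions.
ENDPOINT_EXPORT = """\
MACAddress,EndPointPolicy
00:11:22:33:44:55,Workstation
0011.2233.4466,Cisco-IP-Phone
00-11-22-33-44-77,Unknown
00:11:22:33:44:88,Workstation
"""

AUTH_REPORT = """\
Calling Station ID,Logged At
00:11:22:33:44:55,2014-07-10 08:15:00
00:11:22:33:44:55,2014-01-02 09:00:00
00-11-22-33-44-66,2014-01-05 17:42:10
00:11:22:33:44:77,2013-12-20 07:05:33
"""

REFERENCE_NOW = datetime(2014, 7, 15)   # constructed "today" for the sample data
MAC_DIGITS = re.compile(r"[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff from colon, dash or Cisco dotted forms,
    so that the endpoint export and the report key on the same string."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not MAC_DIGITS.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def last_seen_by_mac(report_csv, mac_col="Calling Station ID", time_col="Logged At"):
    """Most recent authentication timestamp per normalized MAC."""
    latest = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        mac = normalize_mac(row[mac_col])
        ts = datetime.strptime(row[time_col], "%Y-%m-%d %H:%M:%S")
        if mac not in latest or ts > latest[mac]:
            latest[mac] = ts
    return latest


def dormant_endpoints(endpoint_csv, report_csv, now, max_idle_days=180,
                      retention_days=210, mac_col="MACAddress"):
    """Map MAC -> last-seen timestamp (None if absent from the whole report) for
    endpoints that have not authenticated within max_idle_days of `now`.
    An endpoint missing from the report only proves dormancy when the report's
    retention window covers the idle window, hence the guard."""
    if retention_days < max_idle_days:
        raise ValueError("report retention must be at least the idle window")
    cutoff = now - timedelta(days=max_idle_days)
    seen = last_seen_by_mac(report_csv)
    stale = {}
    for row in csv.DictReader(io.StringIO(endpoint_csv)):
        mac = normalize_mac(row[mac_col])
        last = seen.get(mac)
        if last is None:
            stale[mac] = None            # never authenticated in the retention window
        elif last < cutoff:
            stale[mac] = last
    return stale


if __name__ == "__main__":
    result = dormant_endpoints(ENDPOINT_EXPORT, AUTH_REPORT, REFERENCE_NOW)
    for mac, last in sorted(result.items()):
        print(mac, "never seen in window" if last is None else f"last seen {last:%Y-%m-%d}")
```

The resulting list is what you would review before deleting endpoints from the PSN-side endpoint database; the 90-day default MNT purge the answer mentions would otherwise make a 180-day idle test impossible, because the report could not distinguish "idle for 180 days" from "idle for 91 days".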

  • Cisco ISE 1.2.1 solution BYOD

    Hi there. 
    I want to set up the Cisco ISE 1.2.1 solution for my wireless users. The solution will have 2 SSIDs.
    SSID: Guest
    This will be used with the guest portal and self-registration portal for guests. A dedicated VLAN or dACL will be applied.
    SSID: Employee
    This will be used for all corporate devices with corporate machine certificates (EAP-TLS); the corporate dACL will be applied (permit ip any any).
    This will also be used for BYOD devices. All devices that don't have a corporate machine certificate need to authenticate by PEAP and MSCHAPv2. The device will go through the self-provisioning process and get a BYOD certificate from a dedicated BYOD CA server by SCEP. A dACL will be applied that only gives access to the internet.
    I want to hear about your experiences with this kind of setup. Pros and cons. What do you think?

    1. PEAP is definitely a protocol that is protected and secure. The difference from EAP-TLS is that it only requires a server-side certificate which is used to create the secure (TLS) tunnel. After the tunnel is built then credentials are passed via the inner method which is usually MS-CHAPv2: http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
    2. Once authentication happens then wireless traffic encryption would be handled by the encryption method chosen on the WLC which is usually AES:
    http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
    3. I don't have a configuration example that I can share since there are many different variables that can alter the configurations. For instance, certificate templates being used, AD structure, certificates used for PEAP, etc. Below are some sample documentations that I found on Cisco's site. They reference ACS but they should still give you a good idea on what is needed:
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113670-eap-authentication-00.html
    https://supportforums.cisco.com/discussion/11567346/ise-and-eap-tls
    I have also heard good things about Lab Minutes videos even though I have not watched them myself: http://www.labminutes.com/video/sec/ISE
    4. Yes, you can have ISE nodes communicate and sync over MPLS. You just need to make sure that you have enough bandwidth and that your round trip delay is less than 150ms
    5. I am not sure if it is possible NOT to show the guest credentials when registering for a guest account. I know they can be sent via e-mail or sms but not aware of a way to prevent them from showing up on the screen.
    Thank you for rating helpful posts!

  • Cisco ISE with multiple Network interface

    Hello,
    I am deploying Cisco ISE 1.2 in a distributed deployment and the requirement is to use the external RADIUS proxy feature. The ISE PSNs are designed to have 2 L3 NICs: Eth0 for administration and Eth1 as the client-facing NIC for RADIUS requests. I am interested to know whether Cisco ISE version 1.2 would use the Eth1 interface to send RADIUS authentication requests to the external RADIUS proxy server.
    I could not find the above information in the Cisco SNS-3400 Series Appliance Ports Reference.
    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_app_c-ports.html
    Thanks
    Kumar

    Thanks Ahmad for the reply.
    Cisco ISE uses the standard RADIUS authentication and authorization ports to send requests to the external RADIUS proxy. In the interface/port reference guide for version 1.2 the following is listed, which is causing the confusion:
    Eth0 / Eth1 / Eth2 / Eth3
    Policy Service node
      Session
      • UDP: 1645, 1812 (RADIUS Authentication)
      • UDP: 1646, 1813 (RADIUS Accounting)
      • UDP: 1700 (RADIUS change of authorization Send)
      • UDP: 1700, 3799 (RADIUS change of authorization Listen/Relay)
      External Identity Stores and Resources
      • TCP: 389, 3268, UDP: 389 (LDAP)
      • TCP: 445 (SMB)
      • TCP: 88, UDP: 88 (KDC)
      • TCP: 464 (KPASS)
      • UDP: 123 (NTP)
      • TCP: 53, UDP: 53 (DNS)
      (Admin user interface authentication and endpoint authentication)
    Under External Identity Stores and Resources it says Eth0 is used for (Admin user interface authentication and endpoint authentication), whereas under Session it lists that all ports can be used for RADIUS Authentication and Authorization.
    I am not sure what I am missing to understand between the two if you can highlight that.
    Thanks
    Kumar

  • Cisco ISE AD (Windows Server 2013) Authentication Problem

    Background:
    Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
    Wireless users authenticating to AD through ACS 4.2 works. Admin access to the WLC and switches to AD through ISE works. Wireless authentication uses PEAP-MSCHAPv2 and admin access uses PAP/ASCII.
    Problem:
    Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
    Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
    xxdc01.xx.com (10.21.3.1)
    Pinged:0 Mins Ago
    State:down
    xxdc02.xx.com (10.21.3.2)
    Pinged:0 Mins Ago
    State:down
    xxdc01.xx.com
    Last Success:Thu Jan  1 10:00:00 1970
    Last Failure:Mon Mar 11 11:18:04 2013
    Successes:0
    Failures:11006
    xxdc02.xx.com
    Last Success:Mon Mar 11 09:43:31 2013
    Last Failure:Mon Mar 11 11:18:04 2013
    Successes:25
    Failures:11006
    Domain Controller: xxdc02.xx.com:389
        Domain Controller Type: Unknown DC Functional Level: 5
        Domain Name:            xx.COM
        IsGlobalCatalogReady:   TRUE
        DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
        ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
    Action Taken:
    1)     Logged on to Cisco ISE and the WLC using AD credentials. This rules out the AD connection, clock and AAA shared secret as the problem.
    2)     Tested wireless authentication using EAP-FAST but the same problem occurs.
    3)     The detailed error message shows the below. This rules out any authentication and authorization policies. Before even hitting the authentication policy, the AD lookup fails.
    12304  Extracted EAP-Response containing PEAP challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24430  Authenticating user against Active Directory
    24444  Active Directory operation has failed because of an unspecified error in the ISE
    4)     Enabled AD debug logging and had a look at the logs. Nothing significant and no clues to the problem.
    5)     Tested wireless on different laptops and mobile phones with the same error.
    6)     Deleted and re-added the AAA clients/devices on both Cisco ISE and the WLC.
    7)     Restarted ISE services.
    8)     Rejoined the domain on Cisco ISE.
    9)     Checked the release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
    10)    There are two ISE and two WLC deployed. Tested different combinations of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out a hardware issue with the WLC.
    Other possibilities/actions:
    1)     Test it out on a different WLC version. Will have to wait for outage approval to upgrade the WLC software.
    2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012.
    Has anyone out there experienced something similar or have any ideas on why this is happening?
    Thanks.
    Update:
    1) Built another Cisco ISE 1.1.3 server in another datacentre that uses the same domain but a different domain controller. This domain controller is running Windows Server 2008. This works and authentication is successful.
    2) My colleague tested in a lab environment with Cisco ISE 1.1.2 and Windows Server 2012. He got the same problem as described.
    This leads me to think there is a compatibility issue between Cisco ISE and Windows Server 2012.

    Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, and if not, which patch or version is required?
    Worryingly, when ISE joins a 2012 DC it states it has connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it is connected to the 2012 DC. We ended up mapping 8 PSN IPs to another datacentre which has one Win2003 server whilst the old 2003 DC is being promoted back; the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre. I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre.
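    A small parser for the AD connection-test output quoted above, added here as an example (it is not code from the thread or from Cisco). It merges the per-DC state and statistics blocks and flags the two signs visible in this case: a DC reported down, and a "Last Success" equal to the epoch placeholder, which means that DC has never completed an authentication. The embedded sample is constructed from the post; host names and addresses are placeholders.

```python
import re
from datetime import datetime

# Constructed sample (placeholder hosts/IPs) modelled on the post's test output.
SAMPLE = """\
xxdc01.xx.com (10.21.3.1)
State:down
xxdc02.xx.com (10.21.3.2)
State:down
xxdc01.xx.com
Last Success:Thu Jan  1 10:00:00 1970
Successes:0
Failures:11006
xxdc02.xx.com
Last Success:Mon Mar 11 09:43:31 2013
Successes:25
Failures:11006
"""

def parse_dc_status(text):
    # Merge the ping/state block and the auth-statistics block per DC name.
    dcs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([\w.-]+)(?: \(\d+\.\d+\.\d+\.\d+\))?$", line.strip())
        if m:                                   # a DC name starts a new block
            current = dcs.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip().lower().replace(" ", "_"), val.strip()
            if key in ("successes", "failures"):
                current[key] = int(val)
            elif key in ("last_success", "last_failure"):
                current[key] = datetime.strptime(val, "%a %b %d %H:%M:%S %Y")
            else:
                current[key] = val              # e.g. state, pinged
    return dcs

def unhealthy_dcs(dcs):
    # Return [(dc, [reasons])] for DCs that ISE should not be relying on.
    findings = []
    for name, info in sorted(dcs.items()):
        reasons = []
        if info.get("state") == "down":
            reasons.append("state down")
        last_ok = info.get("last_success")
        if last_ok is not None and last_ok.year == 1970:
            reasons.append("never succeeded (epoch timestamp)")
        if reasons:
            findings.append((name, reasons))
    return findings
```

    The epoch timestamp shows up in local time (10:00:00 here), so the check is on the year rather than on an exact instant.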

  • Cisco ISE 1.1.2.145 Admin Authentication using LDAP

    I have configured LDAP and am able to retrieve our LDAP directory structure. Now I am trying to point the 'Admin Access' authentication to the "External Identity" source, which is the new LDAP identity source I created. But I couldn't find an option to authenticate locally if for any reason the LDAP configuration doesn't work. I learnt that ISE can automatically revert to local auth provided the external identity sources are unreachable. How can I test the LDAP authentication without breaking our admin access? I thought of opening two parallel sessions, one with the Super Admin local account and the other with a domain account. But I noticed that ISE is smart enough to log off/log in any other sessions in different browsers, so basically I can't open two parallel sessions from the same machine to do the tests. Suggestions? Or am I missing something here?
    Many thanks in advance.

    Hi Srinivas,
    Even if you set up LDAP as an external identity source for admin access, you can still fall back to Internal without getting locked out. As per the ISE user guide:
    During operation, Cisco ISE is designed to "fall back" and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing "Internal" from the Identity Store drop-down selector in the login dialog.
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_identities.html#wp1351543
    Please refer to the attached screenshot from my lab ISE:
    I have configured admin authentication against AD, but I still see both "Internal" and "AD" at the time of login.
    Hope this helps.
    Thanks,
    Aastha

  • ISE does not register nodes - (blank pop-up window)

    Hello everyone !
    There is a Cisco ISE 1.1.4.218 deployment (all 8 patches) consisting of 6 nodes (2 admin, 2 monitoring, 2 policy) on virtual machines.
    When testing failover between policy nodes, one of the policy nodes was removed from the deployment. The result of attempting to register this node again is a blank warning pop-up window; the registration stops without registering the policy node (screenshot in attachment). The same thing happens when I try to register a secondary monitoring node (that was removed earlier, like in the case of the policy node). I also attach a portion of the log file taken from the admin node (CLI) at the moment of the registration attempts for the policy/monitoring nodes.
    DNS is OK (defined on both sides) and all certificates are valid.
    Has anybody already encountered a similar error?
    Sincerely,
    Andrey

    Please check the following prerequisites:
    •The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
    •The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
    •Node registration fails if you provide the default credentials (username: admin, password: cisco) while registering a secondary node. Before you register a standalone node, you must log into its administrative user interface and change the default password (cisco).
    •You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
    •If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
    •If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See the "Creating, Editing, and Deleting Node Groups" section for more information.
    •Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
    •After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain the appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import them into the CTL of the primary node. See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.

  • Another kind of error, upgrading Cisco ISE 1.1.4patch3 to 1.2

    I'm failing to upgrade our distributed ISE environment of 3 nodes.
    Using ise-upgradebundle-1.1.x-to-1.2.0.899.i386.gz; the MD5 sum is verified.
    All nodes are running 1.1.4 patch 3 and the cluster is in sync.
    Trying to upgrade the secondary admin node first and getting this error:
    Save the current ADE-OS running configuration? (yes/no) [yes] ?
    Generating configuration...
    Saved the ADE-OS running configuration to startup successfully
    Initiating Application Upgrade...
    % Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
    STEP 1: Stopping ISE application...
    STEP 2: De-registering node from current deployment.
    % Error: De-registering node from current deployment failed.
    Starting application after rollback...
    % Warning: Do the following steps to revert node to its pre-upgrade state.
    -Ensure that node is still present in current deployment from Primary UI, if not present register this node back again.
    error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1

    Upgrading a Distributed Deployment to Cisco ISE, Release 1.2
    http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_011.html
    states that:
    Before You Begin
    If you do not have a secondary Administration node in the deployment, configure one Policy Service node to be the secondary Administration node before beginning the upgrade process.
    Upgrade the secondary Administration node from the CLI.
    The upgrade process automatically deregisters Node Secondary Admin Node from the deployment and upgrades it to Release 1.2. Node Secondary Admin Node becomes the primary node of the new deployment when it restarts. Because each deployment requires at least one Monitoring node, the upgrade process enables the Monitoring persona on Node B even if it was not enabled on this node in the old deployment. If the Policy Service persona was enabled on Node B in the old deployment, this configuration is retained after upgrading to t
