Cisco ISE 1.2.x with Posture Configuration - Windows Patches

Similar Messages

• Virtual PC / XP Mode Error outs with Required configuration: - Windows must be configured in mode 800x600 minimum - Windows must be configured in mode 'true colors'.

  Hello,
  I am running Application using XP mode and Virtual PC on Windows 7. I have 8 GB RAM and more than 300 GB free disk space. When I launch application in XP, I receive following error 
  Required configuration: 
  - Windows must be configured in mode 800x600 minimum
  - Windows must be configured in mode 'true colors'.
  My screen resolution is  1024
  × 768
  and I do not see any other options to resolve this problem.
  Any guidance is greatly appreciated.
  Ganesh

  This is a thread that discusses your problem.
  https://social.technet.microsoft.com/Forums/windows/en-US/12a17fa5-ddab-4480-8973-1a13bfb2e8fd/need-more-than-16bit-color-depth-on-windows-xp-mode?forum=w7itprovirt
  Your app is probably calling for 32-bit color, and XP Mode with
  integration features doesn't support that.  There's 3 ways around it. 
  one, is to enable remote desktop in XP Mode and connect to the VM with
  remote desktop.
  2nd is to turn off the integration features and then you can set the XP
  Mode desktop to 1024x7687 and 32-bit color
  and 3rd, if you app supports 24-bit color, there's a registry hack to do
  it.  It's in the thread I posted above.
  Bob Comer

• ISE reauthenticaiton in wireless with posture

  Hi,
  There is an issue which the wireless reauthentication in our environment. The posture feature has been used and everyone install the Cisco NAC agent. I found that if someone disconnect the wireless SSID, then reconnect the wireless SSID by authenticate the identity & compliant, can't be transfered to the correct the right SSID again. Can anyone help resolve this problem?

  Please follow this link to configure your settings
  https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configuring-posture-services-with-the-Cisco-Identity-Services/ta-p/221702
  also check this for trouble shoot
  https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/ISE-Posture-Agent-Profile-Parameter-Details-NACAgentCFG-xml/ta-p/239024

• Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

  Hi,
  I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
  My authentication and authorization rules relating that case are as on following screenshots:
  So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
  Looking in ISE's Authentication section I can see following:
  Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
  So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting failure. So what could be cause of such things and how I can successfully log in to PI GUI authenticating via ISE using AD credentials?

  Hi,
  -- Please Go to Administration > Logging > set the Message level to TRACE > Click save
  -- Then try to add the ISE.
  -- Once it fails, collect the logs from Administration > Logging > 
  check the "ncs-0-0.log"  & search the file for "ERROR" & paste the results here. This will give us exact reason.
  - Ashok
  Please rate the post or mark as correct answer as it will help others looking for similar information

• Cisco ISE 1.2 - Problem with Device Onboarding of internal users using AD Credentials

  Dear experts,
  We have implemented ISE 1.2 with WLC 7.5 in our organization. We are using Device Onboarding by letting the users enter their AD Username and Passowrd on Guest portal which then redirects them to device registration portal where they simply register their device and they get internet access.
  The problem is that some users are unable to authenticate using this portal while some can successfully authenticate and register their devices. All users are of the same group in AD. Also, we have enabled this check on two places. One is when users connects to the SSID where the security WPA2-Enterprise uses 802.1x and asks for AD username password. The other is on the portal.
  All users are able to connect to the SSID using their AD credentials. However, 30% of the users are not being authenticated when they are redirected to the Guest portal for device registration. Also, it gives no error or event on either ISE or on the mobille device. When the users enters their credentials, the same guest portal page comes back blank with no errors or logs anywhere.
  Can someone guide me if there is some configuration mistake that I may have done or have someone faced this same issue and were/weren't able to resolve it.
  Thanks in advance.
  Jay

  Our problem got solved. It was related to a few user accounts in AD. Usually any authentication on AD User Account is carried out using the User ID. However, during Web Authentication, Login ID/Name is also checked by ISE and should be same as User ID.
  The problem you are facing might also related be to AD since we had the similar issue. try to check this on a laptop as the mobile portal gives no error if the user is unknown or invalid. Also, you can enable logs for web authentication which are off by default. It will give you a pretty good idea where the problem lies. And yeah, do not keep the web authentications log on for long, it can hang your ISE.
  Anyways, thanks for all the support.

• Cisco ISE or NAC Guest with web security (IronPort) integration

  All,
  We have a scenario where guests will be authenticated against the ISE or NAC Guest server, and customer will place an IronPort to provide web security, however, we can not find referentes whether IronPort can or cannot integrate with Guest Server, so that guests are not requested to be authenticated twice, one by the Guest Server, a one by the proxy. The idea is to keep it transparent for the guests with a single authentication.
  Has anyone there implemented such scenario?
  Thank you!

  I see. So, lets say we disable proxy authentication for the guest segment, can I still provide content filter for the segment, even though there is no proxy authentication? I assume customer will lose the reportinga and tracking granularity, but the scenario will work withou proxy authentication. This may be some sort of "man in the middle" only, but with content filter. Does it make sense?
  Thank you!

• Deploying application: problem with deploying configuration window

  Hi all,
  I am using Jdev 11.1.1.0 and I am trying to deploy an application with customization classes.
  I have followed the step of the manual (35.2 creating an Application Server Connection), then I have created the deployment profile (inserting my customization class in a jar file) and the deployment descriptor.
  When I try to deploy my application, appears a popup with a window that has the title "Deployment Configuration" with only the "MDS" tab with two List Of Values that I can not compile/fill
  I have this error:
  MAR archive 'metadata1.mar' did not have any metadata content, not added to EAR (even if in application properties --> Deployment --> myEarFile --> application assembly --> I have checked the file MAR; if I check the file MAR I can compile an input text with the label PATH in EAR and I don't know what put in it).
  Wrote Enterprise Application Module to C:\Users\acosta\Documents\Applicazioni java\DeployProva3\deploy\application1.ear
  No metadata repositories found on target server. Using values found in adf-config.xml.
  What is the problem?
  Thanks
  Edited by: user10799119 on 5-ago-2009 0.42
  Edited by: user10799119 on 5-ago-2009 0.51

  Edwin Biemond has a couple of very useful blogs about MDS and Deployment here .
  Timo

• Anybody having trouble with QT with the last Windows patch?

  All QT is not working and won't even launch on vista.
  I hope Apple contacts Microsoft and get this straightened out.

  I just put QT on a vista machine that had not had it before. Worked OK at first then when launched again shut down with a Data Execution Prevention error. Tried turning off DEP for QT but vista would not let me do it. Will run if started by "Run as Administrator". However if you set Run as Administrator" under Compatibility then it wont run - says it must have windows 2000 or later

• Cisco ip phones authenticate 802.1x with cisco ise

  Dears,
  I want to  configure ip phones authenticate from Cisco ISE with 802.1X with certificates. But i can not find any configuration guide about this solutions.
  I find one config and this is about ACS. Please provide me any documentation guide on cisco ise.
  Thanks. 

  802.1x configuration for IP Phones
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#69217

• Cisco ISE with AD Problem: "Could not read groups data: Global catalog not found"

  Hi all,
  When I make the ActiveDirectory integration with Cisco ISE, I have complete with this integration. but when I try to read the Groups from Active Directory, ISE shows the message "Could not read groups data: Global catalog not found".
  My Domain has multiple sites and subnets, each contains GC for local logon. I have set ISE to the correct site and subnet. Forward and Reverse DNS are working with no error.
  Does anyone get this problem, please help.
  I have check into the ISE CLI Reference Guide 1.1.x
  You are about to configure Active Directory settings.
  Are you sure you want to proceed? y/n [n]: y
  Parameter Name: dns.servers
  Parameter Value: 10.77.122.135
  Active Directory internal setting modification should only be performed if approved by ISE
  support. Please confirm this change has been approved y/n [n]: y
  What shoud I set in the Parameter Name ? dns.servers or my dns hostname ?
  Please suggest for this too.
  Thanks and Regards,
  Pongsatorn M.

  Hi Pongsatorn,
  Thanks for the reply!
  I've attached the results of the ISE detailed AD test. As you can see, there is a fair number of domain controllers in the AD forest.
  It seems everything works correctly until it gets to testing the AD connectivity on port 3268. Then I get this:
    Testing Active Directory connectivity:
      Global Catalog: pdascdc02.xyz.com
        gc:       3268/tcp - refused
    Testing Active Directory connectivity:
      Global Catalog: pdascdc02.xyz.com
        gc:       3268/tcp - refused
  For some reason, the request to the controllers on port 3268 is being refused.
  Any thoughts you might have are greatly appreciated.
  Cheers,
  Greg

• Cisco ISE - General Info. & capabilities

  Hello All,
  I've read quiet a bit of ISE features, but would like to know the following:
  1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?
  2. Can it provide details of how much data was transferred from a particular server to a specific client?
  3. For a 1500 user env. (1000 desktops and 500 wireless devices) which model of ISE would be appropriate?
  4. How would having ISE be different from already deployed authentication services like Active Directory or built-in application authentication for solutions like Oracle ERP systems?
  5. I see ISE as being marketed primarily for wireles devices (BYOD), but how would it help for wired devices (or does it become and unecessary authentication level apart from AD, switch based 802.1x, etc)
  Thank you.
  Regards,
  Adnan

  Cisco ISE is a consolidated policy-based access control system that  incorporates a superset of features available in existing Cisco policy  platforms. Cisco ISE performs the following functions:
  •Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
  •Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned sponsor administrators, or both
  •Enforces  endpoint compliance by providing comprehensive client provisioning  measures and assessing device posture for all endpoints that access the  network, including 802.1X environments
  •Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
  •Enables consistent policy in centralized and distributed deployments that allows services to be delivered where they are needed
  •Employs  advanced enforcement capabilities including security group access (SGA)  through the use of security group tags (SGTs) and security group access  control lists (SGACLs)
  •Supports scalability to support a number of deployment scenarios from small office to large enterprise environments
  The following key functions of Cisco ISE enable you to manage your entire access network.
  Provide Identity-Based Network Access
  The Cisco ISE solution provides context-aware identity management in the following areas:
  •Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
  •Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
  •Cisco  ISE assigns services based on the assigned user role, group, and  associated policy (job role, location, device type, and so on).
  •Cisco  ISE grants authenticated users with access to specific segments of the  network, or specific applications and services, or both, based on  authentication results.
  ISE 3315 can support 1500 users with appropriate license.

• Cisco ISE patching find out

  Hi all,
  Would like to find out on patching process on inline posture node.
  My topology is one ISE appliance node type is Admin/Policy Service Node; while another unit is inline posture node.
  Both appliance have the identical software versiona and patch, namely 1.1.3.124, patch 2
  I would like to update it to patch version 4.
  My question:
  01. If i apply the patch on the Admin/Polic Service Node using GUI patch maangement, will this also apply the patch to Inline Posture node?
  02. Or should i use console into Inline Posture node and using CLI way to update the patch? Anything i should mention in this process, example: stop application etc?
  Please advice, million thanks
  Noel

  Resolved Issues in Cisco ISE Version 1.1.0.665—Cumulative Patch 4
  Lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.0.665 cumulative patch 4.
  You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.1.0.665 (with or without patch 1, 2, and 3 applied), otherwise the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.1.0.665."
  To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.1. for instructions on how to apply the patch to your system.
  If you experience problems installing the patch, please contact Cisco Technical Assistance Center.
  Cisco ISE Patch   Version 1.1.0.665—Patch 4 Resolved Caveats
  Caveat
  Description
  CSCui22841
  Apache Struts2 command execution   vulnerability
  Cisco ISE includes a version of Apache   Struts that is affected by the vulnerabilities identified by the following   Common Vulnerability and Exposures (CVE) IDs: CVE-2013-2251. This fix   addresses the potential impact on this product.
  Managing Software Patches
  You can install patches on ISE servers in your deployment from the primary administration node. ISE patches are usually cumulative; however, any restrictions on the patch installation will be described in the README file that will be included with the patch. Cisco ISE allows you to perform patch installation and rollback from either the command-line interface (CLI) or GUI.
  Standalone Deployment
  When you install or roll back a patch from a standalone or primary administration node, ISE restarts the
  Application. You might have to wait for a few minutes before you can log back in.
  Distributed Deployment
  When you install or roll back a patch from the primary administration node that is part of a distributed deployment, Cisco ISE installs the patch on the primary and all the secondary nodes in the deployment. If the patch installation is successful on the primary node, Cisco ISE then proceeds to the secondary nodes. If it fails on the primary node, the installation is aborted. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment.
  Installing a Software Patch.
  Please check the below link for step by step installation.
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_admin.pdf

• Cisco ISE authentication failed because client reject certificate

  Hi Experts,
  I am a newbie in ISE and having problem in my first step in authentication. Please help.
  I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
  Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
  Regards,
  Ratna

  Certificate-Based User Authentication via Supplicant Failing
  Symptoms or
  Issue
  User authentication is failing on the client machine, and the user is receiving a
  “RADIUS Access-Reject” form of message.
  Conditions (This issue occurs with authentication protocols that require certificate validation.)
  Possible Authentications report failure reasons:
  • “Authentication failed: 11514 Unexpectedly received empty TLS message;
  treating as a rejection by the client”
  • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
  the client rejected the Cisco ISE local-certificate”
  Click the magnifying glass icon from Authentications to display the following output
  in the Authentication Report:
  • 12305 Prepared EAP-Request with another PEAP challenge
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is reusing an existing session
  • 12304 Extracted EAP-Response containing PEAP challenge-response
  • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
  client
  • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
  client
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is re-using an existing session
  • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
  • 12815 Extracted TLS Alert message
  • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
  Cisco ISE local-certificate
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  Note This is an indication that the client does not have or does not trust the Cisco
  ISE certificates.
  Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
  The client machine is configured to validate the server certificate, but is not
  configured to trust the Cisco ISE certificate.
  Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

• CIsco ISE - HP Openview monitoring.

  Hi guys,
  I have a doubt about monitoring Cisco ISE services in the network.
  We can send some alarms notifications to a multiple e-mails, but my doubt is if I can monitoring ISE services with a network monitoring software like HP Open View.
  I didn't find any documentation about it yet.
  Someone knows if I can do this?

  Hi Tarik, How are you?
  The doubt is.... my customer have ise in vmware and he need monitoring availability for cisco ISE. The question is: How can I do that? I did found any document informing if I can send snmp traps or something like that to a Monitoring Server.
  About "link down" and "link Up" he can monitoring the ESX Vmware appliance right?
   There are something that I can do with Cisco ISE. I need to pass a answer to my client if  the Cisco ISE can support this kind of configuration. 
  Thanks for your help.

• Do I need Cisco ISE VM Part # L-ISE-VM-K9= for ESXi installation

  Hi there,
  Do I need the L-ISE-VM-K9 license to install Cisco ISE on an ESXi ?
  Actually, Cisco ISE can be downloaded with an Eval License for 90 days.
  I know, ISE license (e.g. Base License) is needed.
  Thanks a lot.
  Greetings,
  Norbert

  Just in case you you would like to see the specification of each licence.
  License Type
  Features Supported
  Deployment Type Supported
  License Prerequisite
  License Term(s)
  Base License
  AAA
  Guest Provisioning
  Link Encryption Policies
  Wired
  Wireless
  VPN
  Perpetual
  Advanced License
  Device Onboarding/Provisioning
  Device Profiling and Feed Service*
  Host Posture
  Security Group Access
  Integrated Vendor MDM Support*
  Wired
  Wireless
  VPN
  Base License
  3- and 5-Year Terms
  Wireless License
  Device Onboarding/Provisioning
  AAA
  Guest Provisioning
  Link Encryption Policies
  Device Profiling and Feed Service*
  Host Posture
  Security Group Access
  Integrated Vendor MDM Support*
  Wireless
  3- and 5-Year Terms
  Wireless Upgrade License
  Device Onboarding/Provisioning
  Authentication/Authorization
  Guest Provisioning
  Link Encryption Policies
  Device Profiling
  Host Posture
  Security Group Access
  Wired
  Wireless
  VPN
  Wireless License
  3- and 5-Year Terms
  Cisco ISE Functionality-Based License Options
  License Tiers (T)
  Number of Endpoints Supported
  Base License
  Advanced 3-Year License
  Advanced 5-Year License
  Wireless 3-Year License
  Wireless 5-Year License
  Wireless Upgrade 3-Year License
  Wireless Upgrade 5-Year License
  100
  100 Endpoints
  L-ISE-BSE-100=
  L-ISE-ADV3Y-100=
  L-ISE-ADV5Y-100=
  L-ISE-AD3Y-W-100=
  L-ISE-AD5Y-W-100=
  L-ISE-W-3UPG-100=
  L-ISE-W-UPG-100=
  250
  250 Endpoints
  L-ISE-BSE-250-
  L-ISE-ADV3Y-250=
  L-ISE-ADV5Y-250=
  L-ISE-AD3Y-W-250=
  L-ISE-AD5Y-W-250=
  L-ISE-W-3UPG-250=
  L-ISE-W-UPG-250=
  500
  500 Endpoints
  L-ISE-BSE-500=
  L-ISE-ADV3Y-500=
  L-ISE-ADV5Y-500=
  L-ISE-AD3Y-W-500=
  L-ISE-AD5Y-W-500=
  L-ISE-W-3UPG-500=
  L-ISE-W-UPG-500=
  1000
  1000 Endpoints
  L-ISE-BSE-1K=
  L-ISE-ADV3Y-1K=
  L-ISE-ADV5Y-1K=
  L-ISE-AD3Y-W-1K=
  L-ISE-AD5Y-W-1K=
  L-ISE-W-3UPG-1K=
  L-ISE-W-UPG-1K=
  1500
  1500 Endpoints
  L-ISE-BSE-1500=
  L-ISE-ADV3Y-1500=
  L-ISE-ADV5Y-1500=
  L-ISE-AD3Y-W-1500=
  L-ISE-AD5Y-W-1500=
  L-ISE-W-3UPG-1500=
  L-ISE-W-UPG-1500=
  2500
  2500 Endpoints
  L-ISE-BSE-2500=
  L-ISE-ADV3Y-2500=
  L-ISE-ADV5Y-2500=
  L-ISE-AD3Y-W-2500=
  L-ISE-AD5Y-W-2500=
  L-ISE-W-3UPG-2500=
  L-ISE-W-UPG-2500=
  3500
  3500 Endpoints
  L-ISE-BSE-3500=
  L-ISE-ADV3Y-3500=
  L-ISE-ADV5Y-3500=
  L-ISE-AD3Y-W-3500=
  L-ISE-AD5Y-W-3500=
  L-ISE-W-3UPG-3500=
  L-ISE-W-UPG-3500=
  5000
  5000 Endpoints
  L-ISE-BSE-5K=
  L-ISE-ADV3Y-5K=
  L-ISE-ADV5Y-5K=
  L-ISE-AD3Y-W-5K=
  L-ISE-AD5Y-W-5K=
  L-ISE-W-3UPG-5K=
  L-ISE-W-UPG-5K=
  10,000
  10K Endpoints
  L-ISE-BSE-10K=
  L-ISE-ADV3Y-10K=
  L-ISE-ADV5Y-10K=
  L-ISE-AD3Y-W-10K=
  L-ISE-AD5Y-W-10K=
  L-ISE-W-3UPG-10K=
  L-ISE-W-UPG-10K=
  25,000
  25K Endpoints
  L-ISE-BSE-25K=
  L-ISE-ADV3Y-25K=
  L-ISE-ADV5Y-25K=
  L-ISE-AD3Y-W-25K=
  L-ISE-AD5Y-W-25K=
  L-ISE-W-3UPG-25K=
  L-ISE-W-UPG-25K=
  50,000
  50K Endpoints
  L-ISE-BSE-50K=
  L-ISE-ADV3Y-50K=
  L-ISE-ADV5Y-50K=
  L-ISE-AD3Y-W-50K=
  L-ISE-AD5Y-W-50K=
  L-ISE-W-3UPG-50K=
  L-ISE-W-UPG-50K=
  100,000
  100K Endpoints
  L-ISE-BSE-100K=
  L-ISE-ADV3Y-100K=
  L-ISE-ADV5Y-100K=
  L-ISE-AD3Y-W-100K=
  L-ISE-AD5Y-W-100K=
  L-ISE-W-3UPG-100K=
  L-ISE-W-UPG-100K=
  Cisco ISE Functionality-Based License Options
  License Type
  License SKU
  Base License
  L-ISE-BSE-[T]=
  Advanced 3-Year License
  L-ISE-ADV3Y-[T]=
  Advanced 5-Year License
  L-ISE-ADV5Y-[T]=
  3-Year Wireless License
  L-ISE-AD3Y-W-[T]=
  5-Year Wireless License
  L-ISE-AD5Y-W-[T]=
  3-Year Wireless Upgrade License
  L-ISE-W-3UPG-[T]=
  5-Year Wireless Upgrade License
  L-ISE-W-UPG-[T]=
  Replace [T] with the appropriate license tier from Table 5 and 6.
  Jatin Katyal
  - Do rate helpful posts -