Cisco ISE Active Endpoint Usage Reset
Hi,
I have a Cisco ISE running version 1.1 and I was wondering if it may be possible to reset the license usage/active endpoint count shown on the dashboard? This was noticed after a restore of ISE due to replacement of hardware, and I noticed that the license usage count/active endpoints does not seem to go down.
The following methods have been tried however without any success:
1. Reboot ISE server/service
2. Disable all network devices making use of ISE such that there are no clients/devices accessing it; example switch/WLC/etc...
3. Deleted all endpoint usage in Identities/Identity Groups
4. Disable profiling on ISE
As the ISE has been installed with a base license, not too sure if it may be either a bad restore (all services/applications are working though) / bad RADIUS accounting which does not time out on the ISE / etc...
Any help is appreciated on how to reset the active endpoint/license usage.
Thanks.
Here is a method for removing the stale records. Please give this a try:
http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1072950
Thanks,
Tarik Admani
*Please rate helpful posts*
Similar Messages
-
Cisco ISE Licence Historical Usage
I am a bit frustrated that I am unable to find any report/chart showing license utilization in ISE since 1.0 to 1.1.1.
The only info I found is ISE will send an alarm when the license pool is near fully utilized.
However, how can I check the historical utilization data for capacity planning, as proof that licenses were not bought in excess?
Anyone has idea on this?
Thank you!
Ning,
I checked my ISE instance and there isn't a report that exists, however you can run a report of the active RADIUS sessions at around their peak time and that should give some visibility as to how many endpoints are connected to the network.
You can also take a screenshot of the active endpoints dashlet on the home screen since that graph spans either the last 24 hours or 60 minutes.
Thanks,
Tarik Admani
*Please rate helpful posts* -
Cisco ISE Active Directory Add Group
Hi,
I came across the Cisco ISE on integrating with Microsoft Active Directory; I would like to check what may be the use case of the add group function (External identity source-->active directory-->group-->add group)? Not too sure if it may be possible to group multiple active directory groups to the created group?
I have attached a print capture of the "add group" for reference.
Any suggestion is appreciated.
I apologize for not following Ravi's post. However you can enter the group if searching for groups fails. It is case and format sensitive so using the method has to be precise. One example is looking in the authentication report for a user under the "other attributes": if there is a group you want to apply as a policy you can copy and paste that group syntax under the add group which you posted.
Sent from Cisco Technical Support Android App -
Hi everyone.
Is it possible to see all the users that have been logged and allowed by Cisco ISE, and that are currently active; and to force them to log off or end up their connection? (for example, users that have to authenticate in a Guest Portal)
How can we do it?
Thanks!
As long as all those WLAN IDs are set to authenticate users via ISE, they should show up in the page I indicated. I have done several implementations and this has always been the case (as it is documented to work).
If you're not seeing the same, you should probably open a TAC case to walk through the setup to investigate. -
Cisco ISE 1.1.4 Patch 7 (Internal Endpoint MAC Addresses Getting Disappeared)
Hi Folks,
I am having an issue where MAC addresses which we are trying to add under the Internal Endpoint Group for MAB disappear automatically after a few minutes. We tried multiple MAC addresses but the result is the same. We can see the MAC addresses which we added earlier, but new MAC addresses keep disappearing. Is there any limit to adding MAC addresses under Internal Endpoints? We have the following licenses.
L-ISE-ADV-1K-M= Cisco ISE 1000 EndPoint Advanced + Base Migration License
Thanks
Tabish,
We'll update the latest patch and then look for the work around from any one of our Cisco experts -
Is it possible to monitor the web pages visited for a guest using cisco ISE?
Hi Gino,
Yes, you can use the Guest Activity option. The Guest Activity report provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.
This report is available at: Operations > Reports > Endpoints and Users > Guest Activity.
To use this report you must first:
•Enable the passed authentications logging category. Choose Administration > Logging > Logging Categories and select Passed authentications.
•Enable these options on the firewall used for guest traffic:
–Inspect HTTP traffic and send data to the Cisco ISE Monitoring node. Cisco ISE only requires the IP address and accessed URL for the Guest Activity report so, if possible, limit the data to include just this information.
–Send syslogs to Cisco ISE Monitoring node
Please check the below link for further information,
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_guest_pol.html#wp1056645 -
Hello
I am interested to know how the Cisco ISE 1.2 base licences are consumed. As the Cisco ISE 1.2 user guide says: "The Base License is consumed whenever an authentication notification is received by Cisco ISE."
Based on the above statement I have the following queries:
RADIUS being a UDP-based request, it is only during the time the endpoint is authenticated and authorized that the base license is consumed, and then it is released. Then how does Cisco ISE track the concurrent endpoints connected to the network?
Thanks
Kumar
Thanks for the reply Tarik.
As I understand, you mean that a base license is consumed by every radius authentication request and then the license is free to be utilised again
Also, would this mean that if RADIUS accounting is turned off, then concurrent sessions will not be tracked?
Thanks
Kumar -
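Kumar's question above (and the stale active-endpoint count in the first thread) both come down to how a session table is driven by RADIUS accounting. The following is an added illustration, not code from the thread or from Cisco: a small session tracker fed with constructed accounting records, showing that a concurrent-endpoint count is only released by an Accounting-Stop or by a stale-session timeout, and that it counts distinct MACs with a live session rather than authentications. Attribute names follow standard RADIUS; the record layout, timestamps and MACs are assumed.

```python
from dataclasses import dataclass, field
from typing import Dict, List
# Illustrative model only (assumed, not ISE's internal session store): a RADIUS
# accounting record carries Acct-Status-Type, Acct-Session-Id and the endpoint
# MAC in Calling-Station-Id. Start opens a session, Interim-Update refreshes it,
# Stop releases it. Nothing here contacts a real ISE.
START, INTERIM, STOP = "Start", "Interim-Update", "Stop"

@dataclass
class SessionTable:
    stale_after: int = 3600  # no Interim-Update/Stop within this window => stale
    sessions: Dict[str, dict] = field(default_factory=dict)  # sid -> {mac, last_seen}

    def ingest(self, r: dict) -> None:
        sid, status = r["Acct-Session-Id"], r["Acct-Status-Type"]
        if status == START:
            self.sessions[sid] = {"mac": r["Calling-Station-Id"].lower(), "last_seen": r["ts"]}
        elif status == INTERIM and sid in self.sessions:
            self.sessions[sid]["last_seen"] = r["ts"]
        elif status == STOP:
            self.sessions.pop(sid, None)  # only a Stop (or a timeout) frees the slot

    def active_endpoints(self) -> int:
        # Concurrent endpoints = distinct MACs holding a live session, not the number
        # of authentications seen; one MAC that re-authenticates still counts once.
        return len({s["mac"] for s in self.sessions.values()})

    def purge_stale(self, now: int) -> List[str]:
        stale = [sid for sid, s in self.sessions.items() if now - s["last_seen"] > self.stale_after]
        for sid in stale:
            del self.sessions[sid]
        return stale

def rec(ts: int, status: str, sid: str, mac: str) -> dict:
    return {"ts": ts, "Acct-Status-Type": status, "Acct-Session-Id": sid, "Calling-Station-Id": mac}

def demo() -> dict:
    """Replay a constructed accounting stream; report counts before and after a stale purge."""
    t = SessionTable()
    stream = [
        rec(0, START, "s1", "AA:BB:CC:00:00:01"),
        rec(10, START, "s2", "AA:BB:CC:00:00:02"),
        rec(600, INTERIM, "s1", "AA:BB:CC:00:00:01"),
        rec(900, STOP, "s2", "AA:BB:CC:00:00:02"),    # clean release
        rec(1000, START, "s3", "aa:bb:cc:00:00:01"),  # same MAC re-authenticates; s1 never gets a Stop
        rec(1200, START, "s4", "AA:BB:CC:00:00:03"),  # its Stop is lost (UDP drop / switch replaced)
        rec(4500, INTERIM, "s3", "aa:bb:cc:00:00:01"),
    ]
    for r in stream:
        t.ingest(r)
    before = (len(t.sessions), t.active_endpoints())
    purged = t.purge_stale(now=5000)
    return {"sessions_before": before[0], "endpoints_before": before[1],
            "purged": purged, "endpoints_after": t.active_endpoints()}
```

With accounting disabled, only Start records would ever arrive in this model, so the count could grow but never shrink; the purge step is what a stale-record cleanup like the one linked in the first thread amounts to.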
Cisco ISE: How to match an endpoint belonging to an identity group?
Hello,
I am running Cisco ISE 1.1.4.218 in a standalone environment.
I am trying to setup Compound Condition for Authorization.
I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
I created 1 endpoint identity group and 2 children groups
- GroupParent
- ChildA
- ChildB
I put the MAC address of my machine in the group ChildA.
In my condition, I tried the following:
IdentityGroup:Name, Equals, ChildA
IdentityGroup:Name, Equals, GroupParent:ChildA
IdentityGroup:Name, Match, .*(ChildA).*
I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
IdentityGroupName, Equals, GroupParent
IdentityGroupName, Match, .*(GroupParent).*
But none of these options worked.
I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
Can anyone help me?
Best regards,
David
You could try the following to match only the parent group
IdentityGroup:Name EQUALS GroupParent
You could try the following to match only child group A
IdentityGroup:Name EQUALS GroupParent#ChildA
You could try the following to match all child groups of GroupParent
IdentityGroup:Name STARTS_WITH GroupParent
Please rate if this helps -
Hi,
Since we implemented Cisco ISE we receive the following failure on several Notebooks:
Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
This happens 2 or 3 times per day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
Why is this happening?
Thanks,
Marc
The possible causes of this error message are:
1.] If the end user entered an incorrect username.
2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentication.
3.] As long as a PSN is not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says EAP session timed out.
In your case, the 3rd option seems to be the closest one.
Jatin Katyal
- Do rate helpful posts - -
Hi!!
We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory. But the client wants the mapping to be through a RADIUS SERVER, to avoid ISE querying the Active Directory directly.
I know it is possible to use a RADIUS SERVER as an external identity source for ISE. But is it possible to use this RADIUS SERVER for this sponsor group handling?
Thanks and regards!!
Yes, it is possible to map a Sponsor group to a user group in AD, and if you want to know how to do it please open the link below and go to the Mapping Active Directory Groups to Sponsor Groups heading.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365 -
Cisco ISE 1.3 Active Directory issue
Hi Folks
I am having an issue with our Cisco ISE and would love some feedback or a solution. I have the ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD, retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration > Identity Management > External Sources' page and select our AD instance from the left hand side window, the screen locks up and refuses to load. Any advice?
Hi
I also had this issue (and one of my colleagues also) when using Firefox (versions 34 and 35).
I managed to create the AD server using IE 10 for example, and after that it appears correctly with Firefox.
It was before ISE 1.3 patch 1, but I have seen no corrected issue in the patch 1 release notes for this problem.
guillaume -
Cisco ISE - Posturing of a Linux Endpoint - Is it possible?
We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
From what I knew prior to researching this request, the NAC agent is only compatible with endpoints running Windows or Mac OS X.
Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these types of checks possible with Cisco ISE posture assessment on a Linux endpoint?
One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
Any thoughts? Thanks in advance.
Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
Thank you for rating helpful posts! -
Hi All,
I need to know if usage quotas are supported on Cisco ISE. After doing some research I found that it was supported on ACS 4.x and removed from ACS 5.x. In brief, we need to be able to assign and track volume- and time-based quotas for users accessing either via switches, WLC or remotely.
Regards,
Afaik there's no quota, but I think you could use a little trick (and I remark I'm guessing a little here)
You can configure Access Settings > Max Session User Settings
And then you can configure System Administration > Max User Session Global Settings > Max User Session Timeout
Max User Session Timeout Settings
Unlimited Session Timeout
No timeout.
Max User Session Timeout
Once the session timeout is reached, ACS sends a fake STOP packet to close the respective session and update the session count.
Note The user is not enforced to logout in the device.
So I guess if you want a "quota" of 3 hours you can configure "max user session timeout" of 1 hour and set "Max session user setting" of 3.
But if you log out I guess the "quota" reverts to zero, so there's no "accumulative quota". I repeat I'm guessing here, sadly I don't have time right now to test it.
Kind regards -
Cisco ISE with Active Directory
Dears,
I have 1 switch connected to Cisco ISE 1.3, 6 PCs and Active Directory.
My responsibility is to make a policy on the Cisco ISE denying any one of these 6 PCs access to
the network unless it's joined to the domain (AD).
I don't know how to do that and I'm new to Cisco ISE.
If someone can help me with the procedure, or a helpful link for my task, or any hint/info to search about!!
I did the integration between the Cisco ISE and AD but still I don't know where and how to put the policy on the ISE saying if one of these devices is not on the domain, kick it off the network.
Thanks,
Machine + user authentication
-
Reauthentication Problem in Endpoints Using Cisco ISE 1.1
Hi,
Can anyone suggest something? If a laptop/desktop goes into sleep mode or stays connected to an interface configured for 802.1X for more than 12 hours, it does not work: it cannot connect to the Exchange server, Cisco ISE console, Office Communicator...
For re-authentication I need to restart the PC/laptop or unplug and replug the LAN cable!
But before restarting I am able to ping all DNS, DHCP, OCS, everything....
below is the interface configuration
sh running-config interface gigabitEthernet 3/0/19
Building configuration...
Current configuration : 909 bytes
interface GigabitEthernet3/0/19
description Access Ports
switchport access vlan 309
switchport mode access
ip access-group ACL-ALLOW in
no logging event link-status
power inline never
srr-queue bandwidth share 1 60 30 10
srr-queue bandwidth shape 10 0 0 0
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 10
no cdp enable
spanning-tree bpduguard enable
spanning-tree guard loop
service-policy input access_in
ip dhcp snooping limit rate 20
end
Hi Sachin,
Thanks for your prompt response. Here is the port configuration. My users are connected behind Cisco IP Phone & We are using CWA for wired guest as well.
interface GigabitEthernet0/1
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30
Thanks