Cisco ISE Active Endpoint Usage Reset

Hi,
I have a Cisco ISE running version 1.1 and I was wondering if it may be possible to reset the license usage/active endpoint shown on the dashboard? This was noticed after a restore of ISE due to replacement of hardware and I noticed that the license usage count/active endpoints does not seem to go down.
The following methods have been tried however without any success:
1. Reboot ise server/service
2. Disable all network devices making use of ise such that there are no clients/devices accessing it; example switch/wlc/etc...
3. Deleted all endpoints usage in identities/identities group
4. Disable profiling on ise
As the ise has been installed with a base license; not too sure if it may be either a bad restore (all service/application are working though) / bad radius accounting which does not time out on the ise / etc...
Any help is appreciated on how to reset the active endpoint/license usage.
Thanks.

Here is a method for removing the stale records. Please give this a try:
http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1072950
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Cisco ISE Licence Historical Usage

    I am a bit frustrated that I am unable to find any report/chart showing license utilization in ISE since 1.0 to 1.1.1.
    The only info I found is ISE will send an alarm when the license pool is near fully utilized.
    However, how can I check the historical utilization data for capacity planning, as proof that the license was not bought in excess?
    Does anyone have an idea on this?
    Thank you!

    Ning,
    I checked my ISE instance and there isn't a report that exists, however you can run a report of the active radius sessions at around their peak time and that should give some visibility as to how many endpoints are connected to the network.
    You can also take a screenshot of the active endpoints dashlet on the home screen since that graph spans either the last 24 hours or 60 minutes.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE Active Directory Add Group

    Hi,
    I came across the Cisco ISE on integrating with Microsoft Active Directory; I would like to check what may be the use case of the add group function (External identity source-->active directory-->group-->add group)? Not too sure if it may be possible to group multiple active directory groups to the created group?
    I have attached a print capture of the "add group" for reference.
    Any suggestion is appreciated.

    I apologize for not following Ravi's post. However you can enter the group if searching for groups fails. It is case and format sensitive so using the method has to be precise. One example is looking in the authentication report for a user under the "other attributes"; if there is a group you want to apply as a policy you can copy and paste that group syntax under the add group which you posted.
    Sent from Cisco Technical Support Android App

  • CISCO ISE Active Users

    Hi everyone.
    Is it possible to see all the users that have been logged and allowed by Cisco ISE, and that are currently active; and to force them to log off or end their connection? (for example, users that have to authenticate in a Guest Portal)
    How can we do it?
    Thanks!

    As long as all those WLAN IDs are set to authenticate users via ISE, they should show up in the page I indicated. I have done several implementations and this has always been the case (as it is documented to work).
    If you're not seeing the same, you should probably open a TAC case to walk through the setup to investigate.

  • Cisco ISE 1.1.4 Patch 7 (Internal Endpoint Mac Addresses Getting Disappeared)

    Hi Folks,
    I am having an issue where MAC addresses which we are trying to add under Internal Endpoint Group for MAB disappear automatically after a few minutes. We tried multiple MAC addresses but the result is the same. We can see the MAC addresses which we added earlier, but new MAC addresses disappear. Is there any limit on adding MAC addresses under Internal Endpoint? We have the following licenses.
    L-ISE-ADV-1K-M=  Cisco ISE 1000 EndPoint Advanced + Base Migration License
    Thanks

    Tabish,
    We'll update the latest patch and then look for the work around from any one of our Cisco experts

  • Guest Activity on Cisco ISE

    Is it possible to monitor the web pages visited for a guest using cisco ISE?

    Hi Gino,
    Yes, you can use the Guest Activity option. The Guest Activity report provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.
    This report is available at: Operations > Reports > Endpoints and Users > Guest Activity.
    To use this report you must first:
    • Enable the passed authentications logging category. Choose Administration > Logging > Logging Categories and select Passed authentications.
    • Enable these options on the firewall used for guest traffic:
      – Inspect HTTP traffic and send data to Cisco ISE Monitoring node. Cisco ISE only requires the IP address and accessed URL for the Guest Activity report so, if possible, limit the data to include just this information.
      – Send syslogs to Cisco ISE Monitoring node
    Please check the below link for further information,
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_guest_pol.html#wp1056645

  • How Cisco ISE 1.2 Base licenses are consumed and tracks concurrent endpoint connected to network

    Hello
    I am interested to know how the Cisco ISE 1.2 base licences are consumed. As per the Cisco ISE 1.2 user guide, "The Base License is consumed whenever an authentication notification is received by Cisco ISE."
    Based on the above statement I have the following queries:
    RADIUS being a UDP-based request, it's only during the time the endpoint is authenticated and authorized that the base license is consumed, and then it is released. Then how does Cisco ISE track the concurrent endpoints connected to the network?
    Thanks
    Kumar

    thanks for the reply Tarik.
    As I understand, you mean that a base license is consumed by every radius authentication request and then the license is free to be utilised again.
    Also, would this mean that if Radius accounting is turned off, then concurrent sessions will not be tracked?
    Thanks
    Kumar

  • Cisco ISE: How to match an endpoint belong to an identity group ?

    Hello,
    I am running Cisco ISE 1.1.4.218 in a standalone environment.
    I am trying to setup Compound Condition for Authorization.
    I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
    I created 1 endpoint identity group and 2 children groups
    - GroupParent
         - ChildA
         - ChildB
    I put the MAC address of my machine in the group ChildA.
    In my condition, I tried the following:
    IdentityGroup:Name, Equals, ChildA
    IdentityGroup:Name, Equals, GroupParent:ChildA
    IdentityGroup:Name, Match, .*(ChildA).*
    I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
    IdentityGroupName, Equals, GroupParent
    IdentityGroupName, Match, .*(GroupParent).*
    But none of these options worked.
    I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
    Can anyone help me ?
    Best regards,
    David

    You could try the following to match only the parent group
    IdentityGroup:Name EQUALS GroupParent
    You could try the following to match only child group A
    IdentityGroup:Name EQUALS GroupParent#ChildA
    You could try the following to match all child groups of GroupParent
    IdentityGroup:Name STARTS_WITH GroupParent
    Please rate if this helps

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentication.
    3.] As long as a PSN is not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says EAP session timed out.
    In your case, the 3rd option seems to be the closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

    Hi!!
    We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
    I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
    Thanks and regards!!

    Yes, it is possible to map a Sponsor group to a user group in AD, and if you want to know how to do it please open the link below and go to the Mapping Active Directory Groups to Sponsor Groups heading.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

  • Cisco ISE 1.3 Active Directory issue

    Hi Folks
    I am having an issue with our Cisco ISE and would love some feedback or a solution. I have to ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration >  Identity Management > External Sources page and select our AD instance from the left hand side window the screen locks up and refuses to load.  Any advice?

    Hi,
    I also had this issue (and one of my colleagues also) when using Firefox (version 34 and 35).
    I managed to create the AD server using IE 10 for example, and after that it appears correctly with Firefox.
    It was before ISE 1.3 patch 1, but I have seen no corrected issue in the patch 1 release notes for this problem.
    guillaume

  • Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

    We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
    They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
    From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
    Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these types of checks possible with Cisco ISE posture assessment on a Linux endpoint?
    One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
    I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
    Any thoughts? Thanks in advance.

    Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
    Thank you for rating helpful posts!

  • Cisco ISE usage quotas

    Hi All,
    I need to know if usage quotas are supported on Cisco ISE. After doing some research I found that it was supported on ACS 4.x and removed from ACS 5.x. In brief, we need to be able to assign and track volume and time based quotas for users accessing either via switches, WLC or remotely.
    Regards,

    Afaik there's no quota, but I think you could use a little trick (and I remark I'm guessing a little here)
    You can configure Access Settings > Max Session User Settings
    And then you can configure System Administration > Max User Session Global Settings > Max User Session Timeout
    Max User Session Timeout Settings
    Unlimited Session Timeout
    No timeout.
    Max User Session Timeout
    Once the session timeout is reached, ACS sends a fake STOP  packet to close the respective session and update the session count.
    Note The user is not  enforced to logout in the device.
    So I guess if you want a "quota" of 3 hours you can configure "max user session timeout" of 1 hour and set "Max session user setting" of 3.
    But if you log out I guess the "quota" reverts to zero, so there's no "accumulative quota". I repeat I'm guessing here, sadly I don't have time right now to test it.
    Kind regards

  • Cisco ISE with Active Directory

    Dears,
    I have 1 switch connected to Cisco ISE 1.3, 6 PCs and Active Directory.
    My responsibility is to make a policy on the Cisco ISE denying any one of these 6 PCs access to
    the network unless it's joined to the Domain (AD).
    I don't know how to do that and I'm new to Cisco ISE.
    Can someone help me with the procedure, or a helpful link for my task, or any hint of what to search for?
    I did the integration between the Cisco ISE and AD but I still don't know where and how to put the policy on the ISE saying that if one of these devices is not on the domain, kick it out of the network.
    thanks,

    machine + user authentication

  • Reauthentication Problem in Endpoints Using Cisco ISE 1.1

    Hi,
    Can anyone suggest me if laptop/desktop goes on sleep mode or keep connected with interface configured for 802.1X for more than 12 hours it does not work or not connect to Exchange server, Cisco ISE console, office communicator...
    For re-authentication I need to restart the PC/laptop or unplug and replug the LAN cable from it!
    But before restarting I am able to ping all DNS, DHCP, OCS, everything....
    below is the interface configuration
    sh running-config interface gigabitEthernet 3/0/19
    Building configuration...
    Current configuration : 909 bytes
    interface GigabitEthernet3/0/19
    description Access Ports
    switchport access vlan 309
    switchport mode access
    ip access-group ACL-ALLOW in
    no logging event link-status
    power inline never
    srr-queue bandwidth share 1 60 30 10
    srr-queue bandwidth shape 10 0 0 0
    priority-queue out
    authentication control-direction in
    authentication event fail action next-method
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    mls qos trust dscp
    dot1x pae authenticator
    dot1x timeout tx-period 10
    no cdp enable
    spanning-tree bpduguard enable
    spanning-tree guard loop
    service-policy input access_in
    ip dhcp snooping limit rate 20
    end

    Hi Sachin,
    Thanks for your prompt response. Here is the port configuration. My users are connected behind Cisco IP Phone & We are using CWA for wired guest as well.
    interface GigabitEthernet0/1
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Thanks
