Cisco ISE Admin and EAP certificate renewal

Similar Messages

• No longer using Linksys router. Should I uninstall Cisco LEAP, PEAP, and EAP?

  Should I uninstall the Cisco LEAP, PEAP, and EAP programs if I am no longer using a Linksys router?  I am replacing with an Asus router.
  thanks,
  KG

  Hi! It's best to uninstall them all if you are not going to use them for the sake of freeing some memory on your computer. Should you change your mind and get a new Linksys router one of these days, I am sure it will come with its own installation software anyway.

• Cisco ise 1.2 install certificates for ise cluster question

  hello all i have an ise cluster of 4 devices. 1 primary admin/secondary monitor, 1 secondary admin/primary admin and 2 policy nodes
  i need to install public CA certs on them. can I generate 1 CSR on one of the nodes, that includes a SAN with the DNS names of all the nodes?
  Therefore get only 1 cert from the CA, and export and import the same cert into all the other nodes?
  or do i have to generate 1 CSR for each node and purchase 4 certs? Wild card certs is not an option. tHANKS,

  ISE allows you to install a certificate with multiple Subject Alternative Name (SAN) fields. A browser reaching the ISE using any of the listed SAN names will accept the certificate without any error as long as it trusts the CA that signed the certificate.
  The CSR for such a certificate cannot be generated from the ISE GUI. http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/113675-ise-binds-multi-names-00.html
  Cisco ISE checks for a matching subject name as follows:
  1. Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node's FQDN.
  2. If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.
  3. If no match is found, the certificate is rejected.
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• Cisco ISE functionally and license

  HI. 
  I wanna configure the following on Cisco ISE 1.2.1.
  Self-registration portal for guests (SSID: guests)
  802.1x user certificate check (Cisco NAM supplicant) for employees (SSID: Corporate) (EAP-TLS)
  Self provisioning portal (to deploy BYOD certificate and give access for BYOD devices) for BYOD devices (SSID: Corporate) (PEAP, MSHAPv2)
  Can I configure these things with PLUS license or do I need Adv or Wireless? I am not sure if one of these requires profiling functionally.

  With plus license all the above items should work.
  Here is what plus license supports:
  Bring Your Own Device (BYOD)
  Profiling
  Endpoint Protection Service (EPS)
  TrustSec SGT
  For more info, refer ISE license section:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_license.html#41012
  Regards,
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes

  Dear Folks,
  Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far. But, still the connectivity is intermittent. Is there any list for all applicable Hot-Fixes?
  OS = Win 7 SP1 (32/64 Bit) and Win 8
  Thanks,
  Regards,
  Mubasher Sultan

  Hi Mubasher
  KB2481614:      If you’re configuring your 802.1x settings via Group Policy you’ll see      sometimes EAP-PEAP request from clients in your radius server log during      booting even if you’ll set EAP-TLS. This error happened in our case with      1/3 of the boots with some models. The error is caused by a timing problem      during startup. Sometimes the 802.1x is faster and sometimes the Group      Policy is, and if the 802.1x is faster than the default configuration is      taken, which is PEAP. Which lead to a EAP-NAK by the radius server.
  KB980295:      If an initial 802.1x authentication is passed, but a re-authentication      fails, Windows 7 will ignore all later 802.1x requests. This hotfix should      also fix a problem with computers waking up from sleep or hibernation –      but we’ve disabled these features so I can’t comment on them.
  KB976373:      This hotfix is called “A computer that is connected to an IEEE      802.1x-authenticated network via another 802.1x enabled device does not      connect to the correct network”. I can’t comment on this, as we’ve not      deployed 802.1x for our VoIP phones at this point.I would guess it is the      same for Windows 7 too. The linked article tells you to install the patch      and set some registry key to lower the value.
  KB2769121:      A short time ago I found this one: “802.1X authentication fails on a      Windows 7-based or Windows 2008 R2-based computer that has multiple      certificates”. At time of writing I’m not sure if it helps for something      in my setup. According to the symptoms list of the hotfix, it does not,      but maybe it helps for something else, as the one before does.
  KB2736878:      An other error during booting – this time it happens if the read process      starts before the network adapter is initialized. Really seems that they      wanted to get faster boot times, no matter the costs.
  KB2494172:      This hotfix fixes a problem if you’ve installed a valid and invalid      certificate for 802.1x authentication. The workaround is just deleting the      invalid certificate. I’m not sure at this point if it affects also wired      authentication.
  KB976210:This      problem occurs only during automated build processes and if you use an EAP      method which needs user interaction – as I don’t do that I can’t comment      on this hotfix.
  For more information please go through this link:
  http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
  Best Regards:
  Muhammad Munir

• Cisco ISE - Computer and User Authenticiation on AD for Wireless Clients.

  Hello all,
  I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
  The AD user authorization works fine, but I cannot see on the logs a challenge for the computer verification (it must be a domain member).
  I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.
  Can you explain me if this fact is involved by the ISE configuration or by the client configuration ?
  Thanks a lot for your help.
  The followings screenshots show the logs appearing in the ISE :  
  Kind regards, Emeric.

  This is a great question and I wanted to add my input and I have a question as well. My understanding in order to do both Machine and User EAP-Chaining is required, which used EAP-FAST. 
  In my testing, when a domain box is configured for computer/user authentication. When the laptop started up it will authenticate with a host/ and sid in the log.
  When the user logs in you then see the user ID.
  For my benefit when rule are you talking about ?
  Thank you 

• Cisco ISE CLI and GUI password expire

  I had Cisco ISE version 1.1  i face a problem with the CLI and GUI password, as it expire and i can't login, i do the password reset using the ISE DVD,
  i navigate to the ISE CLI, and do the following commands:
  conf t
       password-policy
            no password-expiration-enable
  and reset the GUI admin password, using the command:
       # application reset-passwd ise admin
  from the ISE GUI i had remove the option for diable admin account after 45 days.
  but after 60 days the password expire again.
  so kindly advise what to check for this expire issue.

  Hi Mostafa,
  Yes, the last reply was more towards GUI password-mgmt because in maority of cases it happens with UI admin account. I need to know if you've restarted the ISE after disabling the expiration from the CLI because what I read few weeks ago in an internal defect that password policy configurations are not preserved on cli after restart so just to check could you please check the current settings on CLI w/ the help of show run | in password-policy.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE guests and Ironport

  Hi All,
  I'm currently writing a HLD for a Cisco ISE rollout in my organization, and I've come across sort-of-an-issue:
  I'm planning on getting the guests in through the ISE Guest portal, but I also want to push them through an authenticated proxy(for accounting purposes) instead of a transparent one... however, I can't seem to find a way to somehow integrate Ironport and ISE in order to achieve some sort of an SSO, to avoid users having to enter their credentials twice(guest portal and ironport)- has anyone got a working solution for this?
  Any constructive input appreciated!
  Thanks!

  Thanks for the swift responses and suggestions!
  I'll most certainly have a look at the proposals...
  However,  I still want the guest users to go through the S370, as it's not only  for accounting purposes, but I want them to authenticate, since it would  make tracing and pinning events to a person way easier - that's the  main reason why I'm trying to find a solution that might act like an  SSO. The business side stated that signing in twice(ISE guest portal, then proxy) is unacceptable. I know that there's no direct integration between ISE and Ironport at the moment, and I am going to put in a feature request for that, but for the time being, I am really keen on getting this to work somehow...
  BTW - I'm currently using a virtualised ISE, release 1.1.4., And I've got the 3395's on order...

• 802.1x/EAP-TTLS and EAP Certificate Policies

  Hello,
  I am having a hard time with 802.1x authentication against a radius server I manage. Every time I try to connect, I get a pop up about certificate verification - the certificate cannot be verified because there are no explicit trust settings. This system is to be used to authenticate people on a wireless network we are setting up. The machines and people being authenticated are not managed - I do not have the ability to force a configuration on their computer.
  After researching this it looks like OS X has certificate policies that are consulted depending on the certificate operation requested. For 802.1x, I think the EAP certificate policy and the x.509 basic policy are consulted. These policies are outlined here.
  The problem is that when I get the certificate popup and hit 'View Certificate', I don't see anything that would explain why it is not being verified. Both the server certificate and the CA root certificate are listed as valid. There are no messages about insufficient extended key usage values or hostname mismatches or anything. How can I tell what is actually wrong?

  I was hoping this could be accomplished without having to change the trust settings from whatever the default is. The people who will ultimately be using this are students and staff at a University - a moderate number of which are bothered by any appearance of lower security.
  The root cert is in X509Anchors. The certificate CN is the IP address and the RADIUS server does not have a PTR record in the DNS server.
  If I point Firefox at a website set up on the same machine with the same certificate, there are no complaints. If I use Safari, there is an error about the names not matching but the name listed on the cert according to Safari is the same name I typed in the address field and the same name listed in the ServerName configuration of the web server.
  Just kind of a weird problem.

• Cisco Expressway C and E Certificates

  Hi
  I need some help on expressway C and E certificates. I need to know which certificates are reuired on both the systems.
  What is the complete procedure to generate the license from internal Microsoft CA server and upload these certificates to Expressway C and E?
  Regards
  Rohit Mahajan

  Here is the document Jamie is referring to:
  Expressway Certificate Creation and Use Deployment Guide

• Cisco ISE: HotFix and Timers for 802.1x (EAP-TLS)

  Hi,
  I found the below Hot-Fix to be set;
  http://blogs.technet.com/b/jeff_stokes/archive/2013/01/24/20-minute-delay-deploying-windows-7-on-802-1x-fix-it-here.aspx
  Kindly let me know that what is the best time to be set on it. It tells 20 mintues. Also, i wanna know that what is the corresponding configuration needs on Switch and ISE to reflect it or doesn't need it.
  Thanks,
  Regards,
  Mubasher Sultan

  Hello Mubashir,
  Many timers can be modified as  needed in a deployment. Unless you are experiencing a specific problem  where adjusting the timer may correct unwanted behavior, it is  recommended to leave all timers at their default values except for the  802.1X transmit timer (tx-period).
  The tx-period timer defaults to a value of 30 seconds.  Leaving this value at 30 seconds provides a default wait of 90 seconds  (3 x tx-period) before a switchport will begin the next method of  authentication, and begin the MAB process for non-authenticating  devices.
  Based on numerous deployments, the best-practice  recommendation is to set the tx-period value to 10 seconds to provide  the optimal time for MAB devices. Setting the value below 10 seconds may  result in the port moving to MAC authentication bypass too quickly.
  Configure the tx-period timer.
  C3750X(config-if-range)#dot1x timeout tx-period 10

• Cisco ise upgrading and licences

  I nedd to upgrade from version 1.1.2 patch 4 to 1.1.3
  the deployment is distributed so the split deployment technique needs to be used:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/upgrade_guide/upg_dis_dep.html#wp1052969
  the guide is quite hard to follow as there are some licensing informations missing that can potentially cause service downs:
  in particular my questions reguarding the guide are:
  --- OUR licence is registered to the primary PAN node only----
  1) Deregistering primary PSN "D" node : what licence it will use? the inherited (10000 endpoints) or will it lose the licence completely and lock the network authentications?
  2) When node "B" will be deregistered and will become standalone what happens to its licence ? will it be lost? and what will happen to the node "D" when added back to the node "B" ?
  3) when I will switch back node "A" (after upgrade and registration to node "B") to its previous primary PAN state it is stated that the licence needs to be reloaded in it cause it was lost when adding it to node "B".... and in the meanwhile? no node will authenticate cause the primary node is without a licence?
  TY

  Giuliano,
  De-registered node will always use it's own license, i.e. it becomes standalone box without knowledge or information of anything around it. Either the evalutaion or whichever license you have supplied it with.
  License enforcement is performed by active admin node in cluster, according to its license.
  Have a look at:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCug04405
  I don't think license needs to be reloaded, but that may be just my memory not serving me. I'll double-check that one.
  M.

• Cisco ISE IPEP and Non Radius Authenticator

  Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication can use an IPEP for policy enforcement without converting the authenticator (juniper / aruba etc…) to a Radius request to a PDP for the IPEP to build the session from?
  Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?
  I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.
  Anyone have any exmaples or traffic flows if this is possible?
  Thanks,
  Michael Wynston

  Got my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.
  Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
  Guess not
  Sent from Cisco Technical Support iPhone App

• Cisco ISE with EAP-FAST and PAC provisioning

  Hi,
  I have search with no result on this topic. So, Does anyone have implemented Cisco ISE authentication with EAP-FAST and PAC provisioning ?
  Since I have an issue with internal proxy, user required to authenticate with an internal proxy before granting access to the internet.
  If you have any documents, it would be appreciated for me.
  Thanks,
  Pongsatorn

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• Inline Posture between Cisco ISE and Wireless LAN Controller

  Hi,
  I was looking into Cisco ISE solution for deploying NAC.
  I have a question about the network topology.
  In  the user guide documents of cisco ISE, it is written that for Wireless  LAN Controllers (WLC) and VPN devices, an additional server, Inline Posture, is needed.
  However, in the following integration document, there is not an inline posture between WLC and Cisco ISE server.
  https://supportforums.cisco.com/docs/DOC-18121
  I  want to know if Inline Posture is a requirement, if not a  requirement, what are the benefits of having it between Cisco ISE Server  and WLC.
  Thanks & Regards
  Sinan

  Hello,
  Please go through below mentioned links which might be helpful for you.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
  http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html
  Best Regards,