Cisco ISE and Authentication Failed VLAN

Similar Messages

• Cisco ISE and authentication for 802.1x printer

  Hello
  What is the best practice to authenticate a 802.1x printer in Cisco ISE?
  The printer can store a certificate for authentication and support EAP-TLS.
  Thanks for answer.
  Marco

  EAP-TLS is the way to go. It is way way way more secure than MAB and profiling. However, the question is "How much of a hassle is it going to be to put a certificate on each printer?" Moreover, "What methods do I have (if any) to renew those certificates when they expire?" If have to manually generate a CSR and install a cert on each printer then it can quickly become an administrative overhead nightmare. With that being said, you can use MAB and profiling but just make sure that you lock down the access that those printers get. For instance, do they need access to the internet? Do they need access to anything else but the print server and/or open to all IPs access but only on the printing ports. 
  I hope this puts you in the right direction!
  Thank you for rating helpful posts!

• Cisco ISE Guest Authentication Failed : 86020: Unknown exception

  Hi,
  I would like to check what may be causing the error message 86020:unknown exception for ise when guest user authenticates via wireless using CWA? I have also attached a screen capture of the error and after the authenitcation logs change to autheorization only succeed after a repeated trying. Based on user feedback for failed login, When guest user gets conected to wirless and login in to guest  portal with credential after putting credential  then its again redirect  to same login page wihout successful login prompt; not too sure if there may be any settings that may be looked into and the reason for the unknown exception error?
  Any suggestion/recommendation is appreciated.

  Hi Tarik,
  Not too sure if i understand on the static hostname for redirection; there are 2 PSNs for the deployment however they are acting as active/secondary for the wireless (This is done from the wlan on the wlc to set the primary/secondary radius server). From the guest redirection; it is always hitting the primary radius server defined on the wlan/wlc. The ise is running version 1.1.4 with patch 8 applied.
  Not  too sure if there may be any settings that may be looked into for the guest authentication/redirection and the reason for the unknown exception error?
  Thanks.

• Cisco ISE User Authentication Certificates for Wired and Wirless Users (BYOD)

  Can any one tell me from where we can purchase User Authentication Certificates for Wired and Wireless Users (BYOD) for Cisco ISE. Also Confirm what certificates we required for the purpose.
  Please suggest the Website form where we can purchase and ipmort in Cisco ISE certificate Section.
  Thanks.

  Dear Mohana,
  Thanks for your reply, Can you please confirm me in regards EAP-TLS certificate, which authorities you recomend if i go to Go dadday or very Sign to buy it and then import in ISE.
  Looking forward for your reply.
  Regards,
  Muhammad Imran Shaikh
  Resident Engineer, IT Network Section - PPL
  Mobile : 0092-312-288-1010
  LinkedIn : pk.linkedin.com/pub/muhammad-imran-shaikh/10/471/b47/

• Cisco ISE and SecurID Integration Questions

  I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
  We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
  We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
  The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
  My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
  I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It apears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no-longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
  Thanks!

  The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
  Have you already gone through the below listed link?
  http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
  Regards,
  Jatin Katyal
  - Do rate helpful posts -

• ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

  Hello
  We are in the process of evaluating the Cisco ISE VMWare appliance with a view to replace our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD).  Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect the that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
  Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
  Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

  Seems like your issue maybe related to DNS, when ISE receives the format [email protected], the dns request is failing. However, there is a setting for alternate UPN Suffixes that can be configured to include domain.com and student.domain.com.
  Here is a windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
  http://technet.microsoft.com/en-us/library/cc772007.aspx
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE and WLC Access-List Design/Scalability

  Hi,
  I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seems to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
  User group 1 -- Apply ACL 1 --On Vlan 1 
  User group 2 -- Apply ACL 2 -- On Vlan 1
  User group 3 -- Apply ACL 3 -- On Vlan 1
  The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
  Any suggestion is appreciated.
  Thanks.

  Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
  http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
  The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. 
  Overall, I see three ways to overcome your current issue:
  1. Shrink the ACLs by making them less specific
  2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
  3. Use SGT/SGA
  Hope this helps!
  Thank you for rating helpful posts!

• Cisco ISE 1.3 failed to authenticate wireless endpoint

  Dear all,
  I recently have a big problem of my ISE after upgraded from version 1.2 to 1.3, the original plan is follow for wireless laptop authenticate to our network.
  There are 2 SSID, REG and INT, when the user and laptop first time use the WIFI, they need to request a user certificate from CA, and they need to login to the REG SSID with AD username and password. The Wireless controller 2504 will pass the packet to ISE, the use will use 802.1x authen method with PEAP to request for cert. if the authentication successful, the user need to open a web browser and the NSP page of ISE will shown up for user to register, and the CA will generate the user cert to user. Then the SSID will switch to INT and using EAP/TLS to authenticate the user cert with the CA.
  That was fine when working in ISE 1.2. However, after upgrade to 1.3 because of the proxy setting in 1.3 allow to input username and password which our proxy server required and cannot be changed. Under 1.3 the authentication failed even in the first step of authentication policy of ISE, the policy will check if the laptop using 802.1x and login by AD account, then it will pass to authorization policy. But when I check the log, there is always have the error message 5411 Supplicant stopped responding to ISE , 12930 Supplicant stopped responding to ISE after sending it the first PEAP message , 5440 Endpoint abandoned EAP session and started new
  I have search long time in the Internet but without any help, appreciate if any expert can help me. I have also upload the debug message from our ISE for reference.
  Thank you
  Best Regards,
  Terry Chow

  Hi Terry,
  Just wondering if you got an answer to your problem?
  I am deploying a new solution with ISE 1.3 and I was having a similar problem with my wireless users when I tried to enable it last night
  Cheers,
  John

• IP address in ISE live authentication after vlan change

  Hi all,
  on ISE live authentication dashboard we can see IP address of the client (known from FRAMED-IP-ADDRESS).
  But what about vlan change and the situation when client gets new IP address after relocation to different vlan.
  Live logs shows only the first IP address - client mapping (from the guest vlan), after authorization new vlan and dACL is assigned but logs don't include new IP address.
  session ID is the same all the time.
  so maybe ip helper or other trick?
  regards

  thx for reply.
  I added "aaa accounting update newinfo" and I'll see tommorow how it works with anyconnect and 802.1x.
  Meanwhile I think I must clarify what I meant
  Not all logs have IP address present in live authentication (this is MAB for test only)
  the situation with 802.1x and anyconnect is a bit better cause there are IP addresses but only from the first dhcp address assignment (authentication open with default ACL). Then if the policy changes vlan and the client gets new IP address from different scope we have wrong information in this log.
  but getting back to our MAB...
  details of this entry looks like:
  so this is probably the reason that no IP address is visible it was too soon for MAB to get this info and send it as framed IP address (according to this config command "radius-server attribute 8 include-in-access-req")
  nevertheless clicking the accounting details (from the 2nd screenshot)
  we see that this information is present
  so my first question is on which stage this column is fulfilled? only when "FRAMED-IP-ADDRESS" is send in radius-request? or from accounting?
  maybe ISE should dynamically modify this record after each accounting newinfo message?
  regards

• Cisco ISE and forest trusts vs domain trusts

  Hi All,
  Is there any issues with forest trusts with Cisco ISE ?
  I have a customer that had external trusts and ISE was working ok for PEAP MSChapv2 user auth across domains.
  They recently removed external trusts and changed to forest trusts.  Now auth doesn't work.  Initial error was authc ok, authz fail.
  I can search and get lists of AD groups ok for the remote domain. 
  Using the attribute tab, I can't get attributes for users in remote domain.  I'm thinking since I can't see the memberof attribute, none of my authz pollicies will work.
  I have done "leave" and "join" domain again.
  In my lab, I have forest trusts and it actually works ok.  A previous poster talked about kerberos issues across forest trusts ?
  Cheers
  Peter. 

  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
  Kindly find the steps on the page no.170

• ISE EAP Authentication fails

  I've integrated a new ISE deployment, After a while I start getting the following error below, for wired users, it randomly fails on different users  
  The NAD I use is WS-C3650-48PD with the following 03.03.03SE cat3k_caa-universalk9 version, 
  All was working properly for one month, all of a sudden it has started to report such error   
  I tried to optimize the timers , but it's still the same
  Also when I do clear authentication on the same user who has failed the authentication passed
  Please advice
  Event
  5400 Authentication failed
  Failure Reason
  12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
  Resolution
  Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
  Root cause
  Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

  IOS-XE has been very problematic. The version of code that you are running is not that old but I would recommend that you upgrade it. I have heard very positive feedback for v.3.7.0 but it is fairly new so if you want to be safe I would suggest running the 3.3.5.
  Thank you for rating helpful posts!

• Uploading Youtube Vid. URL to Cisco Show and Share failed

  Uploading Youtube Vid. URL to Cisco SnS failed. I get error msg. : Connection to video server failed

  Chris,
  The YouTube videos are typically Flash content.
  The key here is that you need to download the Flash content
  yourself and then Upload to the Show and Share.
  Use the DIRECT URL of the Flash Content on YouTube to download
  the FLV to you Personal device.  After file successfully download, simply
  upload the file to Show and Share.
  For example:
  Cisco Show and Share Flash Demo
  http://www.youtube.com/watch?v=ZzquCVvS0qQ
  * this link is the actual Dashboard URL not the video link
  http://v4.lscache8.c.youtube.com/videoplayback?ip=0.0.0.0&sparams=id%2Cexpire%2Cip%2Cipbits%2Citag%2Calgorithm%2Cburst%2Cfactor%2Coc%3AU0dWRlRRVF9FSkNNNl9MS1hB&fexp=904405%2C901902&algorithm=throttle-factor&itag=34&ipbits=0&burst=40&sver=3&expire=1271466000&key=yt1&signature=1E65C92607546EA03DE0D1082884574D3F58AD0F.93FF9FDB00B10B44BBB52F31AADF3EB50FCEB7CC&factor=1.25&id=673aae095bd2d2a4&
  * Actual URL of Video Content
  ========================================================
  FOR THOSE THAT ARE USING OSX & SAFARI:
  ======================================
  If you need to download FLASH Content for TESTING in your DMS Solution, You
  can download Flash Videos from YouTube.
  Note: The Video Quality is NOT HD or even SD...  it is ID (Internet Definition)
        Also, the downloaded file will be a .flv Flash File.
  1. Open a Video on YouTube, Google Video etc.
  2. Press "Alt+Cmd(Apple-Key)+A" - A window opens named "Activity".
  3. Select the ".flv" file (looking on filesize helps) and press "Cmd(Apple-Key)+C" to copy.
     Paste with "Cmd(Apple-Key)+V" the URL to your Adress Bar and press Enter.
  4. If you need a different video format such as MPEG, WMV, or SWF; you will need to convert
     the downloaded ".flv" file with VisualHub or VLC
  If this answers your question, Please take time to mark this
  discussion answered & rate the response. 
  Thank You!
  T.

• Inline Posture between Cisco ISE and Wireless LAN Controller

  Hi,
  I was looking into Cisco ISE solution for deploying NAC.
  I have a question about the network topology.
  In  the user guide documents of cisco ISE, it is written that for Wireless  LAN Controllers (WLC) and VPN devices, an additional server, Inline Posture, is needed.
  However, in the following integration document, there is not an inline posture between WLC and Cisco ISE server.
  https://supportforums.cisco.com/docs/DOC-18121
  I  want to know if Inline Posture is a requirement, if not a  requirement, what are the benefits of having it between Cisco ISE Server  and WLC.
  Thanks & Regards
  Sinan

  Hello,
  Please go through below mentioned links which might be helpful for you.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
  http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html
  Best Regards,

• Cisco ISE and Fast User Switching

  Greetings,
  In our deployment, we are interested in utilizing the "Fast User Switching" that is contained within the Windows Functionality.   After searching for quite a while, I see that the native Windows supplicant is not compatible with Fast User Switching.   It does not appear that Anyconnect is either.   Can you please inform me as to what suppluicant I would need to research in order to allow for the User Switchign Functionality?
  We are currently using ISE 1.2 Patch 4.
  Thank You for any assistance.
  David

  The  NAC Agent for Cisco ISE does not support Windows Fast User Switching  when using the native supplicant. This is because there is no clear  disconnect of the older user. When a new user is sent, the Agent is hung  on the old user process and session ID, and hence a new posture cannot  take place. As per the Microsoft Security policies, it is recommended to  disable Fast User Switching.
  Source:
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_pos_pol.html

• Cisco ISE and Switch 3560-X

  Good Morning,
  I am conducting an implementation of Cisco ISE version 1.2.1.198 with all its features on a switch 3560-X and in the ISE compatibility chart the minimum version for this switch would be the IOS v 15.0.2-SE2 (ED).
  My doubt is whether i need the feature ipbase or just the lanbase would be sufficient to meet all the features of 802.1x for the Cisco ISE.
  I appreciate the attention and Thanks,

  Please see the "Cisco Secure Access and Cisco TrustSec Release 5.0 System Bulletin".
  It notes that the 3560-X requires IP base license for all the 802.1X features.