Cisco ISE CLI and GUI password expire

I have Cisco ISE version 1.1 and I face a problem with the CLI and GUI password: it expires and I can't log in. I do the password reset using the ISE DVD,
navigate to the ISE CLI, and run the following commands:
conf t
     password-policy
          no password-expiration-enable
and reset the GUI admin password using the command:
     # application reset-passwd ise admin
From the ISE GUI I had removed the option to disable the admin account after 45 days,
but after 60 days the password expires again.
So kindly advise what to check for this expiry issue.

Hi Mostafa,
Yes, the last reply was more towards GUI password management, because in the majority of cases it happens with the UI admin account. I need to know if you've restarted the ISE after disabling the expiration from the CLI, because what I read a few weeks ago in an internal defect is that password policy configurations are not preserved on the CLI after a restart. So, just to check, could you please check the current settings on the CLI with the help of show run | in password-policy?
~BR
Jatin Katyal
**Do rate helpful posts**
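The check suggested above, whether the CLI password-policy block looks the same after a restart as it did before, can be automated by capturing the node's `show running-config` output on both occasions and comparing the parsed settings. The following script is an added example written for this page, not code from the thread or from Cisco. The two running-config excerpts in it are constructed; the keyword spelling `password-expiration-enable` is taken from the post above (the parser also accepts `password-expiration-enabled`), and the exact keywords should be confirmed against your own node's output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample captures of `show running-config` from an ISE node
# (not real device output). Sub-mode keywords follow the thread above;
# verify them against your own node before relying on this parser.
RUNNING_CONFIG_BEFORE_RESTART = """\
!
hostname ise
!
password-policy
  lower-case-required
  upper-case-required
  digit-required
  no password-expiration-enable
  password-expiration-days 45
  password-lock-enabled
  password-lock-retry-count 3
!
"""

# Same node after a restart: the "no" has silently disappeared.
RUNNING_CONFIG_AFTER_RESTART = """\
!
hostname ise
!
password-policy
  lower-case-required
  upper-case-required
  digit-required
  password-expiration-enable
  password-expiration-days 45
  password-lock-enabled
  password-lock-retry-count 3
!
"""


@dataclass
class PasswordPolicy:
    expiration_enabled: Optional[bool]  # None = keyword absent, verify manually
    expiration_days: Optional[int]      # None = not set in the capture
    lock_enabled: Optional[bool]


def extract_password_policy_block(config: str) -> List[str]:
    """Return the indented sub-mode lines under 'password-policy' ([] if absent)."""
    block: List[str] = []
    in_block = False
    for line in config.splitlines():
        if not in_block:
            if line.strip() == "password-policy":
                in_block = True
            continue
        # Sub-mode lines are indented; a column-0 line (e.g. '!') ends the block.
        if line.startswith((" ", "\t")) and line.strip():
            block.append(line.strip())
        else:
            break
    return block


def parse_password_policy(config: str) -> PasswordPolicy:
    """Pick the expiration- and lock-related settings out of the capture."""
    enabled = days = lock = None
    for entry in extract_password_policy_block(config):
        m = re.fullmatch(r"(no )?password-expiration-enabled?", entry)
        if m:
            enabled = m.group(1) is None  # a leading 'no ' means disabled
            continue
        m = re.fullmatch(r"password-expiration-days (\d+)", entry)
        if m:
            days = int(m.group(1))
            continue
        m = re.fullmatch(r"(no )?password-lock-enabled?", entry)
        if m:
            lock = m.group(1) is None
    return PasswordPolicy(enabled, days, lock)


def expiration_drifted(before: str, after: str) -> bool:
    """True if 'expiration disabled' was set before but is not clearly set after.

    An absent keyword after the restart counts as drift: the device default
    would then apply, which is exactly what an admin wants flagged.
    """
    b = parse_password_policy(before)
    a = parse_password_policy(after)
    return b.expiration_enabled is False and a.expiration_enabled is not False


if __name__ == "__main__":
    for label, cfg in (("before", RUNNING_CONFIG_BEFORE_RESTART),
                       ("after", RUNNING_CONFIG_AFTER_RESTART)):
        print(label, parse_password_policy(cfg))
    if expiration_drifted(RUNNING_CONFIG_BEFORE_RESTART, RUNNING_CONFIG_AFTER_RESTART):
        print("WARNING: CLI password expiration was re-enabled after the restart")
```

Feed the function real captures by pasting the output of `show running-config` (the filtered `show run | in password-policy` from the post only returns the lines that contain that string, so the full running-config is the better input here). The comparison treats a missing keyword as drift on purpose, since the device default would then decide whether the password expires.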

Similar Messages

  • ISE and AD Password Expiration Notification and allow user to change

    We are almost ready to go live with ISE for our VPN users.
    One last thing that has been asked is, how can we make ISE prompt a user when their AD password is about to expire, and allow them the opportunity to change it at that time?
    I know the ASA has the ability if it is authenticating directly against AD, but that functionality goes away with IPN. So what settings are there to prompt users connecting via Anyconnect to the ASA VPN through ISE?
    We do not have ISE setup for internal users/systems yet, this is strictly a VPN only setup for now.
    Thanks,
    Dirk

    Since we are using the RADIUS protocol, password expiration notification will not occur. The user will be prompted when the password expires. With LDAP over SSL, the user would be notified that "your password will expire in x number of days", but we can't pick that method as it would need the ASA integrated directly with AD/LDAP.
    Since we have ISE in between acting as a RADIUS server, we have to live with the option where the user will not be notified but the password can be changed by the end user.
    Procedure for Configuring RADIUS Password Management
    Requires that the RADIUS server/ISE be integrated with an Active Directory MS-AD server.
    1. Enable "password-management" in tunnel-group/Connection Profile.
    Note: "password-management password-expire-in-days X" will not work, use just "password-management"
    2. Ensure that MSCHAPv1/MSCHAPv2 is enabled on the RADIUS/ISE server.
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ISE Admin and EAP certificate renewal

    Hi board,
    maybe I'm asking a rather dumb question here, but anyway :)
    I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.
    Here's the thing I do, when I initially install an ISE node
    1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
    2.) Sign CSR and bind certificate on ISE node - done
    Now after 10 months or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
    CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)
    So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and more important non-disruptive way of doing this.
    How do you guys do this in your deployments?
    Thanks in advance and sorry again if this is a silly question.
    Johannes

    You can install a new certificate on the ISE before it is active. Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart.
    Certificate Renewal on Cisco Identity Services Engine Configuration Guide
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

  • Cisco ISE functionally and license

    Hi.
    I want to configure the following on Cisco ISE 1.2.1:
    Self-registration portal for guests (SSID: guests)
    802.1x user certificate check (Cisco NAM supplicant) for employees (SSID: Corporate) (EAP-TLS)
    Self-provisioning portal (to deploy BYOD certificates and give access to BYOD devices) for BYOD devices (SSID: Corporate) (PEAP, MSCHAPv2)
    Can I configure these things with the PLUS license or do I need Adv or Wireless? I am not sure if one of these requires profiling functionality.

    With plus license all the above items should work.
    Here is what plus license supports:
    Bring Your Own Device (BYOD)
    Profiling
    Endpoint Protection Service (EPS)
    TrustSec SGT
    For more info, refer to the ISE license section:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_license.html#41012
    Regards,
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco ISE - Computer and User Authentication on AD for Wireless Clients.

    Hello all,
    I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
    The AD user authorization works fine, but I cannot see in the logs a challenge for the computer verification (it must be a domain member).
    I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer.
    Can you explain to me whether this is caused by the ISE configuration or by the client configuration?
    Thanks a lot for your help.
    The following screenshots show the logs appearing in ISE:
    Kind regards, Emeric.

    This is a great question and I wanted to add my input, and I have a question as well. My understanding is that in order to do both machine and user, EAP-Chaining is required, which uses EAP-FAST.
    In my testing, when a domain box is configured for computer/user authentication and the laptop starts up, it will authenticate with a host/ and SID in the log.
    When the user logs in you then see the user ID.
    For my benefit, which rule are you talking about?
    Thank you 

  • Cisco ISE guests and Ironport

    Hi All,
    I'm currently writing a HLD for a Cisco ISE rollout in my organization, and I've come across sort-of-an-issue:
    I'm planning on getting the guests in through the ISE Guest portal, but I also want to push them through an authenticated proxy(for accounting purposes) instead of a transparent one... however, I can't seem to find a way to somehow integrate Ironport and ISE in order to achieve some sort of an SSO, to avoid users having to enter their credentials twice(guest portal and ironport)- has anyone got a working solution for this?
    Any constructive input appreciated!
    Thanks!

    Thanks for the swift responses and suggestions!
    I'll most certainly have a look at the proposals...
    However, I still want the guest users to go through the S370, as it's not only for accounting purposes, but I want them to authenticate, since it would make tracing and pinning events to a person way easier - that's the main reason why I'm trying to find a solution that might act like an SSO. The business side stated that signing in twice (ISE guest portal, then proxy) is unacceptable. I know that there's no direct integration between ISE and Ironport at the moment, and I am going to put in a feature request for that, but for the time being, I am really keen on getting this to work somehow...
    BTW - I'm currently using a virtualised ISE, release 1.1.4., And I've got the 3395's on order...

  • HC - A scientific, graphing, supp complex nums CLI and GUI calculator

    I uploaded all three packages to AUR! Please use the PKGBUILDs there if you want to install this now. Thanks a lot goran'agar and foutrelis for help with the PKGBUILDs.
    AUR links:
    mapm : http://aur.archlinux.org/packages.php?ID=32319
    hc : http://aur.archlinux.org/packages.php?ID=32321
    hcg : http://aur.archlinux.org/packages.php?ID=32320
    UPDATE (28.2.2010) : I now also finally have a github account where you can find the newest version of hc (cli only) which obviously has all the newest things I implemented but on the other hand it may be unstable. Anyway, here's the link : http://github.com/houbysoft/hc
    Hello ArchLinux users,
    some time ago, I was a little unsatisfied with existing calculators (either it was too memory/CPU-consuming (it had to work well, among others, on a 128MB RAM computer), or it lacked the functions I needed (f.ex. nCr and nPr)), and so I decided to write my own command-line (now there also is a GUI version) calculator.
    Here is a little description:
    The goal of this program is to provide an open source calculator with a
    simple and easy-to-use interface, similar to a command prompt, but a lot of
    options and a multitude of functions.
    You can also type "help" in the command prompt if you need any help - or
    contact me here.
    There are two major versions of HC -- a CLI (command line interface) and a
    GUI (graphical user interface).
    To get you an idea, have some screenshots:
    CLI version
    GUI version
    I thought some of you might like it, so I posted it here. It is of course open source (GPL v3) and cross-platform (precompiled for Linux and Windows).
    The calculator's homepage is
    http://houbysoft.com/hc/
    If you're interested, you'll find a lot more details there.
    Please post some feedback/criticism etc.; also please report any bugs - I started this project ~2 months ago so it is not yet completely stable and complete.
    Thanks for reading, give it a try!
    Last edited by y27 (2010-03-01 01:24:13)

    goran'agar wrote: I'm not able to create any PKGBUILD for the application itself as the website executes a php script before allowing the download.
    Thanks a lot, I'll test it out soon.
    If you'd help me with the PKGBUILD for my app itself, the full links are:
    http://houbysoft.com/download/hc-VERSION-TYPE.tar.gz
    where VERSION is the version number, so for example 0.4.2, and TYPE is either linux or src.
    I'm not sure which format of URLs is needed so please ask me if you need something else.
    Also, for windows versions, the urls are:
    http://houbysoft.com/download/hc-VERSION-win.zip
    (in case you care).
    tomd123 wrote: Feature requests: variable assignment and function declaration.
    BTW, have you considered using the python interpreter for your calculations? If the functions you need aren't already in it, you can easily add them.
    Functions and variables:
    I'll put it on my roadmap
    For the python interpreter : yes, I did, but dismissed it because:
    - it's not very convenient - you have to retype stuff to floats if you don't want only integer results
    - it's slow (again, this had to work and take a very small amount of CPU and memory on a 333MHz and 128 MB RAM system), and in algorithms where speed is crucial this would be even more of a concern
    - I know about psyco to speed it up, but AFAIK it doesn't work on 64bit processors
    - I wanted it to be small and minimalistic, installing a python distribution imo isn't
    - I like programming, writing a calculator is fun

  • Cisco ise upgrading and licences

    I need to upgrade from version 1.1.2 patch 4 to 1.1.3.
    The deployment is distributed, so the split deployment technique needs to be used:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/upgrade_guide/upg_dis_dep.html#wp1052969
    The guide is quite hard to follow as there is some licensing information missing that can potentially cause service outages.
    In particular, my questions regarding the guide are:
    --- OUR licence is registered to the primary PAN node only----
    1) Deregistering the primary PSN "D" node: what licence will it use? The inherited one (10000 endpoints), or will it lose the licence completely and lock the network authentications?
    2) When node "B" is deregistered and becomes standalone, what happens to its licence? Will it be lost? And what will happen to node "D" when it is added back to node "B"?
    3) When I switch node "A" back (after upgrade and registration to node "B") to its previous primary PAN state, it is stated that the licence needs to be reloaded in it because it was lost when adding it to node "B".... And in the meanwhile? Will no node authenticate because the primary node is without a licence?
    TY

    Giuliano,
    A de-registered node will always use its own license, i.e. it becomes a standalone box without knowledge or information of anything around it, with either the evaluation license or whichever license you have supplied it with.
    License enforcement is performed by active admin node in cluster, according to its license.
    Have a look at:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCug04405
    I don't think license needs to be reloaded, but that may be just my memory not serving me. I'll double-check that one.
    M.

  • Cisco ISE IPEP and Non Radius Authenticator

    Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication can use an IPEP for policy enforcement without converting the authenticator (juniper / aruba etc…) to a Radius request to a PDP for the IPEP to build the session from?
    Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?
    I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.
    Anyone have any examples or traffic flows if this is possible?
    Thanks,
    Michael Wynston

    Got my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.
    Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
    Guess not
    Sent from Cisco Technical Support iPhone App

  • Urgent help needed. Orcladmin and superuser password expired

    Hi all,
    We have been testing OCS with RTC quite successfully. Now we wanted to show this to a customer and tried to log in today. Now, with the same name and password as always, we get a "Your password has expired" message. We tried to log in with orcladmin but we get the same message.
    I looked it up in the manual but have had no success so far. Does anybody know what to do now? Looks like we are completely locked out.

    Nitai,
    For details you need to look at the OID admin to change the password policy,
    but here are the quick steps on how to disable it.
    From an ORACLE_HOME env set:
    1. type oidadmin
    2. you will need to configure it to point to your OID server if you have not done so already
    3. login as orcladmin + the passwd you used for the other orcladmin //this user is different, again the OID docs will give detail
    4. expand the Oracle Internet Directory Servers
    5. expand [email protected]
    6. expand the Password Policy Management
    7. highlight cn=PwdPolicyEntry
    8. on the right pane, disable the "Enable OID Password Policy:" ; apply
    9. do the same for the "Password Policy for Realm dc=....." //left pane ; apply
    10. exit out of oidadmin
    You should now be able to login via the SSO login.
    Again, for more detail on how to change the passwd policy please review the OID docs.

  • Cisco ISE: HotFix and Timers for 802.1x (EAP-TLS)

    Hi,
    I found the below Hot-Fix to be set;
    http://blogs.technet.com/b/jeff_stokes/archive/2013/01/24/20-minute-delay-deploying-windows-7-on-802-1x-fix-it-here.aspx
    Kindly let me know what is the best time to set on it. It says 20 minutes. Also, I want to know what the corresponding configuration on the switch and ISE needs to be to reflect it, or whether it isn't needed.
    Thanks,
    Regards,
    Mubasher Sultan

    Hello Mubasher,
    Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
    Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer:
         C3750X(config-if-range)#dot1x timeout tx-period 10

  • Copy of files in CLI and GUI... explain it to me...

    I often felt KDE copying/moving/deleting is slow, which is why I decided to measure it...
    So I did this little test: cp a directory with lots of small files from ~/ to ~/some_subfolder
    this is the result:
    Copying with dolphin took 10 minutes.
    Copying with cp -R took 3 minutes.
    maybe anyone here has an explanation for this?
    Last edited by Rasi (2008-04-11 13:46:13)

    IMHO the overhead is because of abstraction layer(s): KDE file handling also offers you the opportunity to copy from/to FTP or SMB or whatever. If the progress bar also shows you the name of the file just copied, that is another little overhead (you said there were lots of files).
    I haven't seen the KDE sources, this is just a guess: a classical speed vs. comfort tradeoff.

  • Inline Posture between Cisco ISE and Wireless LAN Controller

    Hi,
    I was looking into Cisco ISE solution for deploying NAC.
    I have a question about the network topology.
    In the user guide documents of Cisco ISE, it is written that for Wireless LAN Controllers (WLC) and VPN devices, an additional server, Inline Posture, is needed.
    However, in the following integration document, there is not an inline posture between WLC and Cisco ISE server.
    https://supportforums.cisco.com/docs/DOC-18121
    I want to know if Inline Posture is a requirement, and if not a requirement, what are the benefits of having it between the Cisco ISE Server and the WLC.
    Thanks & Regards
    Sinan

    Hello,
    Please go through below mentioned links which might be helpful for you.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html
    Best Regards,

  • Cisco ISE in Apple Mac Environment

    Hi,
    One of our clients needs to implement BYOD in their network. They are using Mac servers and clients. The requirement is to authenticate (wireless) users against the Mac directory server, in order to provide access to resources. I am trying to figure out whether Cisco ISE can perform LDAP authentication with a Mac server. As per this document, Mac server is not a supported external identity source/LDAP server. Currently they are providing access to users by adding MAC addresses to the WLC manually, which is not practical now due to the increase in the number of end devices, and the limitation in MAC addresses supported by the WLC (2048).
    Is it possible to implement this? Has anyone come across a similar scenario?
    Thanks,
    John

    The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other attributes that are associated with the user for use in authorization policies. You must configure the external identity source that contains your user information in Cisco ISE. External identity sources also include certificate information for the Cisco ISE server and certificate authentication profiles.
    Both internal and external identity sources can be used as the authentication source for sponsor authentication and also for authentication of remote guest users.
    Table 5-1 lists the identity sources and the protocols that they support.
    Table 5-1 Protocol Versus Database Support

    | Protocol (Authentication Type) | Internal Database | Active Directory | LDAP [1] | RADIUS Token Server or RSA |
    |---|---|---|---|---|
    | EAP-GTC [2], PAP [3] (plain text password) | Yes | Yes | Yes | Yes |
    | MS-CHAP [4] password hash: MSCHAPv1/v2 [5], EAP-MSCHAPv2 [6], LEAP [7] | Yes | Yes | No | No |
    | EAP-MD5 [8], CHAP [9] | Yes | No | No | No |
    | EAP-TLS [10], PEAP-TLS [11] (certificate retrieval) | No | Yes | Yes | No |

    Note: For TLS authentications (EAP-TLS and PEAP-TLS), identity sources are not required, but are optional and can be added for authorization policy conditions.

    1. LDAP = Lightweight Directory Access Protocol
    2. EAP-GTC = Extensible Authentication Protocol-Generic Token Card
    3. PAP = Password Authentication Protocol
    4. MS-CHAP = Microsoft Challenge Handshake Authentication Protocol
    5. MS-CHAPv1/v2 = Microsoft Challenge Handshake Authentication Protocol Version 1/Version 2
    6. EAP-MSCHAPv2 = Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol Version 2
    7. LEAP = Lightweight Extensible Authentication Protocol
    8. EAP-MD5 = Extensible Authentication Protocol-Message Digest 5
    9. CHAP = Challenge-Handshake Authentication Protocol
    10. EAP-TLS = Extensible Authentication Protocol-Transport Layer Security
    11. PEAP-TLS = Protected Extensible Authentication Protocol-Transport Layer Security
    And for the WLC, check the link: www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo

  • Cisco ISE NTP MD5 hash is 20-Bytes?

    When attempting to configure an NTP authentication-key in the Cisco ISE CLI I noticed that it will not accept an md5 hash of 32 characters (16 bytes). Instead it is expecting a 40 character (20 bytes) hash. That is in line with a SHA-1 hash, not an MD5 hash even though there is no SHA-1 keyword, only an MD5 keyword.
    What's the deal?
    Cisco ISE Version: 1.1.2.145 (Update 3)
    ise/user(config)# ntp authentication-key 75 ?
      md5  MD5 authentication
    ise/user(config)# ntp authentication-key 75 md5 hash ?
      <WORD>  Hashed key for authentication (Max Size - 40)
    ise/user(config)# ntp authentication-key 75 md5 hash 12345678901234567890123456789012
    % ERROR: Bad hashed key.
    ise/user(config)# ntp authentication-key 75 md5 plain test
    ise/user(config)# do show run | i md5
    ntp authentication-key 75 md5 hash 97dc37c94236ec1b4c56871c2e482cbd6f56bd33
    That's not an MD5 hash as it's 40 characters long (20 bytes).

    Hmm, that is an interesting observation. I am guessing that it is a typo and should be "sha-1" because 40 characters is definitely not MD5 :)
    I would suggest you open a case with Cisco TAC and report this. If you get a bug ID or a different answer please let us know. 
    Thank you for rating helpful posts!
