Cisco ISE deployment with HP Swithes

Is there any compatibility matrix of cisco ISE with HP access swithes or there is any features restriction on HP access layer. The HP switches do support 802.1x.
Thanks
Qasim

Qasim,
The only compatibility with network access devices is all related to Cisco gear. It would be best to stick with a full supported solution for the sake of support. In my opinion this will be a nightmare to manage if an issue was to occur.
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Cisco ISE Deployment suggestion required

    Require Assistance on Cisco ISE Deployment for below scenario
    -- We have Three Cisco ISE Appliances and Client has taken Advance Subscription License for 500 users
    -- Client has DC & DR and needs to deploy the Cisco ISE in one Main Office which connects to DC & DR on MPLS Links
    -- Client suggestion was to deploy one ISE node ( Admin + M&T + Policy Server ) in DC and its Standby Secondary in DR
         and only deploy Policy Server in Main Office.
         Idea behind the design is that ,
         1) If DC fails , Cisco ISE related logs will get generated on DR and any Cisco ISE related request will be taken care by Local Policy Server in Main Office .
          2) If Local Policy Server Fails , then ISE node in DC will act as Secondary backup and DR will act Teritary Backup
          below is view
                                         DC
                            Primary Node with Role
                       [Admin , M&T , Policy Server]
                                                                                                                 Main Remote Offic
                                                                                                                  Cisco ISE Node ( Only Policy Server) -----------> Network Devices
                                   DR
                           Secondary   Node with Role
                       [Admin , M&T , Policy Server]
    Please let me know is it possible

    Yes, The scenario is quite achievable also please  review the below link for assistance on deployment of ISE.
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_50_ise_deployment_tg.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf

  • Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

    Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?
    Im trying to follow the trustsec 2.1 guide on IP Phones into LowImpact mode.
    I can get a PC on its own to authenticate via dot1x/tls
    I can get a Cisco IP Phone on its own to authenticate via MAB.
    When the two are on the same switchport, the phone will authenticate but not the PC.  ISE logs EAP timeouts.
    The switchport has the LowImpact port ACL of
    ip access-group ACL-DEFAULT in
    The IP Phone gets a dACL that allows it ok.
    I assume MAB phone and dot1x PC is supported?  Any ideas?
    Thanks in advance.

    The ISE log detailed steps are as follows:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12300  Prepared EAP-Request proposing PEAP with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    5411  No response received during 120 seconds on last EAP message sent to the client

  • Manually Patch Cisco ISE Deployment

    Is there a documented process for manually installing patch bundles in ISE? We had a bad experience last spring with deploying Patch 8 through the "fire and forget" patch installation through the GUI. We have held off far too long on patching our 20 node deployment and I will be asked whether the process failure was due to Patch 8, or whether the patching process itself failed. Please let me know if there is a procedure on how one would go about manually patching a deployment via the CLI.
    Thank you

    install a patch from a primary administration node that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the primary node, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the primary node, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment. Secondary Cisco ISE nodes are restarted consecutively after the patch is installed on those nodes. While installing a patch on secondary nodes, you can continue to perform tasks on the primary administration node.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#pgfId-2476373

  • Cisco ISE integration with third-party firewalls

    Can Cisco ISE be integrated with a third-party firewall (such as Checkpoint), to provide authentication/authorization services to remote VPN user devices (based on device MAC address)?
    The remote user would establish a VPN connection to a third-party firewall, based on a username/password authentication, but the user would only be allowed to send/receive traffic to the internal network if the MAC address of the device being used was authorized by Cisco ISE.
    Thank you in advance.

    Rui,
    I do not think the vpn client sends the ip address in a called-station-id, that might be the public ip address that the client is initiating the request from. If you have an existing radius server or can run a packet capture you should be able to verify that.
    If the client does send the mac address in the radius packet then you can create a custom condition that can be used to check the mac address along with the username to allow it access to the session. However in VPN deployments there is no concept of profiling since 802.1x deployments usually include the client's mac address.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE integration with AD fails

    Cisco ISE Ver: 1.1.2.145
    Windows : Win 2003 Server
    I am attempting to integrate ISE with AD, but ISE won't join AD and joining attempts fails, though I am able to add same domain as external LDAP identity store ?
    1.user used to join the domain has admin permission on AD
    2. ISE resolved the domain correctly
    3.There is a firewall inbetween ISE (192.168.100.10) & AD (172.16.100.1), but all the traffic are permited.
    4. No NATing taking place, Firewall is forwarding all trafic between ISE & AD
    Can't really understand why AD connection fails
    From ISE Interface - Detailed Test Connection
    Adinfo (CentrifyDC 4.5.0-357)
    Host Diagnostics
      Uname: Linux Iseadn 2.6.18-274.17.1.el5PAE #1 SMP Wed Jan 4 22:49:48 EST 2012 I686
      OS: Linux
      Version: 2.6.18-274.17.1.el5PAE
      Number Of CPUs: 1
    IP Diagnostics
      Local Host Name: Iseadn
      Local IP Address: 192.168.100.10
      FQDN Host Name:iseadn.gnet.cp
    Domain Diagnostics
      Domain: Gnet.cp
      Subnet Site: Default-first-site-name
        DNS Query For: _ldap._tcp.gnet.cp
        Found SRV Records:
          Gnet.cp:389
      Testing Active Directory Connectivity:
        Domain Controller: Gnet.cp
          Ldap:      389/tcp - Good
          Ldap:      389/udp - Good
          Smb:       445/tcp - Good
          Kdc:        88/tcp - Good
          Kpasswd:   464/tcp - Good
          Ntp:       123/udp - Good
      Domain Controller: Gnet.cp:389
        Domain Controller Type: Windows 2003
        Domain Name:            GNET.CP
        IsGlobalCatalogReady:   TRUE
        DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
        ForestFunctionality:           0 = (DS_BEHAVIOR_WIN2000)
        DomainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
      Forest Name: GNET.CP
        DNS Query For: _gc._tcp.GNET.CP
      Testing Active Directory Connectivity:
      Forest Name: GNET.CP
    Kerberos Error: Rc=-1765328377 SASL Bind To Ldap/[email protected] - GSSAPI Mechanism With Kerberos Error  : Server Not Found In Kerberos Database
    Computer Account Diagnostics
      Not Joined To Any Domain
    System Diagnostic
      Not Joined To Any Domain
    Centrify DirectControl Status
      Not Joined To Any Domain
    Licensed Features: Enabled
    SELinux Status:                 Disabled
    Amavis1.1.0
    Ccs1.0.0
    Clamav1.1.0
    Dcc1.1.0
    Dnsmasq1.1.1
    Evolution1.1.0
    Ipsec1.4.0
    Iscsid1.0.0
    Milter1.0.0
    Mozilla1.1.0
    Mplayer1.1.0
    Nagios1.1.0
    Oddjob1.0.1
    Pcscd1.0.0
    Postgrey1.1.0
    Prelude1.0.0
    Pyzor1.1.0
    Qemu1.1.2
    Razor1.1.0
    Ricci1.0.0
    Smartmon1.1.0
    Spamassassin1.9.0
    Virt1.0.0
    Zosremote1.0.0
    From Ad-agent log

    Hi Jallaluddin
    I work for Centrify Support and saw your posting. Here our analysis on checking the adlogs.txt.zip:
    Server not found in Kerberos database" (reference base/adbind.cpp:495 rc: -1765328377)
    That error is likely coming from the KDC - meaning there is some problem with server side SPNs
    We need the following:
    1) A network trace.
    2) adcheck output.
    3) adinfo --support output
    4) Run dcdiag or netdiag on the server side.
    Also we partner with Cisco and so would it possible to work with your partners and I am pretty sure they have seen this before with DC issues etc. Can you please work with them and see?. TIA
    Best Regards
    Raghu Srinivasan

  • Cisco ISE integration with SMS passcode Device

    HI Experts,
    i have a scenario where the requirement is to integrate the ISE device with SMSpasscode device which will trigger the OTP to the mobile devices 
    Currently i have my authentication configured to work with the AD 
    When my VPN users connects  its authenticates against AD and the users get the access . 
    Now as per the new requirement once the user is authenticate against AD ,  the user should be prompted for the OTP password send to the users  using SMS passcode device 
    Anyone had worked on similar requirement please help me to resolve the issue .
    Thanks in advance 
    Angus

    Hi all
    I am working exactly for a month on this topic with no success.
    I need to integrate VASCO OTP solution. But VASCO do not support any external authentication backend for virtual/SMS token. Only passcode or local authentication.
    I need to implement an external authentication against LDAP somewhere...
    Gunnar, do CISCO clearly says it is not able to participate to such setup?
    So, my need would be to be able to insert in the flow an authentication in ISE against the LDAP.
    The flow is:
    WebApplication send login+password (LDAP) to ISE
    ISE checks the credentials and if it is OK forward the request to VASCO
    VASCO does not check for password but generate the OTP and send it via SMS
    VASCO replies with a access-challenge
    ISE forward the challenge to Web Application
    WebApplication send login+OTP response to ISE
    ISE forward to VASCO
    VASCO checks for OTP and replies to ISE with accept
    ISE forward to Web Application
    User is logged in...
    All the flow is working if the user enters a passcode
    I would like to implement a Identity source sequences where the user is checked again all the entries not the first match
    First LDAP then VASCO...

  • Cisco ISE Integrate with Airwatch

    Dears,
    I need a configuration guide or video how to integrate Cisco ISE with Airwatch. Please provide me this informations
    Thanks

    If you have a CCO ID, you may be able to see it here:
    ISE integration with AirWatch MDM
    If you cannot, you should be able to osk your Cisco AM for this.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE deployment with subdomains

    Hi Experts,
    we have AD Architecture that parent domain and three subdomain as per the region, and ISE Administration/Monitoring Node will be in one subdomain and each region will have its ISE node with policy persona.
    looking for guidnace on how the ISE design will be, more precisly whic domain the PSN node will join, to their regional sub-domain?
    if yes its supported to have each PSN in their different sub-domain?
    Thanks         

    You  can palace PSN in regional sub-domain but you need to make sure that  all the regional sub-domain are are able to communicate with each other  with out any DNS and NAT issues.

  • Cisco ISE Deployment

    Dears,
    We have 2  ISE server. I configured wired, wireless,vpn, guest user authentication from ISE server. All of them are normal working. Both of ISE server have same Image.(ver 1.2) I deployed ISE servers as HA.  I register second ISE server at primary ISE server.  I attached the configuration files. 
    I want one ISE device is primary( Administration, Monitoring and Policy are active in primary ISE) and the other ISE server  is backup or standby. (Administration, Monitoring and Policy are standby). When the Primary ISE server is  going to down then all AAA process is going  through the secondary ISE server( it is like redundancy on  ASA) 
    Is it possible to configure? If yes how I do this configuration? 
    Thank for your helping.

    ISE 1.2 does not have an Automatic Failover for the Admin Nodes.  If the primary node goes down, you have to manually promote the secondary node.
    Until you promote the secondary, the deployment has very serious limitations:
    So, you see, there is no true HA with Automatic Failover for ISE 1.2.You have to have both ISE servers on anyway and the Monitoring Persona is the only one that does support Automatic Failover, so it really does make sense to deploy your nodes as noted here:
    Node1:  Admin (Primary), Monitoring (Secondary), Policy Service
    Node2:  Admin (Secondary), Monitoring (Primary), Policy Service
    The notes I referenced can be found in the ISE 1.2 User Guide.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE Authorization with Device OS

    Hi,
    We want to permit access only to devices with Windows OS. I tried to make a authorization rule with the condition "Session:Device-OS EQUALS Windows" but it doesn't work. If I try to connect with a Windows 7 client, the access is denied and the log shows "15039 Rejected per authorization profile". What could be the problem?
    We are using ISE with Version 1.1.3
    thank you,
    Marc

    There is no issue with the ISE version 1.1.3, you are is the latest. May  be the probes are not properly configured.
    Please review the below link for assistance
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_30_ise_profiling.pdf

  • Cisco WAAD Deployment with Allot Netenforcer

    Hi,
    While deploying Cisco waas in inline mode with allot,I am facing interface issues.
    Set up is like  router-->cisco waas-->allot-->l2 switch.
    Can you pleas hep.
    Regards
    Ravi

    Hi Ravi,
    I've had interface issues with inline cards whenever there's a speed difference, ie. 100m vs 1gb, etc, with the LAN/WAN endpoints. I'm not sure what type of interfaces your Netenforcer uses, but the following link may be helpful.
    http://conft.com/en/US/docs/app_ntwk_services/waas/wae/module/inline/installation/guide/17880fru.html#wp39911
    You may need a crossover cable somewhere inline.
    Hope this helps.

  • Cisco ISE Deployment issue

    Hi dears,
    I deployed the ISE primary and secondary mode. Then I did deregister the secondary ISE at Primary ISE. Now i want to register the same second ISE as secondary mode on Primary ISE. but this error occur:
    Unable to register SecondaryISE. Node is not a Standalone node.
    I connect the secondary ISE and see deployement personas
    Administration: Secondary
    Monitoring: Secondary
    Then  I did promote to primary command after that ISE is log out but the problem is not solve.
    version 1.20.8xx of both ISE's
    How i solve this issue?
    Thanks

    try by promoting the secondary ISE which you  have  de-registered to standlone and try registering it on primary now

  • Cisco ISE - User with expired password is forced to logoff before they can change password.

    I came across a situation today where a user was logged into a laptop with an expired password and could not change it by simply locking the computer and logging in with the correct credentials. (They had previously changed it on their main computer) The port restricted any communication since the user was failing authentication.
    So, the I had the user logout and immediately the computer authenticated, and the user was able to login with the correct credentials.   I dont want my users to have to logout completely in this situation.  Below is the port config and the ISE error messages.
     switchport access vlan 423
     switchport mode access
     switchport block unicast
     switchport voice vlan 425
     ip arp inspection limit rate 10
     ip access-group ACL-LOW-IMPACT-MODE in
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity server
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     dot1x pae authenticator
     dot1x timeout tx-period 3600
     spanning-tree portfast
     spanning-tree bpduguard enable
     ip dhcp snooping limit rate 100

    Completely forgot about odac version. I have ODT with ODAC 102.02 installed.
    I want to download new drivers from here:
    Oracle10g Release 2 ODAC and Oracle Developer Tools for Visual Studio .NET
    http://download.oracle.com/otn/other/ole-oo4o/ODTwithODAC1020221.exe
    And old drivers from here (just for testing)
    Oracle Developer Tools for Visual Studio .NET 10.1.0.4.0
    http://download.oracle.com/otn/other/ODT10104.exe
    Does anybody know something about these releases? Do they have the same behavior?
    Thanks.

  • F5 and Cisco ISE Deployment Guide

    Its out! For those of you have been asking and looking for this document as much as I have, it looks like Craig Hyps has delivered! Thank Craig!
    http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP_DF.pdf

    Cool, thanks for the link! That's exacly what I was looking for. Since 1.2 LB configurations not necessarily also work in 1.3, which I expirienced.

Maybe you are looking for