Cisco ISE feeding policy

Hi all,
I changed something in the profile for windows 8 on Cisco ISE.
Then I configured Cisco ISE to dynamically update the feeding policies, but when the update is done I receive the message below:
Feed Version 1 policies downloaded.
Total number of feed polices to apply are 1.
Feed policies total 1 skipped.
Feed policies warning message : Workstation:Microsoft-Workstation:Windows8-Workstation has been changed by admin.
*** This message was generated by Cisco Identity Services Engine (ISE) ***
How can I reset the change I made to get all feed policies updated?
Regards,
Maher

I have the same problem.
Apparently if you inadvertently save a "Cisco Provided" profiler policy without making any changes it is changed from "Cisco Provided" to "Administrator Modified". If the profiler feed service then tries to update that policy it fails with the warning that the policy has been modified by the admin.
There does not appear to be any way to restore "Cisco Provided" profiler policies to their default state.
Does anyone have a solution for this?

Similar Messages

  • Cisco ISE auth policy based on Active Directory domain membership

    I am currently testing the Cisco ISE product and I am trying to find a way to assign an authorization policy based on domain membership. Our company sorts standard users and project team members into different domains so it seemed like the ideal thing to sort with. Unfortunately, I am no AD expert and there are a mind boggling number of conditions/expressions to choose from. I figured I would be the first person to try this. What have others done to solve this problem?
    I have tried using the memberOf attribute and matching to .*(domain).* Basically looking to see if memberOf contains the domain name. It works for machine authentication, but when I log in the system cannot find my account info for some reason and boots me to the guest vlan.
    Thank you.

    Are the two sets of users actually residing on two separate and independent domains? If so then that is probably where your problem is as ISE can only integrate with a single domain. If you have multiple domains then there must be a trust relationship between them. Another solution is to use LDAP integrations as there is not a limit with LDAP integrations.
    Thank you for rating!

  • Cisco ISE Profiling Policy

    If an endpoint matches multiple Profiling Policies and each one of the Profiling Policies creates a new and unique Identity Group which Identity group will the endpoint be profiled into. My understanding is that an endpoint can only be profiled into a unique Identity Group. Another way of wording the question is, are the Profiling policies matched top down or some other way? thanks in advance.

    No problem Graham. To answer your second question: The attributes that are collected first that triggers a profiling rule would be used first. For instance, let's say that you have a profiling rule with CF of 100 that is looking for a DHCP class identifier of XYZ and then a second profiling rule with CF of 100 that is looking for the MAC OUI of ABC. In this situation, the second rule would be hit first since the MAC information is collected before the DHCP info is. As a result, the device will be profiled and placed in the endpoint group associated with the second profiling rule until/unless additional attributes are collected that would match a different profiling rule with CF > 100.
    I hope this makes sense
    Thank you for rating helpful posts!
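    The ordering behaviour described in the answer above, as an added example that is not part of the original thread and not ISE's own profiler code: a small model in which each profiling rule carries a certainty factor (CF), the first rule matched by the attributes collected so far assigns the endpoint group, and a later rule only displaces it when its CF is strictly greater. The rule names, attribute names and endpoint values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ProfilingRule:
    """One profiling policy: a single attribute condition and the CF it yields."""
    name: str             # profiling policy name (constructed)
    identity_group: str   # endpoint identity group the policy assigns
    attribute: str        # endpoint attribute the condition inspects
    value: str            # value prefix the attribute must carry
    cf: int               # certainty factor contributed when matched

    def matches(self, attrs: dict) -> bool:
        got = attrs.get(self.attribute)
        return got is not None and got.lower().startswith(self.value.lower())


@dataclass
class Endpoint:
    mac: str
    attributes: dict = field(default_factory=dict)
    profile: Optional[ProfilingRule] = None


class Profiler:
    """Models the answer's description: attributes arrive one at a time, the
    first matching rule wins, and a match with the same CF does not displace
    the current profile; only a strictly higher CF re-profiles the endpoint."""

    def __init__(self, rules):
        self.rules = list(rules)

    def observe(self, ep: Endpoint, attribute: str, value: str) -> Optional[str]:
        ep.attributes[attribute] = value
        candidates = [r for r in self.rules if r.matches(ep.attributes)]
        if not candidates:
            return ep.profile.name if ep.profile else None
        # Highest CF first; sorted() is stable, so equal-CF rules keep policy order.
        best = sorted(candidates, key=lambda r: -r.cf)[0]
        if ep.profile is None or best.cf > ep.profile.cf:
            ep.profile = best
        return ep.profile.name


# Constructed rules mirroring the answer: two CF-100 rules on different
# attributes, plus a CF-110 rule that can override either of them.
RULES = [
    ProfilingRule("DHCP-XYZ-Policy", "XYZ-Devices", "dhcp-class-identifier", "XYZ", 100),
    ProfilingRule("OUI-ABC-Policy", "ABC-Devices", "OUI", "ABC", 100),
    ProfilingRule("Agent-ABC-Pro-Policy", "ABC-Pro-Devices", "User-Agent", "ABC-Pro", 110),
]

# Collection order as the answer describes it: MAC OUI before DHCP, then a
# later HTTP User-Agent observation.
OUI_FIRST = [
    ("OUI", "ABC Corp"),
    ("dhcp-class-identifier", "XYZ Client"),
    ("User-Agent", "ABC-Pro/2.0"),
]
DHCP_FIRST = [
    ("dhcp-class-identifier", "XYZ Client"),
    ("OUI", "ABC Corp"),
    ("User-Agent", "ABC-Pro/2.0"),
]


def run_scenario(observations) -> list:
    """Return the profile name after each observation, in order."""
    profiler = Profiler(RULES)
    ep = Endpoint(mac="00:11:22:33:44:55")  # constructed endpoint
    return [profiler.observe(ep, attr, val) for attr, val in observations]


if __name__ == "__main__":
    for label, obs in (("OUI first", OUI_FIRST), ("DHCP first", DHCP_FIRST)):
        print(label, "->", run_scenario(obs))
```

    Swapping the collection order changes which CF-100 rule the endpoint lands in, which is exactly why two equal-CF rules on different attributes can look non-deterministic in practice.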

  • Pages in Cisco ISE 1.2 says Error code WAP00008.

    When i am trying to access Cisco ISE
    Pages Policy>Policy Elements>Dictionaries
    i get the following error on firefox(MAC)
    There was an error while parsing and rendering the content. (node.getAttribute is not a function)
    Error code WAP00008.
    Error on Chrome(MAC)
    There was an error while parsing and rendering the content. (Object # has no method 'getAttribute')
    Error code WAP00008.
    it works fine on IE(windows) and firefox
    but gives the same error on Chrome,
    Any one else facing the same issue ?

    This now seems to be across Firefox and Chrome on both Mac and Windows OS systems. Cisco need to make sure their products can work with the updated browsers as customers cannot be expected to always roll back a browser version to fix a problem. Does anyone know what the root cause might be for this issue? Java plugins? So customers can get a solution to allow administration of ISE across OS platforms and browsers.

  • Cisco ISE - What does "Multiple Matched Rule Applies" mean?

    Hi,
    In Cisco ISE authorization policy configuration, what does the option "multiple matched rule applies" mean? I can understand the "first matched rule", but in "multiple matched rule" how are the permissions picked if multiple rules match? Or, what is the logic involved in picking the permissions, if multiple rules are matched in the authorization policy?
    Nowhere in the Cisco documentation do I see any explanation for this.
    Would appreciate it if anyone can point me to a document or explain to me the logic of selecting the permissions if multiple rules are matched. Also, what would the use-case be for this?
    Thanks and Regards,
    Mohan

    I agree with tarik & also this might be helpful for you:
    An authorization policy can consist of a single rule or a set of rules that are user-defined. These rules act to create a specific policy. For example, a standard policy can include the rule name using an If-Then convention that links a value entered for identity groups with specific condition(s) or attributes to produce a specific set of permissions that create a unique authorization profile. There are two authorization policy options you can set:
    •First Matched Rules Apply
    •Multiple Matched Rule Applies
    These two options direct Cisco ISE to use either the first matched or the multiple matched rule type listed in the standard policy table when it matches the user's set of permissions. These are the two types of authorization policies that you can configure:
    •Standard
    •Exception
    Standard policies are policies created to remain in effect for long periods of time, to apply to a larger group of users or devices or groups, and allow access to specific or all network endpoints. Standard policies are intended to be stable and apply to large groups of users, devices, and groups that share a common set of privileges.
    Standard policies can be used as templates in which you modify the original values to serve the needs of a specific identity group, using specific conditions or permissions to create another type of standard policy to meet the needs of new divisions, or groups of users, devices, or groups in your network.
    By contrast, exception policies are appropriately named because this type of policy acts as an exception to the standard policies. Exception policies are intended for authorizing limited access that is based on a variety of factors (short-term policy duration, specific types of network devices, network endpoints or groups, or the need to meet special conditions or permissions or an immediate requirement).
    Exception policies are created to meet an immediate or short-term need such as authorizing a limited number of users, devices, or groups to access network resources. An exception policy lets you create a specific set of customized values for an identity group, condition, or permission that are tailored for one user or a subset of users. This allows you to create different or customized policies to meet your corporate, group, or network needs.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html

  • Did Cisco ISE have limitation for policy setting?

    Dear All,
    Does anyone know about Cisco ISE limitations on policy settings?
    Right now my Windows posture policy has around 200 Windows patch checks; does ISE have a limitation such as a maximum number of Windows patching policy lines?
    Thank you
    Best Regards

    Here is the answer for your first question.
    Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time. It causes Java Virtual Machine (JVM) memory utilization to go up due to accumulated backlog when some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.
    To ensure that the profiler does not increase the JVM memory utilization and prevent JVM to go out of memory and restart, limits are applied to the following internal components of the profiler:
    Endpoint Cache—Internal cache is limited in size that has to be purged periodically (based on least recently used strategy) when the size exceeds the limit.
    Forwarder—The main ingress queue of endpoint information collected by the profiler.
    Event Handler—An internal queue that disconnects a fast component, which feeds data to a slower processing component (typically related to a database query).
    For more information go through :
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#12624

  • ISE Feed Service can not update EndPoint Policy

    I've started to get "Failed to apply feed policy" messages. The OUI updates are working fine. Just the Updates to EndPointPolicy are failing. Looking at the log in ISE, it appears to be a permissions issue. Feedservice is the username for updates but I do not see that username account anywhere in ISE.
    Fault text(email msg): "Failed to apply feed policies : Unable to update EndpointPolicy. Unable to create/update EndpointPolicy. Unable to create identity group. Identity group "Android" already exists."
    I do not see any failures in the feedservice audit report.  I'm using ISE version 1.3.0.876
    Has anyone else had this issue before?

    Does this help?
    http://www.gearsoftware.com/support/forum/viewtopic.php?p=3452

  • Cisco ISE trying to posture a device that should not be able to be postured

    Overview:
    Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.
    Mobile device authorisation policy configured:
    Problem:
    A few days later, mobile devices don't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE classifies mobile devices as Posturable. The Posture Status previously was "NotApplicable" and now shows up as "Pending". See below.
    Troubleshooting:
    I tried a total of 4 different mobile devices, 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids started working and have the PostureStatus of "NotApplicable"; no configuration changes were made. The 2 Apple devices still don't work and show up as "Pending".
    I have restarted ISE, the Access Point and the Apple device. I have also tried another Apple device. All with the same problem.
    Have any of you guys experienced this before?

    Hi,
    I have also experienced the same issues as yourself and would recommend opening a TAC case. However I have used the device registration web portal to redirect all previously detected mobile devices to accept the AUP and have them statically assigned to an endpoint group so they do not hit this scenario.
    I know it is a workaround but it's the only way I could get this to work and not affect devices that were at one time detected as such.
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE 1.2 MDM Integration Question

    I have a working Cisco ISE 1.2.1 install on which I've performed the integration with our MobileIron server. The "integration test" reports that the integration is good, but whenever ISE verifies MDM compliance, registration, etc. with MobileIron when a mobile device connects it always reports that all statuses are good even if they aren't.
    My test phone is out of compliance on MobileIron because of an unapproved app, but when the phone connects ISE believes the MDM compliance status is good. I'm not sure if it isn't really checking with MDM or if the MobileIron server is reporting erroneous results.
    I also saw in a video that the phone has to be registered with MobileIron through ISE. Is this correct? I don't plan to on-board devices with MobileIron through ISE; it will be done directly through MobileIron (not connected to the Wifi network).
    I only want ISE to check the compliance status of the device against MobileIron and quarantine if it isn't compliant or MDM registered.
    Any help would be appreciated

    Saurav and others,
    Unfortunately, on-boarding sets some attribute fields on the endpoints that will then allow them to participate in a policy. It is nice that we all have MDM integration working but we almost need another class of on-boarding for corporate devices that are already in the MDM of choice (where we prefer to manage them!)
    There is a little documented feature in ISE.
    It appears to me that the on-boarding turns on the following states for the endpoint:
    BYODRegistration: No (becomes Yes)
    DeviceRegistrationStatus: NotRegistered (becomes Registered)
    (The device is actually registered in MobileIron - this means did ISE register with MI.)
    No MI attributes will work without this magic. TAC engineers I have dealt with don't seem to understand this feature.
    This is definitely an enhancement that is needed.

  • Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

    Need help from ISE experts/gurus in this forum.
    Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug makes ISE stop working completely and a reboot is required (very nice bug from Cisco). This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
    Scenario: 
    - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
    - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
    - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
    - node 3 is Policy service node - hostname is node3
    - node 4 is Policy service node - hostname is node4
    Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
    My understanding is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
    to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
    upgrading to ISE version 1.2 and patching it with 1.2.0.899-2-85601.
    Can I patch my existing environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
    I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
    I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
    Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
    step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
    Proposed solution:
    step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
    step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
              form a new ISE 1.2 cluster independent of the old cluster,
    step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node3 will automatically join the ISE node2 which is already on version 1.2
    step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node4 will automatically join the ISE node2 which is already on version 1.2
    step #5:  At this point the only node remaining on 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
    step #6:  Check and see if there are any more PSNs registered in ISE node1 (there should not be any)
    step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
    step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
    step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
    Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
    step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Do these steps make sense to you?
    Thanks in advance.

    David,
    A few answers to your questions -
    Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was released prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when ISE 1.2 was released
    https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
    You do not have the ability to install an ISE patch through the GUI on any of the "non-primary" nodes (you can use the CLI command to achieve this); the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at a time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
    Every ISE upgrade that I have attempted has not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
    I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
    I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
    I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
    Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
    Once the restore finished, I then restored the certificate and picked one of the PSNs
    backup the cert,
    Had the AD join user account handy
    reset-db,
    and run the upgrade script.
    Once that is done I then restore the cert
    Join the PSN to the new deployment
    Join both nodes to AD through primary admin node
    Monitor for a few days (separate consoles to make sure everything runs smooth)
    If anything doesn't look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation; if it all goes smooth you can then follow the above steps for the other two nodes, starting with the last PSN and then the last admin node.
    Thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • [Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB

    Hi everyone,
    After reading some documentation about using MAB on a trunk port with the 3850 I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB on a trunk port the MAC address of the AP is not visible in "show mac address interface" and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
    Let me show you what I have,
    interface GigabitEthernet1/0/3
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     trust device cisco-phone
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
     service-policy output AutoQos-4.0-Output-Policy
    ############################################# switch model - 3850 ##################################################
    SW1#sh mac address-table interface GigabitEthernet1/0/3
              Mac Address Table
    Vlan    Mac Address       Type        Ports
    SW1#sh dot1x interface Gi1/0/3
    Dot1x Info for GigabitEthernet1/0/3
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Switch Ports Model              SW Version        SW Image              Mode
    *    1 56    WS-C3850-48P       03.03.03SE        cat3k_caa-universalk9 INSTALL
    ############################################# Different switch model - 2960 ##################################################
    interface GigabitEthernet1/0/1
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
     SW1#$cation sessions interface GigabitEthernet1/0/1
                Interface:  GigabitEthernet1/0/1
              MAC Address:  xxxx.xxxx.4a38
               IP Address:  172.18.1.170
                User-Name:  xx-xx-xx-xx-4A-38
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A18129D000060E39DAE8A8A
          Acct Session ID:  0x0000725D
                   Handle:  0x0F00028C
    Runnable methods list:
           Method   State
           mab      Authc Success
            Switch Ports Model              SW Version            SW Image
          1 28    WS-C2960X-24PS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M
     SW2#sh dot1x interface Gi1/0/1
    Dot1x Info for GigabitEthernet1/0/1
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Am I doing something wrong?
    BR,

    I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :) 
    Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it. 
    Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it. 
    Thank you for rating helpful posts!

  • Cisco ISE 1.2.1 deployment issue with Anyconnect and Profiling

    Hi All,
    We are running a Cisco ISE box on version 1.2.1 wherein I am facing the below issue during deployment. We have two ISE boxes where one box acts as Primary Admin, Secondary MNT and Policy Service and the second box acts as Secondary Admin, Primary MNT and Policy Service.
    1) Profiling of Endpoints - HP LaserJet printer 55XX series and scanner profiling are not happening in Cisco ISE 1.2.1, wherein I have enabled the below probes in ISE for profiling:
    RADIUS Probe
    SNMP Probe
    SNMP Trap
    HTTP Probe and DNS
    2) Any-connect issue - We are using the any-connect supplicant 3.0.11042 for wired and wireless user profiles on Windows 7 Enterprise 32-bit machines
    - Yellow mark issue - Once authentication and posturing are completed we get a yellow mark on the network drive but we are still able to connect to the network
    - Network Map Drive issue - Once authentication and posturing are completed we get a red cross mark on the network map drive, and if we double click on that drive then it becomes accessible and the red mark turns into green.
    For that we have already allowed IP-level access to all domains in the before-logon dACL (Machine authentication)
    It would be really great if anyone can help me on the same.
    Thanks & Regards
    Pranav

    Hi Pablo,
    Please find below solutions
    Yellow mark issue - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This Service is by default disabled on Windows XP and Windows 8.X operating systems. This is only enabled by default on Windows 7 and Windows Vista operating systems.
    Network Map Drive issue   - Create logon script and deploy it using group policy. Script will check full network connectivity and then map network drives
    Regards
    Pranav

  • Cisco ISE 1.2 and AD Group

    Hello,
    I have Cisco ISE installed on my ESXi server for my test pilot. I have added several AD groups to ISE as well.
    I have created an Authorization policy condition, which is WIRELESS_DOT1X_USERS (see screenshot)
    Basically, I just duplicated the default Wireless_802.1X and added Network Access:EapAuthentication, Equals, EAP-TLS.
    My problem is, I was unable to join the wireless network if I added my AD group to the Authorization policy (see screenshot). The user that I have is a member of WLAN-USERS. If I remove the AD group from the Authorization policy, the user is able to join the wireless network.
    I attached the ISE logs screenshot as well. I checked the ISE, AD/NPS, WLC and laptop time and date, and they are all in sync.
    I also have the WLC added as an NPS client on my network.
    I checked the AD log and what I found was the WLC's local management user trying to authenticate. It is supposed to be my wireless user credential, not the WLC.
    This is the log that I got from the AD/NPS
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID:                              NULL SID
    Account Name:                              admin
    Account Domain:                              AAENG
    Fully Qualified Account Name:          AAENG\admin
    Client Machine:
    Security ID:                              NULL SID
    Account Name:                              -
    Fully Qualified Account Name:          -
    OS-Version:                              -
    Called Station Identifier:                    -
    Calling Station Identifier:                    -
    NAS:
    NAS IPv4 Address:                    172.28.255.42
    NAS IPv6 Address:                    -
    NAS Identifier:                              RK3W5508-01
    NAS Port-Type:                              -
    NAS Port:                              -
    RADIUS Client:
    Client Friendly Name:                    RK3W5508-01
    Client IP Address:                              172.28.255.42
    Authentication Details:
    Connection Request Policy Name:          Use Windows authentication for all users
    Network Policy Name:                    -
    Authentication Provider:                    Windows
    Authentication Server:                    WIN-RSTMIMB7F45.aaeng.local
    Authentication Type:                    PAP
    EAP Type:                              -
    Account Session Identifier:                    -
    Logging Results:                              Accounting information was written to the local log file.
    Reason Code:                              16
    Reason:                                        Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
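The denial event above is the kind of record worth triaging automatically: which account the NAS actually sent, whether the request was plain PAP rather than an EAP exchange, and what the reason code means. The following is an added example (not from the post or from Cisco/Microsoft tooling) that parses an NPS "denied access" event in the layout quoted above into section-qualified fields and returns review notes; the sample event and the `mgmt_accounts` list are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the NPS event quoted in the post (not a captured log).
SAMPLE_EVENT = """Network Policy Server denied access to a user.
User:
    Security ID:                NULL SID
    Account Name:               admin
    Account Domain:             AAENG
NAS:
    NAS IPv4 Address:           172.28.255.42
    NAS Identifier:             RK3W5508-01
Authentication Details:
    Authentication Type:        PAP
    EAP Type:                   -
    Reason Code:                16
"""

# Only the reason code the post shows; NPS defines many more.
REASON_TEXT = {16: "user credentials mismatch (unknown account or wrong password)"}

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_nps_event(text: str) -> Dict[str, str]:
    """Flatten an NPS event into {"Section/Field": value}; NPS writes '-' for unset fields."""
    fields: Dict[str, str] = {}
    section = ""
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # free-text lines such as the event summary
        key, value = m.group(1), m.group(2)
        if value == "":  # a bare "User:" style line opens a new section
            section = key
            continue
        fields[f"{section}/{key}" if section else key] = value
    return fields


def triage_denial(fields: Dict[str, str], mgmt_accounts=("admin",)) -> List[str]:
    """Return review notes for one denied-access event (mgmt_accounts is an assumed allowlist)."""
    notes: List[str] = []
    user = fields.get("User/Account Name", "-")
    nas = fields.get("NAS/NAS Identifier", "-")
    nas_ip = fields.get("NAS/NAS IPv4 Address", "-")
    auth_type = fields.get("Authentication Details/Authentication Type", "-")
    raw_code = fields.get("Authentication Details/Reason Code", "-")
    code = int(raw_code) if raw_code.isdigit() else -1
    if user.lower() in {a.lower() for a in mgmt_accounts}:
        notes.append(f"device management account {user!r} sent by NAS {nas} ({nas_ip}); "
                     "expected a wireless user, so check the NAS's RADIUS/TACACS settings")
    if auth_type == "PAP" and fields.get("Authentication Details/EAP Type", "-") == "-":
        notes.append("plain PAP request with no EAP type: not an 802.1X/EAP supplicant exchange")
    notes.append(f"reason code {code}: {REASON_TEXT.get(code, 'see NPS documentation')}")
    return notes
```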

    Thank you Tarik,
    I got my AD group working. What I did was check the user's certificate that is installed on the laptop, then modify the ISE certificate authentication profile to "Subject Alternative Name". I had the ISE set to common name when I was having the issue.
    I forgot to mention that I have two servers in my ISE test pilot. I have AD with NPS, and a CA. These servers are Windows 2008 R2.
    I am a little confused about the attribute in the certificate template you have mentioned. Is that located at Certificate Authority/server-name/Certificate Templates/Users? I am not sure where to look for that attribute on the CA server.

  • Cisco ISE 1.2 - BYOD Guest Access Error with Certificate

    Hi all!
    I'm running Cisco ISE 1.2. I'm trying to set up BYOD (dual SSID).
    Here's a walkthrough of what's happening:
    1. I connect to the open SSID, enter username/password and register the MAC.
    2. I download the WinSPwizard and get the trusted root CA, but the WinSPwizard errors.
    This is the spwprofilelog:
    [Wed Oct 01 11:27:17 2014] Installed [pvgas-DC-CA, hash: d0 ad c2 1e 19 b0 8b 61  8a 2d 81 88 da 8a a2 ca
    da d3 ab e8
    ] as rootCA
    [Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:17 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
    [Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:21 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
    [Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:25 2014] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]
    [Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:29 2014] Failed to get certificate from server - Error: [2]
    [Wed Oct 01 11:27:29 2014]  Failed to generate scep request. Error code:
    [Wed Oct 01 11:27:29 2014] ApplyCert - End...
    [Wed Oct 01 11:27:29 2014] Failed to configure the device.
    [Wed Oct 01 11:27:29 2014] ApplyProfile - End...
    [Wed Oct 01 11:27:32 2014] Cleaning up profile xml:  success 
    These are the SCEP RA profiles,
    the other cert,
    the ACL on the WLC,
    and the policy.
    Please help me fix this error.
    Thanks.

    You could create an ISE local user with a GUEST membership and, provided you have your ISE password policy set so that it doesn't expire accounts, etc., it would be a "permanent" guest account. We do something similar. Sponsors make temporary accounts, while long-term or test guest accounts are created in the ISE local identity store as guests and are processed the same way. You just have to ensure that the internal user store is part of your guest identity source sequence.

  • Cisco IP phones authenticate 802.1X with Cisco ISE 1.3

    Dear all,
    I want to configure Cisco ISE 1.3 with 802.1X to authenticate Cisco IP phones (CUCM 10.5.2) with an LSC certificate.
    How do I have to configure the Cisco ISE authentication rules for 802.1X with Cisco IP phones? Are there any configuration examples?
    Thanks

    The following are ISE 802.1X sample authentication rules. You can change the protocol (Policy -> Policy Elements -> Results -> Authentication, and there you can select the protocol).
