Cisco ISE in Apple Mac Environment

Similar Messages

• Cisco wireless and Apple Mac woes

  Hello all,
  I've been working with Cisco wireless and WLC's for a couple of years now but the recent onslaught of Apple Mac's is giving me heart burn.  I've seen this at numerous sites now and need to throw it to eht community for guidance.
  Basically we have had a number of instances where the Macs just fall off the wifi.  Sometimes it's when they wake from sleep and other times when roaming between AP's (1131s with same SSID's).  Our standard install is WPA2 and per ap local authentication.  PC's work fine and never an issue.
  We have completed a survey with a spectrum analyser and no RF interefence is present nor errors on the radio interface.
  Questions:
  - Is there a preferred Cisco config/setup for Mac's to work reliably?  I've heard loads of rumors but nothing concrete and nor can I find anything specific.
  - Should I be setting up WDS in case there is an authenticating issue.
  - For those who are Mac gurus and happen to be reading. What Mac options we should look at?
  This has all come to a head because the clients IT company who recommended the Macs (different from us doing the network infrastructure) are insisting that the problem is Cisco incompatibility and that we should rip out the Cisco kit and install airports (what tha!!!).
  Thanks in advance for any pointers.
  For those who like a config here it is .... Vanilla stuff really
  Building configuration...
  Current configuration : 2236 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname AP4
  no logging console
  enable secret xxxxxxxxxxxxxxxxx
  no aaa new-model
  dot11 syslog
  dot11 ssid Home
     vlan 1
     authentication open
     authentication key-management wpa
     guest-mode
     mbssid guest-mode
     wpa-psk ascii xxxxxxxxxxxx
  dot11 ssid avnet
     vlan 2
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii xxxxxxxxxxxxxxxx
  username abcd password 1234
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 1 mode ciphers tkip
  encryption vlan 2 mode ciphers tkip
  ssid Home
  mbssid
  speed  basic-1.0 basic-2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
  channel 2412
  station-role root
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.2
  encapsulation dot1Q 2
  no ip route-cache
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  hold-queue 80 in
  interface FastEthernet0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface FastEthernet0.2
  encapsulation dot1Q 2
  no ip route-cache
  bridge-group 2
  no bridge-group 2 source-learning
  bridge-group 2 spanning-disabled
  interface BVI1
  ip address 192.168.10.54 255.255.255.0
  no ip route-cache
  ip default-gateway 192.168.10.1
  no ip http server
  no ip http secure-server
  bridge 1 route ip
  line con 0
  line vty 0 4
  login local
  end

  Yeah!! even i have come across multiple issue with MAC and Cisco.. these are the below settings which i normally do on the cisco gears and most of the times this solved the issue..
  on the IOS AP disable Aironet Extentions and set the poer local and ofdm to max
  no dot11 extension aironet
  power local cck max
  power local ofdm max
  end
  On the WLC, disable Aironet IE..
  lemme know if this answered your question..
  Regards
  Surendra
  ====
  Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

• Mac-Address Different format for Authorization on Cisco ISE

  Dear All,
  I have problem with my Cisco ISE,
  This is the design :
  ISE ---- Core Switch ---- 3Com Switch --- PC User
  My Case:
  Authorization is based on Mac-address and Active Directory,
  But user with PC that connect to 3Com swtich is Deny by ISE because the Format Mac-address is different with Cisco,
  Mac-address Cisco format :  XX:XX:XX:XX:XX:XX
  Mac-address 3Com format :  XXXX-XXXX-XXXX
  3Com Switch type is TRICOM 4210 26-PORT.
  Anyone have experience with this? and how change the mac-address format in 3Com so user can authorized by Cisco ISE.
  note:
  authorization based on Active Directory is not problem with 3Com Switch.
  Based on my experience, Different product is different format mac-address, so this case not only for 3Com Switch.
  Thanks,
  Arika Wahyono

  I do not think Cisco will add these vendors to the supported switch matrix because then it would be a support issue that cisco would have to deal with, much like most of the AD issues I experienced when I worked in TAC. Your best bet would be to run the evaluation license instance in a lab and have a 3com switch point against that.
  Other than that I do not recommend upgrading to 1.2 without validating that the new "multi-vendor" MAB support will work on your switch.
  PS- Keep in mind that my comments is just my opinion so you may need to open a TAC case for an official answer.
  Tarik Admani
  *Please rate helpful posts*

• MAC OS X unable to download Cisco ISE supplicant agent

  Hi,
  I have a problem with MAC OS X clients unable to download the Cisco ISE supplicant agent using Safari browser but able to login on the ISE guest portal. If the same client was to login to the ISE guest portal using Firefox; it has no issues downloading the ise supplicant and posture agent.
  I have tried to update the Java version on the client to the latest; however it does not resolve the issue. As I am new to MAC OS clients; I was wondering what may be the cause of the issue?
  I have summarized the issue as follows:
  1. MAC OS X 10.8 with safari 6 -- unable to download agent but can login successfully on the Cisco ISE guest portal
  2. MAC OS X 10.8 with Firefox -- able to login to Cisco ISE guest portal and download agents; no issues
  3. MAC OS X 10.7 with safari and firefox ---  unable to download agent but can login successfully on the Cisco ISE guest portal
  4. Windows XP & Windows 7 & Iphone/Ipad/Android -- able to login/download agent without any issues
  Any suggestions is appreciated.
  Thanks.

  For Agent Download Issues on Client Machine
  • Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the
  policy identity group, conditions, and type of agent(s) defined in the policy.
  (Also ensure whether or not there is any agent profile configured under Policy >
  Policy Elements > Results > Client Provisioning > Resources > Add > ISE
  Posture Agent Profile, even a profile with all default values.)
  • Try reauthenticating the client machine by bouncing the port on the access
  switch.
  Remember that the client provisioning agent installer download requires the following:
  • The user must allow the ActiveX installer in the browser session the first time an agent is installed
  on the client machine. (The client provisioning download page prompts for this.)
  • The client machine must have Internet access.
  Client Machine Operating Systems and Agent Support in Cisco ISE
  Check the following link
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp95449

• Cisco ISE 1.1.4 Patch 7 (Internal Endpoint Mac Addresses Getting Disppeared)

  Hi Folks,
  I am having issue that mac addresses which we are trying to add under Internal Endpoint Group for MAB getting disappear automatically after few minutes. We tried multiple mac addresses but result same. We can see the mac address which we added earlier but new mac address getting disappear. Is there any limit to add mac address under Internal Endpoint. We have following licenses.
  L-ISE-ADV-1K-M=  Cisco ISE 1000 EndPoint Advanced + Base Migration License
  Thanks

  Tabish,
  We'll update the latest patch and then look for the work around from any one of our Cisco experts

• Need Step by step installation guide for Cisco ISE in distributed environment.

               Hi Friends,
  If anyone is having  step by step installation guide for Cisco ISE in distributed environment please shere!
  I have user guide from Cisco, but does someone have created at the time of actual installation.
  Thanks,
  Sachin

  There is a trustsec 2.1 how to guide on cisco's website. There is also a TrustSec 2.0 ISE Guide floating around that has step by step instructions for setting up ISE 1.0.4. Which is still pretty accurate for the 1.1.1 guide. But if you go through the below site it should give you all the info you need.
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

• Cisco ISE & NAC Agent in a Vmware View VDI Environment

  Hi,
  Anyone deployed Cisco ISE NAC agent on a vmware view virtual desktop environment (VDI)?

  There are no known issues regarding VMWare view that would cause this.
  For AV see -> http://www.novell.com/support/kb/doc.php?id=7007545
  I find ProcMon for Sysinternals useful to see if other prcesses such as
  AV are hitting those files unexpectedly. A few times I have seen AV
  Exclusions not quite working as expected until tweaked.
  The ZMD-Messages.log may show if the agent is doing something....
  On 9/30/2014 9:36 PM, harrymsg wrote:
  >
  > We have been running 11.2.4 in our View VDI environment and overall been
  > very successful. We just rolled Win 7 and are seeing approx. 10% of the
  > VMs with the zenworkswindowsservice.exe running steadily around 50% for
  > hours. Any thoughts? One thing I just set to try was excluding that
  > from Microsoft FEP AV. Anything other thoughts to resolve? Thanks.
  >
  >
  Going to Brainshare 2014?
  http://www.brainshare.com
  Use Registration Code "nvlcwilson" for $300 off!
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Technical Support Engineer
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• Apple (MAC) and Cisco Flex Connection deployments

  Good Morning,
  I have some questions regarding flex connect deployments with environments that are purely Apple (MAC).   The area is about 10,000 sq feet top floor office space in NYC.
  We havea bout 5 access points (unfortunatley vetically mounted) covering this space. The issue wea re having sort of seems like a roaming issue. We lost an AP that was servicing 80% of the cleints which caused all sorts of troubles with clients. They would not connect tot he other APs and would throw "timeout" errors.
  Is there some log I could check to see what might have been going on?
  Is there any recommended deployment guide for Apple (mainly mac book pros etc) environments?
  Any real world suggestions?                

  Good Morning,
  I have some questions regarding flex connect deployments with environments that are purely Apple (MAC).   The area is about 10,000 sq feet top floor office space in NYC.
  We havea bout 5 access points (unfortunatley vetically mounted) covering this space. The issue wea re having sort of seems like a roaming issue. We lost an AP that was servicing 80% of the cleints which caused all sorts of troubles with clients. They would not connect tot he other APs and would throw "timeout" errors.
  Is there some log I could check to see what might have been going on?
  Is there any recommended deployment guide for Apple (mainly mac book pros etc) environments?
  Any real world suggestions?                

• Cisco ISE: How to match an endpoint belong to an identity group ?

  Hello,
  I am running Cisco ISE 1.1.4.218 in a standalone environment.
  I am trying to setup Compound Condition for Authorization.
  I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
  I created 1 endpoint identity group and 2 children groups
  - GroupParent
       - ChildA
       - ChildB
  I put the MAC address of my machine in the group ChildA.
  In my condition, I tried the following:
  IdentityGroup:Name, Equals, ChildA
  IdentityGroup:Name, Equals, GroupParent:ChildA
  IdentityGroup:Name, Match, .*(ChildA).*
  I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
  IdentityGroupName, Equals, GroupParent
  IdentityGroupName, Match, .*(GroupParent).*
  But no one of these options worked.
  I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.
  Can anyone help me ?
  Best regards,
  David

  You could try the following to match only the parent group
  IdentityGroup:Name EQUALS GroupParent
  You could try the following to match only child group A
  IdentityGroup:Name EQUALS GroupParent#ChildA
  You could try the following to match all child groups of GroupParent
  IdentityGroup:Name STARTS_WITH GroupParent
  Please rate if this helps

• Cisco ISE for 802.1x (EAP-TLS)

  I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
  I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me into the right direction as to how I can achieve what i am seeking.
  I will use Cisco 2900 series switches on the access layer and a few HP switches as well which supports 802.1x.
  I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (Certificate Based). All the workstations on the domain needs to authenticate itself using the certificates issued to it by the Certificate Issuing Authority.
  I have already managed to get the PKI working and have rolled out the certificates on all the workstations on the test environment. I can't seem to configure the Authentication portion on the ISE.
  I request if someone can guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are  overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
  My email: [email protected]
  Cheers,
  Krishil Reddy

  Hello Mubashir,
  Many timers can be modified as  needed in a deployment. Unless you are experiencing a specific problem  where adjusting the timer may correct unwanted behavior, it is  recommended to leave all timers at their default values except for the  802.1X transmit timer (tx-period).
  The tx-period timer defaults to a value of 30 seconds.  Leaving this value at 30 seconds provides a default wait of 90 seconds  (3 x tx-period) before a switchport will begin the next method of  authentication, and begin the MAB process for non-authenticating  devices.
  Based on numerous deployments, the best-practice  recommendation is to set the tx-period value to 10 seconds to provide  the optimal time for MAB devices. Setting the value below 10 seconds may  result in the port moving to MAC authentication bypass too quickly.
  Configure the tx-period timer.
  C3750X(config-if-range)#dot1x timeout tx-period 10

• Cisco ISE - CWA AD Authentication

  Hello,
  I'm using a Cisco ISE on 1.3 and have a CWA portal setup for AD Auth. When a user connects to a particular SSID (from a WLC) that is setup for mac filtering, it redirects to a CWA via the Auth Policy. the CWA is disabled, they login, the device registers, etc.. and all is well. The next policy checks to see if the device is registered, and if so, bypasses the Auth. Which also works. However, any AD account can authenticate against the CWA, not the particular AD account I want. I don't know where to put the Auth Policy or what it looks like. Any help would be appreciated. I've tried a few combinations to no avail.
  Below are my current Auth Policies, as I mention above. They work, but the CWA validates any AD credential, not the group I want. Should a NetworkAccess:UseCase=GuestFlow go between the 2 policies perhaps?

  Hi Marc, what I meant by "desired_permissions" is what your environment/situation calls for. With that being said, returning back only "access_accept" with your "authorization profile" would work but at the same time it will give the authorized users/devices full access. So unless you have an ACL to Firewall off the guest users, you would need to return some additional attributes when trying to restrict/limit guest users/devices. 
  For instance, I like to use Policy Sets and dedicate a policy set per SSID and then either a general Policy Set for Wired or one Policy Set for Corporate Wired and one for Guest Wired. If  you don't use policy sets, then you should create one "authorization rule for Guest_Wired and one for Guest_Wireless. 
  For the Guest_Wired, you will need to return "access_accept" and then a "DACL Name" that you can create locally in ISE.
  For the Guest_Wireless, you will need to return "access_accept" and then a "Airspace ACL Name" That ACL is not a DACL (WLCs do not support DACLs). Instead, that is an ACL that you configure locally on the WLC, thus, the name must match on both ends and it is case sensitive! 
  Both the DACL and the "Airspace ACL" would contain rules that fit your environment/security requirements. Typically though you would have:
  1. Permit DNS- Needed for DNS resolution
  2. Permit access to ISE - Needed for the guest pages to properly load) 
  3. Deny any private/RFC 1918 addresses - Blocks guests from accessing internal hosts
  4. Permit everything else - Needed for general internet browsing
  I hope this helps!
  Thank you for rating helpful posts!

• Cisco ISE with Flex Connect ios 7.4

  Hello my name is Ivan
  I have a question:
  Is possible to do a deployment with cisco ise (trust sec 2.0)  and flex connect and web authentication to a cluster of cisco wlc (ios 7.4)?
  There are a features or requeriments to configure this?
  Regards
  Ivan

  By "cluster of cisco wlc" are you referring to the HA features for the 5508?  HA or not should be irrelevant to the configuration of ISE w/ 7.4 WLC on flex connect.
  Configuring CWA (central web auth) via L2/Mac-Filter and RADIUS NAC will require that you have a FlexConnect group built with the desired AP within the group.  You will need to build FlexConnect ACLs and apply them to the FlexConnect group that correspond with the various NAC states the client will be in during the CWA process. 
  You will probably need 1 or 2 Web Policy ACLs
  1. allow traffic to/from dns and ISE PSN
  2. allow traffic to/from dns, ise and other resources (for instance for posturing/remediation)
  Please note that you cannot "dynamically" assign ACLs to FlexConnect APs/Groups as part of the transition from central webauth reqd to RUN.  The WebPolicies ACLs are the only ones that can override (think of them like pre-auth acls).  Once you finally send back the access-accept for the client you can not apply dynamic acls to the particular wlan/vlan.
  For instance if you needed differentiated access on a single network between guest and vendors, you couldn't send an access-accept back with an ACL for vendors vs an ACL for guests - in a FlexConnect environment.  They would have to be placed on separate networks with their respective access.
  It's possible this type of configuration (much desired) will be allowed in 7.5 whenever it rears its head.

• Cisco ISE - Guest Access With Google Chrome

  We've implemented the self provisioning guest portal/Guest SSID and it seems to work great for internet explorer, if a user uses Google Chrome to go through the setup the password is generated, they login and accept the terms and conditions, but then they get hung up on the WLC URL and then have to start self provisioning again.
  Any ideas?

  Please check the below browser requirements :
  Supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals
  These Cisco ISE portals support the following operating system and  browser combinations. These portals require that you have cookies  enabled in your web browser.
  Table 8     Supported Operating Systems and Browsers
  Supported Operating System Browser Versions
  Google Android 1 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
  •Native browser
  Apple iOS 6, 5.1, 5.0.1, 5.0
  •Safari 5, 6
  Apple Mac OS X 10.5, 10.6, 10.7, 10.8
  •Mozilla Firefox 3.6, 4, 5, 9
  •Safari 4, 5, 6
  •Google Chrome 11
  Microsoft Windows 82
  •Microsoft IE 10
  Microsoft Windows 73
  •Microsoft IE 9
  •Mozilla Firefox 3.6, 5, 9
  •Google Chrome 11
  Microsoft Windows Vista, Microsoft Windows XP
  •Microsoft IE 6, 7, 8
  •Mozilla Firefox 3.6, 9
  •Google Chrome 5
  Red Hat Enterprise Linux (RHEL) 5
  •Mozilla Firefox 3.6, 4, 5, 9
  •Google Chrome 11
  Ubuntu
  •Mozilla Firefox 3.6, 9

• Cisco ISE windows workstation endpoint profiling

  Hi all,
  i am configuring cisco ISE to autenticate wireless clients using 802.1x . AP's are all lightweight managed by a cisco 5508 WLC . I would like to discriminate users accessing that wlan using mobile phones or tablet from users connecting using windows workstations. ISE profiles all mobile devices in the right way, iphones and ipad are profiled as apple devices and even MAC OSX devices are profiled correctly. The problem is that all windows workstation are profiled as unknown devices.In ISE i'm using windows workstation default profile configuration.
  what can i check to make windows workstation profile working correctly?
  Thanks in advance.
  Regards

  i noticed that default profile for microsoft workstations uses dhcp probe to profile devices, so i solved the issue adding in our core switch, to the vlan interface used to tag dot1x wireless lan,  ise ip address as ip helper-address. I don't know if that is the best solution or there's something i can do on WLC to avoid adding ip helper-address on vlan interface but this worked for me.
  Thanks to all for helping me.
  Regards

• We have developed a desktop application using Flash software and published the same for MAC environment. When we double click on the index.app file, the application is working perfectly in Mac 10.6.7 at our office. But if the same index.app file is double

  We have developed a desktop application using Flash software and published the same for MAC environment. When we double click on the index.app file, the application is working perfectly in Mac 10.6.7 at our office. But if the same index.app file is double clicked in Mac 10.6.7 at out clients location, its not opening. For your information the client is able to open this same application by double clicking on index.swf file. The main problem is that client is not able to open the application using index.app file at their office whereas we are able to do so at our office. Can anyone give some suggestions to sort this problem?

  The most common reason is different versions of Flash, or different versions of web browsers used.  Some users may elect to not have Flash installed at all because of the processor overhead of Flash.  If you are going to make an application for a client, check what operating system and browser versions they are using first.  Then determine if a stand alone application is required, or if they have the necessary plugins to run specific browser enhanced code.
  P.S. MAC is an acronym for Media Access Control.  Mac is the shorthand for Macintosh, the operating system and computers made by Apple Inc.