Cisco ISE - iPhone SSL

Hello,
I've setup successfully my Cisco WLC / ISE integration to authenticate users AD with 802.1x.
I've also created a CSR, purchased my SSL, imported, etc.. all is well, except from an apple product the SSL says "not verified" when they "accept" it.
It still works, but just for the sake being anal retentive, any idea why that is? I've imported the intermediates as well. I even created an external dns record to see if it was validating external dns via cell service.
Any help would be great.

Here is a list of trusted certificates for "i" devcies that are loaded ..
http://support.apple.com/kb/ht5012
Humm this adds to my question, entrust is on the list :/
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Similar Messages

Remote Access VPN posturing with Cisco ISE 1.1.1

Hi all,
we would like to start using our ISE for Remote VPN access.
We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
We do intend to by Cisco ASR's aswell, but I am sceptical of this as i do not know how many VPN licenses you get out of the box. The ASA's we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
I know ISR's are support NADs but what about ASRs? There is no mention.
Any advise will be appreciated!
Mario

OK, I have come accross the Cisco Validated design for BYOD and in there it has a section about Authenticating VPNs.
thats great... however it does not mention using the Inline posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
essentially my requirements are
2-factor authentication VPN using a Certificate & RSA Token
Posturing of the VPN endpoint.
Ideally i would like to use IPSec VPNs as i have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
Can anyone help?
Mario

Cisco prime 2.1 / 2.2 support for Cisco ise 1.3 ?

Hi, I just tried to connect cisco PI 2.1 to cisco ISE 1.3, but fails.
I read the release Notes, only ISE 1.2 ist supported.
But I was wondering that the ssl handshake fails (I have done a packet capture).
So PI 2.1 has not tried to connect to ise 1.3 via api, because of the connection fails at the ssl handshake stage.
Anyway, does anybody know if ISE 1.3 will be supported with PI 2.2 or a version of PI 2.1.x ?

Why doesn't the REST API communication in Prime 2.1 (2.1.0.0.87) support TLS? The platform itself seem to be able to handle TLS-DHE-RSA with AES-128-CBC-SHA. Why is it trying to use SSLv2 ?
These protocol is incompatible and very much outdated: http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0
Can this behavour be reconfigured in CLI or at least be allowed in ISE 1.3 to make a workaround until a working patch or upgrade is done? Could or should adding the Cisco Prime server as managed node in ISE circumvent the incompability?

MAC OS X unable to download Cisco ISE supplicant agent

Hi,
I have a problem with MAC OS X clients unable to download the Cisco ISE supplicant agent using Safari browser but able to login on the ISE guest portal. If the same client was to login to the ISE guest portal using Firefox; it has no issues downloading the ise supplicant and posture agent.
I have tried to update the Java version on the client to the latest; however it does not resolve the issue. As I am new to MAC OS clients; I was wondering what may be the cause of the issue?
I have summarized the issue as follows:
1. MAC OS X 10.8 with safari 6 -- unable to download agent but can login successfully on the Cisco ISE guest portal
2. MAC OS X 10.8 with Firefox -- able to login to Cisco ISE guest portal and download agents; no issues
3. MAC OS X 10.7 with safari and firefox --- unable to download agent but can login successfully on the Cisco ISE guest portal
4. Windows XP & Windows 7 & Iphone/Ipad/Android -- able to login/download agent without any issues
Any suggestions is appreciated.
Thanks.

For Agent Download Issues on Client Machine
• Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the
policy identity group, conditions, and type of agent(s) defined in the policy.
(Also ensure whether or not there is any agent profile configured under Policy >
Policy Elements > Results > Client Provisioning > Resources > Add > ISE
Posture Agent Profile, even a profile with all default values.)
• Try reauthenticating the client machine by bouncing the port on the access
switch.
Remember that the client provisioning agent installer download requires the following:
• The user must allow the ActiveX installer in the browser session the first time an agent is installed
on the client machine. (The client provisioning download page prompts for this.)
• The client machine must have Internet access.
Client Machine Operating Systems and Agent Support in Cisco ISE
Check the following link
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp95449

Cisco ISE authentication failed because client reject certificate

Hi Experts,
I am a newbie in ISE and having problem in my first step in authentication. Please help.
I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
Regards,
Ratna

Certificate-Based User Authentication via Supplicant Failing
Symptoms or
Issue
User authentication is failing on the client machine, and the user is receiving a
“RADIUS Access-Reject” form of message.
Conditions (This issue occurs with authentication protocols that require certificate validation.)
Possible Authentications report failure reasons:
• “Authentication failed: 11514 Unexpectedly received empty TLS message;
treating as a rejection by the client”
• “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
the client rejected the Cisco ISE local-certificate”
Click the magnifying glass icon from Authentications to display the following output
in the Authentication Report:
• 12305 Prepared EAP-Request with another PEAP challenge
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is reusing an existing session
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the
client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the
client
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is re-using an existing session
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12815 Extracted TLS Alert message
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
Cisco ISE local-certificate
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
Note This is an indication that the client does not have or does not trust the Cisco
ISE certificates.
Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
The client machine is configured to validate the server certificate, but is not
configured to trust the Cisco ISE certificate.
Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

Cisco ISE windows workstation endpoint profiling

Hi all,
i am configuring cisco ISE to autenticate wireless clients using 802.1x . AP's are all lightweight managed by a cisco 5508 WLC . I would like to discriminate users accessing that wlan using mobile phones or tablet from users connecting using windows workstations. ISE profiles all mobile devices in the right way, iphones and ipad are profiled as apple devices and even MAC OSX devices are profiled correctly. The problem is that all windows workstation are profiled as unknown devices.In ISE i'm using windows workstation default profile configuration.
what can i check to make windows workstation profile working correctly?
Thanks in advance.
Regards

i noticed that default profile for microsoft workstations uses dhcp probe to profile devices, so i solved the issue adding in our core switch, to the vlan interface used to tag dot1x wireless lan, ise ip address as ip helper-address. I don't know if that is the best solution or there's something i can do on WLC to avoid adding ip helper-address on vlan interface but this worked for me.
Thanks to all for helping me.
Regards

Multiple domains authentication on Cisco ISE

Hi,
Does the current Cisco ISE supports for authenticating on multiple Active Directories ?
I can only set Cisco ISE to join on single active directory and LDAP
Does anyone have set Cisco ISE to support EAP-FAST with WPAD or PAC provisioning ?
Thanks
Pongsatorn

Hi,
We are into a situation where we need to authenticate users of two domains and these two domains are completely independent (no common DNS server). ISE is not able to resolve one of the domain using the DNS server settings and Adding a host entry for the domain name is not sufficient since Kerberos, GC and LDAP SRVs need to be resolvable as well.
From what I know ISE 1.3 should supports disjointed domains and there is no requirement for ISE to have 2 way trust relationship with domains.
Please share your experience if someone has faced similar situation before.
Regards,
Akhtar

Cisco ISE trying to posture a device that should not be able to be postured

Overview:
Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.
Mobile device authorisation policy configured:
Problem:
A few days later, mobile devices doesn't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE is classifies mobile devices as Posturable. The Posture Status previously was "NotApplicable" now shows up as "Pending". See below.
Troubleshooting:
I tried a total of 4 different mobile devices. 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids starting working and have the PostureStatus of "NotApplicable", no configuration changes were made. The 2 Apple device still doesn't work and show up as "Pending".
I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.
Have any of you guys experienced this before?

Hi,
I have also experienced the same issues as yourself and would recommend opening a tac case. However I have used the device registration web portal to redirect all previous detected mobile devices to accept the aup and have them statically assigned to an endpoint group so they do not hit this scenario.
I know it is a workaround but its the only way i could get this to work and not affect devices that were one time detected as such.
Tarik Admani
*Please rate helpful posts*

Cisco ISE 1.2 MDM Integration Question

I have a working Cisco ISE 1.2.1 install which I've performed the integration to our MobileIron server. The "integration test" reports that the integration is good, but whenever ISE verifies MDM compliance, registration, etc.. with MobileIron when a mobile device connects it always reports that all statuses are good even if they aren't.
My test phone is out of compliance on Mobileiron because of an unapproved app, but when the phone connects ISE believes the MDM compliance status is good. I'm not sure if it isn't really checking with MDM or if the Mobileiron server is reporting erroneous results.
I also saw in a video that the phone has to be registered with MobileIron through ISE. Is this correct? I don't plan to on-board devices with MobileIron through ISE, it will be done directly through MobieIron (not connected to the Wifi network).
I only want ISE to check the compliance status of the device against MobileIron and quarantine if it isn't compliant or MDM registered.
Any help would be appreciated

Saurav and others,
Unfortunately, on-boarding sets some attribute fields on the endpoints that will then allow them to participate in a policy. It is nice that we all have MDM integration working but we almost need another class of on-boarding for corporate devices that are already in the MDM of choice (where we prefer to manage them!)
There is a little documented feature in ISE.
It appears to me that;
the on-boarding turns on the following states for the endpoint;
BYODRegistration
No ( No becomes Yes)
DeviceRegistrationStatus
NotRegistered (becomes Registered)
( The device is actually registered in MobileIron - this means did ISE register with MI. )
No MI attributes will work without this magic. TAC engineers I have dealt with don't seem to understand this feature.
This is definitely an enhancement that is needed.

Cisco ISE 1.2 Patch 6 -- 8 Update failed

Hi all,
I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
Important notice : I though that this error could be an unlucky try but i've tested the update two time.
Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
The symptoms after this error are :
- Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
- The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
- GUI Unavailable
- MAB Auth is working
- Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
- Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
Thanks for your help.

This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
2014-05-28T10:26:30.023223+00:00 XXXXXXX logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
2014-05-28T10:26:30.311676+00:00 XXXXXXX logger: Loading PKCS11 ...
2014-05-28T10:26:30.978432+00:00 XXXXXXX logger: SLF4J: Class path contains multiple SLF4J bindings.
2014-05-28T10:26:30.978454+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
pl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978502+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978509+00:00 XXXXXXX logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
2014-05-28T10:26:31.638970+00:00 XXXXXXX logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

Cisco ISE 1.2.x with Posture Configuration - Windows Patches

Hi, Anybody has any experience in integrating Cisco ISE Posture with Microsoft SCCM?
With WSUS this works fine, but with SCCM I don't have any idea how to proceed. Anybody knows what it's included in the predefined rules
pr_WSUSRule and pr_WSUSCheck? I can't find any information in ISE Console or Cisco documentation.
Thanks.

Once agent performs the posture checks containing the windows hotfix checks, if the administrator configured the Launch Program Posture Remediation , agent will launch the script file which will initiate the windows hotfix updates via SCCM client configuration manager pre-installed/pre-configured on the box.

Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

Need help from ISE experts/gurus in this forum.
Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stopping working completely and a reboot is required (very nice bug from cisco) . This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
Scenario:
- 4 nodes in the environment running ISE version 1.1.2.145 patch 3
- node 1 is Primary Admin and Secondary Monitoring - hostname is node1
- node 2 is Secondary Admin and Primary Monitoring - hostname is node2
- node 3 is Policy service node - hostname is node3
- node 4 is Policy service node - hostname is node4
Objective: Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
My understand is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601.
Can I patch my exsiting environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
I am trying to get a definite answer from Cisco TAC but it seems like they don't know either.
Question #1: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
Propose solution:
step #1: make ISE node1 to be both Primary Admin and Primary monitoring. ISE node2 is now Secondary Admin and Secondary Monitoring.
         Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring. At this point, apply ISE 1.1.2.145 patch 10
         to ISE node1 via the GUI,
step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3. Once that is completed, verify that node2 is working and accepting traffics,
step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4. Once that is completed, verify that node2 is working and accepting traffics,
Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
Propose solution:
step #1: Make ISE node1 the Primary Admin and Primary monitoring. At this point ISE node2 will become Secondary Admin and Secondary Monitoring
step #2: Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>". Once ISE node2 upgrade is completed, it will
          form a new ISE 1.2 cluster independent of the old cluster,
step #3: Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>". After the upgrade the ISE
          Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
step #4: Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>". After the upgrade the ISE
          Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
step #5: At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
step #6: Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
step #7: Perform the upgrade on the ISE node1 from command line "application upgrade <app-bundle> <repository>"
step #8: Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
step #9: Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
Question #3: How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
Propose solution:
step #1: make ISE node1 to be both Primary Admin and Primary monitoring. ISE node2 is now Secondary Admin and Secondary Monitoring.
         Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring. At this point, apply 1.2.0.899-2-85601
         to ISE node1 via the GUI,
step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3. Once that is completed, verify that node2 is working and accepting traffics,
step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4. Once that is completed, verify that node2 is working and accepting traffics,
does these steps make sense to you?
Thanks in advance.

David,
A few answers to your questions -
Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli commmand to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at at time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
Every ISE upgrade that I have attempted as not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
Once the restore finished, I then restored the certificate and picked one of the PSNs
backup the cert,
Had the AD join user account handy
reset-db,
and run the upgrade script.
Once that is done I then restore the cert
Join the PSN to the new deployment
Join both nodes to AD through primary admin node
Monitor for a few days (seperate consoles to make sure everything runs smooth)
If anything doesnt look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and the the last admin node.
Thanks and I hope that helps,
Tarik Admani
*Please rate helpful posts*

Cisco ISE 1.2.1 deplyomet issue with Anyconnect and Profiling

Hi All,
We are running cisco ise box in 1.2.1 version wherein I am facing below issue while deployment. We are having two ISE boxes where One box act as Primary Admin,Secondary MNT and Policy Service and Second Box act as Secondary Admin,Primary MNT and Policy Service
1) Profiling of Endpoints - HP Laster jet printer 55XX series and scanner profiling are not happing in Cisco ISE 1.2.1 wherein I have enabled below probes in ISE for profiling
RADIUS Probe
SNMP Probe SNMP Trap HTTP Prob and DNS
2) Any-connect issue - We are using any-connect supplicant 3.0.11042 for wired and wireless user profile in windows 7 enterprises 32 bit machine
- Yellow mark issue -  Once authentication , posturing completed we are getting yellow mark on network drive but still we are able to connect to network
- Network Map Drive issue -  Once authentication , posturing completed we are getting red cross mark on Network map drive and if we double click on that drive then its get accessible and red mark turns in to green.
For that we have already allowed Ip level access to all domain in before logon dacl ( Machine authentication )
That would be really great if any one can help me on the same.
Thanks & Regards
Pranav

Hi Pablo ,
Please find below solutions
Yellow mark issue - - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This Service is by default disabled on Windows XP and Widows 8.X operating system. This is only enabled by default on Windows 7 and Windows Vista operating system.
Network Map Drive issue   - Create logon script and deploy it using group policy. Script will check full network connectivity and then map network drives
Regards
Pranav

Coa issue with Cisco ISE 1.2

Hi, i am currently implementing webauth with Cisco ISE for self register, but i am having issue coa. I was able to get non-windows machine to work but with windows i can't push out the url redirection through coa. I have enabled debug and i can see ISE trying to push out the url redirection to the port, however the url was not show when i issue a show authentication session interface gi 1/0/x command. The only issue i can see from the debugging is that the interface failed authorization first then a success authorization right after. Again, the url redirection work on non-windows machine, i have even go as far as disable dot1x supplicant on windows and it still didnt fix the issue.
please see attachment for the debugging i had mention above. If anyone know or had this issue before please let me know how i can resolve this.

finally figured it out. redirection acl was mess up.

I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

I want to integrate SMS gateway to Cisco ISE 1.2 and my question is
SMS notifications are supported for Guest self−registration Services ? or it should be done by Sponsor

I'm not sure I understand the question. Do you want to log in to the Sponsor Portal using AD credentials?
Create an Identity Source Sequence using AD as an Authentication Source. Go to Administration > Identity Management > Identity Source Sequences. Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings. Double-click Sponsor from the Left Menu and click Authentication Source. Choose the Identity Source Sequence. Click Save.
I hope this helps.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton

Cisco ISE - iPhone SSL

Similar Messages

Maybe you are looking for