Cisco ISE Licence Historical Usage

Similar Messages

• Cisco ISE Active Endpoint Usage Reset

  Hi,
  I have a Cisco ISE running version 1.1 and I was wondering if it may be possible to reset the license usage/active endpoint shown on the dashboard? This was noticed after a restore of ISE due to replacement of hardware and I noticed that the license usage count/active endpoints does not seems to go down.
  The following methods have been tried however without any success:
  1. Reboot ise server/service
  2. Disable all network devices making use of ise such that there are no clients/devices accessing it; example switch/wlc/etc...
  3. Deleted all endpoints usage in identies/identies group
  4. Disable profiling on ise
  As the ise has been installed with a base license; not too sure if it may be either a bad restore (all service/application are working though) / bad radius accounting which does not timed out on the ise / etc...
  Any help is appreciated on how to reset the active endpoint/license usage.
  Thanks.                  

  Here is a method for removing the stale records. Please give this a try:
  http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1072950
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE usage quotas

  Hi All,
  I need to know if usage quotas are supported on cisco ISE, after doing some researches I found that it was supported on ACS 4.x and remoced from ACS 5.x. In bried, we need to be able to assign and track volume and time based quotas for users accessing either via switches, WLC or remotely
  Regards,

  Afaik there's no quota, but I think you could use a little trick (and I remark I'm guessing a little here)
  You can configure ACcess Settings > Max Session  User Settings
  And then you can configre System Administration > Max User Session Global Settings > Max User Session Timeout
  Max User Session Timeout Settings
  Unlimited Session Timeout
  No timeout.
  Max User Session Timeout
  Once the session timeout is reached, ACS sends a fake STOP  packet to close the respective session and update the session count.
  Note The user is not  enforced to logout in the device.
  So I guess if you want a "quota" of 3 hours you can configure "max user session timeout" of 1 hour and set "Max session user setting" of 3.
  But if you logout I guess the "quota" reverts to zero, so there's no "acummulative quota". I repeat I'm guessing here, sadly I don't have time right now to test it.
  Kind regards

• Increment Cisco ISE Base Licence

  Hi guys,
  I have an implementation where our client purchase two L-ISE-BSE-1K= and two L-ISE-ADV3Y-1K=. The ISE implementation is on version 1.2. I remember that on previous version if we tryed to increment the licence count with separete licences, we obtain a error uploading the licences base and advenced.
  Now in version 1.2, I can see that the advanced licences are incremental, taking in mint that the endpoint count of advanced licence is not greather than the base licenced. My doubt is, If I install firts one base licence of 1K,  Could I install after the other one licence of 1K and then have 2K endpoints wiht base licence? The base licence is incremental too?
  Thanks for your attention on this matter.

  Hi ,
   License for your Part No is perpetual , for Maintenance & technical support there is separate package , kindly take support from cisco presale team .  
  License Type
  Features Supported
  Deployment Type Supported
  License Prerequisite
  License Term(s)
  Base license
  AAA
  Guest provisioning
  Link encryption policies
  Wired
  Wireless
  VPN
  Perpetua
  Cisco Advanced Services Fixed - Price Part Number
  Product Description
  ASF-CORE-ISE-DSGN
  Cisco ISE Design Service Package
  ASF-CORE-ISE-POC
  Cisco ISE Design and Proof-of-Concept Service Package
  For Presales Assistance
  For Cisco presales support, please consult the help desk. The help desk is open 24 hours Monday through Friday, in all countries.
  ● Phone: 408 902-4872
  ● Email: [email protected]
  ● Live chat: http://tinyurl.com/sacise
  For More Information

• Cisco ISE Base Licence: L-ISE-BSE-100=

  Hi, my customer operates himself a VM for Cisco ISE, so he needs no smartnet service thats ok. Now he needs L-ISE-BSE-100= (Base Licence) 100 teers. Question: Can he gets during 5 year maintenance time updates and tecnical support for free??

  Hi ,
   License for your Part No is perpetual , for Maintenance & technical support there is separate package , kindly take support from cisco presale team .  
  License Type
  Features Supported
  Deployment Type Supported
  License Prerequisite
  License Term(s)
  Base license
  AAA
  Guest provisioning
  Link encryption policies
  Wired
  Wireless
  VPN
  Perpetua
  Cisco Advanced Services Fixed - Price Part Number
  Product Description
  ASF-CORE-ISE-DSGN
  Cisco ISE Design Service Package
  ASF-CORE-ISE-POC
  Cisco ISE Design and Proof-of-Concept Service Package
  For Presales Assistance
  For Cisco presales support, please consult the help desk. The help desk is open 24 hours Monday through Friday, in all countries.
  ● Phone: 408 902-4872
  ● Email: [email protected]
  ● Live chat: http://tinyurl.com/sacise
  For More Information

• How Cisco ISE 1.2 Base licenses are consumed and tracks concurrent endpoint connected to network

  Hello
  I am interested to know how the cisco ISE 1.2 base licences are consumed. As the cisco ise 1.2 user guide "The Base License is consumed whenever an authentication notification is received by Cisco ISE."
  Based on the above statement i have following queries :-
  Radius being the UDP based request, its only during the time endpoint is authenticated and authorized the base license is consumed and then its is released. Then how does cisco ISE tracks the concurrent endpoints connected to the network.
  Thanks
  Kumar

  thanks for the reply Tarik.
  As I understand, you mean that a base license is consumed by every radius authentication request and then the license is free to be utilised again
  Also would this means if Radius accounting is turned off, then concurrent sessions will not be tracked.
  Thanks
  Kumar

• Cisco ISE with TACACS+ and RADIUS both?

  Hello,
  I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
  Bob

  Hello Robert,
  I believe NO, they both won't work together as both TACACS and Radius are different technologies.
  It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
  For your reference, I am sharing the link for the difference between TACACS and Radius.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
  Moreover, Please review the information as well.
  Compare TACACS+ and RADIUS
  These sections compare several features of TACACS+ and RADIUS.
  UDP and TCP
  RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
  TCP transport offers:
  TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
  TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
  Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
  TCP is more scalable and adapts to growing, as well as congested, networks.
  Packet Encryption
  RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
  TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
  Authentication and Authorization
  RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
  TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
  During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
  Multiprotocol Support
  RADIUS does not support these protocols:
  AppleTalk Remote Access (ARA) protocol
  NetBIOS Frame Protocol Control protocol
  Novell Asynchronous Services Interface (NASI)
  X.25 PAD connection
  TACACS+ offers multiprotocol support.
  Router Management
  RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
  TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
  Interoperability
  Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
  Traffic
  Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).

• Do I need Cisco ISE VM Part # L-ISE-VM-K9= for ESXi installation

  Hi there,
  Do I need the L-ISE-VM-K9 license to install Cisco ISE on an ESXi ?
  Actually, Cisco ISE can be downloaded with an Eval License for 90 days.
  I know, ISE license (e.g. Base License) is needed.
  Thanks a lot.
  Greetings,
  Norbert

  Just in case you you would like to see the specification of each licence.
  License Type
  Features Supported
  Deployment Type Supported
  License Prerequisite
  License Term(s)
  Base License
  AAA
  Guest Provisioning
  Link Encryption Policies
  Wired
  Wireless
  VPN
  Perpetual
  Advanced License
  Device Onboarding/Provisioning
  Device Profiling and Feed Service*
  Host Posture
  Security Group Access
  Integrated Vendor MDM Support*
  Wired
  Wireless
  VPN
  Base License
  3- and 5-Year Terms
  Wireless License
  Device Onboarding/Provisioning
  AAA
  Guest Provisioning
  Link Encryption Policies
  Device Profiling and Feed Service*
  Host Posture
  Security Group Access
  Integrated Vendor MDM Support*
  Wireless
  3- and 5-Year Terms
  Wireless Upgrade License
  Device Onboarding/Provisioning
  Authentication/Authorization
  Guest Provisioning
  Link Encryption Policies
  Device Profiling
  Host Posture
  Security Group Access
  Wired
  Wireless
  VPN
  Wireless License
  3- and 5-Year Terms
  Cisco ISE Functionality-Based License Options
  License Tiers (T)
  Number of Endpoints Supported
  Base License
  Advanced 3-Year License
  Advanced 5-Year License
  Wireless 3-Year License
  Wireless 5-Year License
  Wireless Upgrade 3-Year License
  Wireless Upgrade 5-Year License
  100
  100 Endpoints
  L-ISE-BSE-100=
  L-ISE-ADV3Y-100=
  L-ISE-ADV5Y-100=
  L-ISE-AD3Y-W-100=
  L-ISE-AD5Y-W-100=
  L-ISE-W-3UPG-100=
  L-ISE-W-UPG-100=
  250
  250 Endpoints
  L-ISE-BSE-250-
  L-ISE-ADV3Y-250=
  L-ISE-ADV5Y-250=
  L-ISE-AD3Y-W-250=
  L-ISE-AD5Y-W-250=
  L-ISE-W-3UPG-250=
  L-ISE-W-UPG-250=
  500
  500 Endpoints
  L-ISE-BSE-500=
  L-ISE-ADV3Y-500=
  L-ISE-ADV5Y-500=
  L-ISE-AD3Y-W-500=
  L-ISE-AD5Y-W-500=
  L-ISE-W-3UPG-500=
  L-ISE-W-UPG-500=
  1000
  1000 Endpoints
  L-ISE-BSE-1K=
  L-ISE-ADV3Y-1K=
  L-ISE-ADV5Y-1K=
  L-ISE-AD3Y-W-1K=
  L-ISE-AD5Y-W-1K=
  L-ISE-W-3UPG-1K=
  L-ISE-W-UPG-1K=
  1500
  1500 Endpoints
  L-ISE-BSE-1500=
  L-ISE-ADV3Y-1500=
  L-ISE-ADV5Y-1500=
  L-ISE-AD3Y-W-1500=
  L-ISE-AD5Y-W-1500=
  L-ISE-W-3UPG-1500=
  L-ISE-W-UPG-1500=
  2500
  2500 Endpoints
  L-ISE-BSE-2500=
  L-ISE-ADV3Y-2500=
  L-ISE-ADV5Y-2500=
  L-ISE-AD3Y-W-2500=
  L-ISE-AD5Y-W-2500=
  L-ISE-W-3UPG-2500=
  L-ISE-W-UPG-2500=
  3500
  3500 Endpoints
  L-ISE-BSE-3500=
  L-ISE-ADV3Y-3500=
  L-ISE-ADV5Y-3500=
  L-ISE-AD3Y-W-3500=
  L-ISE-AD5Y-W-3500=
  L-ISE-W-3UPG-3500=
  L-ISE-W-UPG-3500=
  5000
  5000 Endpoints
  L-ISE-BSE-5K=
  L-ISE-ADV3Y-5K=
  L-ISE-ADV5Y-5K=
  L-ISE-AD3Y-W-5K=
  L-ISE-AD5Y-W-5K=
  L-ISE-W-3UPG-5K=
  L-ISE-W-UPG-5K=
  10,000
  10K Endpoints
  L-ISE-BSE-10K=
  L-ISE-ADV3Y-10K=
  L-ISE-ADV5Y-10K=
  L-ISE-AD3Y-W-10K=
  L-ISE-AD5Y-W-10K=
  L-ISE-W-3UPG-10K=
  L-ISE-W-UPG-10K=
  25,000
  25K Endpoints
  L-ISE-BSE-25K=
  L-ISE-ADV3Y-25K=
  L-ISE-ADV5Y-25K=
  L-ISE-AD3Y-W-25K=
  L-ISE-AD5Y-W-25K=
  L-ISE-W-3UPG-25K=
  L-ISE-W-UPG-25K=
  50,000
  50K Endpoints
  L-ISE-BSE-50K=
  L-ISE-ADV3Y-50K=
  L-ISE-ADV5Y-50K=
  L-ISE-AD3Y-W-50K=
  L-ISE-AD5Y-W-50K=
  L-ISE-W-3UPG-50K=
  L-ISE-W-UPG-50K=
  100,000
  100K Endpoints
  L-ISE-BSE-100K=
  L-ISE-ADV3Y-100K=
  L-ISE-ADV5Y-100K=
  L-ISE-AD3Y-W-100K=
  L-ISE-AD5Y-W-100K=
  L-ISE-W-3UPG-100K=
  L-ISE-W-UPG-100K=
  Cisco ISE Functionality-Based License Options
  License Type
  License SKU
  Base License
  L-ISE-BSE-[T]=
  Advanced 3-Year License
  L-ISE-ADV3Y-[T]=
  Advanced 5-Year License
  L-ISE-ADV5Y-[T]=
  3-Year Wireless License
  L-ISE-AD3Y-W-[T]=
  5-Year Wireless License
  L-ISE-AD5Y-W-[T]=
  3-Year Wireless Upgrade License
  L-ISE-W-3UPG-[T]=
  5-Year Wireless Upgrade License
  L-ISE-W-UPG-[T]=
  Replace [T] with the appropriate license tier from Table 5 and 6.
  Jatin Katyal
  - Do rate helpful posts -

• Remote Access VPN posturing with Cisco ISE 1.1.1

  Hi all,
  we would like to start using our ISE for Remote VPN access.
  We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
  That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
  I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
  We do intend to by Cisco ASR's aswell, but I am sceptical of this as i do not know how many VPN licenses you get out of the box. The ASA's we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
  I know ISR's are support NADs but what about ASRs? There is no mention.
  Any advise will be appreciated!
  Mario

  OK, I have come accross the Cisco Validated design for BYOD and in there it has a section about Authenticating VPNs.
  thats great... however it does not mention using the Inline posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
  essentially my requirements are
  2-factor authentication VPN using a Certificate & RSA Token
  Posturing of the VPN endpoint.
  Ideally i would like to use IPSec VPNs as i have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
  Can anyone help?
  Mario

• Multiple domains authentication on Cisco ISE

  Hi,
  Does the current Cisco ISE supports for authenticating on multiple Active Directories ?
  I can only set Cisco ISE to join on single active directory and LDAP
  Does anyone have set Cisco ISE to support EAP-FAST with WPAD or PAC provisioning ?
  Thanks
  Pongsatorn

  Hi,
  We are into a situation where we need to authenticate users of two domains and these two domains are completely independent (no common DNS server). ISE is not able to resolve one of the domain using the DNS server settings and Adding a host entry for the domain name is not sufficient since Kerberos, GC and LDAP SRVs need to be resolvable as well.
  From what I know ISE 1.3 should supports disjointed domains and there is no requirement for ISE to have 2 way trust relationship with domains.
  Please share your experience if someone has faced similar situation before.
  Regards,
  Akhtar

• Cisco ISE trying to posture a device that should not be able to be postured

  Overview:
  Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.
  Mobile device authorisation policy configured:
  Problem:
  A few days later, mobile devices doesn't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE is classifies  mobile devices as Posturable. The Posture Status previously was "NotApplicable" now shows up as "Pending". See below.
  Troubleshooting:
  I tried a total of 4 different mobile devices. 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids starting working and have the PostureStatus of "NotApplicable", no configuration changes were made. The 2 Apple device still doesn't work and show up as "Pending".
  I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.
  Have any of you guys experienced this before?

  Hi,
  I have also experienced the same issues as yourself and would recommend opening a tac case. However I have used the device registration web portal to redirect all previous detected mobile devices to accept the aup and have them statically assigned to an endpoint group so they do not hit this scenario.
  I know it is a workaround but its the only way i could get this to work and not affect devices that were one time detected as such.
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE 1.2 MDM Integration Question

  I have a working Cisco ISE 1.2.1 install which I've performed the integration to our MobileIron server. The "integration test" reports that the integration is good, but whenever ISE verifies MDM compliance, registration, etc.. with MobileIron when a mobile device connects it always reports that all statuses are good even if they aren't.
  My test phone is out of compliance on Mobileiron because of an unapproved app, but when the phone connects ISE believes the MDM compliance status is good. I'm not sure if it isn't really checking with MDM or if the Mobileiron server is reporting erroneous results.
  I also saw in a video that the phone has to be registered with MobileIron through ISE. Is this correct? I don't plan to on-board devices with MobileIron through ISE, it will be done directly through MobieIron (not connected to the Wifi network).
  I only want ISE to check the compliance status of the device against MobileIron and quarantine if it isn't compliant or MDM registered.
  Any help would be appreciated

  Saurav and others,
  Unfortunately, on-boarding sets some attribute fields on the endpoints that will then allow them to participate in a policy. It is nice that we all have MDM integration working but we almost need another class of on-boarding for corporate devices that are already in the MDM of choice (where we prefer to manage them!) 
  There is a little documented feature in ISE. 
  It appears to me that;
  the on-boarding turns on the following states for the endpoint;
  BYODRegistration
  No   ( No becomes Yes)
  DeviceRegistrationStatus
  NotRegistered   (becomes Registered)
  ( The device is actually registered in MobileIron - this means did ISE register with MI. )
  No MI attributes will work without this magic. TAC engineers I have dealt with don't seem to understand this feature.
   This is definitely an enhancement that is needed.   

• Cisco ISE 1.2 Patch 6 -- 8 Update failed

  Hi all,
  I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
  Important notice : I though that this error could be an unlucky try but i've tested the update two time.
  Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
  The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
  On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
  The symptoms after this error are :
  - Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
  - The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
  - GUI Unavailable
  - MAB Auth is working
  - Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
  - Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
  The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
  My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
  Thanks for your help.

  This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
  2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
  2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...
  2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.
  2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
  pl/StaticLoggerBinder.class]
  2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
  8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
  2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
  2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
  2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

• Cisco ISE 1.2.x with Posture Configuration - Windows Patches

  Hi, Anybody has any experience in integrating Cisco ISE Posture with Microsoft SCCM?
  With WSUS this works fine, but with SCCM I don't have any idea how to proceed. Anybody knows what it's included in the predefined rules
  pr_WSUSRule and pr_WSUSCheck? I can't find any information in ISE Console or Cisco documentation.
  Thanks.

  Once agent performs the posture checks containing the windows hotfix checks, if the administrator configured the Launch Program Posture Remediation , agent will launch the script file which will initiate the windows hotfix updates via SCCM client configuration manager pre-installed/pre-configured on the box.

• Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

  Need help from ISE experts/gurus in this forum.
  Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stopping working completely and a reboot is required (very nice bug from cisco) .  This leaves me no choice but to upgrade to version 1.2.0.899-2-85601. 
  Scenario: 
  - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
  - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
  - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
  - node 3 is Policy service node - hostname is node3
  - node 4 is Policy service node - hostname is node4
  Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
  My understand  is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
  to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
  upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
  Can I patch my exsiting environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
  I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
  I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
  Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
  step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
  Propose solution:
  step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
  step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
            form a new ISE 1.2 cluster independent of the old cluster,
  step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
  step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
  step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
  step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
  step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
  step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
  step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
  Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
  step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  does these steps make sense to you?
  Thanks in advance.

  David,
  A few answers to your questions -
  Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
  https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
  You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli commmand to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at at time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
  Every ISE upgrade that I have attempted as not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
  I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
  I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
  I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
  Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
  Once the restore finished, I then restored the certificate and picked one of the PSNs
  backup the cert,
  Had the AD join user account handy
  reset-db,
  and run the upgrade script.
  Once that is done I then restore the cert
  Join the PSN to the new deployment
  Join both nodes to AD through primary admin node
  Monitor for a few days (seperate consoles to make sure everything runs smooth)
  If anything doesnt look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and the the last admin node.
  Thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*