Cisco ISE: Non-compliant Timer for Users

Dear Folks,
What is the time for the non-compliant user state? How long does a user stay in the non-compliant state, and how can the time be changed?
Kindly respond fast.
Thanks,
Regards,
Mubasher

Posture Compliance Dashlet
The Posture Compliance dashlet summarizes the posture compliance in percentage, and Mean Time To Remediate (MTTR) data for the last 24 hour period, as well as 60 minutes from the current system time. It refreshes data every minute and displays it on the dashlet. You can invoke the Posture Detail Assessment report from the tool tips that are displayed on the 24 hour and 60 minutes spark lines for a specific period. The stack bars display the posture noncompliance distribution of endpoints by operating systems and the reason for failures of the requirements.
The MAC address is used as a key to calculate MTTR.
The dashlet provides you the following distribution details for the last 24 hour period, as well as 60 minutes from the current system time.
Table: Posture Compliance Dashlet (Name: Description)
Passed in percentage: Displays the percentage (passed percentage) of posture compliance of endpoints by using posture compliance and noncompliance of endpoints.
Mean Time to Remediate (MTTR): Displays the mean time difference between endpoints moving from the noncompliant state to the compliant state based on the unique MAC address.
Operating System: Displays the noncompliance distribution by operating system that is running on the client.
Reason: Displays the noncompliance distribution by failures of posture conditions.
Please check the below link for configuration:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html
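
Added example, not part of the reply above and not Cisco code: one way to reproduce the MTTR figure the dashlet describes (mean time from noncompliant to compliant, keyed by MAC address) over the 24-hour and 60-minute windows, and to list endpoints that are still noncompliant. The event layout, the status strings and the rule that an interval counts in the window where its remediation falls are assumptions of this sketch, not ISE behaviour.

```python
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <MAC> <posture status>".
# This layout is an assumption for the example, not an ISE export format.
SAMPLE_EVENTS = """\
2024-05-01T08:00:00 AA:BB:CC:00:00:01 NonCompliant
2024-05-01T08:12:00 AA:BB:CC:00:00:01 Compliant
2024-05-01T09:30:00 aa-bb-cc-00-00-02 NonCompliant
2024-05-01T09:35:00 aa-bb-cc-00-00-02 NonCompliant
2024-05-01T10:00:00 AA:BB:CC:00:00:02 Compliant
2024-05-01T11:50:00 AA:BB:CC:00:00:03 NonCompliant
2024-05-01T11:55:00 AA:BB:CC:00:00:01 NonCompliant
2024-05-01T11:58:00 AA:BB:CC:00:00:01 Compliant
"""


def normalize_mac(mac):
    """Canonicalise a MAC so one endpoint always maps to one key."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_events(text):
    """Parse the constructed log into time-ordered (timestamp, mac, status)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, status = line.split()
        events.append((datetime.fromisoformat(ts), normalize_mac(mac), status))
    return sorted(events)


def remediation_intervals(events):
    """Return (closed, still_open).

    closed: list of (mac, went_noncompliant, became_compliant).
    still_open: dict mac -> time it went noncompliant and has not recovered.
    """
    open_since = {}
    closed = []
    for ts, mac, status in events:
        if status == "NonCompliant":
            # Repeated failures keep the first timestamp of the episode.
            open_since.setdefault(mac, ts)
        elif status == "Compliant" and mac in open_since:
            closed.append((mac, open_since.pop(mac), ts))
    return closed, open_since


def mttr(events, now, window):
    """Mean remediation time for episodes remediated inside [now-window, now]."""
    closed, _ = remediation_intervals(events)
    durations = [(end - start).total_seconds()
                 for _, start, end in closed
                 if now - window <= end <= now]
    if not durations:
        return None
    return timedelta(seconds=sum(durations) / len(durations))


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, 0)
    events = parse_events(SAMPLE_EVENTS)
    print("MTTR 24 h  :", mttr(events, now, timedelta(hours=24)))
    print("MTTR 60 min:", mttr(events, now, timedelta(minutes=60)))
    for mac, since in remediation_intervals(events)[1].items():
        print(f"{mac} noncompliant for {now - since}")
```

Endpoints left in `still_open` never contribute to MTTR, so a low MTTR alone does not show that every endpoint has remediated.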

Similar Messages

  • Cisco ISE: HotFix and Timers for 802.1x (EAP-TLS)

    Hi,
    I found the below Hot-Fix to be set;
    http://blogs.technet.com/b/jeff_stokes/archive/2013/01/24/20-minute-delay-deploying-windows-7-on-802-1x-fix-it-here.aspx
    Kindly let me know what the best time to set on it is. It says 20 minutes. Also, I want to know what corresponding configuration is needed on the switch and ISE to reflect it, or whether none is needed.
    Thanks,
    Regards,
    Mubasher Sultan

    Hello Mubashir,
    Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
    Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer.
    C3750X(config-if-range)#dot1x timeout tx-period 10

  • Cisco ISE disabled all internal Network users

    Hi All,
    Somehow, this morning when we checked on the ISE, all the IP phone users along with the internal users are disabled. We have disabled the password policy to disable the accounts if password is not changed. Our version is 1.2 and no patches. Can anyone please advise on this.
    Wireless authentication for users against AD is ok.
    Thanks

    Requiring Guests to Change Password
    You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.
    You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users. Select the specific internal user from the Network Access Users list and enable the change password check box.
    Before You Begin
    Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.
    Step 2 Check the Guest portal to update and click Edit.
    Step 3 Click the Operations tab.
    Step 4 Check either or both options:
      - Allow guest users to change password
      - Require guest users to change password at expiration and first login
    Step 5 Click Save.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_guest_pol.html#pgfId-1462385

  • How to get users' login logout time for user IDs for a specific date?

    Dear All,
    There is a case where I am being requested to retrieve the Userid, User Name, User Group, User Dept, Date, Login Time, Logout Time for a specific date, for example, 21.05.2009.
    How should I retrieve the information? The user wants to input a specific date and user group and then get back the details mentioned above.
    I tried with SUIM->Users->By Logon Date and Password Change... but I can't specify the date that I want ...
    I tried with SM19 (Security Audit Log), but unfortunately in my system this is not activated.
    I've sought SAP's advice, and they say I need to ask an ABAPer to develop a report in order to get such details....
    Do you guys have any other methods?
    Do you guys know which tables will contain the details as mentioned above?
    Best Regards,
    Ken

    Unfortunately, without the audit log, you're going to have a hard time finding this information. As mentioned, ST03N will give you some information. If your system's daily workload aggregation goes back to the date you require then you'll be able to get a list of all users who logged on that day. ST03N doesn't keep time stamps, just response times.
    My only idea is VERY labor intensive. If your DB admin can retrieve a save of the database from that day then table USR02 will hold a little more information for you. It will contain last login times for that day. If your system backup policy happened to have saved the contents of folder "/usr/sap/<SID>/<instance>/data" then you potentially have access to all the data you require. The stat file will have recorded every transaction that took place during that day. If that file is restored you could use program RSSTAT20 to query against it.
    Good luck and turn on the audit log as it makes your life much easier!

  • Displaying Non-Work time for all resources via a Calendar?

    I am looking for a way to display a calendar or a view of all resources that will show the planned vacation time for each resource based on the "non-work time" set in each resource calendar.

    Hi,
    As workaround solution, through P6 professional you can create a report with choosing
    "Resources" as subject Area and selecting "Time Distributed Data" option and,
    At "Time Intervals Field" you can select "Limit" to be distributed.
    This will give you a tabular report showing resource limit over selected period with selected intervals.
    Regards,
    Marcos

  • GRC AC RAR - long time for user analysis

    Hi all,
    We have scheduled a Risk Analysis at permission level with 2,000 users. Looking at the report log we see that each user is processed in around 2 seconds. The system seems to be frozen at 41% on a specific user. It has now been working on this single user for 2 hours.
    Any suggestions to understand why it happens?
    What can we look at ?
    Andrea

    First of all check the Directory where you are storing the RTA extracts to get populated in RAR analysis engine. Also check the Batch Job daemon from your browser by using the url:   http://<servername>:port/webdynpro/dispatcher/virsa/ccappcomp/BgJobStart?debug=1
    Next check can be at connector level. Try to generate the Rule Set for all the Rule Ids. If the Rule set generation also takes longer time than earlier cases then you may need to check the following notes and their suggestions:
    [Note 1121978 - Recommended settings to improve peformance risk analysis|https://websmp130.sap-ag.de/sap%28bD1lbiZjPTAwMQ==%29/bc/bsp/spn/sapnotes/index2.htm?numm=0001121978&nlang=E]
    [Note 986997 - Risk Analysis & Remediation tuning for optimal performance|https://websmp130.sap-ag.de/sap%28bD1lbiZjPTAwMQ==%29/bc/bsp/spn/sapnotes/index2.htm?numm=0000986997&nlang=E]
    Also based on the DB you are using you may need to check some other notes as well. For e.g.:
    1313116 - Performance issues when running Risk Analysis in RAR w/MaxDB
    Also, to be on the safer side, make sure that you are on the updated support pack level, such as at least SP 14 for AC 5.2 or SP 8 for AC 5.3.
    Regards,
    Dipanjan

  • Non-working time for particular resources

    I have reviewed the suggested answers and they don't seem to fit my case.   Project 2013 Pro.
    I have a particular resource who takes three days off. These days occur in the middle of an 8 day task, fixed duration, on which he is only working 20%. He has his own calendar to deliver this information and I have checked that the days off display in Resource Sheet/Resource Information for that person. The fact that he takes off three days is not shown by the bar in Gantt view (standard time off is set to 'behind task bars').
    If I temporarily change his commitment to 100%, the calculated hours in the task form are 40, showing that the software is recognising his time off, since otherwise it would be 8x8=64. The gap in his work time still doesn't show.  
    Is there a way to show the gap so that I know (well, remember) he is not around for those three days?
    Cheers
    Alan 

    TeamPlanner view shows the resource's nonworking time as it is seen below: 

  • Since updating to iOS5 my iphone 4 has a persistent voicemail password prompt, although I have never set a password.  It comes at non-sensical times for no apparent reason.

    Since updating to iOS 5.0, my iphone 4 has a persistent voicemail password prompt although I have never set a password.  How to shut it off?

    set a password

  • Cisco ISE users self-registration Time Zone

    Hello, everyone!
    I'm configuring ISE Guest portal and I wonder why I need to choose time zone while in self-registration? Where is it used? And how can I disable this parameter from the self-registration page?

    Time profiles provide a way to give different levels of time access to different guest accounts. Sponsors must assign a time profile to a guest when creating an account, but they cannot make changes to the time profiles. However, you can customize them and specify which time profiles can be used by particular sponsor groups. Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
    Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
    DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
    DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
    DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.

  • Cisco ISE posture check for VPN

    Hello community,
    First of all, thank you for taking the time to read my post. I have a deployment which requires the posture check feature on VPN machines from Cisco ISE. I know logically once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the AnyConnect agent, but how about VPN machines? The VPN will be terminated via a VPN concentrator which then connects to an ASA5555X which is deployed as an IPS only. Are there any clues to this?
    Thank you!

    The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.
    The results of the posture validation are then sent to the ISE. If the machine is deemed compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
    http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

  • Saving to SharePoint works only half the time for Windows 7 Users--all the time for Windows XP users

    We have a SharePoint 2010 Environment with hardware load balancing, 2 WFEs, 2 Apps Servers and 1 SQL Server. This was built in October 2013. Office Integration and Saving back to SharePoint works all of the time for users on XP. It works sporadically for users on Windows 7. When Windows 7 users do the following:
    1. Opening an Office Document from computer and saving it to SharePoint
    2. Within a Document Library, using Save As from an opened document
    3. When selecting in a Document Library from the Document Tab> “New” and then the desired content type
    4. Send> Save to SharePoint from within Office Document
    They may either be brought to the SharePoint library (correct) or to My Documents (incorrect).
    In the case of number 1 (Opening an Office Document from computer and saving it to SharePoint)--using Save and Send will sometimes open the SharePoint library and sometimes open My Documents.
    Our URL is https://CompanyName.domainname.com/Sites/SiteCollectionName
    The intermediary "Sites" is actually a blank path.
    When My Documents is opened I've noted with Fiddler (a web debugger) that we get a 404 on sites:
    Could this be the issue?

    Some things to double check:
    Ensure that you have sticky sessions enabled on your load balancer
    Check that your WebDav calls are making it to the server
    Ensure that you have a root site collection in all your web apps
    Just out of curiosity, what does the HTTP request look like for the 404 error?
    Chris Givens CEO, Architecting Connected Systems

  • Central confirmation is taking huge time for particular user in SRM

    Hi Gurus.
    I am facing an issue in the Production system. For some users, Central confirmation is taking a huge amount of time.
    Around 10 users have reported the issue as of now, and it is taking 10 times longer than usual. Any suggestions will be a great help, especially if any users are facing this issue.

    Hi Prabhakar,
    As Konstantin rightly mentioned, kindly check those BADI's implementations especially BBP_WF_LIST. In addition to that, please check whether you are getting any dump as below
    TSV_TNEW_PAGE_ALLOC_FAILED
    Best Regards,
    Bharathi

  • Cisco ISE some Radius issues

    Dear guys,
    I deployed Cisco ISE for Network Access Control. My topology is as described in the attached image. I configured Cisco ISE as the RADIUS server for Client Access Control. But I got some problems, such as:
    No Accounting Start. (I have configured accounting on Switch 2960.)
    Radius Request Dropped (attached image). These NAS IP addresses are servers on the same subnet as Cisco ISE.
    I would greatly appreciate any help you can give me in working this problem.
    Have a nice day,
    Thanks and Regards,

    Sorry for late reply.
    Here is my switch config.
    Current configuration : 8630 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Switch
    boot-start-marker
    boot-end-marker
    no logging console
    enable password ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting delay-start all
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa server radius dynamic-author
     client A.B.C.D server-key keystrings
    aaa session-id common
    system mtu routing 1500
    vtp mode transparent
    ip dhcp snooping
    ip device tracking
    crypto pki trustpoint TP-self-signed-447922560
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-447922560
     revocation-check none
     rsakeypair TP-self-signed-447922560
    crypto pki certificate chain TP-self-signed-447922560
     certificate self-signed 01
      xxxxx
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 139,153,401-402,999,1501-1502
    interface FastEthernet0/11
     switchport access vlan 139
     switchport mode access
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     authentication periodic
     authentication timer inactivity 180
     authentication violation restrict
     mab
    interface FastEthernet0/12
     switchport access vlan 139
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 139
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 180
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
    interface GigabitEthernet0/1
     switchport mode trunk
    interface GigabitEthernet0/2
    interface Vlan1
     no ip address
    interface Vlan139
     ip address E.F.G.H 255.255.255.0
    ip default-gateway I.J.K.L
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     remark Allow DHCP
     permit udp any eq bootpc any eq bootps
     remark Allow DNS
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host A.B.C.D eq 8443
     permit tcp any host A.B.C.D eq 443
     permit tcp any host A.B.C.D eq www
     permit tcp any host A.B.C.D eq 8905
     permit tcp any host A.B.C.D eq 8909
     permit udp any host A.B.C.D eq 8905
     permit udp any host A.B.C.D eq 8909
     deny   ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     permit tcp any any eq www
     permit tcp any any eq 443
     deny   ip any any
    ip radius source-interface Vlan139
    snmp-server community keystrings RW
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host A.B.C.D version 2c keystrings  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
    line vty 5 15
    end
    My switch version is
    WS-2960   12.2(55)SE5 C2960-LANBASEK9-M
    I would greatly appreciate any help you can give me in working this problem.

  • Cisco ISE 1.3 failed to authenticate wireless endpoint

    Dear all,
    I have recently had a big problem with my ISE after upgrading from version 1.2 to 1.3. The original plan for wireless laptops authenticating to our network is as follows.
    There are 2 SSIDs, REG and INT. When the user and laptop use the WiFi for the first time, they need to request a user certificate from the CA, and they need to log in to the REG SSID with an AD username and password. The Wireless controller 2504 will pass the packet to ISE, and the user will use the 802.1x authentication method with PEAP to request the cert. If the authentication is successful, the user needs to open a web browser and the NSP page of ISE will show up for the user to register, and the CA will generate the user cert for the user. Then the SSID will switch to INT, using EAP/TLS to authenticate the user cert with the CA.
    That was fine when working in ISE 1.2. However, we upgraded to 1.3 because the proxy setting in 1.3 allows a username and password to be entered, which our proxy server requires and which cannot be changed. Under 1.3 the authentication fails even in the first step of the authentication policy of ISE. The policy will check if the laptop is using 802.1x and logging in with an AD account, then it will pass to the authorization policy. But when I check the log, there are always the error messages 5411 Supplicant stopped responding to ISE, 12930 Supplicant stopped responding to ISE after sending it the first PEAP message, 5440 Endpoint abandoned EAP session and started new
    I have searched for a long time on the Internet but without finding any help. I would appreciate it if any expert can help me. I have also uploaded the debug message from our ISE for reference.
    Thank you
    Best Regards,
    Terry Chow

    Hi Terry,
    Just wondering if you got an answer to your problem?
    I am deploying a new solution with ISE 1.3 and I was having a similar problem with my wireless users when I tried to enable it last night
    Cheers,
    John

  • Integration Safeword with Cisco ISE

    Hi,
    We have a Domain Integrated Safeword application, which was installed on our Domain Controller. Safeword requests were sent over the Radius Port to the NPS server, and from there over Port 5040 to the Safeword application. This works without any problems.
    Now we would like to integrate the Cisco ISE with Safeword. Because there is a checkbox "Safeword Server" at the Radius Token Identity Source, I thought that it is possible to communicate directly with the Safeword application, but it is not working.
    Has anyone already implemented this?
    T&R
    Frank

    Symptoms or Issue
    • Unsuccessful RADIUS or AAA functions in Cisco ISE
    • The NAD is unable to ping the Policy Service ISE node
    Conditions
    This scenario is applicable in a system in which Cisco ISE is configured to perform user authentication via an external RADIUS server on the network.
    Possible Causes
    The following are possible causes for losing connectivity with the RADIUS server:
    • Network connectivity issue or issues
    • Bad server IP address
    • Bad server port
    Resolution
    If you are unable to ping the Policy Service ISE node from the NAD, try any or all of these possible solutions:
    • Verify the NAD IP address
    • Try using Traceroute and other appropriate "sniffer"-type tools to isolate the source of disconnection. (In a production environment, be cautious of overusing debug functions, because they commonly consume large amounts of available bandwidth and CPU, which can impact normal network operation.)
    • Check the Cisco ISE "TCP Dump" report for the given Policy Service ISE node to see if there are any indications.
