Cisco ISE profiling - Split Corporate/Guest access

Hello all,
I am currently deploying a Cisco ISE for my wireless network and I would like to split my WLAN into two different "authorization profiles": Guest and Corporate.
For the moment, I use my Active Directory to authenticate users and profiling to authorize devices by hostname. I would like to classify by domain name with the DHCP probe, but I can't, because there is always a DHCP response message with the domain name given by the DHCP server. Do you have a solution to separate devices by domain name or by other attributes?
Thanks in advance for your answer!

Thanks for your answer salodh,
I've already created two authorization profiles (Guest and Corporate) based on rules using Active Directory and a profiling condition, but I would like more profiling conditions (not only hostname) to split corporate and guest devices clearly.

Similar Messages

  • Cisco ISE 1.2 - BYOD Guest Access Error with Certificate

    Hi all !
    I'm running on Cisco ISE 1.2. I'm trying to setup BYOD (dual SSID).
    Here's a walkthrough of what's happening:
    1. I connect to the open SSID, enter username/password and register the MAC.
    2. I download the WinSPwizard and get the trusted root CA, but the WinSPwizard errors out.
    This is the spwprofilelog:
    [Wed Oct 01 11:27:17 2014] Installed [pvgas-DC-CA, hash: d0 ad c2 1e 19 b0 8b 61 8a 2d 81 88 da 8a a2 ca da d3 ab e8] as rootCA
    [Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:17 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
    [Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:21 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
    [Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:25 2014] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]
    [Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
    [Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
    [Wed Oct 01 11:27:29 2014] Failed to get certificate from server - Error: [2]
    [Wed Oct 01 11:27:29 2014]  Failed to generate scep request. Error code:
    [Wed Oct 01 11:27:29 2014] ApplyCert - End...
    [Wed Oct 01 11:27:29 2014] Failed to configure the device.
    [Wed Oct 01 11:27:29 2014] ApplyProfile - End...
    [Wed Oct 01 11:27:32 2014] Cleaning up profile xml:  success 
    These are the SCEP RA profiles
    Other Cert
    ACL On WLC
    and policy
    Please help me fix this error.
    Thanks.

  • Cisco ISE profiling - LLDP-MED information

    Hi All
    We have a few IP phones which use LLDP-MED information to send their system description, type, etc. to the switch. This LLDP-MED information can be seen on the Cisco switch, but when ISE does profiling using the SNMP query probe for these endpoints, only limited LLDP information is shown (lldp cache capability etc.).
    Do we have to update any LLDP MIB in ISE, or has anyone come across this issue?
    Thanks
    G

    The list of all LLDP MIBs in ISE is here:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_mib.html#84224

  • Cisco ISE 1.2 Identity GUEST

    Hi there.
    I already have a guest solution on my ISE installation, with the Sponsor and Guest portals enabled. All guest users are created by sponsors with an expiration time of 1 day. This one works fine. (All guest users are on Wireless.)
    I want to create one "special" guest account that doesn't have any expiration time. But I am not sure how to separate that user from the other guest users; how can I build a guest authz. policy that can differentiate between guest users?
    Thanks, 

    You could create an ISE local user with a GUEST membership and, provided you have your ISE password policy set so that it doesn't expire accounts, etc., it would be a "permanent" guest account. We do something similar: sponsors make temporary accounts, while long-term or test guest accounts are created in the ISE local identity store as guests and are processed the same way. You just have to ensure that the internal user store is part of your guest identity source sequence.

  • Warning page on Cisco Wireless Lan Controller for guest access

    Hi,
    We have a Cisco wireless LAN controller 4400 in our organization, and lots of guests using our Wi-Fi network.
    I would like to configure a warning and terms-and-conditions page for when guests use our network for the first time.
    Can you please let me know if that is possible without adding an external web server, and how to configure it?
    Many Thanks in Advance
    Amit Sharma

    Hi Amit,
    Hope you are doing great!!
    The below link will help you get the issue resolved:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00809bdb5f.shtml
    Please don't forget to rate the useful posts!
    Regards
    Surendra

  • Cisco ISE Profiling Policy

    If an endpoint matches multiple Profiling Policies, and each one of the Profiling Policies creates a new and unique Identity Group, which Identity Group will the endpoint be profiled into? My understanding is that an endpoint can only be profiled into a unique Identity Group. Another way of wording the question is: are the Profiling Policies matched top down or some other way? Thanks in advance.

    No problem, Graham. To answer your second question: the attributes that are collected first and trigger a profiling rule would be used first. For instance, let's say that you have a profiling rule with a CF of 100 that is looking for a DHCP class identifier of XYZ, and then a second profiling rule with a CF of 100 that is looking for the MAC OUI of ABC. In this situation, the second rule would be hit first, since the MAC information is collected before the DHCP info is. As a result, the device will be profiled and placed in the endpoint group associated with the second profiling rule until/unless additional attributes are collected that would match a different profiling rule with CF > 100.
    I hope this makes sense.
    Thank you for rating helpful posts!
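The ordering behaviour in this reply, as an added simulation (not Cisco's code; the policy names, CF values, attribute names and the MAC are constructed): a policy match awards a certainty factor, the endpoint takes the group of the first policy it satisfies as attributes arrive, and only a later match with a strictly higher CF moves it.

```python
"""Simulation of the profiling order described in the reply: each policy
awards a certainty factor (CF); an endpoint takes the group of the first
policy it satisfies as attributes arrive, and only a later match with a
strictly higher CF moves it. Constructed example, not Cisco's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str                    # profiling policy name (constructed)
    group: str                   # endpoint identity group it assigns
    cf: int                      # certainty factor when the condition holds
    attribute: str               # probe attribute the condition inspects
    test: Callable[[str], bool]  # condition on that attribute's value


@dataclass
class Endpoint:
    mac: str
    attributes: Dict[str, str] = field(default_factory=dict)
    group: str = "Unknown"
    cf: int = 0
    history: List[Tuple[str, str, int]] = field(default_factory=list)


# Constructed policies mirroring the reply: two CF-100 rules on different
# attributes, plus a stronger hostname rule that can override either.
RULES: List[Rule] = [
    Rule("Corp-Laptop-DHCP", "Corp-Laptops", 100, "dhcp-class-identifier",
         lambda v: v == "XYZ"),
    Rule("Vendor-ABC-OUI", "Vendor-ABC", 100, "oui",
         lambda v: v.upper() == "ABC"),
    Rule("Corp-Hostname", "Corp-Laptops", 110, "host-name",
         lambda v: v.upper().startswith("CORP-")),
]


def best_match(attrs: Dict[str, str], rules: List[Rule]) -> Optional[Rule]:
    """Highest-CF rule whose attribute has been collected and whose
    condition holds; ties keep list order."""
    hits = [r for r in rules
            if r.attribute in attrs and r.test(attrs[r.attribute])]
    return max(hits, key=lambda r: r.cf, default=None)


def learn(ep: Endpoint, attribute: str, value: str,
          rules: List[Rule] = RULES) -> str:
    """Record one newly collected attribute and re-evaluate. The group
    changes only when a matching rule beats the current CF strictly."""
    ep.attributes[attribute] = value
    rule = best_match(ep.attributes, rules)
    if rule is not None and rule.cf > ep.cf:
        ep.group, ep.cf = rule.group, rule.cf
        ep.history.append((attribute, rule.name, rule.cf))
    return ep.group


def profile(mac: str, events: List[Tuple[str, str]]) -> Endpoint:
    """Feed attributes in the order the probes delivered them."""
    ep = Endpoint(mac)
    for attribute, value in events:
        learn(ep, attribute, value)
    return ep


if __name__ == "__main__":
    # Constructed sequence: the OUI (from RADIUS) arrives before the DHCP
    # class identifier, so the OUI rule wins the CF-100 tie and sticks.
    ep = profile("00:11:22:33:44:55",
                 [("oui", "ABC"), ("dhcp-class-identifier", "XYZ")])
    print(ep.group, ep.history)
    # A later host-name matching the CF-110 rule moves the endpoint.
    learn(ep, "host-name", "CORP-LT0042")
    print(ep.group, ep.history)
```

Feeding the same two attributes in the opposite order lands the endpoint in the other CF-100 group, which is the order dependence the reply describes.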

  • Remote Access VPN posturing with Cisco ISE 1.1.1

    Hi all,
    we would like to start using our ISE for Remote VPN access.
    We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
    That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
    I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
    We do intend to buy Cisco ASRs as well, but I am sceptical of this as I do not know how many VPN licenses you get out of the box. The ASAs we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs, as this again will increase cost.
    I know ISRs are supported NADs, but what about ASRs? There is no mention.
    Any advice will be appreciated!
    Mario

    OK, I have come across the Cisco Validated Design for BYOD, and in there it has a section about authenticating VPNs.
    That's great... however it does not mention using the Inline Posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
    Essentially my requirements are:
    2-factor authentication VPN using a Certificate & RSA Token
    Posturing of the VPN endpoint.
    Ideally I would like to use IPSec VPNs as I already have licenses for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
    Can anyone help?
    Mario

  • Problem to get Web admin access on cisco ISE

    Hi,
    We are currently having problems accessing the Web admin UI of Cisco ISE. After we enter the password, we get this message on screen:
    authentication failed due to zero RBAC group.
    The ISE version that we are using is: 1.1.2.145 patch 3
    Do you have any idea about that?
    Thank you for your attention on this matter.
    Regards.

    In Cisco ISE, RBAC policies are simple access control policies that use RBAC concepts to manage admin access. These RBAC policies are formulated to grant permissions to a set of administrators that belong to one or more admin group(s), which restrict or enable access to perform various administrative functions using the user interface menus and admin group data elements. I think there is a problem with your RBAC policy configuration. Please follow the below links for help.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1282656
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1283009

  • Cisco ISE - General Info. & capabilities

    Hello All,
    I've read quite a bit about ISE features, but would like to know the following:
    1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?
    2. Can it provide details of how much data was transferred from a particular server to a specific client?
    3. For a 1500 user env. (1000 desktops and 500 wireless devices) which model of ISE would be appropriate?
    4. How would having ISE be different from already deployed authentication services like Active Directory or built-in application authentication for solutions like Oracle ERP systems?
    5. I see ISE as being marketed primarily for wireless devices (BYOD), but how would it help for wired devices (or does it become an unnecessary authentication level apart from AD, switch-based 802.1x, etc.)?
    Thank you.
    Regards,
    Adnan

    Cisco ISE is a consolidated policy-based access control system that incorporates a superset of features available in existing Cisco policy platforms. Cisco ISE performs the following functions:
    • Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
    • Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned sponsor administrators, or both
    • Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing device posture for all endpoints that access the network, including 802.1X environments
    • Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
    • Enables consistent policy in centralized and distributed deployments that allows services to be delivered where they are needed
    • Employs advanced enforcement capabilities including security group access (SGA) through the use of security group tags (SGTs) and security group access control lists (SGACLs)
    • Supports scalability to support a number of deployment scenarios from small office to large enterprise environments
    The following key functions of Cisco ISE enable you to manage your entire access network.
    Provide Identity-Based Network Access
    The Cisco ISE solution provides context-aware identity management in the following areas:
    • Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
    • Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
    • Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role, location, device type, and so on).
    • Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.
    ISE 3315 can support 1500 users with the appropriate license.

  • ISE Custom AUP for Guest Wireless

    Hi All,
    I am trying to set up Guest wireless using Cisco ISE for the first time. Under Multi-Portal Configurations, I was hoping to be able to edit the DefaultGuestPortal profile so that I could change the wording of the AUP from Cisco's blurb. Can anyone point me in the direction where I can do this? The only alternative I can see is to create a new portal from scratch.
    Cheers
    Brian

    MultiPortal Configurations
    Cisco ISE provides you with the ability to host multiple guest portals in the Cisco ISE server. The Guest user portal has a default Cisco look and feel. These pages are dynamically generated to offer portal features such as change password and self-registration in the Login Screen.
    You can use the Multi-portal configuration to upload a set of GUI pages specific to your organization to handle the Login, AUP, Change Password and Self Registration. In order to access an uploaded client portal, the guest portal URL must include the name of the portal specified during the upload.
    You can design and upload HTML pages to define new guest portals or replace the default guest portal. These pages must use plain HTML code and must contain form actions that point to the guest portal backend servlets. You must define separate HTML pages for login, acceptable use policy (AUP), the change-password function, and self-registration.
    For the complete configuration guide, please click on the link below:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.pdf

  • Cisco ISE - Computer and User Authentication on AD for Wireless Clients.

    Hello all,
    I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
    The AD user authorization works fine, but I cannot see in the logs a challenge for the computer verification (it must be a domain member).
    I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer.
    Can you explain to me whether this is caused by the ISE configuration or by the client configuration?
    Thanks a lot for your help.
    The following screenshots show the logs appearing in ISE:
    Kind regards, Emeric.

    This is a great question and I wanted to add my input, and I have a question as well. My understanding is that in order to do both Machine and User authentication, EAP-Chaining is required, which uses EAP-FAST.
    In my testing, when a domain box is configured for computer/user authentication and the laptop starts up, it will authenticate with a host/ and SID in the log.
    When the user logs in, you then see the user ID.
    For my benefit, which rule are you talking about?
    Thank you 

  • Does Cisco ISE have a limitation for policy settings?

    Dear All,
    Does anyone know about Cisco ISE limitations on policy settings?
    Right now my Windows posture policy has around 200 Windows patch checks; does ISE have a limitation such as a maximum number of Windows patching policy lines?
    Thank you
    Best Regards

    Here is the answer for your first question.
    Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time. It causes Java Virtual Machine (JVM) memory utilization to go up due to accumulated backlog when some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.
    To ensure that the profiler does not increase the JVM memory utilization, and to prevent the JVM from going out of memory and restarting, limits are applied to the following internal components of the profiler:
    Endpoint Cache—The internal cache is limited in size and has to be purged periodically (based on a least recently used strategy) when the size exceeds the limit.
    Forwarder—The main ingress queue of endpoint information collected by the profiler.
    Event Handler—An internal queue that decouples a fast component from a slower processing component it feeds data to (typically related to a database query).
    For more information, go through:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#12624

  • Ask the Experts: Wired Guest Access

    Sharath K.P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical and Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum, India. He holds CCNP certifications in R&S and Wireless.
    Remember to use the rating system to let Sharath know if you have received an adequate response.
    Sharath might not be able to answer each question due to the volume expected during this event.
    Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts through January 27, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Daniel,
    Wonderful observation and great question.
    Yes, we don't find any recommendation or inputs in Cisco Docs on scenarios where we have multiple foreign WLCs present. When we go through the Cisco Doc available for Wired Guest Access
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    two separate solutions are available to the customers:
    A single WLAN controller (VLAN Translation mode) - the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.
    Two WLAN controllers (Auto Anchor mode) - the access switch trunks the wired guest traffic to a local WLAN controller (the controller nearest to the access switch). This local WLAN controller anchors the client onto a DMZ Anchor WLAN controller that is configured for wired and wireless guest access. After a successful handoff of the client to the DMZ anchor controller, the DHCP IP address assignment, authentication of the client, etc. are handled in the DMZ WLC. After it completes the authentication, the client is allowed to send/receive traffic.
    So as per Cisco best practices, using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable.
    I do understand the confusion regarding such scenarios, as this (multiple foreign WLCs) is a very general setup which customers would like to deploy.
    We have already opened a bug for the same (a little late though):
    Bug ID: CSCtw44999
    The WLC Config Guide should clarify our support for redundancy options for wired guest
    Symptom:
    Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results.
    Some of the other changes we will be making as a part of the doc correction would be:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
    1. The WiSM2 needs to be added as a supported controller. (Not sure about the 7500, check with PM.)
    2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read:
    "Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results."
    3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
    Now, if you already have such deployments, the criteria would be that the nearest WLC on the broadcast domain (Layer 2) would respond to the client association request.
    (Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
    Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile 00:0d:60:5e:ca:62 on AP 00:00:00:00:00:00 from Idle to Associated.
    I hope the above explanation clarifies your doubts to a certain extent and also keeps you informed on Cisco's roadmap for this feature.
    Regards,
    Sharath K.P.

  • Cisco ISE Profiling BYOD

    What happens with devices that are not in the list of Cisco ISE profiling?
    For example, I have Android Alcatel devices and they are not recognized.
    I have just the ISE solution implemented without MDM, and I have to add the devices manually; is there any way to create a profiling policy for all devices of a specific brand?
    I have updated the profiling frequently, but the problem persists.

    Duplicate post, go here

  • Permit only one access per user on guest portal Cisco ISE

    Hi,
    Could you please help me figure out if it's possible to create a guest account on Cisco ISE which permits only one concurrent access?
    We don't want to have multiple devices registering with the same account, just one different account for each device.
    Thanks,

    Hi Gino,
    You can restrict guests to having only one device connected to the network at a time. When guests attempt to connect with a second device, the currently-connected device is automatically disconnected from the network.
    This is a global setting affecting all Guest portals.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Portal Policy.
    Step 2 Check the Allow only one guest session per user option.
    Step 3 Click Save.
