Cisco ISE Root CA

Hi all,
I have a query on onboarding iOS, Android and windows devices through Cisco ISE.
I understood that we are going to provision and onboard above devices issuing certificates.
Do ISE has Certificate authority where it can generate its own Root CA and Intermediate CA signed by root CA and device certificates signed by intermediate CA i mean profile signing CA???
Or else we need to create CSR and send it to CA to get it signed . then we have to import root, intermediate CA's to ISE. CA's like godaddy ,verisign...when we send CSR .. do they send root certificate, intermediate certificate and signed certificate??
Thanks
Srikanth

HI,
After installation, ISE generates, by default, a self-signed local certificate and private key, and stores them on the server. ISE authenticates itself to clients using the default self-signed certificate that is created at the time of installation. This self-signed certificate is used for both HTTPS and EAP protocols to authenticate clients. This self-signed certificate is valid for one year and its key length is set to 1024 bits. At the time of generation, this certificate is used for both EAP and HTTPS protocols.
Cisco strongly recommends installing a CA-signed certificate.(Dont use self generated certificare from ISE).
Process for certificate deployment:see the link:
https://www.youtube.com/watch?v=d-ro6P2Azl8
Regards

Similar Messages

Cisco ISE 1.2 - BYOD Guest Access Error with Certificate

Hi all !
I'm running on Cisco ISE 1.2. I'm trying to setup BYOD (dual SSID).
Here's a walkthrough of what's happening:
1. I connect to open SSID, enter username/password and register MAC
2. I download WinSPwizard, get trust root CA but WinSPwizard error
This is spwprofilelog
[Wed Oct 01 11:27:17 2014] Installed [pvgas-DC-CA, hash: d0 ad c2 1e 19 b0 8b 61 8a 2d 81 88 da 8a a2 ca
da d3 ab e8
] as rootCA
[Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:17 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:21 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:25 2014] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:29 2014] Failed to get certificate from server - Error: [2]
[Wed Oct 01 11:27:29 2014] Failed to generate scep request. Error code:
[Wed Oct 01 11:27:29 2014] ApplyCert - End...
[Wed Oct 01 11:27:29 2014] Failed to configure the device.
[Wed Oct 01 11:27:29 2014] ApplyProfile - End...
[Wed Oct 01 11:27:32 2014] Cleaning up profile xml: success
This is SCEP RA profiles
Other Cert
ACL On WLC
and policy
Please help me fix error.
Thanks.

you could create an ISE local user with a GUEST membership and provided you have your ISE password policy set so that it doesn't expire accounts, etc it would be a "permanent" guest account. we do something similiar. sponsors make temporary accounts while long-term or test guest accounts are created in the ise local identity store as guests and are processed the same way. you just have to ensure that the internal user store is part of your guest identity source sequence.

Pages in Cisco ISE 1.2 says Error code WAP00008.

When i am trying to access Cisco ISE
Pages Policy>Policy Elements>Dictonaries
i get the following error on firefox(MAC)
There was an error while parsing and rendering the content. (node.getAttribute is not a function)
Error code WAP00008.
Error on Chrome(MAC)
There was an error while parsing and rendering the content. (Object # has no method 'getAttribute')
Error code WAP00008.
it works fine on IE(windows) and firefox
but gives the same error on Chrome,
Any one else facing the same issue ?

This now seems to be across Firefox and Chrome on both Mac and Windows OS systems.. Cisco need to make sure there products can work with the updated browsers as customers cannot be expecetd to always roll back a browser version to fix a problem..... Does anyone know what the root cause might be for this issue ? Java plugins ? so customers can get a solution to allow administration of ISE across OS platforms and Browsers...

Self-Registration Portal Cisco ISE 1.3 Keeps Going Back to Auth Page

We upgraded our Cisco ISE from 1.2.x to 1.3.x. The migration was successful, and everything appears to be correct. I see that our customized portals were brought over as well. We've created a new customized guest portal. We've updated the authorization profile to reflect the new portal. When a user goes through the process of registering, they register successfully, and then use the registration information to sign in successfully. However, when they attempt to browse to a web page, they are redirected right back to the authentication page. I've checked the SSID. It's set for L2 mac-filtering, Radius NAC, and for our ISE ACL. For the authentication security, CoA is enabled. When the upgrade was completed, I did follow all of the post-migration tasks. Can anyone give me any ideas why users are being redirected right back to the auth screen, once successfully authenticating, and not able to get to any internet sites? Thanks for your help!

Salodh,
Thank you so much for the quick reply! Please find the export below:
<?xml version="1.0" encoding="UTF-8"?>
@namespace html url(http://www.w3.org/1999/xhtml); :root { font:small Verdana; font-weight: bold; padding: 2em; padding-left:4em; } * { display: block; padding-left: 2em; } html|style { display: none; } html|span, html|a { display: inline; padding: 0; font-weight: normal; text-decoration: none; } html|span.block { display: block; } *[html|hidden], span.block[html|hidden] { display: none; } .expand { display: block; } .expand:before { content: '+'; color: red; position: absolute; left: -1em; } .collapse { display: block; } .collapse:before { content: '-'; color: red; position: absolute; left:-1em; }
<Root>

<PolicySets> <PolicySet name="Wired" description=""> <Conditions relationship="OR"> <Condition name="Wired_MAB" type="REUSABLE_COMPOUND"/> <Condition name="Wired_802.1X" type="REUSABLE_COMPOUND"/> </Conditions> <Authentication> <rules> <rule name="Default" status="Enabled"> <Conditions/> <Result name="Default Network Access" type="AllowedProtocolServices"/> <IdentitySourceRules> <rule name="Default" status="Enabled"> <Conditions/> <IdentitySourceResult name="Internal Endpoints"> <IdentitySource name="Internal Endpoints" type="IdentityStore"/> <AuthenFailed>REJECT</AuthenFailed> <UserNotFound>CONTINUE</UserNotFound> <ProcessFailed>DROP</ProcessFailed> </IdentitySourceResult> </rule> </IdentitySourceRules> </rule> </rules> </Authentication> <Authorization> <StandardRules> <rule name="Default" status="Enabled"> <Conditions/> <identityGroups> <identityGroup name="Any"/> </identityGroups> <Result name="PermitAccess" type="Standard"/> </rule> </StandardRules> <LocalExceptionRules/> </Authorization> </PolicySet> <PolicySet name="Wireless" description=""> <Conditions relationship="OR"> <Condition name="Wireless_MAB" type="REUSABLE_COMPOUND"/> <Condition name="Wireless_802.1X" type="REUSABLE_COMPOUND"/> </Conditions> <Authentication> <rules> <rule name="Wireless Users" status="Enabled"> <Conditions relationship="AND"> <Condition name="Wireless_802.1X" type="REUSABLE_COMPOUND"/> </Conditions> <Result name="Default Network Access" type="AllowedProtocolServices"/> <IdentitySourceRules> <rule name="Default" status="Enabled"> <Conditions/> <IdentitySourceResult name="AD1"> <IdentitySource name="AD1" type="IdentityStore"/> <AuthenFailed>REJECT</AuthenFailed> <UserNotFound>REJECT</UserNotFound> <ProcessFailed>DROP</ProcessFailed> </IdentitySourceResult> </rule> </IdentitySourceRules> </rule> <rule name="Default" status="Enabled"> <Conditions/> <Result name="Default Network Access" type="AllowedProtocolServices"/> <IdentitySourceRules> <rule name="Default" status="Enabled"> <Conditions/> <IdentitySourceResult name="Internal Endpoints"> <IdentitySource name="Internal Endpoints" type="IdentityStore"/> <AuthenFailed>REJECT</AuthenFailed> <UserNotFound>CONTINUE</UserNotFound> <ProcessFailed>DROP</ProcessFailed> </IdentitySourceResult> </rule> </IdentitySourceRules> </rule> </rules> </Authentication> <Authorization> <StandardRules> <rule name="Internal-Users-KMTMACHINE" status="Enabled"> <Conditions relationship="AND"> <Condition name="WLAN-User" type="REUSABLE_COMPOUND"/> </Conditions> <identityGroups> <identityGroup name="Any"/> </identityGroups> <Result name="WLAN-PERMITALL" type="Standard"/> </rule> <rule name="Internal-Users-MDM" status="Enabled"> <Conditions relationship="AND"> <Condition name="WLAN-User" type="REUSABLE_COMPOUND"/> <Condition name="WLAN-UserMDM" type="REUSABLE_COMPOUND"/> </Conditions> <identityGroups> <identityGroup name="Any"/> </identityGroups> <Result name="WLAN-PERMITALL" type="Standard"/> </rule> <rule name="Internal-Users-NONMDM1" status="Enabled"> <Conditions relationship="AND"> <Condition name="WLAN-User" type="REUSABLE_COMPOUND"/> <Condition name="WLAN-NotMDM" type="REUSABLE_COMPOUND"/> </Conditions> <identityGroups> <identityGroup name="Any"/> </identityGroups> <Result name="WLAN-PERMITONLYINTERNET" type="Standard"/> </rule> <rule name="Guest" status="Enabled"> <Conditions relationship="AND"> <Condition type="ADHOC">DEVICE:Device Type EQUALS All Device Types#Wireless</Condition> </Conditions> <identityGroups> <identityGroup name="Guest" type="User Identity Groups"/> </identityGroups> <Result name="Internet-Only" type="Standard"/> </rule> <rule name="Guest-CWA" status="Enabled"> <Conditions relationship="AND"> <Condition type="ADHOC">DEVICE:Device Type EQUALS All Device Types#Wireless</Condition> </Conditions> <identityGroups> <identityGroup name="Any"/> </identityGroups> <Result name="Guest-CWA" type="Standard"/> </rule> <rule name="Default" status="Enabled"> <Conditions/> <identityGroups> <identityGroup name="Any"/> </identityGroups> <Result name="DenyAccess" type="Standard"/> </rule> </StandardRules> <LocalExceptionRules/> </Authorization> </PolicySet> <PolicySet name="Default" description="Default Policy Set"> <Conditions/> <Authentication> <rules> <rule name="MAB" status="Enabled"> <Conditions relationship="OR"> <Condition name="Wired_MAB" type="REUSABLE_COMPOUND"/> <Condition name="Wireless_MAB" type="REUSABLE_COMPOUND"/> </Conditions> <Result name="Default Network Access" type="AllowedProtocolServices"/> <IdentitySourceRules> <rule name="Default" status="Enabled"> <Conditions/> <IdentitySourceResult name="Internal Endpoints"> <IdentitySource name="Internal Endpoints" type="IdentityStore"/> <AuthenFailed>REJECT</AuthenFailed> <UserNotFound>REJECT</UserNotFound> <ProcessFailed>DROP</ProcessFailed> </IdentitySourceResult> </rule> </IdentitySourceRules> </rule> <rule name="Dot1X" status="Enabled"> <Conditions relationship="OR"> <Condition name="Wired_802.1X" type="REUSABLE_COMPOUND"/> <Condition name="Wireless_802.1X" type="REUSABLE_COMPOUND"/> </Conditions> <Result name="Default Network Access" type="AllowedProtocolServices"/> <IdentitySourceRules> <rule name="Default" status="Enabled"> <Conditions/> <IdentitySourceResult> <IdentitySource name="Internal Users" type="IdentityStore"/> <AuthenFailed>REJECT</AuthenFailed> <UserNotFound>REJECT</UserNotFound> <ProcessFailed>DROP</ProcessFailed> </IdentitySourceResult> </rule> </IdentitySourceRules> </rule> <rule name="Default" status="Enabled"> <Conditions/> <Result name="Default Network Access" type="AllowedProtocolServices"/> <IdentitySourceRules> <rule name="Default" status="Enabled"> <Conditions/> <IdentitySourceResult> <IdentitySource name="Internal Users" type="IdentityStore"/> <AuthenFailed>REJECT</AuthenFailed> <UserNotFound>REJECT</UserNotFound> <ProcessFailed>DROP</ProcessFailed> </IdentitySourceResult> </rule> </IdentitySourceRules> </rule> </rules> </Authentication> <Authorization> <StandardRules> <rule name="Wireless Black List Default" status="Enabled"> <Conditions relationship="AND"> <Condition name="Wireless_Access" type="REUSABLE_COMPOUND"/> </Conditions> <identityGroups> <identityGroup name="Blacklist" type="Endpoint Identity Groups"/> </identityGroups> <Result name="Blackhole_Wireless_Access" type="Standard"/> </rule> <rule name="Profiled Cisco IP Phones" status="Enabled"> <Conditions/> <identityGroups> <identityGroup name="Cisco-IP-Phone"/> </identityGroups> <Result name="Cisco_IP_Phones" type="Standard"/> </rule> <rule name="Profiled Non Cisco IP Phones" status="Enabled"> <Conditions relationship="AND"> <Condition name="Non_Cisco_Profiled_Phones" type="REUSABLE_COMPOUND"/> </Conditions> <identityGroups> <identityGroup name="Any"/> </identityGroups> <Result name="Non_Cisco_IP_Phones" type="Standard"/> </rule> <rule name="Default" status="Enabled"> <Conditions/> <identityGroups> <identityGroup name="Any"/> </identityGroups> <Result name="PermitAccess" type="Standard"/> </rule> </StandardRules> <LocalExceptionRules/> </Authorization> </PolicySet> <GlobalExceptions> <rules/> </GlobalExceptions> </PolicySets>

<ReusableConditions> <Authentication> <Compound> <condition name="Wired_MAB" description="A condition to match MAC Authentication Bypass service requests from Cisco Catalyst Switches" relationship="AND"> <Condition type="ADHOC">Radius:Service-Type EQUALS Call Check</Condition> <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Ethernet</Condition> </condition> <condition name="Wireless_MAB" description="A condition to match MAC Authentication Bypass service requests from Cisco Wireless LAN Controller" relationship="AND"> <Condition type="ADHOC">Radius:Service-Type EQUALS Call Check</Condition> <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition> </condition> <condition name="Wired_802.1X" description="A condition to match an 802.1X based authentication requests from Cisco Catalyst Switches" relationship="AND"> <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition> <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Ethernet</Condition> </condition> <condition name="Wireless_802.1X" description="A condition to match an 802.1X based authentication request from Cisco Wireless LAN Controller" relationship="AND"> <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition> <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition> </condition> <condition name="Switch_Local_Web_Authentication" description="A condition to match authentication requests for Local Web Authentication from Cisco Catalyst Switches" relationship="AND"> <Condition type="ADHOC">Radius:Service-Type EQUALS Outbound</Condition> <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Ethernet</Condition> </condition> <condition name="WLC_Web_Authentication" description="A condition to match authentication requests for Web Authentication from Cisco Wireless LAN Controller" relationship="AND"> <Condition type="ADHOC">Radius:Service-Type EQUALS Login</Condition> <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition> </condition> </Compound> </Authentication> <Authorization> <Compound> <condition name="Wired_802.1X" description="Default condition used to match an 802.1X based authentication requests from Cisco Catalyst Switches." relationship="AND"> <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition> <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Ethernet</Condition> </condition> <condition name="Wired_MAB" description="Default condition used to match MAB Authentication Bypass service requests from Cisco Catalyst Switches." relationship="AND"> <Condition type="ADHOC">Radius:Service-Type EQUALS Call Check</Condition> <Condition type="

Cisco ISE - expired demo license alarm

Hi,
We are implementing Cisco ISE 1.2.0.899 and have an alarm reporting expired license. This alarm refers to the Advanced License demo and is therefore a false positive.
This issue is that we cannot remove the demo icense and stop the root cause of this false positive alarm.
Does anyone has an idea?
Thanks in advance.
Regards,
Telmo Oliveira

Please refer the discussion below
https://supportforums.cisco.com/discussion/12059041/ise-advanced-eval-license-alerts-after-full-base-install

Cisco ISE to block jailbroken or android specific versions

We have Cisco ISE deployed with Advanced subscription license. Is it possible to block IOS jailbroken devices and android devices with older OS version (or rooted) from joining the wireless network.

You cannot do that with ISE alone. You will need to purchase a supported MDM solution (Airwatch, MobileIron, Maas360, etc) and integrate that with ISE. The MDM can then be queried by ISE and check for things like rooted device, PIN, encryption, etc
Thank you for rating helpful posts!

CIsco ISE use two different local certificates for EAP

Hi Experts,
ISE 1.2.1.198
It is possible to use two different local certificates on cisco ISE, generated by two different root CA, for EAP?
Example:
1 - Microsoft CA for notebooks
2 - Different CA (public, openssl, other) for mobiles
And, in case it is possible, which will be the first one presented from the server to the client for EAP-TLS authentication?
Thanks
Andrea

Thanks for your reply,
i think i'll go for another pair of PSN for the mobiles
Andrea

Remote Access VPN posturing with Cisco ISE 1.1.1

Hi all,
we would like to start using our ISE for Remote VPN access.
We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
We do intend to by Cisco ASR's aswell, but I am sceptical of this as i do not know how many VPN licenses you get out of the box. The ASA's we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
I know ISR's are support NADs but what about ASRs? There is no mention.
Any advise will be appreciated!
Mario

OK, I have come accross the Cisco Validated design for BYOD and in there it has a section about Authenticating VPNs.
thats great... however it does not mention using the Inline posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
essentially my requirements are
2-factor authentication VPN using a Certificate & RSA Token
Posturing of the VPN endpoint.
Ideally i would like to use IPSec VPNs as i have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
Can anyone help?
Mario

Multiple domains authentication on Cisco ISE

Hi,
Does the current Cisco ISE supports for authenticating on multiple Active Directories ?
I can only set Cisco ISE to join on single active directory and LDAP
Does anyone have set Cisco ISE to support EAP-FAST with WPAD or PAC provisioning ?
Thanks
Pongsatorn

Hi,
We are into a situation where we need to authenticate users of two domains and these two domains are completely independent (no common DNS server). ISE is not able to resolve one of the domain using the DNS server settings and Adding a host entry for the domain name is not sufficient since Kerberos, GC and LDAP SRVs need to be resolvable as well.
From what I know ISE 1.3 should supports disjointed domains and there is no requirement for ISE to have 2 way trust relationship with domains.
Please share your experience if someone has faced similar situation before.
Regards,
Akhtar

Cisco ISE trying to posture a device that should not be able to be postured

Overview:
Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.
Mobile device authorisation policy configured:
Problem:
A few days later, mobile devices doesn't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE is classifies mobile devices as Posturable. The Posture Status previously was "NotApplicable" now shows up as "Pending". See below.
Troubleshooting:
I tried a total of 4 different mobile devices. 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids starting working and have the PostureStatus of "NotApplicable", no configuration changes were made. The 2 Apple device still doesn't work and show up as "Pending".
I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.
Have any of you guys experienced this before?

Hi,
I have also experienced the same issues as yourself and would recommend opening a tac case. However I have used the device registration web portal to redirect all previous detected mobile devices to accept the aup and have them statically assigned to an endpoint group so they do not hit this scenario.
I know it is a workaround but its the only way i could get this to work and not affect devices that were one time detected as such.
Tarik Admani
*Please rate helpful posts*

Cisco ISE 1.2 MDM Integration Question

I have a working Cisco ISE 1.2.1 install which I've performed the integration to our MobileIron server. The "integration test" reports that the integration is good, but whenever ISE verifies MDM compliance, registration, etc.. with MobileIron when a mobile device connects it always reports that all statuses are good even if they aren't.
My test phone is out of compliance on Mobileiron because of an unapproved app, but when the phone connects ISE believes the MDM compliance status is good. I'm not sure if it isn't really checking with MDM or if the Mobileiron server is reporting erroneous results.
I also saw in a video that the phone has to be registered with MobileIron through ISE. Is this correct? I don't plan to on-board devices with MobileIron through ISE, it will be done directly through MobieIron (not connected to the Wifi network).
I only want ISE to check the compliance status of the device against MobileIron and quarantine if it isn't compliant or MDM registered.
Any help would be appreciated

Saurav and others,
Unfortunately, on-boarding sets some attribute fields on the endpoints that will then allow them to participate in a policy. It is nice that we all have MDM integration working but we almost need another class of on-boarding for corporate devices that are already in the MDM of choice (where we prefer to manage them!)
There is a little documented feature in ISE.
It appears to me that;
the on-boarding turns on the following states for the endpoint;
BYODRegistration
No ( No becomes Yes)
DeviceRegistrationStatus
NotRegistered (becomes Registered)
( The device is actually registered in MobileIron - this means did ISE register with MI. )
No MI attributes will work without this magic. TAC engineers I have dealt with don't seem to understand this feature.
This is definitely an enhancement that is needed.

Cisco ISE 1.2 Patch 6 -- 8 Update failed

Hi all,
I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
Important notice : I though that this error could be an unlucky try but i've tested the update two time.
Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
The symptoms after this error are :
- Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
- The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
- GUI Unavailable
- MAB Auth is working
- Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
- Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
Thanks for your help.

This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
2014-05-28T10:26:30.023223+00:00 XXXXXXX logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
2014-05-28T10:26:30.311676+00:00 XXXXXXX logger: Loading PKCS11 ...
2014-05-28T10:26:30.978432+00:00 XXXXXXX logger: SLF4J: Class path contains multiple SLF4J bindings.
2014-05-28T10:26:30.978454+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
pl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978502+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978509+00:00 XXXXXXX logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
2014-05-28T10:26:31.638970+00:00 XXXXXXX logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

Cisco ISE 1.2.x with Posture Configuration - Windows Patches

Hi, Anybody has any experience in integrating Cisco ISE Posture with Microsoft SCCM?
With WSUS this works fine, but with SCCM I don't have any idea how to proceed. Anybody knows what it's included in the predefined rules
pr_WSUSRule and pr_WSUSCheck? I can't find any information in ISE Console or Cisco documentation.
Thanks.

Once agent performs the posture checks containing the windows hotfix checks, if the administrator configured the Launch Program Posture Remediation , agent will launch the script file which will initiate the windows hotfix updates via SCCM client configuration manager pre-installed/pre-configured on the box.

Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

Need help from ISE experts/gurus in this forum.
Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stopping working completely and a reboot is required (very nice bug from cisco) . This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
Scenario:
- 4 nodes in the environment running ISE version 1.1.2.145 patch 3
- node 1 is Primary Admin and Secondary Monitoring - hostname is node1
- node 2 is Secondary Admin and Primary Monitoring - hostname is node2
- node 3 is Policy service node - hostname is node3
- node 4 is Policy service node - hostname is node4
Objective: Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
My understand is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601.
Can I patch my exsiting environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
I am trying to get a definite answer from Cisco TAC but it seems like they don't know either.
Question #1: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
Propose solution:
step #1: make ISE node1 to be both Primary Admin and Primary monitoring. ISE node2 is now Secondary Admin and Secondary Monitoring.
         Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring. At this point, apply ISE 1.1.2.145 patch 10
         to ISE node1 via the GUI,
step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3. Once that is completed, verify that node2 is working and accepting traffics,
step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4. Once that is completed, verify that node2 is working and accepting traffics,
Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
Propose solution:
step #1: Make ISE node1 the Primary Admin and Primary monitoring. At this point ISE node2 will become Secondary Admin and Secondary Monitoring
step #2: Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>". Once ISE node2 upgrade is completed, it will
          form a new ISE 1.2 cluster independent of the old cluster,
step #3: Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>". After the upgrade the ISE
          Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
step #4: Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>". After the upgrade the ISE
          Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
step #5: At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
step #6: Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
step #7: Perform the upgrade on the ISE node1 from command line "application upgrade <app-bundle> <repository>"
step #8: Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
step #9: Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
Question #3: How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
Propose solution:
step #1: make ISE node1 to be both Primary Admin and Primary monitoring. ISE node2 is now Secondary Admin and Secondary Monitoring.
         Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring. At this point, apply 1.2.0.899-2-85601
         to ISE node1 via the GUI,
step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3. Once that is completed, verify that node2 is working and accepting traffics,
step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4. Once that is completed, verify that node2 is working and accepting traffics,
does these steps make sense to you?
Thanks in advance.

David,
A few answers to your questions -
Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli commmand to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at at time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
Every ISE upgrade that I have attempted as not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
Once the restore finished, I then restored the certificate and picked one of the PSNs
backup the cert,
Had the AD join user account handy
reset-db,
and run the upgrade script.
Once that is done I then restore the cert
Join the PSN to the new deployment
Join both nodes to AD through primary admin node
Monitor for a few days (seperate consoles to make sure everything runs smooth)
If anything doesnt look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and the the last admin node.
Thanks and I hope that helps,
Tarik Admani
*Please rate helpful posts*

Cisco ISE 1.2.1 deplyomet issue with Anyconnect and Profiling

Hi All,
We are running cisco ise box in 1.2.1 version wherein I am facing below issue while deployment. We are having two ISE boxes where One box act as Primary Admin,Secondary MNT and Policy Service and Second Box act as Secondary Admin,Primary MNT and Policy Service
1) Profiling of Endpoints - HP Laster jet printer 55XX series and scanner profiling are not happing in Cisco ISE 1.2.1 wherein I have enabled below probes in ISE for profiling
RADIUS Probe
SNMP Probe SNMP Trap HTTP Prob and DNS
2) Any-connect issue - We are using any-connect supplicant 3.0.11042 for wired and wireless user profile in windows 7 enterprises 32 bit machine
- Yellow mark issue -  Once authentication , posturing completed we are getting yellow mark on network drive but still we are able to connect to network
- Network Map Drive issue -  Once authentication , posturing completed we are getting red cross mark on Network map drive and if we double click on that drive then its get accessible and red mark turns in to green.
For that we have already allowed Ip level access to all domain in before logon dacl ( Machine authentication )
That would be really great if any one can help me on the same.
Thanks & Regards
Pranav

Hi Pablo ,
Please find below solutions
Yellow mark issue - - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This Service is by default disabled on Windows XP and Widows 8.X operating system. This is only enabled by default on Windows 7 and Windows Vista operating system.
Network Map Drive issue   - Create logon script and deploy it using group policy. Script will check full network connectivity and then map network drives
Regards
Pranav

Cisco ISE Root CA

Similar Messages

Maybe you are looking for