Cisco ISE version 1.2.1.198 distribution deployment issue

Similar Messages

• Cisco ISE version 1.2 (corporate owned)

  Hi Guys,
  We are deploying Cisco ISE with version 1.2, one of  our requirement is to identify the corporate and personally owned  devices. Is there a feature in ISE with this requirement? Thanks.

  To identify a device as a corporate or non-corporate device requires something, say a credential, which is locked to that
  particular device. While common wisdom suggests attaching a certificate to a non-corporate device, the more logical choice is to lock a credential to the corporate device and assume all other devices are non-corporate devices.
  One solution is EAP Chaining which uses a machine certificate or a machine username / password locked to the device
  through the Microsoft domain enrollment process. When the device boots, it is
  authenticated to the network using 802.1X.
  When the user logs onto the device, the session information from the machine authentication and the user credentials are sentup to the network as part of the same user authentication. The combination of the two i
  ndicates that the device belongs to the
  corporation and the user is an employee.
  If the device is not a member of the domain, then the machine authentication fails and the device is not a corporate device. If the device does not support EAP Chaining, then
  the device is also not a corporate device. In either case, the result would be
  to treat these devices differently than the corporate device. That could be limited access for employee owned devices and outto the Internet for non-employee devices depending
  on corporate policy

• Cisco ISE Version control via HTTPS

  Hi there. 
  Is it possible to verify the ISE version by Web GUI? If yes. where can I find the version number`?'
  BR.

  At the bottom left corner there is a question mark with button "help", hover over it and then press "About Identity Services Engine".

• OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue

  We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest trying to browse the internet it will be redirected to guest protal for authentication. So only corporate guest with valid password can pass the portal authentication. This is been working fine for windows machine, android, and apple devices with earlier OS version (working on OSX 10.8.5). For clients that's been upgraded to OSX 10.10.1 or IOS 8 they can no longer load the CWA redirection page.
  Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release ?
  thanks - ciscosx

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Cisco ISE and Switch 3560-X

  Good Morning,
  I am conducting an implementation of Cisco ISE version 1.2.1.198 with all its features on a switch 3560-X and in the ISE compatibility chart the minimum version for this switch would be the IOS v 15.0.2-SE2 (ED).
  My doubt is whether i need the feature ipbase or just the lanbase would be sufficient to meet all the features of 802.1x for the Cisco ISE.
  I appreciate the attention and Thanks,

  Please see the "Cisco Secure Access and Cisco TrustSec Release 5.0 System Bulletin".
  It notes that the 3560-X requires IP base license for all the 802.1X features.

• Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

  does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
  ciscoISE/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  ciscoISE/admin(config)# snmp-server
  Ciscoacs/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  Ciscoacs/admin(config)# snmp-server

  No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
   http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

• Cisco ISE trying to posture a device that should not be able to be postured

  Overview:
  Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.
  Mobile device authorisation policy configured:
  Problem:
  A few days later, mobile devices doesn't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE is classifies  mobile devices as Posturable. The Posture Status previously was "NotApplicable" now shows up as "Pending". See below.
  Troubleshooting:
  I tried a total of 4 different mobile devices. 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids starting working and have the PostureStatus of "NotApplicable", no configuration changes were made. The 2 Apple device still doesn't work and show up as "Pending".
  I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.
  Have any of you guys experienced this before?

  Hi,
  I have also experienced the same issues as yourself and would recommend opening a tac case. However I have used the device registration web portal to redirect all previous detected mobile devices to accept the aup and have them statically assigned to an endpoint group so they do not hit this scenario.
  I know it is a workaround but its the only way i could get this to work and not affect devices that were one time detected as such.
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE and SecurID Integration Questions

  I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
  We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
  We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
  The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
  My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
  I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It apears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no-longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
  Thanks!

  The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
  Have you already gone through the below listed link?
  http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
  Regards,
  Jatin Katyal
  - Do rate helpful posts -

• Cisco ISE patching find out

  Hi all,
  Would like to find out on patching process on inline posture node.
  My topology is one ISE appliance node type is Admin/Policy Service Node; while another unit is inline posture node.
  Both appliance have the identical software versiona and patch, namely 1.1.3.124, patch 2
  I would like to update it to patch version 4.
  My question:
  01. If i apply the patch on the Admin/Polic Service Node using GUI patch maangement, will this also apply the patch to Inline Posture node?
  02. Or should i use console into Inline Posture node and using CLI way to update the patch? Anything i should mention in this process, example: stop application etc?
  Please advice, million thanks
  Noel

  Resolved Issues in Cisco ISE Version 1.1.0.665—Cumulative Patch 4
  Lists the issues that are resolved in Cisco Identity Services Engine Maintenance Release 1.1.0.665 cumulative patch 4.
  You must deploy this patch on Cisco Identity Services Engine Maintenance Release 1.1.0.665 (with or without patch 1, 2, and 3 applied), otherwise the patch install will fail and Cisco ISE will return an error message stating, "This patch is intended to be installed on ISE 1.1.0.665."
  To obtain the patch file necessary to apply the patch to Cisco ISE Release 1.1, log into the Cisco Download Software site at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm (you might be required to provide your Cisco.com login credentials), navigate to Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software, and save a copy of the patch file to your local machine. Then refer to the "Installing a Software Patch" section of the "Administering Cisco ISE" chapter of the Cisco Identity Services Engine User Guide, Release 1.1. for instructions on how to apply the patch to your system.
  If you experience problems installing the patch, please contact Cisco Technical Assistance Center.
  Cisco ISE Patch   Version 1.1.0.665—Patch 4 Resolved Caveats
  Caveat
  Description
  CSCui22841
  Apache Struts2 command execution   vulnerability
  Cisco ISE includes a version of Apache   Struts that is affected by the vulnerabilities identified by the following   Common Vulnerability and Exposures (CVE) IDs: CVE-2013-2251. This fix   addresses the potential impact on this product.
  Managing Software Patches
  You can install patches on ISE servers in your deployment from the primary administration node. ISE patches are usually cumulative; however, any restrictions on the patch installation will be described in the README file that will be included with the patch. Cisco ISE allows you to perform patch installation and rollback from either the command-line interface (CLI) or GUI.
  Standalone Deployment
  When you install or roll back a patch from a standalone or primary administration node, ISE restarts the
  Application. You might have to wait for a few minutes before you can log back in.
  Distributed Deployment
  When you install or roll back a patch from the primary administration node that is part of a distributed deployment, Cisco ISE installs the patch on the primary and all the secondary nodes in the deployment. If the patch installation is successful on the primary node, Cisco ISE then proceeds to the secondary nodes. If it fails on the primary node, the installation is aborted. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment.
  Installing a Software Patch.
  Please check the below link for step by step installation.
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_admin.pdf

• Cisco ISE CLI and GUI password expire

  I had Cisco ISE version 1.1  i face a problem with the CLI and GUI password, as it expire and i can't login, i do the password reset using the ISE DVD,
  i navigate to the ISE CLI, and do the following commands:
  conf t
       password-policy
            no password-expiration-enable
  and reset the GUI admin password, using the command:
       # application reset-passwd ise admin
  from the ISE GUI i had remove the option for diable admin account after 45 days.
  but after 60 days the password expire again.
  so kindly advise what to check for this expire issue.

  Hi Mostafa,
  Yes, the last reply was more towards GUI password-mgmt because in maority of cases it happens with UI admin account. I need to know if you've restarted the ISE after disabling the expiration from the CLI because what I read few weeks ago in an internal defect that password policy configurations are not preserved on cli after restart so just to check could you please check the current settings on CLI w/ the help of show run | in password-policy.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE NTP MD5 hash is 20-Bytes?

  When attempting to configure an NTP authentication-key in the Cisco ISE CLI I noticed that it will not accept an md5 hash of 32 characters (16 bytes). Instead it is expecting a 40 character (20 bytes) hash. That is in line with a SHA-1 hash, not an MD5 hash even though there is no SHA-1 keyword, only an MD5 keyword.
  What's the deal?
  Cisco ISE Version: 1.1.2.145 (Update 3)
  ise/user(config)# ntp authentication-key 75 ?
    md5  MD5 authentication
  ise/user(config)# ntp authentication-key 75 md5 hash ?
    <WORD>  Hashed key for authentication (Max Size - 40)
  ise/user(config)# ntp authentication-key 75 md5 hash 12345678901234567890123456789012
  % ERROR: Bad hashed key.
  ise/user(config)# ntp authentication-key 75 md5 plain test
  ise/user(config)# do show run | i md5
  ntp authentication-key 75 md5 hash 97dc37c94236ec1b4c56871c2e482cbd6f56bd33
  That's not an MD5 hash as it's 40 characters long (20 bytes).

  Hmm, that is an interesting observation. I am guessing that it is a typo and should be "sha-1" because 40 characters is definitely not MD5 :)
  I would suggest you open a case with Cisco TAC and report this. If you get a bug ID or a different answer please let us know. 
  Thank you for rating helpful posts!

• Rename (Change of Hostname) of Cisco ISE Appliances !!!

  Hi,
  I am having the two Cisco ISE (Version: 1.1.1.268) appliances. These appliances are running in Failover with the internal CA signed certificates.
  The hostnames are 19 character long with Upper cases and Hypen. Boxes are joined to the domain but freqently used to disconnect after sometime. After some investigation, we came to know that AD can accept only the 15 characters long hostname... thats the reason, one of the appliance keeps disconnected. Also, sometimes, the authentications donesn't works properly.
  My question is that how to change the Cisco ISE Appliance hostnames without impacting the production and hassle?
  Send me the steps in detail, or it is just a matter to change the hostname and register with DNS with new names and regenerated the certificates...???
  Need expert opinion....
  Thanks,
  Regards,
  Mubasher

  Hello Mubasher-
  I recently had to do this and I want to warn you to be careful. I had to rename 4 hosts and out of 4 of them only 1 remained useable. The other hosts had to be re-built For some reason ISE nodes get very unhappy when trying to change certain things (Hostnames, timezone, etc) Also, keep in mind that even if the renaming goes well you will still impact the environment as the nodes will restart.
  Here is what I did when I made the change:
  1. Disjoin the ISE nodes from the domain
  2. Ensure that their computer name is removed from AD
  3. Update DNS records
  4. Ensure that DNS records have replicated
  5. Change names on ISE
  6. Join nodes to the domain
  Hope this helps
  Thanks for rating!

• Coa issue with Cisco ISE 1.2

  Hi, i am currently implementing webauth with Cisco ISE for self register, but i am having issue coa. I was able to get non-windows machine to work but with windows i can't push out the url redirection through coa.  I have enabled debug and i can see ISE trying to push out the url redirection to the port,  however the url was not show when i issue a show authentication session interface gi 1/0/x command.  The only issue i can see from the debugging is that the interface failed authorization first then a success authorization right after.  Again, the url redirection work on non-windows machine, i have even go as far as disable dot1x supplicant on windows and it still didnt fix the issue.
  please see attachment for the debugging i had mention above.  If anyone know or had this issue before please let me know how i can resolve this.

  finally figured it out.  redirection acl was mess up. 

• Cisco ISE 1.1 Guest Portal Services

  Do you have to have separate ISE appliances or VM clusters to have have 2 separate "Guest Portal" services?
  I have two sites that have their own equipment (Arizona / Illinois):
  - Cisco ISE Server
  - Cisco Wireless LAN Controller
  - Cisco Wireless Anchor Controller
  - Cisco ASA
  My understanding is that I'd need to have the ISE boxes running in "STAND ALONE" mode in order to have two separate "Guest Networks / Portal".
  Thanks in advance!!!

  Hi,
  Each Cisco ISE policy services node can run a guest portal also if they run in one deployment.
  Depending on the way you mean "separate", your requirement can be met in one deployment or in two stand alone deployments.
  Depending on your approach you need four Cisco ISE machines to build the in "one deployment" option.
  2 Admin/Monitoring Nodes (Admin is Active/Standby, Monitoring is Active/Active) and two Policy Services Nodes (RADIUS Servers).  Both Policy Services Nodes can run the guestportal. The configuration of the WLC determines which Policy Services Node is being used. ISE use RADIUS URL redirect is used to redirect to it's own guest portal.
  Hope that helps.

• How to deploy Cisco ISE agents through SCCM 2012 R2

  Hi,
  We are deploying Cisco ISE in our setup. we need to deploy following 3 .msi & 1 .xml files to 3000 PCs through System Center 2012 R2 Configuration Manager.
  The configuration.xml file must be deployed in specified (%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\NetworkAccessManager\newConfigFiles) location.
  anyconnect-nam-win-4.0.02052-k9.msi
  anyconnect-win-4.0.02052-pre-deploy-k9.msi
  nacagentsetup-win-4.9.0.42.msi
  configuration.xml
  The above 3 .msi files should be installed silently and configuration.xml file to be copied to said location.
  I want to create  one package to deploy 3.msi files at once and another package for .xml file.
  or
  Is there anyway to create in one package to install the .msi files first and copy the .xml file as well.
  Any idea please.
  Regards,Ali

  Hi,
  Have you tried to create a script.
  You can easily test this by running your script manually with psexec -s
  to emulate running as SYSTEM account. 
  Reference:
  Robocopy
  https://technet.microsoft.com/en-us/library/cc733145.aspx
  Windows Installer : MSIEXEC Silent Install End to END
  http://sccm2o12.blogspot.com/2010/04/windows-installer-msiexec-silent.html
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]