Cisco ISE. Windows Native Supplicant on VMware

Similar Messages

• Cisco ISE & NAC Agent in a Vmware View VDI Environment

  Hi,
  Anyone deployed Cisco ISE NAC agent on a vmware view virtual desktop environment (VDI)?

  There are no known issues regarding VMWare view that would cause this.
  For AV see -> http://www.novell.com/support/kb/doc.php?id=7007545
  I find ProcMon for Sysinternals useful to see if other prcesses such as
  AV are hitting those files unexpectedly. A few times I have seen AV
  Exclusions not quite working as expected until tweaked.
  The ZMD-Messages.log may show if the agent is doing something....
  On 9/30/2014 9:36 PM, harrymsg wrote:
  >
  > We have been running 11.2.4 in our View VDI environment and overall been
  > very successful. We just rolled Win 7 and are seeing approx. 10% of the
  > VMs with the zenworkswindowsservice.exe running steadily around 50% for
  > hours. Any thoughts? One thing I just set to try was excluding that
  > from Microsoft FEP AV. Anything other thoughts to resolve? Thanks.
  >
  >
  Going to Brainshare 2014?
  http://www.brainshare.com
  Use Registration Code "nvlcwilson" for $300 off!
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Technical Support Engineer
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• Cisco ISE windows workstation endpoint profiling

  Hi all,
  i am configuring cisco ISE to autenticate wireless clients using 802.1x . AP's are all lightweight managed by a cisco 5508 WLC . I would like to discriminate users accessing that wlan using mobile phones or tablet from users connecting using windows workstations. ISE profiles all mobile devices in the right way, iphones and ipad are profiled as apple devices and even MAC OSX devices are profiled correctly. The problem is that all windows workstation are profiled as unknown devices.In ISE i'm using windows workstation default profile configuration.
  what can i check to make windows workstation profile working correctly?
  Thanks in advance.
  Regards

  i noticed that default profile for microsoft workstations uses dhcp probe to profile devices, so i solved the issue adding in our core switch, to the vlan interface used to tag dot1x wireless lan,  ise ip address as ip helper-address. I don't know if that is the best solution or there's something i can do on WLC to avoid adding ip helper-address on vlan interface but this worked for me.
  Thanks to all for helping me.
  Regards

• Cisco ISE - Excessive "Misconfigured Supplicant Detected/Fixed" events

  I have noticed recently that I am getting a LOT of Misconfigured Supplicant Detected messages, followed anywhere from 3-6 hours later by a "fixed" message.  Example below:
  Misconfigured Supplicant Detected with EndpointID=00:1B:77:xx:xx:xx from user=host/Example
  Misconfigured Supplicant Detected with EndpointID=00:1B:77:xx:xx:xx is fixed.
  I'm getting 100+ of these messages every day.   The amount of these messages doesn't seem normal to me.  I currently have my ISE deployment in Monitor mode, and I am guessing that if I was in Low-impact mode, I would be getting many calls about user authentication failures every day.
  Anyone have any insight/advise on this?
  thx

  What version of ISE are you running on?
  Version:
  1.3.0.876
  Patch Information:
  1
  Is this error occurring for same endpoints all the time?
  I ran a report on misconfigured supplicants over the past week and discovered that of the 92 offenders 71 are wireless clients using Intel wireless NICs and 21 are connected to a WS-C3560-48PS switch running 12.2(55)SE9.  I cannot get a 15.x image on it because of flash memory limitations.
  Do you have client suppression feature enable on ISE?
  I have Anomalous client suppression enabled for logging.
  Are there known issues with Intel NICs?  There are 4 different Intel MACs among the 71 wireless clients. 

• IOS 8.x Apple users and CISCO ISE native supplicant provisioning not working

  Hi there guys ,
  I was wondering if anybody else have the following problem:
  Apple iOS 8.x users are not able to register their devices on the ISE portal (native supplicant provisioning).
  After they receive the redirection from the WLC, they freeze. Apple 7.x users have no problem.
  ISE is version 1.2.1.198 patch 2.  WLC is running 8.0.102.14.
  Anybody experienced the same?
  MB

  I am also running ISE 1.2.1.198 patch 2 with 8.0.100.  I am testing with an iPad running IOS 8.1.  The device will register in the registration portal, but is not being classified as an IOS device within client provisioning, I believe.  It is getting profiled as a workstation even though all apple device profiles are enabled.  I have an authorization policy for registered devices, and ipad, iphone, ios devices to gain access to the network without going through posture assessment.  I then have my posture assessment authorization rules with apple IOS devices set for a ssid native supplicant profile.  I keep getting an error page on the iPad when connecting to the ISE SSID saying "Client Provisioning Portal     ISE is not able to apply an access policy to your log-in session at this time.  Please close this browser, wait approximately one minute, and try to connect again".  It gives this message over and over.  If I turn off the posture checking authorization profiles, the IOS device is selected as a rule further down which tells me that ISE does not recognize it as an IOS device in the profiling or client provisioning.

• Cisco ISE on VMware blank Web GUI

  Hi,
  I have just installed Cisco ISE on a VM in VMware workstation 7.1 so that I can play around with the interface.
  I have tried multiple browsers including Mozilla 3.6 all with the same symtoms.
  From the host I can-
  -Ping the ISE
  -I can browse to https://10.0.0.2/admin and I recieve a certificate error ( if I check the certificate I can validate it is a self signed certificate from the ISE) I continue and I get a blank webpage with Identity Services Engine on the tab at the top.
  From the ISE CLI-
  - I can ping the host 10.0.0.1.
  - I can do a "sh application status ise" and all applications are running and have PIDs
  VM settings -
  - Memory 4096
  - Hard drive 60 Gig
  - 1 prcecessor
  - Host only network connection

  If I do a view source in Mozilla 3.6 I get the following the page itself appears blank. I have also verified java is installed and up to date.
       Identity Services Engine
       css/images/favicon.ico">
       lib/xwt/themes/kubricklite/kubricklite-base.css">
       lib/xwt/themes/kubricklite/kubricklite-xwt.css">
       css/errorpage.css">
            djConfig = {
                    isDebug: false,
                    debugAtAllCosts: false,
                    parseOnLoad: true
       lib/dojo/dojo.js">
       lib/cpm/widget/ErrorPage.js">
                 var hrefurl = "http://www.cisco.com";

• Cisco ISE: Error 5411 No response received ...

  Hi all,
  we've been running Cisco ACS version 4.x half a year ago, but decided to upgrade to Cisco ISE. So we've made a fresh installation with our cisco partner. At the moment we're live with this equipment, but running in a lot of troubles, as we're receiving a lot of those errors each day. Once the users restart their PCs a few times the problem is solved, but at the moment its pretty annoying:
  No response received during 120 seconds on last EAP message sent to the client
  Steps from the detailed view:
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  12625  Valid EAP-Key-Name attribute received
  11006  Returned RADIUS Access-Challenge
  5411  No response received during 120 seconds on last EAP message sent to the client
  Allowed Protocol: EAP-TLS and PEAP
  Authentication Protocol : EAP-TLS
  Actually I don't know which version we're running. Where can I check the proper release once on the webinterface?
  Switches are 3750x with the following switchport configs (some things has been xxx-out), Firmware is Version 12.2(55)SE1:
  interface GigabitEthernet1/0/1
  description xxx
  switchport access vlan xxx
  switchport mode access
  switchport voice vlan xxx
  srr-queue bandwidth share 10 10 60 20
  queue-set 2
  priority-queue out
  authentication event fail action next-method
  authentication event server dead action authorize vlan xxx
  authentication event no-response action authorize vlan xxx
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate 28800
  mab
  mls qos trust device cisco-phone
  mls qos trust cos
  macro description cisco-phone | cisco-phone
  dot1x pae authenticator
  dot1x timeout tx-period 15
  dot1x timeout supp-timeout 15
  auto qos voip cisco-phone
  spanning-tree portfast
  spanning-tree bpduguard enable
  service-policy input AutoQoS-Police-CiscoPhone
  Can someone introduce anything to solve the problem, maybe some misconfiguration or improvements before starting a TAC-Case.
  Thanks in advance
  regards
  Marc

  The Global Help icon is located in the bottom left corner of the Global  Toolbar in the Cisco ISE window. You may check the ISE version there.
  To launch Global Help, complete the following steps:
  Step 1 On the global toolbar, move your cursor over the Help icon.
  Step 2 Choose Online Help from the pop-up menu.
  A new browser window appears displaying the Cisco ISE Online Help.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE PRA Periodic Reassment

  Hi Experts,
  i have a good challenge.
  Nac Agent 4.9.0.51
  I've set the periodic reassment to 1 hour, the behaviuor is that, in one hour, the client pass to compliant state, to unknown posture state (with the respective WLC acl applied), and then to compliant status again.
  What is not desiderable in this is that for the 10-15 seconds i have the client that is not able to reach the resources.
  How can i avoid this? what i want is that the client that is checked every hour is still compliant DURING the checks.
  I've seen that in Administration > Settings > Posture > General that is a setting about the default compliant state, anyway, set this to "compliant"
  will lead to devices to be compliant during the "remediation timer".
  Andrea

  The Global Help icon is located in the bottom left corner of the Global  Toolbar in the Cisco ISE window. You may check the ISE version there.
  To launch Global Help, complete the following steps:
  Step 1 On the global toolbar, move your cursor over the Help icon.
  Step 2 Choose Online Help from the pop-up menu.
  A new browser window appears displaying the Cisco ISE Online Help.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Inactive Windows 7 supplicant tries to reauthenticate every 4 to 10 minutes in Cisco ISE 1.2.1.899

  Hi,
  We have a dashboard windows 7 supplicant which is being used to monitoring the network activities. There is noone working with this supplicant so it goes inactive.
  What we see in our ISE log, is the supplicant trying to reauthenticate itself every 4 to 10 minutes. It goes on like this the whole day. We dont want this continous behaviour afterall.
  Swith port configuration looks likt this:
  interface FastEthernet0/31
  description 802.1x Poort
  switchport access vlan xxx
  switchport mode access
  switchport nonegotiate
  switchport voice vlan xxx
  no logging event link-status
  priority-queue out
  authentication control-direction in
  authentication host-mode multi-domain
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication timer inactivity 120
  mab
  no snmp trap link-status
  dot1x pae authenticator
  dot1x timeout quiet-period 300
  dot1x timeout tx-period 10
  dot1x timeout supp-timeout 300
  dot1x max-reauth-req 3
  dot1x timeout held-period 300
  dot1x timeout auth-period 3
  no mdix auto
  storm-control broadcast level 10.00
  storm-control multicast level 10.00
  no cdp enable
  spanning-tree portfast
  service-policy input xxxx
  end
  Has anyone got this same issue? Is this an normal behaviour of an Idle'd supplicant? or other issue around ISE/Switch? Are there any switch configuration we missing to get rid off this behaviour?
  ISE Version: 1.2.0.899
  Patch Information: 5,6,8
  Help would be much appreciated

  Hi Jan,
  Thank you for your reply. Indeed those timer values were not covered in the ISE design guide. We have implemented this timer to tweak the standard design. However we have finally discovered the solution for this issue.
  "authentication timer inactivity 120" was the route cause of the issue. So when a workstation goes to idle, ISE tries to re-authenticate after 2 minutes because of this switch port configuration.
  We have tried to expand the timer to 3600 and it worked, issue fixed. But you will have then every one hour the same result (not a big issue).
  And yes, we have deleted all those timer values to keep the configuration simple as possible. Now we don't have the issue anymore.

• MAC OS X unable to download Cisco ISE supplicant agent

  Hi,
  I have a problem with MAC OS X clients unable to download the Cisco ISE supplicant agent using Safari browser but able to login on the ISE guest portal. If the same client was to login to the ISE guest portal using Firefox; it has no issues downloading the ise supplicant and posture agent.
  I have tried to update the Java version on the client to the latest; however it does not resolve the issue. As I am new to MAC OS clients; I was wondering what may be the cause of the issue?
  I have summarized the issue as follows:
  1. MAC OS X 10.8 with safari 6 -- unable to download agent but can login successfully on the Cisco ISE guest portal
  2. MAC OS X 10.8 with Firefox -- able to login to Cisco ISE guest portal and download agents; no issues
  3. MAC OS X 10.7 with safari and firefox ---  unable to download agent but can login successfully on the Cisco ISE guest portal
  4. Windows XP & Windows 7 & Iphone/Ipad/Android -- able to login/download agent without any issues
  Any suggestions is appreciated.
  Thanks.

  For Agent Download Issues on Client Machine
  • Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the
  policy identity group, conditions, and type of agent(s) defined in the policy.
  (Also ensure whether or not there is any agent profile configured under Policy >
  Policy Elements > Results > Client Provisioning > Resources > Add > ISE
  Posture Agent Profile, even a profile with all default values.)
  • Try reauthenticating the client machine by bouncing the port on the access
  switch.
  Remember that the client provisioning agent installer download requires the following:
  • The user must allow the ActiveX installer in the browser session the first time an agent is installed
  on the client machine. (The client provisioning download page prompts for this.)
  • The client machine must have Internet access.
  Client Machine Operating Systems and Agent Support in Cisco ISE
  Check the following link
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp95449

• Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

  Can anyone tell me the settings for the Windows 7 supplicant that works with ISE and PEAP using machine authentication?  I have an authorization profile that permits the user login only after machine 'WasAuthenticated'.  I have only found this to work by setting the Windows 7 supplicant up to use Single-Sign-On before Windows logon and to specify 'User or Machine' authentication.  Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot.  Surely this isn't right.  What if a user logs on without any connection with cached credentials and then wants to use wireless?  Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/auth states?  I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.
  Regards,
  Scott

  Microsoft will send both and only cares if one passes. This is the same with radius. ACS and ISE allows you to check to see if the user was authenticated which happens initially on boot. After the initial machine auth, the windows machine will only send user creds. The was machine auth is a workaround to be able to do both. The issue is that when the timeout of the machine creds happen, the devices has to be rebooted. In Cisco Live 2012, they even suggested you don't do this due to not knowing when the cached credentials ACS or ISE will keep this info.
  Sent from Cisco Technical Support iPhone App

• Supplicant doesn`t pop up on Win XP during authentication wth Cisco ISE

  Hello!
  I try to configure 802.1X authentication with Cisco ISE, Win XP SP3 and native supplicant.
  Problem is that when workstation connects to the network, it uses  hostname as an username and sapplicant doesn`t pop up to ask me  username and password. Anybody know how to resolve this problem? Mb to  install some patch on Win XP?
  Thank you!
  BR,
  Max

  Tarik, yes of course. Also I manually installed Cisco NAC agent on workstation and it also don`t ask credentials.
  I read this article, but I don`t understand what should I do?
  In RADIUS debug I see folowing:
  RADIUS(000000F7): Send Access-Request to ISE:1812 id 1645/243, len 248
  RADIUS:  User-Name           [1]   29  "host/ISEfuji.office"
  RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/1"
  RADIUS:  NAS-IP-Address      [4]   6   192.168.244.252
  Why User-Name is workstation hostname I don`t understand.      

• Cisco ISE 1.2.x with Posture Configuration - Windows Patches

  Hi, Anybody has any experience in integrating Cisco ISE Posture with Microsoft SCCM?
  With WSUS this works fine, but with SCCM I don't have any idea how to proceed. Anybody knows what it's included in the predefined rules
  pr_WSUSRule and pr_WSUSCheck? I can't find any information in ISE Console or Cisco documentation.
  Thanks.

  Once agent performs the posture checks containing the windows hotfix checks, if the administrator configured the Launch Program Posture Remediation , agent will launch the script file which will initiate the windows hotfix updates via SCCM client configuration manager pre-installed/pre-configured on the box.

• Cisco ISE AD (Windows Server 2013) Authentication Problem

  Background:
  Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
  Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
  Problem:
  Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
  Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
  xxdc01.xx.com (10.21.3.1)
  Pinged:0 Mins Ago
  State:down
  xxdc02.xx.com (10.21.3.2)
  Pinged:0 Mins Ago
  State:down
  xxdc01.xx.com
  Last Success:Thu Jan  1 10:00:00 1970
  Last Failure:Mon Mar 11 11:18:04 2013
  Successes:0
  Failures:11006
  xxdc02.xx.com
  Last Success:Mon Mar 11 09:43:31 2013
  Last Failure:Mon Mar 11 11:18:04 2013
  Successes:25
  Failures:11006
  Domain Controller: xxdc02.xx.com:389
      Domain Controller Type: Unknown DC Functional Level: 5
      Domain Name:            xx.COM
      IsGlobalCatalogReady:   TRUE
      DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
      ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
  Action Taken:
  Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
  2)     Tested wireless authentication using EAP-FAST but same problem occurs.
  3)     Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.     
  12304  Extracted EAP-Response containing PEAP challenge-response
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - AD1
  24430  Authenticating user against Active Directory
  24444  Active Directory operation has failed because of an unspecified error in the ISE
  4)     Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
  5)     Tested wireless on different laptos and mobile phones with same error
  6)     Delete and add again AAA Client/Devices on both Cisco ISE and WLC
  7)     Restarted ISE services
  8)     Rejoin domain on Cisco ISE
  9)     Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
  10)    There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
  Other possibilities/action:
  1)     Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
  2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
  Anyone out there experienced something similar of have any ideas on why this is happening?
  Thanks.
  Update:
  1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
  2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
  This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.

  Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required ot version?
  Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre

• Cisco ise 1.1.3 patch 3 and Windows 8

  Hello,
  Cisco NAC Agent does not display on my windows 8 computer. I have Cisco ise 1.1.3 and Nac Agent 9.8.0.52. Can you help me?

  I suspect the below listed defect here:
  CSCue41912    Posture : NAC agent not triggering on WIN8.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**