Cisco ISE with multiple Network interface

Hello,
I am deploying Cisco ISE 1.2 in a distributed deployment and the requirement is to use the external RADIUS proxy feature. The ISE PSNs are designed to have 2 L3 NICs: Eth0 for administration and Eth1 as the client-facing NIC for RADIUS requests. I am interested to know whether Cisco ISE in version 1.2 would use the Eth1 interface to send RADIUS authentication requests to the external RADIUS proxy server.
I could not find the above information in the Cisco SNS-3400 Series Appliance Ports Reference.
http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_app_c-ports.html
Thanks
Kumar

Thanks Ahmad for the reply.
Cisco ISE uses the standard RADIUS authentication and authorization ports to send requests to the external RADIUS proxy. As per the interface/port reference guide for version 1.2, the following is listed, which is what is causing the confusion:
Policy Service node
  Session (Eth0, Eth1, Eth2, Eth3):
    •UDP: 1645, 1812 (RADIUS Authentication)
    •UDP: 1646, 1813 (RADIUS Accounting)
    •UDP: 1700 (RADIUS change of authorization Send)
    •UDP: 1700, 3799 (RADIUS change of authorization Listen/Relay)
  External Identity Stores and Resources (Eth0 only: Admin user interface authentication and endpoint authentication):
    •TCP: 389, 3268, UDP: 389 (LDAP)
    •TCP: 445 (SMB)
    •TCP: 88, UDP: 88 (KDC)
    •TCP: 464 (KPASS)
    •UDP: 123 (NTP)
    •TCP: 53, UDP: 53 (DNS)
Under External Identity Stores and Resources it says Eth0 is used for (Admin user interface authentication and endpoint authentication), whereas under Session it lists that all ports can be used for RADIUS authentication and authorization.
I am not sure what I am missing between the two; could you highlight that?
Thanks
Kumar

Similar Messages

  • BadRequest: Virtual machines with secondary network interfaces and virtual machines with no secondary network

    I'm trying to create an "ExtraLarge" VM with multiple NICs.  The New-AzureVM returns the following error:
    BadRequest: Virtual machines with secondary network interfaces and virtual machines with no secondary network
    interfaces are not supported in the same deployment, also a virtual machine having no secondary network interfaces
    cannot be updated to have secondary network interfaces and vice-versa.
    But I have no other VMs.  Or at least I did and then deleted them and all their disks.  The service has no deployments (either staging or production).
    Why is New-AzureVM complaining about a mismatch of VMs with and without secondary network interfaces when no other VMs exist?
    I have tried many things to fix this, including the deletion of ALL of my resources.  I have deleted and created the service many times, both with an affinity group and without.  I have a screen print of the -debug output if you're interested.
    Thanks for the outstanding help.

    Hi Ron,
    IMPORTANT NOTE: Please do not post the CONFIDENTIAL DETAILS ever on the public forums, this is HIGH RISK action.
    Please send an email with your contact details to my email
    [email protected] so that I guide you on steps which help you come out of the current scenario. Thank you for understanding.
    I suggest you create a new VNET and a new VM with cloud services. Create a multiple-NIC VM. Let us know the results.
    Ref:
    http://azure.microsoft.com/blog/2014/10/30/multiple-vm-nics-and-network-virtual-appliances-in-azure/
    http://blogs.technet.com/b/canitpro/archive/2014/11/04/step-by-step-create-a-vm-with-multiple-nics-in-azure.aspx
    If you are unable to create a VM with multiple NIC, please open a support case as it requires more confidential information which is out of scope of FORUM support offerings.
    Regards,
    Girish

  • ACS 5.4 multiple network interfaces support

    In ACS 5.4 release note, it says:
    Multiple network interface connector support
    ACS 5.4 supports up to four network interfaces: Ethernet 0, Ethernet 1, Ethernet 2, and Ethernet 3. ACS management functions use only the Ethernet 0 interface, but AAA protocols use all configured network interfaces. You must connect the ACS nodes in the distributed deployment only to the Ethernet 0 interface. Therefore, the syslog messages are sent and received at the log collector's Ethernet 0 interface. Data forwarding from one interface to another interface is prohibited to prevent potential security issues. The external identity stores are supported only on the Ethernet 0 interface. In ACS 5.4, multiple network interface connectors are also supported for proxies.
    But in the CSACS 1121 Series Appliance Rear View section, it still says only Ethernet 0 is usable. All other interfaces are blocked.
    I am confused. Can anyone clarify for me whether we can use multiple network interfaces in ACS 5.4? What about the management interface?
    Thanks!

    We configured 2 interfaces in the past within a testing environment and it worked. ACS 5.4 supports multiple network interfaces on the UCS platform, on a virtual machine and on the legacy ACS 5.x IBM/CAM hardware. The ACS management functions use the interface eth0 only and the AAA protocols use all available network interfaces.
    Jatin Katyal
    - Do rate helpful posts -

  • OTV site vlan with multiple overlay interface

    Hi,
    I have OTV multihoming sites: 2 sites, with 2 OTV edge devices at each site,
    and with multiple overlay interfaces sharing 1 join interface.
    Each OTV edge device is connected to multiple VDCs.
    Each internal/downlink will forward a different VLAN for each VDC.
    ================================
    example
    int overlay 1
      otv extend-vlan 10
    int overlay 2
      otv extend-vlan 20
    int eth 2/1
      description trunk to VDC1
      switchport trunk allowed vlan 10,100
    int eth 2/2
      description trunk to VDC2
      switchport trunk allowed vlan 20,100
    otv site-vlan 100
    ================================
    I understand that I can only use 1 site VLAN.
    So in order for the failover to happen, must both eth 2/1 and eth 2/2 fail?
    What if only int eth 2/1 fails? Will int overlay 1 fail over to the secondary OTV device?
    thanks,
    ivan

    "So when querying the adjacency server the ED then knows which other ED is within the same site?"
    Yes for the first part of the question, using the site Vlan unique to each site.
    Why do you need a routed link between EDs at the local site? You don't need to connect those back-to-back over L3. Moreover, if you want to use it for L3 adjacency over the peer-link, you need to make sure that the VLAN you are using is not allowed on the vPC member ports, just on the peer-link, else the vPC loop algorithm will break your traffic.
    Are you planning to use a multicast or a unicast deployment? I remember I tried testing the topology in a POC for one of my customers; things did not work as expected in multicast deployment mode and worked fine in unicast adjacency server mode. I need to go back and check my notes on this.
    I would rather have the join-interface go back to a routed core at the site rather than back-to-back connectivity, as it opens up the tested multicast deployment mode.
    Cheers,
    -amit singh

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they both won't work together as both TACACS and Radius are different technologies.
    It's just because TACACS encrypts the whole message and RADIUS just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and Radius.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, please review the information below as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).

  • Cisco ISE with both internal and External RADIUS Server

    Hi
    I have ISE 1.2; I configured it as management, monitor and PSN and it works fine.
    I would like to know if I can integrate an external RADIUS server and work with both the internal and the external RADIUS server simultaneously.
    So some computers (groupe_A in Active Directory) will continue to do RADIUS authentication on the ISE internal RADIUS and other computers (groupe_B in Active Directory) will do RADIUS authentication on an external RADIUS server.
    I would like to know if it is possible to configure this and how I can do it.
    Thanks in advance for your help
    Regards
    Blaise

    Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
    Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
    The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.
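The username handling described above (domain stripping for plain RADIUS, EAP-Identity for EAP, and the requirement that EAP-Identity match User-Name) as an added example in Python; this is not ISE code. The separator semantics, strip everything up to the first prefix separator and everything from the last suffix separator, and the attribute names used as dictionary keys are assumptions.

```python
class RadiusServerSequence:
    """Models how a RADIUS server sequence derives the username it forwards to the
    external RADIUS server. Separator semantics below are an assumption."""

    def __init__(self, prefix_separator=None, suffix_separator=None):
        self.prefix_separator = prefix_separator  # e.g. "\\" for "CORP\\alice"
        self.suffix_separator = suffix_separator  # e.g. "@" for "alice@corp.example"

    def strip_domain(self, radius_username: str) -> str:
        """Strip the domain from the User-Name at the configured separator(s).
        Applies to plain RADIUS authentications only."""
        name = radius_username
        if self.prefix_separator and self.prefix_separator in name:
            name = name.split(self.prefix_separator, 1)[1]   # drop "DOMAIN\"
        if self.suffix_separator and self.suffix_separator in name:
            name = name.rsplit(self.suffix_separator, 1)[0]  # drop "@domain"
        return name

    def proxied_username(self, request: dict):
        """request maps RADIUS attribute names to values (constructed input); an
        'EAP-Identity' key marks an EAP authentication. Returns
        (username_to_forward, reason); username is None when the request fails."""
        radius_username = request["User-Name"]
        eap_identity = request.get("EAP-Identity")
        if eap_identity is None:
            return self.strip_domain(radius_username), "stripped from User-Name"
        # EAP: the proxy takes the name from EAP-Identity and does no stripping,
        # and the authentication succeeds only if both attributes agree.
        if eap_identity != radius_username:
            return None, "EAP-Identity does not match User-Name"
        return eap_identity, "EAP-Identity used unchanged"


if __name__ == "__main__":
    seq = RadiusServerSequence(prefix_separator="\\", suffix_separator="@")
    for req in ({"User-Name": "CORP\\alice"},
                {"User-Name": "alice@corp.example", "EAP-Identity": "alice@corp.example"},
                {"User-Name": "alice@corp.example", "EAP-Identity": "alice"}):
        print(req, "->", seq.proxied_username(req))
```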

  • Cisco ISE with AD Problem: "Could not read groups data: Global catalog not found"

    Hi all,
    I have completed the Active Directory integration with Cisco ISE, but when I try to read the groups from Active Directory, ISE shows the message "Could not read groups data: Global catalog not found".
    My domain has multiple sites and subnets, each containing a GC for local logon. I have set ISE to the correct site and subnet. Forward and reverse DNS are working with no error.
    Has anyone had this problem? Please help.
    I have checked the ISE CLI Reference Guide 1.1.x:
    You are about to configure Active Directory settings.
    Are you sure you want to proceed? y/n [n]: y
    Parameter Name: dns.servers
    Parameter Value: 10.77.122.135
    Active Directory internal setting modification should only be performed if approved by ISE
    support. Please confirm this change has been approved y/n [n]: y
    What should I set in the Parameter Name: dns.servers or my DNS hostname?
    Please suggest for this too.
    Thanks and Regards,
    Pongsatorn M.

    Hi Pongsatorn,
    Thanks for the reply!
    I've attached the results of the ISE detailed AD test. As you can see, there is a fair number of domain controllers in the AD forest.
    It seems everything works correctly until it gets to testing the AD connectivity on port 3268. Then I get this:
      Testing Active Directory connectivity:
        Global Catalog: pdascdc02.xyz.com
          gc:       3268/tcp - refused
      Testing Active Directory connectivity:
        Global Catalog: pdascdc02.xyz.com
          gc:       3268/tcp - refused
    For some reason, the request to the controllers on port 3268 is being refused.
    Any thoughts you might have are greatly appreciated.
    Cheers,
    Greg

  • Cisco ISE with cisco-av-pair

    Hi All
    I am deploying a Cisco ISE together with a WLC to provide guest services. After the authentication the users will be redirected to the device registration page, this is done via the radius attribute "cisco-av-pair = url-redirect=https://FQDN:8443/guestportal/gateway?sessionId=SesionIdValue&portal=..." returned by the ISE. My problem is that there is no internal DNS server in the guest network (point to public DNS servers), so the clients cannot resolve the FQDN. We can manually add the redirect URL, however the SessionIdValue in the URL is a dynamic value, is there a way to put a dynamic value in the attributes manually?
    Thanks a lot!
    Leo

    Thanks Tarik, I saw you helped a lot of people with ISE configuration; I really appreciate your help.
    In ISE there is a place to set the default URL for Sponsor and My Devices, not sure why not for the Guest portal. As the DNS server is not available at this moment, we are using the WLC to do the redirect (so not CWA); the downside is we cannot have a whitelist since all requests will be redirected to the guest portal.

  • Cisco ISE with EAP-FAST and PAC provisioning

    Hi,
    I have searched with no result on this topic. So, has anyone implemented Cisco ISE authentication with EAP-FAST and PAC provisioning?
    I have an issue with an internal proxy: users are required to authenticate with an internal proxy before being granted access to the Internet.
    If you have any documents, it would be appreciated.
    Thanks,
    Pongsatorn

    From what I understand, an Internet proxy PAC and an EAP-FAST PAC serve two different purposes.
    Is that what you are trying to get clarification on?
    Basically, EAP-FAST PAC provisioning is a PAC that is provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
    Sent from Cisco Technical Support iPad App

  • Cisco ISE with Flex Connect ios 7.4

    Hello my name is Ivan
    I have a question:
    Is it possible to do a deployment with Cisco ISE (TrustSec 2.0), FlexConnect and web authentication to a cluster of Cisco WLCs (IOS 7.4)?
    Are there features or requirements to configure this?
    Regards
    Ivan

    By "cluster of cisco wlc" are you referring to the HA features for the 5508?  HA or not should be irrelevant to the configuration of ISE w/ 7.4 WLC on flex connect.
    Configuring CWA (central web auth) via L2/Mac-Filter and RADIUS NAC will require that you have a FlexConnect group built with the desired AP within the group.  You will need to build FlexConnect ACLs and apply them to the FlexConnect group that correspond with the various NAC states the client will be in during the CWA process. 
    You will probably need 1 or 2 Web Policy ACLs
    1. allow traffic to/from dns and ISE PSN
    2. allow traffic to/from dns, ise and other resources (for instance for posturing/remediation)
    Please note that you cannot "dynamically" assign ACLs to FlexConnect APs/Groups as part of the transition from central webauth required to RUN.  The Web Policy ACLs are the only ones that can override (think of them like pre-auth ACLs).  Once you finally send back the access-accept for the client you cannot apply dynamic ACLs to the particular WLAN/VLAN.
    For instance if you needed differentiated access on a single network between guest and vendors, you couldn't send an access-accept back with an ACL for vendors vs an ACL for guests - in a FlexConnect environment.  They would have to be placed on separate networks with their respective access.
    It's possible this type of configuration (much desired) will be allowed in 7.5 whenever it rears its head.

  • ISE with guest network

    Can I use ISE to authenticate guest SSID,(only allowing Internet connection, while denying all production network access)?
    If the answer is yes, please let me know how to do it.
    Thanks,

    Network Access for Guest Users
    With the increased use of and dependency on mobile devices, such as laptops, tablets, and mobile phones, people have become accustomed to being able to access the Internet from anywhere. However, access to corporate networks requires more security than free Wi-Fi at a local coffee shop. To protect your company's network and to ensure that only authorized guests can access it, your company uses Cisco Identity Service Engine (ISE) guest services. Cisco ISE ensures that only authorized guests, such as visitors, contractors, consultants, and customers, can access the network.
    Please refer: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/sponsor_guide/b_spons_SponsorPortalUserGuide/b_spons_SponsorPortalUserGuide_chapter_01.html
    Hope that helps.

  • Zone with multiple logical interfaces

    Hi,
    How can multiple logical network interfaces be added to a running zone?
    I have configured and installed a whole root zone with one shared-ip network interface.
    Now, I need to add more logical interfaces to the same zone.
    On a physical server with a bge interface, I would create a /etc/hostname file for each logical interface such as:
    $ ls /etc | grep host
    hostname.bge0
    hostname.bge0:1
    hostname.bge0:2
    hostname.bge0:3
    hostname.bge0:4
    hostname.bge1
    hostname.bge1:1
    hostname.bge1:2
    hostname.bge1:3
    hostname.bge3
    hosts
    $
    How can the above be done for a zone?

    Hi
    This requires 2 steps. Firstly, update your zone configuration to add the logical interface and its associated IP address.
    Assuming from the above that you want the logical interface to be added to bge0, do the following, replacing the zone name and IP address with whatever is appropriate for you.
    # zonecfg -z itchyzone1
    zonecfg:itchyzone1> add net
    zonecfg:itchyzone1:net> set address=192.168.1.21
    zonecfg:itchyzone1:net> set physical=bge0
    zonecfg:itchyzone1:net> end
    zonecfg:itchyzone1> exit
    You can do the above as many times as you like to create multiple logical interfaces for the zone.
    After doing the above you will need to reboot the zone to get the new logical interface.
    However, if you can't reboot the zone, you can plumb a logical interface into the zone by running something similar to the following (change for your zone name, IP etc.) from the global zone:
    # ifconfig bge0 addif 192.168.1.21 netmask + broadcast + zone itchyzone1 up
    You will now have an extra interface in the zone (in this case called itchyzone1). To verify, log in to the zone and run ifconfig -a and you will see your new interface.
    # zlogin itchyzone1
    [Connected to zone 'itchyzone1' pts/4]
    Last login: Mon Oct  5 22:24:15 on pts/4
    Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
    # ifconfig -a
    lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    bge0:2: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
            inet 192.168.1.20 netmask ffffff00 broadcast 192.168.1.255
    bge0:3: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
            inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
    Hope this helps
    Martin

  • ASA 5505 Site-to-Site VPN with multiple networks

    Hi,
    I have 2 Cisco ASAs 5505 in the different places with a created connection Site-to-Site VPN. It’s working fine in the networks where they are (10.1.1.0/24 and 10.2.1.0/24 respectively).
    Additionally to the ASA1 are connected two subnets: 10.1.2.0/24 and 10.1.3.0/24 and the ASA2 is connected to one subnet: 10.2.2.0/24
    A problem is when I’m trying to get to a host in the subnet behind the ASA2 from the subnet behind the ASA1  and vice versa.
    Any help would be greatly appreciated.

    It's all about the crypto ACL. You have to combine all networks behind ASA1 with all networks behind ASA2. You can use object-groups for that to handle it. What's the config of your crypto ACL?
    Sent from Cisco Technical Support iPad App

  • Solaris 10 u11 : Is it possible to mix IPMP with virtual network interface

    Hi
    I have a system with 4 Ethernet interfaces. I'd like to try to have a virtual network interface on two of them, then configure IPMP between each pair.
    - Is it possible to mix IPMP and VNIC?
    - Online, I found posts about having a VNIC on Solaris by creating an additional interface file (e.g. /etc/hostname.bge0:1); does IPMP also create such an interface?
    - How can I know which IPMP version is installed on the system, and how do I know I'm reading the right configuration guide?
    - On what basis should I choose the type of IPMP for my system (link-based or probe-based)?
    Thanks in advance
    HEBA

    Hi.
    IPMP can coexist with VNIC.
    IPMP is part of Solaris, so you do not need to check the version of IPMP. Just read the docs for Solaris.
    http://docs.oracle.com/cd/E23823_01/html/816-4554/ipmptm-1.html#scrolltoc
    It's not clear what VNIC you plan to use. Is it a VLAN or just an additional IP on the interface?
    For the test address of IPMP you should configure an interface like bge0:1 with additional options.
    Regards.

  • Multiple network interface....

    I have a group (cloud) of systems and each system has two network interfaces. One interface is 172.17.0.0/19 and the other is 192.168.x.x.
    The 192.168.x.x network interface is dedicated to NFS (usually). So I want to configure that interface so that it does not listen for inetd services and SSH. I want only RPC and portmap services to be listening on that interface, and the other interface (172.17.0.0/19) for normal services.
    (Note: all systems are running Solaris 9)
    --Ritesh Patel

    Hello.
    WHY do you want inetd not to listen on this interface?
    I do not think that is possible with inetd. If you wish to prevent users from connecting via another interface you must use the "tcpd" tool (on the companion CD). However, inetd will still listen on the interface; tcpd will just block incoming connections.
    Martin
