Distributed ISE 1.3 timezones

Question about timezones in ISE 1.3 for distributed deployments across the globe. I've seen some comments/recommendations on not configuring timezone on ISE nodes when deploying in dispersed geography and just leaving timezone as UTC. I've even seen that supposedly it's not allowed to change timezone after installation.
Is this an outdated recommendation that doesn't apply to ISE 1.3 anymore?
Should I use the same UTC timezone on all ISE nodes? How do admins deal with reading logs in this environment? I can see how tricky it can be to analyze. What about guest provisioning in sponsor portals, won't it be confusing for sponsors when setting time periods for guest accounts? What about Active Directory sync, is it ok if the ISE PSN's timezone doesn't match AD server's timezone?

Hi Kevin-
A couple of questions/suggestions:
- Is there a chance that the students are also part of the employee AD group? I know it is a silly question but I must ask :) In fact, when a successful authentication happens, you can open the "detailed authentication screen" for that session and see all of the AD groups that the user is a member of.
- Have you tested this yourself? For instance, you can create a test account in each group and then try it for yourself
- Another silly question but can you confirm that each SSID has a unique interface in the WLC, thus going to a different subnet/DHCP scope
- I would make your authorization rule a bit simpler. I would like you to remove the: 
"AD1:ExternalGroups NOT_EQUALS mydomain/Students/All Students"
When it comes to AD groups, ISE would process them in a "top-down" fashion and as soon as a match occurs, ISE would stop looking. I don't think this is the issue in your case but still worth the try. 
- If the main issue is lack of DHCP addresses then why not address that? :) For instance, you can:
1. Expand the DHCP scope (From let's say /24 to a /23)
2. Assign a "secondary IP" address to the L3 interface, thus giving it more subnets
3. Utilize "Interface Groups" in the WLC, that way you can have multiple subnets tied to the same SSID
Thank you for rating helpful posts! 

Similar Messages

  • ISE 1.2 Timezones

    Hi everybody
    Does anyone know how to change the time displayed in the GUI (Monitoring/Authentication)?
    On the command line we set the timezone when installing the ISE, but when troubleshooting in the GUI the time is displayed with the "wrong" timezone.
    Show clock 13:41:51 CEST
    But new log entries in the GUI are displayed with: Time = 12.41.51
    The CLI time is the correct one; does anyone have an idea how to change the GUI to display the proper time?
    Best Regards
    Jarle

    Both the time and timezone are controlled by the commands entered in the CLI. Thus, there shouldn't be any discrepancies between the two. What version of ISE are you using?

  • Ntp on ise

    I have configured new NTP servers on our primary ISE node (admin and monitor persona). I have saved the config. Ideally the primary admin/monitor node should now sync the new NTP servers to the secondary admin/monitor persona node as well as to the other PSNs, but that is not happening. I also tried to manually sync the NTP servers to the secondary admin/monitor node, but it shows the old NTP IPs only. The primary node shows that the config of the secondary node is in sync. What is the problem?

    You must configure the system time and NTP server settings on each ISE node in your deployment individually.
    Step 1 From your primary ISE node, choose Administration > System > Settings.
    Step 2 From the Settings navigation pane on the left, click System Time.
    The timezone that you have configured appears in the Time Zone field. You cannot edit this value from the ISE user interface. To configure the time zone, you must enter the following command from the ISE CLI:
    clock timezone timezone
    For more information on the clock timezone command, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.
    Step 3 In the NTP Server Configuration area, enter the IP address of your primary, secondary, and tertiary NTP servers.
    If you have only one NTP server in your network, enter the IP address in the Primary Server text box. If you have two NTP servers, enter the IP address in the Primary Server and Secondary Server text boxes.
    Step 4 Click Save to save the NTP server settings.

  • ISE 1.2 patch 3 - Sponsor Portal default timezone changed to non-existant ECT

    Hi everybody,
    We've applied patch 3 to our ISE 1.2 cluster and after the upgrade all the sponsor accounts (externally authenticated on Active Directory) now have GMT +01:00 Europe/ECT as default Time Zone. Thus all the guest accounts created have the same time zone and guest authentication fails.
    This is the error from ise-console.log:
    guest:- com.cisco.cpm.guest.exceptions.PortalUserException: java.lang.IllegalArgumentException: The datetime zone id 'ECT' is not recognised
    guest:-        at com.cisco.cpm.guest.edf.GuestUserAdaptor.isAcctValid(GuestUserAdaptor.java:489)
    I checked the admin interface and the 1.2 documentation but could not find any default setting for the sponsor users' Time Zone.
    Time zone for the 3315 is CET:
      clock timezone CET
    A workaround is to have each sponsor user update their Time Zone setting on the Sponsor Portal, but this is impractical.
    Did anybody experience the same issue?
    Regards,

    Hi Luigi Gangitano,
    Since when have you been experiencing this issue? I suspect this would have been an issue when the server timezones were changed from the CEST timezone to the CET timezone.
    To further figure out where exactly the issue is:
    1. Can you please let us know what the timezone in the UI is, in the server information section in the top right corner?
    2. Similarly, can you please check the timezone in the CLI of the primary ISE node?
    If the above two locations are displaying the correct timezone then we have to suspect the sponsor portal.

  • Changing timezone in ISE 1.1.2

    Hi,
    I need to change the timezone of two ISE 1.1.2 servers, one primary and one secondary. Both are set to the "EST" timezone and I would like to change
    them to America/Montreal because they are now one hour late since the daylight saving change.
    According to the release notes, it is not recommended to change the timezone on ISE after the installation. I'm thinking of doing a backup
    of the ISE application (in the maintenance GUI or CLI) and then changing the timezone on both servers. After the change the ISE servers will gain one hour. So afterwards I will do a restore of the backup I did just before the timezone change. The timestamp of the backups will be older than the current time
    of the servers.
    Will this work? Is it the best way to change the timezone?
    Does anyone run into this issue? How did you fix that? Did you have any problems?
    Thanks in advance.
    Stephane

    I've had success with no obvious issues changing the time zone on a PSN box. I first broke the join from the PAN server and then did the time zone change. Then I rejoined the PSN to the PAN. Again, I didn't see any issues.
    As for the PAN time zone change, I would probably rebuild the box if you didn't feel comfortable. In most cases, if you are very familiar with ISE, it takes like 30 minutes to put the config back on it.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • How to set logging on ISE not to UTC timezone

    Hello everyone,
    I was wondering if there's a way to change the way ISE logs authentications in terms of timezone. I found that it is UTC even if I changed the timezone to my local timezone (PST8PDT).

    You are correct, the time is set before the ISE application is installed. The database is primed afterwards to configure NTP, DNS and the basic configuration.
    Also, the doc recommends using UTC.
    Thanks,
    Tarik

  • ISE 1.2 Time Zone

    Hi Community!!
    I have an ISE 1.2 pair, v9 patch installed and synchronized. Recently our time zone changed to summer time, which is one hour later. In the CLI I can see that the reference is sent by NTP and the clock has changed, but in monitoring I can still see that there is an hour difference from the real time.
    I read in the official Cisco documentation that the time cannot be changed on ISE or else it will become unusable, but the logs are not being timestamped correctly, and also the time the RADIUS requests are made by the NAD vs the time they are received by ISE have a one hour difference.
    Is there a way to solve this? It seems prone to all kinds of unexpected behaviour when we least expect it.
    Thank you!!

    Hmm, this is very strange and it almost seems like a bug with ISE. I would recommend that you contact TAC and have them check this out. 
    The reason I think that it is a bug (related to the timezone) is the fact that the base OS (Cent/ADE OS) appears to be running fine and keeping track of DST (daylight saving) but the actual application (ISE) installed on Cent is not.
    I am far from NTP or Linux expert but I don't believe that NTP pushes/honors timezones. I think NTP just synchronizes the clock while timezones/DST is controlled locally. 
    If the issue is not a bug, it is perhaps due to selecting the incorrect timezone. I have never done a deployment outside of the US and the UK so I am not familiar with timezones in Chile. However, if we take the Eastern Time Zone for example, I had to make sure that I select "EST5EDT" in ISE and not just EST. If I simply selected EST then DST was not observed and made things ugly :) The same applied for the Pacific timezone where I had to make sure that I select "PST8PDT". With all of that being said, I checked the CLI in ISE and I don't see any Chile-related timezones that would indicate DST observation. You can check for those yourself by using the following command: "show timezones"
    I was able to find these but perhaps there are more and a specific one to CST/CLST. I tried searching for those but could not find anything:
    NS-ISE-01/admin# show timezones | i Santiago
    America/Santiago
    NS-ISE-01/admin# show timezones | i Chile
    Chile/EasterIsland
    Chile/Continental
    NS-ISE-01/admin# show timezones | i CLT
    NS-ISE-01/admin# show timezones | i CLST
    Let me know what you find. I would like to know the cause/resolution
    Thank you for rating helpful posts!
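Two of the threads above come down to the same two questions a practitioner should answer before typing `clock timezone` on an ISE node: is the zone ID actually in the IANA tz database (the Joda error "The datetime zone id 'ECT' is not recognised" is what a bogus ID looks like at runtime), and does the chosen zone observe DST (the "EST" vs "EST5EDT" trap, and the Chile question). The following is an added example, not code from the original posts or from Cisco; it answers both with Python's standard `zoneinfo` module against the host's tz database, and shows how a UTC log timestamp reads from a non-UTC desk. The sample year (2014) and timestamps are constructed.

```python
"""Check IANA zone IDs before using them on an ISE node: does the ID exist,
and does it observe DST?  Added example, standard library only (Python 3.9+),
reads the host's tz database."""
from datetime import datetime, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

UTC = timezone.utc


def zone_report(zone_id: str, year: int = 2014) -> dict:
    """Summarise one zone ID: whether the tz database knows it, its UTC offset
    (hours) in mid-January and mid-July of `year`, and whether those differ,
    i.e. whether the zone observes DST that year.  `year` is a constructed
    sample value, not taken from the posts."""
    try:
        tz = ZoneInfo(zone_id)
    except (ZoneInfoNotFoundError, ValueError):
        # Same failure mode as the 'ECT' error in the sponsor-portal thread:
        # 'ECT' is not an IANA zone ID, so nothing can render times in it.
        return {"zone": zone_id, "recognized": False}
    jan = datetime(year, 1, 15, 12, tzinfo=UTC).astimezone(tz)
    jul = datetime(year, 7, 15, 12, tzinfo=UTC).astimezone(tz)
    jan_off = jan.utcoffset().total_seconds() / 3600
    jul_off = jul.utcoffset().total_seconds() / 3600
    return {
        "zone": zone_id,
        "recognized": True,
        "jan_offset_h": jan_off,
        "jul_offset_h": jul_off,
        "observes_dst": jan_off != jul_off,
        "abbrevs": (jan.tzname(), jul.tzname()),
    }


def utc_log_to_local(stamp: str, zone_id: str) -> str:
    """Render a UTC log timestamp ('YYYY-MM-DD HH:MM:SS') in `zone_id`.
    Keep the node on UTC, convert at read time; never guess the offset by hand."""
    utc_dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return utc_dt.astimezone(ZoneInfo(zone_id)).strftime("%Y-%m-%d %H:%M:%S %Z")


if __name__ == "__main__":
    for zid in ("ECT", "EST", "EST5EDT", "America/New_York", "CET",
                "Europe/Paris", "America/Santiago"):
        print(zone_report(zid))
    # A UTC-stamped ISE log line read from a CEST desk (constructed timestamp).
    print(utc_log_to_local("2014-06-24 11:41:51", "Europe/Zurich"))
```

`EST` is a fixed UTC-5 zone with no DST rule, `EST5EDT` and `America/New_York` switch to UTC-4 in summer, and `America/Santiago` does observe DST in the tz database even though no `CLT`/`CLST` abbreviation shows up in `show timezones`; the region/city form is the one to use.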

  • ISE 1.2 - Wrong Displayed Time

    Hi everybody,
    I have an issue with ISE 1.2.0.899 concerning the sponsor portal. I have set up the ISE in UTC and synced it to NTP. If I log in as a sponsor and create a guest account in timezone e.g. GMT +02:00 Europe/Zurich ...
    ...I get a confirmation like this:
    It can be seen that the timezone is shown correctly, but the start/end time of the account is still shown in UTC!! The time above should be from 7:45 until 8:45. This is very confusing for sponsors and guests, as these results are printed and handed out to guests. Is there a possibility to change this behavior? I have looked through the language template and managed to change the time format, but did not find an option to change the displayed start/end time.
    Hope someone can help me with this!!
    Regards

    Please check the below links which may be helpful for you:
    Link-1
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_custom_portals.html

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have the built-in Windows XP supplicant and a Cisco 2960 switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On the supplicant I use EAP (PEAP) with EAP-MSCHAP v2.
    I created authentication and authorization rules with Active Directory as External Identity Source. I also applied an authorization profile with a DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
    I tried to reboot the switch and the PC, but it didn't help. Only rebooting ISE helps. After the ISE reboot, authentication and authorization start to work properly for several hours.
    I don't understand: is it a glitch, or did I misconfigure ISE, the switch or the supplicant?
    What  should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times), didn't work. 5 people in my office, all with vers. 6.0.1, couldn't access their gmail accounts. Kept getting an error message that username and password were invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that did the trick. Think there is an issue with imap.gmail.com and IOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.

  • ISE 1.2 web authentication problem with wired clients

    Hello,
    I am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
    Redirecting the client works fine, but as soon as the client opens a web browser and the ISE website opens to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials, a "session expired" message appears on the client and I get an 86017 Session Missing message in ISE.
    Here is the output from the debug aaa coa log.
    Any ideas?
    Thanks in advance
    Alex
    ! CLIENT CONNECT TO SWITCHPORT
    ISE-TEST-SWITCH#show authentication sessions interface gi0/3
                Interface:  GigabitEthernet0/3
              MAC Address:  001f.297b.bd82
               IP Address:  10.2.12.45
                User-Name:  00-1F-29-7B-BD-82
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1484640000026B28C02CDC
          Acct Session ID:  0x0000029C
                   Handle:  0x8C00026C
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
    ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
    ISE-TEST-SWITCH#
    191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
    191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
    191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
    191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
    191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
    191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
    191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
    191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
    191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
    191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
    191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
    191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
    191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
    191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
    191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
    191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
    191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
    191543: .Jun 24 10:42:24.349 UTC:
    191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
    191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
    191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
    191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
    191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
    191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
    ISE-TEST-SWITCH#
    191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
    191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
    191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
    191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
    191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
    ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
    ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
    ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
    ISE-TEST-SWITCH#show authentication sessions interface gi0/3
                Interface:  GigabitEthernet0/3
              MAC Address:  001f.297b.bd82
               IP Address:  10.2.12.45
                   Status:  Running
                   Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1484640000026C28C2FA05
          Acct Session ID:  0x0000029D
                   Handle:  0x2C00026D
    Runnable methods list:
           Method   State
           dot1x    Running
           mab      Not run

    Guest authentication failed: 86017: Session cache entry missing
    Try adjusting the UTC timezone during the guest creation in the sponsor portal.
    86017 | Guest | Session Missing | Session ID missing. Please contact your System Administrator. | Info
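The CoA debug in the post above carries both clocks on one line: the switch stamps each debug line with its own clock (`10:42:24.340 UTC`), and the RADIUS `Event-Timestamp` attribute (type 55) carries the sender's clock as a Unix epoch (`1403606529`, which ISE set when it built the CoA). Decoding one against the other is the quickest way to see NAD-vs-ISE skew of the kind the "ISE 1.2 Time Zone" poster describes. The following is an added example, not code from the original post or from Cisco; the input line is copied from the debug above, the year 2014 is taken from the adjacent `%EPM` lines because IOS omits it on the RADIUS debug lines, and the comparison is done entirely in UTC so no local zone data is needed.

```python
"""Compare the RADIUS Event-Timestamp inside a CoA request with the NAD's own
debug-line timestamp.  Added example; the sample line is copied from the
posted 'debug aaa coa' output, the year comes from the neighbouring lines."""
import re
from datetime import datetime, timezone

UTC = timezone.utc

# Matches an IOS debug line such as
# "191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529"
# (year optional: %EPM/%LINK lines include it, RADIUS debug lines do not).
EVENT_TS_RE = re.compile(
    r"\.?(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) +(?:(?P<year>\d{4}) +)?"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) +(?P<tz>[A-Z]{3,4}):.*"
    r"Event-Timestamp\s+\[55\]\s+\d+\s+(?P<epoch>\d{9,10})"
)


def decode_event_timestamp(epoch: int) -> datetime:
    """RFC 2869 Event-Timestamp: seconds since the Unix epoch, UTC by definition."""
    return datetime.fromtimestamp(epoch, tz=UTC)


def nad_log_time(line_time: str, mon: str, day: str, year: int, tzname: str) -> datetime:
    """Parse the NAD's debug-line clock.  This NAD logs in UTC; a NAD that logs
    in a local zone must be normalised to UTC before the comparison is meaningful."""
    if tzname != "UTC":
        raise ValueError(f"NAD log zone {tzname!r}: normalise to UTC before comparing")
    return datetime.strptime(f"{year} {mon} {day} {line_time}",
                             "%Y %b %d %H:%M:%S.%f").replace(tzinfo=UTC)


def skew_seconds(debug_line: str, default_year: int) -> float:
    """Return (NAD log time - Event-Timestamp) in seconds for one debug line.
    For a CoA the sender is ISE, so a positive value means ISE's clock is
    behind the NAD's (or the packet sat somewhere for that long)."""
    m = EVENT_TS_RE.search(debug_line)
    if not m:
        raise ValueError("no Event-Timestamp attribute on this line")
    year = int(m["year"]) if m["year"] else default_year
    logged = nad_log_time(m["time"], m["mon"], m["day"], year, m["tz"])
    sent = decode_event_timestamp(int(m["epoch"]))
    return (logged - sent).total_seconds()


# Copied from the posted debug output (line 191531).
SAMPLE_LINE = "191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529"

if __name__ == "__main__":
    print("Event-Timestamp:", decode_event_timestamp(1403606529).isoformat())
    print(f"NAD clock minus ISE clock: {skew_seconds(SAMPLE_LINE, 2014):.3f} s")
```

On the posted line the attribute decodes to 2014-06-24T10:42:09Z while the switch logged the packet at 10:42:24.340Z, so the two clocks were roughly 15 seconds apart despite both being NTP-synced. That is small enough not to break anything here, but it is exactly the number to pull before blaming a timezone when NAD and ISE timestamps disagree by an hour: an hour is a zone or DST setting, fifteen seconds is NTP.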

  • ISE 1.1.3.124 secondary node not reachable after registration

    G'day All,
    I'm constantly seeing the sync and replication status for my secondary admin/monitor node in the primary node as "node not reachable". The secondary still thinks it is in standalone mode. When I run the ISE diag tool connectivity tests I am able to successfully ping the devices from each other using both hostname and IP, and nslookup also works fine between both nodes. Ping and nslookup also work from different networks within the environment. The two nodes are in the same VLAN on a 6500 VSS pair but on different switches of the pair. I'm new to ISE so any help is greatly appreciated.
    Thanks All.
    JS

    Hi Saurav,
    Thanks for your prompt response...
    I have worked through that section of the document. The registration completes successfully; I've got NTP sync on both nodes and the system time on both nodes is identical.
    I am only using the self-signed certificates, but following the user guide instructions I have imported the secondary's cert into the primary node.
    Just as of about 30 minutes ago, I saw an alarm on the Secondary ISE node stating that a Slow or Stuck Replication has been detected...
    As I said in the original post, I can ping the FQDNs from each other so it appears that the DNS requirements have been satisfied.
    I've changed the admin account password, I am certain that the ISE DB passwords are correct and the same on both nodes, and the timezones for both nodes are the same also....
    It looks to me like registration is fine, but the first full replication isn't completing successfully.
    Thanks,
    JS

  • ISE 1.2 scheduled backup not working

    Hi all,
    I have a clean installation of ISE 1.2 (HA) Patch 1 and tried to create a scheduled backup from the GUI. I can create it without problems but it does not start.
    I have created manual backups which are working fine, so there is no problem with the FTP server. I have checked the CLI and there is no kron job in the CLI as I would expect from version 1.1.x.
    Any idea, or do you think it's a TAC case?
    Thanks,
    ML           

    There is a known defect that triggers if the timezone has more than 3 characters. Could you please check the timezone on the ISE CLI with "show timezone"?
    CSCui44324    ISE 1.2 scheduled backup can't be configured
    Symptom:
    Backup task can't be configured in ISE 1.2 UI
    Conditions:
    Install/Upgrade ISE to v.1.2
    Login via GUI and try configure backup task under "Administration -> System -> Backup and restore".
    ISE timezone shortname is more than 3 characters (e.g. CEST).
    Workaround:
    N/A
    Further Problem Description:
    Looks like patch 2 would fix this defect.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE v1.1 NAD 6500 failed to decrypt Key......

    Hello everyone ,
    I've implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.1X authentication/authorization, using the local ISE DB and Active Directory as an external identity source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing the installation.
    My NAD devices are a core 6500 switch for wired users (there are no access switches, just the core for the whole network; it's a small office) and a WLC 2405 for wireless users.
    Here is the network topology:
    DNS is fully resolvable (forward and reverse zones) and the ISEs, AD, WLC and core switch are synched with the same NTP server.
    As I mentioned, authentication and authorization were working fine. Two weekends ago there was an electrical outage in the office. When the ISE servers came up, the trust relationship between AD and the ISEs was broken and so was HA replication. I did some troubleshooting to delete and install new certificates from AD into both ISEs and rebuild the HA configuration. I finally got the ISEs working fine again.
    This last weekend, another electrical outage occurred in the office (the client is working with a temporary plant and has already been warned about electrical damage not covered by warranty) and the ISE servers came up in the same condition again, no trust relationship with AD (Domain Controller). So I fixed this again by deleting and installing new certificates into ISE. The problem is that for some reason the NAD 6500 is not authenticating to the ISE. I'm receiving the following debug messages in the switch:
    Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
    Sep 12 17:41:00.222: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
    Sep 12 17:41:00.222: RADIUS(00000000): Started 5 sec timeout
    Sep 12 17:41:00.226: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
    Sep 12 17:41:00.226: RADIUS:  authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
    Sep 12 17:41:00.226: RADIUS: response-authenticator decrypt fail, pak len 20
    Sep 12 17:41:00.226: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:00.226: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
    Sep 12 17:41:00.226: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:00.226: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
    Sep 12 17:41:00.226: RADIUS: Response (165) failed decrypt
    Sep 12 17:41:05.110: RADIUS(00000000): Request timed out
    Sep 12 17:41:05.110: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
    Sep 12 17:41:05.110: RADIUS(00000000): Started 5 sec timeout
    Sep 12 17:41:05.114: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
    Sep 12 17:41:05.114: RADIUS:  authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
    Sep 12 17:41:05.114: RADIUS: response-authenticator decrypt fail, pak len 20
    Sep 12 17:41:05.114: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:05.114: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
    Sep 12 17:41:05.114: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
    Sep 12 17:41:05.114: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
    Sep 12 17:41:05.114: RADIUS: Response (165) failed decrypt
    Sep 12 17:41:10.438: RADIUS(00000000): Request timed out
    Sep 12 17:41:10.438: RADIUS: No response from (172.16.3.5:1812,1813) for id 1645/165
    Sep 12 17:41:10.438: RADIUS/DECODE: parse response no app start; FAIL
    Sep 12 17:41:10.438: RADIUS/DECODE: parse response; FAIL
    Sep 12 17:41:13.682: %MAB-5-FAIL: Authentication failed for client (a44c.11ca.eadf) on Interface Gi1/29
    Sep 12 17:41:13.682: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (a44c.11ca.eadf) on Interface Gi1/29
    Sep 12 17:41:13.682: %AUTHMGR-5-FAIL: Authorization failed for client (a44c.11ca.eadf) on Interface Gi1/29
    Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
    I have deleted and re-created the 6500 NAD in the ISE, and configured the RADIUS key in the 6500 again, making sure they are exactly the same. But I keep receiving the same errors.
    I have already reviewed the following links:
    http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37err.html
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
    http://puck.nether.net/pipermail/cisco-nas/2004-May/000686.html
    And the troubleshooting section from the Cisco Identity Services Engine User Guide, Release 1.0.4
    Everything points to the RADIUS key between ISE and the 6500 switch being wrong, but I've configured it again twice and typed it letter by letter slowly to avoid any typos.
    ISE version: 1.1.0.665
    ADE OS: 2
    Active Directory: Windows 2008 R2 Standard
    6500 SW Config:
    Building configuration...
    Current configuration : 65413 bytes
    ! Last configuration change at 12:22:42 MXVeran Tue Jul 31 2012 by ho1a
    ! NVRAM config last updated at 22:21:11 MXVeran Mon Jul 30 2012 by ho1a
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service compress-config
    service counters max age 5
    boot-start-marker
    boot system flash bootdisk:
    boot-end-marker
    logging buffered 64000
    enable secret 5 $1$QoxK$w6sZJ66pXDMLS1lGPp3KR.
    username ho1a privilege 15 secret 5 $1$DYMo$O8BQi2u.emzdCFfNMxCTd.
    username test-radius password 7 14141B180F0B7B7977
    aaa new-model
    aaa authentication login Tr3s41ia.2012 local
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
    client 172.16.3.5 server-key 7 110A1016141D5A5E57
    aaa session-id common
    platform ip cef load-sharing ip-only
    platform rate-limit layer2 port-security pkt 300 burst 10
    clock timezone MXInv -6
    clock summer-time MXVerano recurring
    authentication critical recovery delay 1000
    interface GigabitEthernet8/1
    switchport
    switchport access vlan 2
    switchport mode access
    ip access-group ACL_ISE_Default in
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    spanning-tree portfast edge
    ip default-gateway 172.16.3.2
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip route 0.0.0.0 0.0.0.0 172.16.3.2
    ip radius source-interface Vlan3 vrf default
    logging origin-id ip
    logging source-interface Vlan3
    logging host 172.16.3.5 transport udp port 20514
    snmp-server group Tr3s41ia.2012aes v3 priv
    snmp-server group Tr3s41ia.2012md5 v3 auth
    snmp-server community public RO
    snmp-server community tresaliarw RW
    snmp-server community tresaliaro RO
    snmp-server trap-source Vlan3
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps memory bufferpeak
    no snmp-server enable traps entity-sensor threshold
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps flash insertion removal
    snmp-server enable traps mac-notification move change
    snmp-server enable traps errdisable
    snmp-server host 172.16.3.4 version 3 priv Tr3s41ia.2012aes
    snmp-server host 172.16.3.4 version 3 auth Tr3s41ia.2012md5
    snmp-server host 172.16.3.5 version 2c tresaliaro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host 172.16.3.5 auth-port 1812 acct-port 1813 test username test-radius key 7 104D000A061843595F
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    service-policy input policy-default-autocopp
    line con 0
    logging synchronous
    login authentication Tr3s41ia.2012
    line aux 0
    line vty 0 4
    login authentication defaulTr3s41ia.2012
    transport input ssh
    line vty 5 1509
    login authentication defaulTr3s41ia.2012
    transport input ssh
    ntp clock-period 17179836
    ntp peer 172.16.4.9
    no event manager policy Mandatory.go_switchbus.tcl type system
    end
    Additionally, I'm getting the following screen when accessing the standby server via HTTPS:
    I'm thinking that there might be some problems with the CA certificates installed on the ISEs, or some corrupted data due to the two sudden restarts.
    Any help, hint or direction will be really appreciated.
    Thanks in advance for your time. Best regards.

    Hello Tarik, thanks for your response,
    I'll go ahead and remove and reconfigure the complete RADIUS configuration on the switch and let you know what happens. If this doesn't work, I'm thinking that re-installing the ISE server might be the solution; it was working fine after the fresh install.
    I use the command "test aaa group radius <username> <password> new-code" to test switch communication to ISE, and here is the debug output from the switch:
    Sep 12 20:42:59.713: RADIUS/ENCODE(00000000):Orig. component type = INVALID
    Sep 12 20:42:59.713: RADIUS(00000000): Config NAS IP: 172.16.3.1
    Sep 12 20:42:59.713: RADIUS(00000000): sending
    Sep 12 20:42:59.713: RADIUS(00000000): Send Access-Request to 172.16.3.5:1812 id 1645/93, len 56
    Sep 12 20:42:59.713: RADIUS:  authenticator 24 52 30 41 B7 06 74 CE - C7 4B 7B FF 87 88 F7 23
    Sep 12 20:42:59.713: RADIUS:  User-Password       [2]   18  *
    Sep 12 20:42:59.713: RADIUS:  User-Name           [1]   6   test
    Sep 12 20:42:59.713: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Sep 12 20:42:59.713: RADIUS:  NAS-IP-Address      [4]   6   172.16.3.1               
    Sep 12 20:42:59.713: RADIUS(00000000): Started 5 sec timeout
    Sep 12 20:43:14.485: RADIUS(00000000): Started 5 sec timeout
    Sep 12 20:43:14.489: RADIUS: Received from id 1645/93 172.16.3.5:1812, Access-Reject, len 20
    Sep 12 20:43:14.489: RADIUS:  authenticator B2 89 18 4B F5 D8 D6 67 - 85 4D 1E C3 DE C9 06 85
    Sep 12 20:43:14.489: RADIUS: response-authenticator decrypt fail, pak len 20
    Sep 12 20:43:14.489: RADIUS: packet dump: 035D0014B289184BF5D8D667854D1EC3DEC90685
    Sep 12 20:43:14.489: RADIUS: expected digest: EDB6C64ADA12BCD81CD21C3EF28CDB27
    Sep 12 20:43:14.489: RADIUS: response authen: B289184BF5D8D667854D1EC3DEC90685
    Sep 12 20:43:14.489: RADIUS: request  authen: 24523041B70674CEC74B7BFF8788F723
    Sep 12 20:43:14.489: RADIUS: Response (93) failed decrypt
    User rejected
    And here are the results from the Operations > Authentications tab in ISE:
    There are no other switches in the network, just the core. I cannot test wireless authentication since the access point's switchport is also controlled by ISE and is not authenticated right now. I can authenticate the Active Directory users using the NTRadPing tool as a test and it is successful. AD and the 6500 switch are using the same RADIUS key to communicate with ISE. Here is the AD user authentication:
    So I'll proceed to reconfigure the switch for the RADIUS server and let you know if this is the solution.
    Thanks in advance for your time and comments.
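Two things in the post above deserve a closer look. First, the `response-authenticator decrypt fail` / `expected digest` lines mean the switch recomputed the RFC 2865 Response Authenticator, MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), over the Access-Reject it received and got a different value than the one in the packet: under a shared secret the two agree, so this is the signature of ISE and the switch using different secrets. Second, the `key 7` and `server-key 7` strings in the posted 6500 configuration are Cisco type 7 encoding, a XOR against a fixed, public pad, not encryption: anyone reading the thread can recover the cleartext secret, so `service password-encryption` does not make a posted config safe and the secret should be rotated. The Python below, added as an editorial illustration (it is not code from the thread, from Cisco, or from ISE), implements both the type 7 decoder and the Response Authenticator check; the packet bytes and request authenticator are copied from the debug output above, while the secret it uses is a constructed fixture rather than the poster's key.

```python
import hashlib
import hmac
import struct

# Cisco IOS type 7 "encryption" is a XOR against this fixed, public pad.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext behind an IOS `password 7` / `key 7` string.

    Layout: two decimal digits giving the start offset into the pad,
    then one hex byte per cleartext character, XORed with the pad byte.
    """
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode()


def type7_encode(cleartext: str, seed: int = 0) -> str:
    """Inverse of type7_decode; used here only to build a constructed fixture."""
    data = cleartext.encode()
    body = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def parse_radius_header(packet: bytes):
    """Split a RADIUS packet into (code, identifier, length, authenticator, attributes)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} does not match {len(packet)} bytes on the wire")
    return code, ident, length, packet[4:20], packet[20:]


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check the NAS performs before trusting an Access-Accept/Reject.
    False means the secret (or the packet) does not match; IOS then logs
    'response-authenticator decrypt fail' together with its expected digest."""
    code, ident, length, got, attrs = parse_radius_header(packet)
    expected = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return hmac.compare_digest(expected, got)


def build_access_reject(ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: an Access-Reject (code 3) carrying a correct Response Authenticator."""
    length = 20 + len(attrs)
    auth = response_authenticator(3, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", 3, ident, length) + auth + attrs


# Bytes copied from the switch debug in the post above (id 93, len 20, no attributes).
PAGE_REJECT = bytes.fromhex("035D0014B289184BF5D8D667854D1EC3DEC90685")
PAGE_REQUEST_AUTH = bytes.fromhex("24523041B70674CEC74B7BFF8788F723")


if __name__ == "__main__":
    # 1. What the debug parsed: code 3 (Access-Reject), id 93, length 20.
    code, ident, length, auth, attrs = parse_radius_header(PAGE_REJECT)
    print(f"code={code} id={ident} len={length} attrs={len(attrs)} bytes")

    # 2. Pull the secret out of a running-config line. The key here is a constructed
    #    fixture, not the poster's; paste any real `key 7 ...` value to test your own.
    config_line = ("radius-server host 172.16.3.5 auth-port 1812 acct-port 1813 key 7 "
                   + type7_encode("Example-Secret", seed=5))
    secret = type7_decode(config_line.split("key 7 ")[1]).encode()

    # 3. Does the reply the switch logged verify under that secret?
    #    (False here, since the fixture secret is not the one ISE used.)
    print("page reject verifies:", verify_response(PAGE_REJECT, PAGE_REQUEST_AUTH, secret))

    # 4. A reject built by a server sharing the same secret verifies.
    good = build_access_reject(ident, PAGE_REQUEST_AUTH, secret)
    print("same-secret reject verifies:", verify_response(good, PAGE_REQUEST_AUTH, secret))
```

Run it against your own configuration by pasting the `key 7` string from `show running-config` into `type7_decode` and the `packet dump` / `request authen` lines from `debug radius` into the two constants; if `verify_response` returns True under the decoded switch key, the secret is not the problem and the mismatch is on the ISE side (for instance a stale network device entry), which is cheaper to establish than re-typing the key a third time.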

  • ISE CWA with COA not work on 3750X.

    Hello.
    I use ISE version 1.2.0.899 with patch 4. I configured Central Web Auth for wired clients. The first time the client opens a web browser, ISE redirects it to the guest portal. The user enters correct credentials, and after that the switch ignores the CoA packet. In the ISE logs I see "5417 Dynamic Authorization failed". If I use a domain computer, authentication is successful using dot1x. All of this is on port g1/0/1. I use a 3750X with IOS versions 15.0(2)SE2, 15.0(2)SE4, 15.0(2)SE5 and 15.2(1). On all of these IOS versions I have this error.
    Config:
    3750X-ISE# sh running-config
    Building configuration...
    Current configuration : 9575 bytes
    !
    ! No configuration change since last restart
    ! NVRAM config last updated at 01:29:01 GMT Wed Mar 30 2011
    !
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname 3750X-ISE
    !
    boot-start-marker
    boot-end-marker
    !
    username admin privilege 15 secret 5 ----
    username radius-test secret 5 -----
    aaa new-model
    !
    aaa group server radius end
    !
    aaa group server radius ise
     server name ise3
     server name ise4
    !
    aaa authentication login default local
    aaa authentication login CON none
    aaa authentication enable default none
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization network ise group radius
    aaa accounting dot1x default start-stop group radius
    !
    aaa server radius dynamic-author
     client 192.168.102.53 server-key P@ssw0rd
     client 192.168.102.54 server-key P@ssw0rd
     client 192.168.102.51 server-key P@ssw0rd
     client 192.168.102.52 server-key P@ssw0rd
     server-key P@ssw0rd
    !
    aaa session-id common
    clock timezone GMT 0 0
    switch 1 provision ws-c3750x-24p
    system mtu routing 1500
    ip routing
    !
    ip dhcp snooping vlan 701-710
    ip dhcp snooping
    ip domain-name com.ru
    ip device tracking
    vtp mode transparent
    !
    device-sensor filter-list dhcp list DHCP-LIST
     option name host-name
     option name default-tcp-ttl
     option name requested-address
     option name parameter-request-list
     option name class-identifier
     option name client-identifier
     option name client-fqdn
    !
    device-sensor filter-list cdp list CDP-LIST
     tlv name device-name
     tlv name address-type
     tlv name version-type
     tlv name platform-type
     tlv name power-type
     tlv name external-port-id-type
    device-sensor filter-spec dhcp include list DHCP-LIST
    device-sensor filter-spec cdp include list CDP-LIST
    device-sensor accounting
    device-sensor notify all-changes
    !
    license boot level ipservices
    !
    dot1x system-auth-control
    !
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    vlan 102
    !
    vlan 701
     name ISE-network1
    !
    lldp run
    !
    no macro auto monitor
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     shutdown
    !
    interface GigabitEthernet1/0/1
     switchport access vlan 701
     switchport mode access
     switchport nonegotiate
     authentication event fail action next-method
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     spanning-tree portfast
    !
    interface Vlan102
     ip address 192.168.102.60 255.255.255.0
    !
    interface Vlan701
     ip address 192.168.107.1 255.255.255.240
     ip helper-address 192.168.102.50
     ip helper-address 192.168.102.53
    !
    ip http server
    ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 192.168.102.1
    !
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny   udp any any eq domain
     deny   tcp any host 192.168.102.51
     deny   tcp any host 192.168.102.52
     deny   tcp any host 192.168.102.53
     deny   tcp any host 192.168.102.54
     permit tcp any any eq www
     permit tcp any any eq 443
    !
    snmp-server community test RO
    snmp-server community test2 RW
    snmp-server trap-source Vlan102
    snmp-server source-interface informs Vlan102
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 192.168.102.53 version 2c test2
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.102.53 auth-port 1812 acct-port 1813
    radius-server host 192.168.102.54 auth-port 1812 acct-port 1813
    radius-server host 192.168.102.54 key P@ssw0rd
    radius-server host 192.168.102.53 pac key P@ssw0rd
    radius-server key P@ssw0rd
    !
    line con 0
     login authentication CON
    line vty 0 4
     exec-timeout 60 0
    line vty 5 15
     exec-timeout 60 0
    !
    ntp master 5
    ntp server 198.123.30.132 prefer
    mac address-table notification change
    mac address-table notification mac-move
    end
    Please, help me.

    Use these Cisco IOS commands to monitor and troubleshoot CoA functionality on the switch:
    • debug radius
    • debug aaa coa
    • debug aaa pod
    • debug aaa subsys
    • debug cmdhd [detail | error | events]
    • show aaa attributes protocol radius
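Before reading those debugs it helps to know what the switch is checking. Under `aaa server radius dynamic-author` IOS only processes a CoA-Request whose source address is a configured `client` and whose RFC 5176 Request Authenticator (MD5 over the packet with sixteen zero octets in the authenticator field, followed by that client's `server-key`) verifies; anything else is silently discarded, so the sending PSN sees no ACK or NAK at all and can only report the dynamic authorization as failed. The listening port on IOS also defaults to 1700 rather than the RFC 5176 port 3799, and the network device entry on ISE has to agree. The Python below, an added illustration rather than code from this thread, from Cisco or from ISE, models both sides of that exchange: the PSN-side CoA-Request with a Calling-Station-Id and a `subscriber:command=reauthenticate` Cisco AV pair, and the NAS-side checks, including the CoA-NAK with Error-Cause 503 (Session Context Not Found) returned for a session the switch does not have. The address, MAC and shared key are constructed fixtures.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attributes this model uses.
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VSA, ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 26, 31, 101
CISCO_VENDOR_ID = 9
ERR_SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 Error-Cause value


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (Length covers the header)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping vendor id 9, vendor type 1 (cisco-avpair)."""
    inner = struct.pack("!BB", 1, 2 + len(text)) + text.encode()
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attrs(data: bytes):
    """Walk the attribute area and return [(type, value), ...], rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def _digest(code, ident, length, auth_field, attrs, secret):
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + auth_field + attrs + secret).digest()


def build_request(code: int, ident: int, secret: bytes, attrs: bytes) -> bytes:
    """CoA/Disconnect-Request: the Request Authenticator is MD5 over the packet
    with 16 zero octets in the authenticator field, followed by the shared secret."""
    length = 20 + len(attrs)
    auth = _digest(code, ident, length, bytes(16), attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """ACK/NAK: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = 20 + len(attrs)
    auth = _digest(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    return hmac.compare_digest(_digest(code, ident, length, bytes(16), packet[20:], secret), packet[4:20])


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    return hmac.compare_digest(_digest(code, ident, length, request_auth, packet[20:], secret), packet[4:20])


def nas_handle(packet: bytes, src_ip: str, dynamic_author_clients: dict, sessions):
    """Model of what `aaa server radius dynamic-author` does with an inbound CoA.
    Returns the reply, or None where the NAS silently discards the request: an
    unlisted source, or a Request Authenticator that fails under the configured
    server-key, both produce no reply, so the sender only ever sees a timeout."""
    key = dynamic_author_clients.get(src_ip)
    if key is None or len(packet) < 20 or not verify_request(packet, key):
        return None
    code, ident = packet[0], packet[1]
    if code != COA_REQUEST:
        return None
    attrs = dict(parse_attrs(packet[20:]))
    mac = attrs.get(ATTR_CALLING_STATION_ID, b"").decode(errors="replace")
    if mac not in sessions:
        cause = attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
        return build_response(COA_NAK, ident, packet[4:20], key, cause)
    return build_response(COA_ACK, ident, packet[4:20], key)


def error_cause(packet: bytes):
    """Error-Cause (101) from a NAK, or None when absent."""
    for atype, value in parse_attrs(packet[20:]):
        if atype == ATTR_ERROR_CAUSE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


if __name__ == "__main__":
    # Constructed fixtures: one PSN listed as a CoA client, one authenticated session.
    secret = b"coa-shared-key"
    clients = {"192.168.102.53": secret}   # `client 192.168.102.53 server-key ...`
    sessions = {"00-0C-29-AB-CD-EF"}       # Calling-Station-Id of the wired session
    req = build_request(COA_REQUEST, 7, secret,
                        attr(ATTR_CALLING_STATION_ID, b"00-0C-29-AB-CD-EF")
                        + cisco_avpair("subscriber:command=reauthenticate"))
    reply = nas_handle(req, "192.168.102.53", clients, sessions)
    print("reply code:", reply[0], "verifies:", verify_response(reply, req[4:20], secret))
    print("wrong server-key ->", nas_handle(req, "192.168.102.53", {"192.168.102.53": b"other"}, sessions))
```

The practical reading of the model: a CoA-NAK in `debug aaa coa` means the key and client list are right and the problem is the request itself (wrong session identifier, unsupported attribute), whereas complete silence on the switch with a failure on ISE means the packet never passed the source or authenticator check, so compare the PSN's actual source address and port against the `client` entries before looking anywhere else.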

  • Time zone settings SNS3415-K9 with ISE 1.2

    Hi, I need to change the time zone on an SNS3415-K9 which runs the ISE 1.2 platform. I try to make the change but the application does not respond. I need to know if there is any special procedure for this.

    Hi,
    Have you rebooted your appliance after your time zone change?
    http://www.cisco.com/c/en/us/td/docs/security/nac/guestserver/configuration_guide/21/nacguestserver/g_setup.html
    Step 1 From the administration interface, select Server > Date/Time Settings to display the Date/Time Settings page as shown in Figure 3-5.
    Figure 3-5 Date/Time Settings
    Step 2 Select the correct System Date and System Time for the location of the Guest Server.
    Step 3 Select the correct System Timezone for the location of the Guest Server.
    Step 4 Click the Save Settings button to apply the System Timezone.
    Note Changing the System Timezone automatically adjusts the date and time on the server.
    Step 5 If you have one, two or three NTP servers available on the network, click the Use NTP to set System Date & Time checkbox.
    Step 6 Enter the IP address of each NTP server available into the fields provided.
    Step 7 Click the Save Settings button to apply the changes.
    Note When setting the NTP server it may take some time for synchronization. Synchronization occurs much faster if the time is set close to the NTP server (and saved by clicking the Save Settings button) before saving the NTP Server settings.
    Step 8 Click the Reboot Server button to restart the NTP process so the new settings take effect.
    HTH
    Sandy
