Facing issue in integrating with Cisco ISE

Similar Messages

• Afaria 7 SP3 integration with Cisco ISE

  Hi,
  I am trying to find the configuration procedure that is needed for Afaria MDM to integrate with Cisco ISE 1.2.
  1. What service should be installed/enabled?
  2. Which port or service path (<IP:port/abc/xyz?>) it will listen for the communication from Cisco ISE?
  3. Cisco ISE uses REST API to communicate with Afaria. Does this require REST API installation or service activation?
  4. What type certificates are supported in Afaria for this integration.
  5. Anything that related to this topic.
  Appreciate if someone can provide the configuration procedure or any information possible.
  Regards,
  Mudasir Abbas

  From the user guide it seems that LDAP only allows you to strip the prefix/suffix and can't add the suffix.
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1054421
  Strip start of subject name up to the last occurrence of the separator
  Strip end of subject name from the first occurrence of the separator
  Regards,
  Jatin
  Do rate helpful posts-

• Strip @domain on LDAP Integration with Cisco ISE?

  Hi there ,
  I got a WLC conntect with a Cisco ISE. There are two SSID authenticated against the ISE.
  One SSID has AD-Integration as External Identity Source, the other SSID is authenticated through LDAP.
  Authentication ist working fine.
  When an user authenticates through LDAP, he/she has to enter "username@domain". The protocol is EAP-GTC.
  How can I change the ISE that the user has only to enter "username" and the "@domain" part ist already set on the ISE?
  Thansk a lot,
  Norbert

  From the user guide it seems that LDAP only allows you to strip the prefix/suffix and can't add the suffix.
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1054421
  Strip start of subject name up to the last occurrence of the separator
  Strip end of subject name from the first occurrence of the separator
  Regards,
  Jatin
  Do rate helpful posts-

• Strip multiple @domain used in username on AD Integration with Cisco ISE?

  Hi there ,
  How to strip multiple domain suffixes from username through ISE with AD being used as external Identity Source. Username is being used in username@domain format.
  Cisco ISE 1.2 patch 4 introduced strip prefix or suffix @domain realm from username through ISE with AD being used as external Identity Source. But the documentation is not updated for this feature. I am able to strip 1 domain suffix successfully but subsequent ones listed in the suffix list fails to get stripped.
  Any thoughts on the same.
  Thanks Kumar

  In the ISE Under Administration > Identity Management > External Identity Sources
  Choose Active Directory on the Left, Select your AD Server and select Advanced Settings
  Under Identity Suffix Strip, Make sure Strip prefixes listed below: is selected (I know, it says prefix).
  In the List of Suffixes box, enter your list of domain suffixes to strip.  The separating character is a comma (,). 
  If this doesn't fix your issue, then I am afraid that a call to TAC may be in order.
  *****UPDATE*****
  Spaces are significant characters.  When listing domains, do so as such:
  @domain.com,@domain.local,@testdomain.com
  *****END UPDATE*****
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton
  Message was edited by: Charles Moreton

• Coa issue with Cisco ISE 1.2

  Hi, i am currently implementing webauth with Cisco ISE for self register, but i am having issue coa. I was able to get non-windows machine to work but with windows i can't push out the url redirection through coa.  I have enabled debug and i can see ISE trying to push out the url redirection to the port,  however the url was not show when i issue a show authentication session interface gi 1/0/x command.  The only issue i can see from the debugging is that the interface failed authorization first then a success authorization right after.  Again, the url redirection work on non-windows machine, i have even go as far as disable dot1x supplicant on windows and it still didnt fix the issue.
  please see attachment for the debugging i had mention above.  If anyone know or had this issue before please let me know how i can resolve this.

  finally figured it out.  redirection acl was mess up. 

• Ask the Expert: C-Series Integration with Cisco Unified Computing System Manager

  Welcome to the Cisco Support Community Ask the Expert conversation. This conversation is an opportunity to learn and ask questions about Cisco C-Series Integration with Cisco Unified Computing System® Manager (Cisco UCS® Manager) with Cisco experts Vishal Mehta and Manuel Velasco.
  Cisco UCS C-Series Rack-Mount Servers are managed by the built-in standalone software, Cisco Integrated Management Controller (Cisco IMC). When a C-Series rack-mount server is integrated with Cisco UCS Manager, the IMC no longer manages the server. Instead you will manage the server using the Cisco UCS Manager GUI or Cisco UCS Manager command-line interface (CLI).
  Cisco UCS Manager 2.2 provides three connectivity modes for Cisco UCS C-Series Rack-Mount Server management. The following are the connectivity modes:
  Dual-wire management (shared LAN On Motherboard [LOM]): Shared LOM ports on the rack server are used exclusively for carrying management traffic.A separate cable connected to one of the ports on the Payment Card Industry Express (PCIe) card carries the data traffic.
  SingleConnect (Sideband): Using Network Controller Sideband Interface (NC-SI), the Cisco UCS Virtual Interface Card 1225 (VIC1225) connects one cable that can carry both data and management traffic.
  Direct Connect Mode: Cisco UCS Manager Version 2.2 introduces an additional rack server management mode using direct connection to the Fabric Interconnect.
  Vishal Mehta is a customer support engineer for Cisco’s Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in the TAC for the past 3 years with a primary focus on data center technologies such as Cisco Nexus® 5000, Cisco UCS, Cisco Nexus 1000V, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching and service provider.
  Manuel Velasco is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California.  He has been working in the TAC for the past 3 years with a primary focus on data center technologies such as Cisco UCS, Cisco Nexus 1000V, and virtualization.  Manuel holds a master’s degree in electrical engineering from California Polytechnic State University (Cal Poly) and CCNA® and VMware VCP certifications. Remember to use the rating system to let Vishal and Manuel know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation in the Data Center, under subcommunity, Unified Computing, shortly after the event. This event lasts through May 23, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Sebastian,
  The different modes of connecting C-Series with UCSM come into play depending on the type of infrastructure you already have along with C-Series and NIC model.
  Cisco UCS C-Series Rack-Mount Servers are managed by the built-in standalone software, Cisco Integrated Management Controller (CIMC) .
  Powerful features provided by Cisco UCS Manager can be leveraged to manage C-Series server by integrating  C-Series Rack-Mount Server with UCSM.
  This not only gives you rich-feature set but also one management plane to operate UCS-B Series Chassis and UCS-C Series Rack Server.
  You will manage the server using the Cisco UCS Manager GUI or Cisco UCS Manager CLI.
  Cisco UCS Manager 2.2 provides three connectivity modes for Cisco UCS C-Series Rack-Mount Server management.
  The following are the connectivity modes:
  •  Dual-wire Management (Shared LOM):
  Shared LAN on Motherboard (LOM) ports on the rack server are used exclusively for carrying management traffic. A separate cable connected to one of the ports on the PCIe card carries the data traffic. Using two separate cables for managing data traffic and management traffic is also referred to as dual-wire management.
  http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c-series_integration/ucsm2-2/b_C-Series-Integration_UCSM2-2/b_C-Series-Integration_UCSM2-2_chapter_0100.html
  This mode is recommended when you have C-Server which does not  have or cannot support VIC 1225 card (such C-200 server)
  •  SingleConnect (Sideband):
  Using Network Controller Sideband Interface (NC-SI), Cisco UCS VIC1225 Virtual Interface Card (VIC) connects one cable that can carry both data traffic and management traffic.
  This feature is referred to as SingleConnect.
  http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c-series_integration/ucsm2-2/b_C-Series-Integration_UCSM2-2/b_C-Series-Integration_UCSM2-2_chapter_011.html
  This most recommended Integration model when using FEX and VIC 1225 card
  •  Direct Connect Mode:
  Cisco UCS Manager release version 2.2 introduces an additional rack server management mode using direct connection to the Fabric Interconnect.
  This mode will eliminate the need for FEX module as Servers are directly plugged into the base ports of Fabric Interconnect
  http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c-series_integration/ucsm2-2/b_C-Series-Integration_UCSM2-2/b_C-Series-Integration_UCSM2-2_chapter_0110.html
  Please let us know if you need more information. Thank you!
  Thanks,
  Vishal

• Can i have IVR feature with ccm 6.0.1 integrated with cisco unity connection 2.0.1

  Hi
  can i have IVR feature with ccm 6.0.1 integrated with cisco unity connection 2.0.1.
  And tell me a solution  how can i go for IVR with this design.
  Thanks.
  veera.

  Yes, you can have a basic IVR with CUC, no one can tell you how to design your CUC, that's up to you and your requirements.
  All you need are call handlers, caller input and greetings.
  If you need someone to do all this for you, engage with a local Cisco partner.

• Integration Safeword with Cisco ISE

  Hi,
  we have a Domain Integrated Safeword application, which was installed on our Domain Controller. Safeword requests were send over the Radius Port to the NPS server, and from there over Port 5040 to the Safeword application. This works without any problems.
  Now we would like to integrate the Cisco ISE to the Safeword. Because there is a checkbox "Safeword Server" at the Radius Token Identity Source, I thought that it is possible to communicate direct with the Safeword application, but it is not working.
  Anyone who already implemented this??
  T&R
  Frank

  Symptoms or Issue
  •Unsuccessful RADIUS or AAA functions in Cisco ISE
  •The NAD is unable to ping the Policy Service ISE node
  Conditions
  This scenario is applicable in a system in which Cisco ISE is configured to perform user authentication via an external RADIUS server on the network.
  Possible Causes
  The following are possible causes for losing connectivity with the RADIUS server:
  •Network connectivity issue or issues
  •Bad server IP address
  •Bad server port
  Resolution
  If you are unable to ping the Policy Service ISE node from the NAD, try any or all of these possible solutions:
  •Verify the NAD IP address
  •Try using Traceroute and other appropriate "sniffer"-type tools to isolate the source of disconnection. (In a production environment, be cautious of overusing debug functions, because they commonly consume large amounts of available bandwidth and CPU, which can impact normal network operation.)
  Check the Cisco ISE "TCP Dump" report for the given Policy Service ISE node to see if there are any indications.

• Facing Issue while Integration Cybersource with ATG

  Hi All,
  I am facing issue with address verification while integrating cybersource with ATG.
  Rest all integration with cybersource are working fine.
  If i used VerifyOrderAddresses and mention addressVerificationProcessor to use CyberSourceAddressVerify , i get the below error related to houseno . box not found
  addressVerificationProcessor=/atg/commerce/payment/CyberSourceAddressVerify
  Can someone please help me on this.
  Need it urgently. Pls let me know if need further details
  TIA,
  Mayank
  Error Log :
  12:03:01,992 INFO [ShoppingCartModifier] DEBUG There are 0 gift certificates to be collected
  12:03:01,993 INFO [ShoppingCartModifier] DEBUG adding CreditCard to the Order
  12:03:02,075 INFO [ShoppingCartModifier] DEBUG no form errors - staying on same page.
  12:03:04,942 INFO [CyberSourceAddressVerify] DEBUG ----- request -----
  12:03:04,946 INFO [STDOUT] ship_to_state=CA
  bill_state=CA
  ship_to_city=San Jose
  bill_city=San Jose
  bill_country=us
  bill_zip=95131
  ship_to_country=us
  ignore_avs=
  merchant_id=mykkaushik
  bill_address2=
  ics_applications=ics_dav
  ship_to_zip=95131
  bill_address1=1, Main St
  ship_to_address2=
  client_lib_version=Sun Microsystems Inc./1.6.0_31/Windows 7/6.1/-/Java/5.0.3
  ship_to_address1=1, Main ST
  merchant_ref_number=pg460011
  12:03:06,320 INFO [CyberSourceAddressVerify] DEBUG ----- response -----
  12:03:06,320 INFO [STDOUT] dav_rcode=0
  ics_rcode=0
  ics_rmsg=House/Box number not found on street.
  request_id=3539115850040180464524
  dav_us_info=S00000
  dav_us_error_info=E421
  request_token=AhijLwSRf7YylSTvL7cYIJ+1EEDyqAJGlwtJMsXXwMhEAAAA/QNM
  dav_rflag=DINVALIDADDRESS
  ics_rflag=DINVALIDADDRESS
  merchant_ref_number=pg460011
  dav_rmsg=House/Box number not found on street.
  12:03:06,364 INFO [ShoppingCartModifier] DEBUG PipelineError: key=InvalidAddress; error={pg460011=House
  12:03:06,367 INFO [ShoppingCartModifier] DEBUG adding form exception: InvalidAddress: House/Box number
  12:03:06,367 INFO [ShoppingCartModifier] DEBUG root cause of exception: null
  12:03:06,368 INFO [ShoppingCartModifier] DEBUG Transaction Marked as Rollback - redirecting to: billing
  12:03:06,369 INFO [ShoppingCartModifier] DEBUG afterSet sees currentTransaction as TransactionImple < a
  nStatus.ABORT_ONLY >
  12:03:06,369 INFO [ShoppingCartModifier] DEBUG afterSet committing transaction TransactionImple < ac, B
  tus.ABORT_ONLY >
  12:03:06,494 INFO [ShoppingCartModifier] DEBUG Released local write lock using id 270000

  It's an issue with the input which you given to the field:House/Box
  Returning Error from Cybersource:
  House/Box number not found on street.
  could you please give valid number here which is the Cybersource service expecting number.

• WLC RADIUS attribute with Cisco ISE

  Hi All,
  Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?
  My Authentication Policy :
       Name: IsGuestAuthen
       IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"
  My Authorization Policy :
       Name: IsGuestAuthen
       IF "Guest" THEN "InternetOnly"
  When I monitoring on the Live Authentication page, I can see only the MAC address and a guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me ?
  Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.
  Thanks,
  Pongsatorn Maneesud

  Exactly...here is the list of attributes sent in the access-request from the wlc -
  http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129
  The framed ip address is sent in the accounting packet which doesnt appear in the live authentication report.
  If you are up to speed on rest api's here is some reference material on this:
  http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826
  You can also run radius accounting report and filter it based off of account-start packets which will have the username and the ip address along with the mac address.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Remote Access VPN posturing with Cisco ISE 1.1.1

  Hi all,
  we would like to start using our ISE for Remote VPN access.
  We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
  That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
  I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
  We do intend to by Cisco ASR's aswell, but I am sceptical of this as i do not know how many VPN licenses you get out of the box. The ASA's we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
  I know ISR's are support NADs but what about ASRs? There is no mention.
  Any advise will be appreciated!
  Mario

  OK, I have come accross the Cisco Validated design for BYOD and in there it has a section about Authenticating VPNs.
  thats great... however it does not mention using the Inline posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
  essentially my requirements are
  2-factor authentication VPN using a Certificate & RSA Token
  Posturing of the VPN endpoint.
  Ideally i would like to use IPSec VPNs as i have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
  Can anyone help?
  Mario

• Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

  Need help from ISE experts/gurus in this forum.
  Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stopping working completely and a reboot is required (very nice bug from cisco) .  This leaves me no choice but to upgrade to version 1.2.0.899-2-85601. 
  Scenario: 
  - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
  - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
  - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
  - node 3 is Policy service node - hostname is node3
  - node 4 is Policy service node - hostname is node4
  Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
  My understand  is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
  to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
  upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
  Can I patch my exsiting environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
  I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
  I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
  Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
  step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
  Propose solution:
  step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
  step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
            form a new ISE 1.2 cluster independent of the old cluster,
  step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
  step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
  step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
  step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
  step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
  step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
  step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
  Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
  step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  does these steps make sense to you?
  Thanks in advance.

  David,
  A few answers to your questions -
  Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
  https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
  You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli commmand to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at at time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
  Every ISE upgrade that I have attempted as not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
  I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
  I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
  I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
  Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
  Once the restore finished, I then restored the certificate and picked one of the PSNs
  backup the cert,
  Had the AD join user account handy
  reset-db,
  and run the upgrade script.
  Once that is done I then restore the cert
  Join the PSN to the new deployment
  Join both nodes to AD through primary admin node
  Monitor for a few days (seperate consoles to make sure everything runs smooth)
  If anything doesnt look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and the the last admin node.
  Thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ip phones authenticate 802.1x with cisco ise 1.3

  Dear all,
  I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
  How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
  Thanks

  following are ISE 802.1x  sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)

• Cisco ip phones authenticate 802.1x with cisco ise

  Dears,
  I want to  configure ip phones authenticate from Cisco ISE with 802.1X with certificates. But i can not find any configuration guide about this solutions.
  I find one config and this is about ACS. Please provide me any documentation guide on cisco ise.
  Thanks. 

  802.1x configuration for IP Phones
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#69217

• SealthWatch intrgration with Cisco ISE-3315

  Hello Experts,
  i have Cisco ISE-3315 version 1.3 
  Can i order and SealthWatch Lancop and use it with this series of ISE 3315 ? Or i must have SNS ?

  Hi Imran-
  The 3315 appliance supports all personas running ISE 1.3
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/release_notes/ise13_rn.html#pgfId-527567
  Now, with that being said, keep in mind that this appliances has a lot less resources compared to the SNS appliances. Thus, if you are planning on running all personas on it then you will be greatly limited to the number of concurrent endpoints. 
  Thank you for rating helpful posts!