Hi, about provisioning in ISE

Hi, experts
I'm trying to do provisioning so clients can get a CA certificate and SSID from ISE.
I did set up all of the SCEP things, and here are my authentication and authorization rules.
I could not figure out what I did not do.
Please help me with it.
AuthZ
AuthC
In MAB, if user not found, continue.
Provisioning
What else should I configure?
Let me know if you need more information.

Please follow the provisioning guide below:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html

Similar Messages

  • What is the provisioning feature in the settings under General > Profile? It says something about "provisioning". What does that mean and what does it do? (It's on my 5th generation iPod touch, black, iOS 6.1.3)

    A profile is used on an iOS device to add specific settings and similar things to the device. Typically, they are added when the iOS device is controlled by a company or school.
    However, some apps install a profile. If your iPod is not controlled by a company or school then it seems an app added the profile. You can Google the title of the profile and see if that gives any info.

  • NAC Agent and NSP provisioning with ISE 1.1.1

    I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.
    I am currently using the default guest portal in ISE.
    The environment has been setup using a Dual SSID design.
    At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.
    The problem is the portal never attempts to install the NAC Agent.
    The client provisioning policy has separate policies for wireless/wired as well as OS. Each policy applies both an NSP and a NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.
    Any ideas?

    Just so I understand this correctly, you are using both a client provisioning portal and a native supplicant provisioning portal tied into separate authz policies.
    With that out of the way, are you checking to see if the client is compliant in the client provisioning portal policy?
    Let me know if you have the following configured (example: Windows OS). This assumes that the endpoint is statically assigned to RegisteredDevices after native supplicant provisioning.
    Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access
    Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.
    Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication method using MSCHAPv2) RESULT windows provisioning portal
    Hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • ISE, BYOD: guest clients provisioning

    Hello!
    The question is about provisioning different types of wifi clients through the ISE Guest portal.
    ISE 1.1.4, WLC 7.4.100 (Guest WLAN uses MAB)
    Suppose, there are two groups of wireless clients:
    1) guest user, whose credentials are created through the ISE Sponsor Portal
    2) domain user, who has credentials in Active Directory
    The aim is to provision the domain user, and not provision the guest user.
    When a client connects to the Guest SSID and opens the browser, he is redirected to the ISE Guest portal.
    When the client uses a domain user, he is provisioned, and when he uses guest credentials he is not provisioned.
    How does ISE understand that the domain user must be provisioned and the guest user must not be provisioned if the web portal is configured to provision everyone?
    (Web Portal -> Settings -> Enable Self-Provisioning flow)

    The answer is that typically you either know the MAC address or you have something installed (NAC agent?) and fulfill some requirements.
    Alternatively, you can perform CWA first (and...)
    Then if user is part of guest users -> allow internet only access
    If user is part of AD -> send him to do registration.
    Authorization policy allows you to use "identity group" as part of condition.
    If device registered -> allow full access. (just an idea).
    M.

  • ISE - EAP-FAST PAC Provisioning - Identity field??

    Hi all, very simple question regarding the fields in the PAC provisioning section of ISE. Basically wondering what the "identity" field under machine and tunnel PAC is meant to be? I am currently planning an EAP-FAST deployment and this is the only area I am wondering about. Essentially planning to auto-provision the PAC hopefully using authenticate in-band. The Cisco doco is a little vague on this particular field.
    Thanks in advance - have googled this for a day or so and frankly cannot find the information that I want.

    PAC settings:
    •Tunnel PAC Time To Live—The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days.
    •Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%.
    •Allow Anonymous In-band PAC Provisioning—Check this check box for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2. To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC.
    •Allow Authenticated In-band PAC Provisioning—Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE.
    When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning.
    –Server Returns Access Accept After Authenticated Provisioning—Check this check box if you want Cisco ISE to return an access-accept package after authenticated PAC provisioning.
    •Allow Machine Authentication—Check this check box for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. Cisco ISE only supports Active Directory as an external identity source for machine authentication. After these details are correctly verified, no further authentication is performed.
    When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).
    •Enable Stateless Session Resume—Check this check box for Cisco ISE to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled).
    Uncheck this check box in the following cases:
    –If you do not want Cisco ISE to provision authorization PACs for EAP-FAST clients
    –To always perform phase two of EAP-FAST
    When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
    •Preferred EAP Protocol—Check this check box to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, and EAP-MD5. By default, LEAP is the preferred protocol to use if you do not enable this field.

  • IOS 8.x Apple users and CISCO ISE native supplicant provisioning not working

    Hi there guys ,
    I was wondering if anybody else have the following problem:
    Apple iOS 8.x users are not able to register their devices on the ISE portal (native supplicant provisioning).
    After they receive the redirection from the WLC, they freeze. Apple iOS 7.x users have no problem.
    ISE is version 1.2.1.198 patch 2. WLC is running 8.0.102.14.
    Anybody experienced the same?
    MB

    I am also running ISE 1.2.1.198 patch 2 with 8.0.100. I am testing with an iPad running iOS 8.1. The device will register in the registration portal, but is not being classified as an iOS device within client provisioning, I believe. It is getting profiled as a workstation even though all Apple device profiles are enabled.
    I have an authorization policy for registered devices, and iPad, iPhone, iOS devices to gain access to the network without going through posture assessment. I then have my posture assessment authorization rules with Apple iOS devices set for an SSID native supplicant profile.
    I keep getting an error page on the iPad when connecting to the ISE SSID saying "Client Provisioning Portal: ISE is not able to apply an access policy to your log-in session at this time. Please close this browser, wait approximately one minute, and try to connect again". It gives this message over and over.
    If I turn off the posture checking authorization profiles, the iOS device is selected by a rule further down, which tells me that ISE does not recognize it as an iOS device in the profiling or client provisioning.

  • Ask the Expert: Integrating Cisco Identity Service Engine (ISE) 1.2 for BYOD

    With Eric Yu and Todd Pula 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions  about integrating Cisco ISE 1.2 for BYOD with experts Eric Yu and Todd Pula.
    Cisco Bring Your Own Device (BYOD) is an end-to-end architecture that orchestrates the integration of Cisco's mobile and security architectures to various third-party components. The session takes a deep dive into the available tools and methodologies for troubleshooting the Cisco BYOD solution to identify root causes for problems that stem from mobile device manager integration, Microsoft Active Directory and certificate authority services, and Cisco Enterprise Mobility integration to the Cisco Identity Services Engine (ISE). 
    Todd and Eric recently delivered a technical workshop that helps network designers and network engineers understand integration of the various Cisco BYOD components by taking a deep dive to analyze best practice configurations and time-saving troubleshooting methodologies. The content consisted of common troubleshooting scenarios in which TAC engineers help customers address operational challenges as seen in real Cisco BYOD deployments.
    Eric Yu is a technical leader at Cisco responsible for supporting our leading-edge borderless network solutions. He has 10 years of experience in the telecommunications industry designing data and voice networks. Previous to his current role, he worked as a network consulting engineer for Cisco Advanced Services, responsible for designing and implementing Cisco Unified Communications for Fortune 500 enterprises. Before joining Cisco, he worked at Verizon Business as an integration engineer responsible for developing a managed services solution for Cisco Unified Communications. Eric holds CCIE certification in routing and switching no. 14590 and has two patents pending related to Cisco's medianet.
    Todd Pula is a member of the TAC Security and NMS Technical Leadership team supporting the ISE and intrusion prevention system (IPS) product lines. Todd has 15 years of experience in the networking and information security industries, with 6 years of experience working in Cisco's TAC organization. Previous to his current role, Todd was a TAC team lead providing focused technical support on Cisco's wide array of VPN products. Before joining Cisco, he worked at Stanley Black & Decker as a network engineer responsible for the design, configuration, and support of an expansive global network infrastructure. Todd holds his CCIE in routing and switching no. 19383 and an MS degree in IT from Capella University.
    Remember to use the rating system to let Eric and Todd know if you have received an adequate response.
    Because of the volume expected during this event, Eric and Todd might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity AAA, Identity and NAC, shortly after the event. This event lasts through November 15, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Antonio,
    Many great questions to start this series.  For the situation that you are observing with your FlexConnect configuration, is the problem 100% reproducible or is it intermittent?  Does the problem happen for one WLAN but not another?  As it stands today, the CoA-Ack needs to be initiated by the management interface.  This limitation is documented in bug CSCuj42870.  I have provided a link for your reference below.  If the problem happens 100% of the time, the two configuration areas that I would check first include:
    On the WLC, navigate to Security > RADIUS > Authentication.  Click on the server index number for the associated ISE node.  On the edit screen, verify that the Support for RFC 3576 option is enabled.
    On the WLC, navigate to the WLANs tab and click on the WLAN ID for the WLAN in question. On the edit screen, navigate to Security > AAA and make sure the Radius Server Overwrite interface is unchecked. When this option is checked, the WLC will attempt to send client authentication requests and the CoA-Ack/Nak via the dynamic interface assigned to the WLAN vs. the management interface. Because of the below referenced bug, all RADIUS packets except the CoA-Ack/Nak will actually be transmitted via the dynamic interface. As a general rule of thumb, if using the Radius NAC option on a WLAN, you should not configure the Radius Server Overwrite interface feature.
    Bug Info:  https://tools.cisco.com/bugsearch/bug/CSCuj42870
    For your second question, you raise a very valid point which I am going to turn into a documentation enhancement request.  We don't currently have a document that lists the possible supplicant provisioning wizard errors that may be encountered.  Please feel free to post specific errors that you have questions about in this chat and we will try to get you answers.  For most Android devices, the wizard log file can be found at /sdcards/downloads/spw.log.
    As for product roadmap questions, we won't be able to discuss this here due to NDA. Both are popular asks from the field, so it will be interesting to see what the product marketing team comes up with for the next iteration of ISE.
    Related Info:
    Wireless BYOD for FlexConnect Deployment Guide

  • ISE and windows phone

    Ciao,
    Is there support for Windows Phone 7.x (8.x when it's released) in ISE?
    I'm talking about the provisioning process:
         - Network Setup Assistant
         - SCEP (I think Windows supports this)
    or will W.P. be included in a Cisco Design Guide?
    I need to manage W.P. as BYOD.
    Regards,
    Iarno

    I checked the settings in ISE and the client provisioning policies do not have the Windows Phone operating system labeled. I also checked the Q&A and release notes and didn't find anything there either. The operating systems that you can check are Android, iOS, Windows 7, XP, etc. and Mac OS X.
    It would be best for you to open a TAC case to get a definite answer; my feeling is that it isn't supported. If you go this route please post what you find for future reference.
    Hope that helps.
    Tarik Admani
    *Please rate helpful posts*

  • Distributed ISE 1.3 timezones

    Question about timezones in ISE 1.3 for distributed deployments across the globe. I've seen some comments/recommendations on not configuring timezone on ISE nodes when deploying in dispersed geography and just leaving timezone as UTC. I've even seen that supposedly it's not allowed to change timezone after installation.
    Is this an outdated recommendation that doesn't apply to ISE 1.3 anymore?
    Should I use the same UTC timezone on all ISE nodes? How do admins deal with reading logs in this environment? I can see how tricky it can be to analyze. What about guest provisioning in sponsor portals, won't it be confusing for sponsors when setting time periods for guest accounts? What about Active Directory sync, is it OK if the ISE PSN's timezone doesn't match the AD server's timezone?

    Hi Kevin-
    A couple of questions/suggestions:
    - Is there a chance that the students are also part of the employee AD group? I know it is a silly question but I must ask :) In fact, when a successful authentication happens, you can open the "detailed authentication screen" for that session and you can see all of the AD groups that the user is member of
    - Have you tested this yourself? For instance, you can create a test account in each group and then try it for yourself
    - Another silly question but can you confirm that each SSID has a unique interface in the WLC, thus going to a different subnet/DHCP scope
    - I would make your authorization rule a bit simpler. I would like you to remove the: 
    "AD1:ExternalGroups NOT_EQUALS mydomain/Students/All Students"
    When it comes to AD groups, ISE would process them in a "top-down" fashion and as soon as a match occurs, ISE would stop looking. I don't think this is the issue in your case but still worth the try. 
    - If the main issue is lack of DHCP addresses then why not address that? :) For instance, you can:
    1. Expand the DHCP scope (From let's say /24 to a /23)
    2. Assign a "secondary IP" address to the L3 interface, thus giving it more subnets
    3. Utilize "Interface Groups" in the WLC, that way you can have multiple subnets tied to the same SSID
    Thank you for rating helpful posts! 
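The two replies above both lean on the same behaviour: ISE walks the authorization policy top-down and stops at the first rule whose conditions all match. The following is an added example, not configuration exported from ISE or code from the thread, that models that evaluation in Python using the three rules Tarik listed and the overlapping Employees/Students groups from the second reply. The rule names, attribute keys (endpoint_group, ad_groups, auth_method, posture), authorization-profile names and the session dictionaries are all constructed for illustration.

```python
"""Minimal model of first-match authorization policy evaluation.

Added example, not configuration exported from ISE or code from the
thread. Rule names, attribute keys and the session dictionaries are
constructed for illustration; real ISE conditions are built in the GUI.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]
Condition = Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]  # ANDed together, like one ISE rule row
    result: str                  # authorization profile to return

    def matches(self, session: Session) -> bool:
        return all(cond(session) for cond in self.conditions)


def attr_equals(key: str, value: str) -> Condition:
    return lambda s: s.get(key) == value


def attr_not_equals(key: str, value: str) -> Condition:
    return lambda s: s.get(key) != value


def in_ad_group(group: str) -> Condition:
    # ad_groups is a ';'-separated list of the user's external AD groups
    return lambda s: group in s.get("ad_groups", "").split(";")


def evaluate(policy: List[Rule], session: Session,
             default: str = "DenyAccess") -> Tuple[str, str]:
    """Top-down, first match wins; rules below the match are never consulted."""
    for rule in policy:
        if rule.matches(session):
            return rule.name, rule.result
    return "Default", default


# The three rules from the first reply, in the order they must be listed.
ONBOARDING_POLICY = [
    Rule("Rule 0", [attr_equals("endpoint_group", "RegisteredDevices"),
                    in_ad_group("Domain Users"),
                    attr_equals("auth_method", "x509_PKI"),
                    attr_equals("posture", "COMPLIANT")],
         "PermitAccess"),
    Rule("Rule 1", [attr_equals("endpoint_group", "RegisteredDevices"),
                    in_ad_group("Domain Users"),
                    attr_equals("auth_method", "x509_PKI"),
                    attr_not_equals("posture", "COMPLIANT")],
         "ClientProvisioningPortal"),
    Rule("Rule 2", [attr_equals("endpoint_group", "Workstation"),
                    in_ad_group("Domain Users"),
                    attr_equals("auth_method", "MSCHAPV2")],
         "NativeSupplicantPortal"),
]

# Two group-based rules: a user who is in BOTH AD groups always lands on
# whichever rule is listed first (the "silly question" in the second reply).
GROUP_POLICY = [
    Rule("Employees", [in_ad_group("Employees")], "Employee_VLAN"),
    Rule("Students", [in_ad_group("Students")], "Student_VLAN"),
]

# Constructed sample sessions (hypothetical attribute values).
COMPLIANT_DEVICE = {"endpoint_group": "RegisteredDevices",
                    "ad_groups": "Domain Users",
                    "auth_method": "x509_PKI", "posture": "COMPLIANT"}
FRESHLY_ONBOARDED = {"endpoint_group": "RegisteredDevices",
                     "ad_groups": "Domain Users",
                     "auth_method": "x509_PKI", "posture": "UNKNOWN"}
NEW_WORKSTATION = {"endpoint_group": "Workstation",
                   "ad_groups": "Domain Users",
                   "auth_method": "MSCHAPV2"}
STUDENT_ALSO_EMPLOYEE = {"ad_groups": "Students;Employees"}


def shadowed_result() -> Tuple[str, str]:
    """A broad 'registered device -> portal' rule placed ABOVE Rule 0 also
    captures the compliant device: Rule 0 is never reached."""
    catch_all = Rule("Registered -> portal",
                     [attr_equals("endpoint_group", "RegisteredDevices"),
                      attr_equals("auth_method", "x509_PKI")],
                     "ClientProvisioningPortal")
    return evaluate([catch_all] + ONBOARDING_POLICY, COMPLIANT_DEVICE)


if __name__ == "__main__":
    for label, sess in [("compliant", COMPLIANT_DEVICE),
                        ("onboarded", FRESHLY_ONBOARDED),
                        ("workstation", NEW_WORKSTATION)]:
        print(label, "->", evaluate(ONBOARDING_POLICY, sess))
    print("dual-group user ->", evaluate(GROUP_POLICY, STUDENT_ALSO_EMPLOYEE))
    print("shadowed ->", shadowed_result())
```

The point to take from the model is that a rule's position is part of its meaning: the compliant device only reaches PermitAccess because nothing broader sits above Rule 0, and a dual-group user is classified by whichever group rule is higher, not by the group you consider more important. When a session lands on an unexpected profile, check the detailed authentication report for the rule that matched and the groups the user carried, as the second reply suggests, before adding NOT_EQUALS conditions to later rules.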

  • ISE - Which is first, profiling or posturing?

    Hi,
    I am wondering, if both profiling and posturing are enabled on ISE, which happens first? My guess is profiling, but I could not find any Cisco document that says how this works.
    Also, one more question: during client provisioning, ISE must know the OS of the client, so that it can download the appropriate agents. So, how does ISE learn about the OS of the client? I don't think RADIUS passes this info.
    Any clarification on this would be appreciated; it must be pretty basic, but I am unable to find any document to prove this.
    Appreciate any help.
    Regards,
    Mohan

    Mohan,
    Profiling can be done based on multiple factors; the easiest way is to read the user agent when the user connects to a portal :-)
    There are also configurable actions on ISE:
    What kind of scenario are you thinking about to evaluate which is done before?
    Although from a logic point of view, it might make sense to evaluate what you're dealing with (profiling) before you decide whether it's fit to access your network (posture assessment). :-)
    M.
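The reply above points at the HTTP User-Agent of the portal request as the simplest OS source for client provisioning, and the iOS 8 thread earlier on this page shows what happens when the OS is mis-classified (the device falls into a workstation rule and the portal has no matching provisioning policy). The following is an added example, not ISE's profiler code, that classifies an OS family and version from a User-Agent string and maps it to a provisioning result. The pattern list, the provisioning-result labels and the sample User-Agent strings are constructed for illustration, not captured from the devices in the thread. The ordering of the patterns is the point: an iOS User-Agent also contains the words "like Mac OS X", so a pattern list that tests Mac before iOS would file every iPad as a Mac workstation. It also shows an OS the page says ISE's provisioning policies do not list (Windows Phone) falling through with no result.

```python
"""Classify a client OS from the portal HTTP User-Agent.

Added example, not ISE's profiler code. The pattern list, the
provisioning-result labels and the sample User-Agent strings are all
constructed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

# Most specific first. An iOS User-Agent also contains "like Mac OS X",
# so testing the Mac pattern before the iOS one would mis-file every
# iPad and iPhone as a Mac workstation.
OS_PATTERNS = [
    ("Apple iOS", re.compile(r"\((?:iPad|iPhone|iPod)[^)]*?\bOS (\d+)_(\d+)")),
    ("Android", re.compile(r"Android (\d+)\.(\d+)")),
    ("Windows Phone", re.compile(r"Windows Phone (?:OS )?(\d+)\.(\d+)")),
    ("Mac OS X", re.compile(r"Mac OS X (\d+)[._](\d+)")),
    ("Windows", re.compile(r"Windows NT (\d+)\.(\d+)")),
]

WINDOWS_NT_NAMES = {"5.1": "XP", "6.0": "Vista", "6.1": "7", "6.2": "8", "6.3": "8.1"}

# Hypothetical client-provisioning results keyed by OS family. An OS with
# no entry gets no result at all, which the client experiences as a portal
# error rather than a wizard.
PROVISIONING_RESULTS: Dict[str, str] = {
    "Apple iOS": "NSP_iOS",
    "Android": "NSP_Android",
    "Mac OS X": "NSP_OSX+NAC_Agent",
    "Windows": "NSP_Windows+NAC_Agent",
}


def classify(user_agent: str) -> Tuple[str, Optional[str]]:
    """Return (os_family, version) or ("Unknown", None)."""
    for family, pattern in OS_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            version = f"{m.group(1)}.{m.group(2)}"
            if family == "Windows":
                version = WINDOWS_NT_NAMES.get(version, "NT " + version)
            return family, version
    return "Unknown", None


def select_result(user_agent: str) -> Optional[str]:
    """Pick the provisioning result for the classified family, if any."""
    family, _ = classify(user_agent)
    return PROVISIONING_RESULTS.get(family)


# Constructed sample strings (not captured from the devices in the thread).
SAMPLE_AGENTS = {
    "ipad_ios8": "Mozilla/5.0 (iPad; CPU OS 8_1 like Mac OS X) AppleWebKit/600.1.4 "
                 "(KHTML, like Gecko) Version/8.0 Mobile/12B410 Safari/600.1.4",
    "iphone_ios7": "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) "
                   "AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53",
    "mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36",
    "win7": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0",
    "android": "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/38.0.2125.102 Mobile Safari/537.36",
    "winphone": "Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; "
                "IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)",
    "curl": "curl/7.38.0",
}

if __name__ == "__main__":
    for name, ua in SAMPLE_AGENTS.items():
        print(f"{name:12} -> {classify(ua)} -> {select_result(ua)}")
```

Two practical caveats. The User-Agent is fully client-controlled, so a classification derived from it is a hint for choosing which wizard to offer, not evidence for an access decision; anything the client can change should not, on its own, move it into a more permissive authorization rule. And a new OS release often changes the string (the iOS 8 thread above is the kind of symptom that produces), so when a device that worked last month suddenly profiles as something else, compare the raw User-Agent it sends with the conditions of the profiling or provisioning policy before touching the authorization rules.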

  • ISE version 1.1.2 patch-5 or 1.1.3

    I am about to deploy ISE in a new environment. My plan is to go with ISE 1.1.2 with patch-5 or with 1.1.3.
    My problem with 1.1.3 is that it is new and has no patch. While there are new features in 1.1.3, it also comes with unknown issues and bugs that will not be resolved until patch-1 for 1.1.3. Therefore, I plan on staying at 1.1.2 patch-5.
    What do  you think?

    Hello David-
    With any new product, such as ISE (version 1.x), I tend to always go with the latest release as there are constantly more and more bugs being fixed along with new features. I have one deployment running on 1.1.3 and I have not had/heard of any issues.
    Also, there is a nasty bug with 1.1.2 where if you use automatic backups your EAP-TLS authentications start to fail and can only be resolved by a reload. (CSCud00831). So if you are planning to use EAP-TLS type authentications then I would strongly recommend that you go with 1.1.3
    Thank you for rating!

  • ISE 1.3 Rollback and ISE 1.2 Backup

    Hi All,
    I am curious to know about following related to ISE
    1) ISE 1.3
        Once we have installed ISE 1.3, can we roll back to ISE 1.2.0 or do we need to re-image it?
    2) ISE 1.2
        If I take a backup of ISE 1.2.0, will it include a backup of the certificates also?
    Please do share your views..
    Thanks,
    Aditya

    Hi cciesec2011,
    Thanks for the reply.
    I am curious about the backup of ISE 1.2 and certificates. Can you share any link/document related to this?
    Thanks,
    Aditya

  • EPM Provisioning when using an external user directory

    I intend to use an external user directory, probably MSAD.
    Now from what I understand provisioning is done within native directory. How do I get the users which exist in the external user directory to show up in native directory OR how do I go about provisioning users who exist in the external user directory?

    I did see that link, and while I understand what needs to be done to configure the external user directory, my confusion is this:
    Once the external user directory is configured, I will see the users in shared services under the section "OID" or "MSAD" in user directories. That is fine. Now I want to provision and start assigning hyperion roles such as administrator, planner etc to the users. As per the documentation, only users in native directory can be assigned provisioning. However, I seem to be able to right click on a user under MSAD and provision it.
    So my confusion is, it seems that I can provision users listed under the external directory. So why does documentation say provisioning is done to users in Native directory. If that is indeed the case, then how do I get users in external directory into Native directory within Shared Services?

  • How to cluster ISE 1.2.1.98

    Hi Team,
    I have 6 boxes of ISE and we planned to make 2 of them PSNs.
    What about the other 4 ISE nodes? How should I cluster them as admin and monitor nodes?

    It would depend on your deployment but you can:
    1. Configure 4 nodes to be PSNs
    2. Place the nodes in a "node group" behind a load balancer. If you don't have a load balancer, you can configure the NADs in a way that the load is somewhat distributed. For instance, make PSN 1 be the primary Radius server and PSN 2 be the secondary for Wireless LAN Controllers. Then PSN 2 be the primary for switches while PSN 1 secondary. Then PSN 3 to be primary for ASAs/VPN, PSN 4 be the secondary, etc. 
    3. You can then take the other two nodes and dedicate them for Administration and Monitoring. You can split the load by making one node be the primary for "Admin" but secondary for "Monitor" while making the second node be the primary for "Monitor" and secondary for "Admin"
    Hope this helps!
    Thank you for rating helpful posts!

  • Documentation(how to) for provisioning AD --OIM-- DB

    Hello all,
    Where can I find some "how to" about provisioning AD<--OIM-->DB? I need to install this resource, but I don't know how. I didn't find (which is more difficult for me) any kind of "how to" about OIM-->DB provisioning.
    Thanks a lot.

    I was told that there is going to be (or potentially just has been) an OIM 9.1 training in Munich this spring.
    The core problem is that it is simply not possible to train someone on something as complex as OIM in just a few days so the basic bootcamp training has to focus on the basic principles and shield the user from all the evil details. The issue with this approach is that when the user gets back to the implementation project they are now seen as experts that should be able to resolve anything as they have attended the training.
    Find reconciliation in the fact that you now have a very marketable skill :)
    If OIM implementation was easy you would have to find a new job
