IP address in ISE live authentication after vlan change

Hi all,
On the ISE live authentication dashboard we can see the IP address of the client (known from FRAMED-IP-ADDRESS).
But what about a VLAN change, and the situation where the client gets a new IP address after relocation to a different VLAN?
The live logs show only the first IP address-to-client mapping (from the guest VLAN); after authorization a new VLAN and dACL are assigned, but the logs don't include the new IP address.
The session ID is the same all the time.
So maybe IP helper or another trick?
Regards

Thanks for the reply.
I added "aaa accounting update newinfo" and I'll see tomorrow how it works with AnyConnect and 802.1X.
Meanwhile, I think I must clarify what I meant.
Not all logs have an IP address present in live authentication (this is MAB, for test only).
The situation with 802.1X and AnyConnect is a bit better because there are IP addresses, but only from the first DHCP address assignment (authentication open with the default ACL). Then if the policy changes the VLAN and the client gets a new IP address from a different scope, we have wrong information in this log.
But getting back to our MAB...
The details of this entry look like:
So this is probably the reason that no IP address is visible: it was too soon for MAB to get this info and send it as Framed-IP-Address (according to this config command, "radius-server attribute 8 include-in-access-req").
Nevertheless, clicking the accounting details (from the 2nd screenshot)
we see that this information is present.
So my first question is: at which stage is this column filled? Only when "FRAMED-IP-ADDRESS" is sent in the RADIUS request, or from accounting?
Maybe ISE should dynamically modify this record after each accounting newinfo message?
Regards
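An added example, not from the thread, of the accounting-side mapping the post is asking about: a small RADIUS Accounting-Request parser and session table that keys on Acct-Session-Id (attribute 44; the Cisco audit-session-id VSA that IOS also sends is left out here, an assumption of the example) and replaces the recorded Framed-IP-Address (attribute 8) whenever an Interim-Update, the record that `aaa accounting update newinfo` makes IOS send, carries a different address. The packets, session id, MAC and addresses are constructed test data, and the Request Authenticator is zeroed because nothing here is sent to a real server.

```python
# Added example: track the current Framed-IP-Address per RADIUS accounting session.
# All packets, session ids and addresses below are constructed test data.
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request (RFC 2866)
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8      # the "attribute 8" of the radius-server command above
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3


def _attr(type_code: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_accounting_request(ident, status, session_id, user_name, framed_ip=None):
    """Constructed Accounting-Request. The 16-byte Request Authenticator is zeroed
    (assumption: nothing here reaches a real server, so no shared-secret MD5)."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_ACCT_SESSION_ID, session_id.encode())
    attrs += _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
    if framed_ip is not None:
        attrs += _attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_radius(packet: bytes):
    """Return (code, {attr_type: raw_value}), rejecting truncated or oversized TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs


@dataclass
class Session:
    user_name: str
    current_ip: Optional[str] = None
    ip_history: List[str] = field(default_factory=list)
    stopped: bool = False


class SessionTable:
    """Sessions keyed by Acct-Session-Id, which survives the VLAN change."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def process(self, packet: bytes) -> Optional[Session]:
        code, attrs = parse_radius(packet)
        if code != ACCOUNTING_REQUEST:
            return None
        sid = attrs[ATTR_ACCT_SESSION_ID].decode()
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        sess = self.sessions.setdefault(sid, Session(attrs[ATTR_USER_NAME].decode()))
        raw_ip = attrs.get(ATTR_FRAMED_IP_ADDRESS)
        if raw_ip is not None:
            ip = str(ipaddress.IPv4Address(raw_ip))
            if ip != sess.current_ip:       # first address, or a new one after re-DHCP
                sess.current_ip = ip
                sess.ip_history.append(ip)
        if status == ACCT_STOP:
            sess.stopped = True
        return sess


def demo() -> Session:
    """Replay the sequence from the thread: MAB Start without an address yet,
    the guest-scope address, then the address from the new VLAN's scope."""
    table = SessionTable()
    sid, mac = "SESS-0001", "00-11-22-33-44-55"   # constructed; MAB User-Name is the MAC
    table.process(build_accounting_request(1, ACCT_START, sid, mac))
    table.process(build_accounting_request(2, ACCT_INTERIM, sid, mac, "192.0.2.10"))
    table.process(build_accounting_request(3, ACCT_INTERIM, sid, mac, "198.51.100.20"))
    return table.process(build_accounting_request(4, ACCT_STOP, sid, mac, "198.51.100.20"))
```

The point the table makes is the one behind the question: a dashboard that only records the address present at Access-Request or Accounting-Start time keeps the guest-scope address for the life of the session, while a consumer that re-reads Framed-IP-Address from each Interim-Update ends up with the address from the new scope, and the history shows both.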

Similar Messages

  • ISE policy, DACLs and VLAN changes together

    So I have been having a hard time finding consistency in a policy that both changes the VLAN and applies a DACL. Originally, I found out that remarks were causing it to mess up. But I can't find any consistency. I can use the vanilla 'permit all' DACL in ISE, along with a VLAN change, and it just doesn't work. My AuthZ is very simple... If you are wired_MAB and your endpoint is in a particular group, then apply a policy that changes the VLAN and applies a DACL. This seems like it's at the root of what ISE is supposed to do, but it seems so buggy. Weird thing is, that if I do the VLAN change by itself, it works. But when I add the DACL neither work. Anyone have any ideas as to why this is?

    So it worked this time. The machine has been sitting in sleep mode for a while now. This is so inconsistent. Could it have something to do with me using the same machine to test a few different policies? I'm just switching the machine's MAC between different groups in order to test different policies. That's really when it stops working.
    - Do you have a pre-auth ACL configured already on the port? Yes, one that says permit any any
    - Is the port running open mode? Yes
    - What does "show auth sess int x/x" tell you once ISE has sent the authorization result to the switch?
    SJ5051IDF1#show authentication sess int g1/5 d
                Interface:  GigabitEthernet1/5
              MAC Address:  d4be.d905.3973
             IPv6 Address:  Unknown
             IPv4 Address:  10.42.163.59
                User-Name:  D4-BE-D9-05-39-73
                   Status:  Authorized
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
        Common Session ID:  0A0600210000007B24636E88
          Acct Session ID:  0x00000086
                   Handle:  0x4A000055
           Current Policy:  POLICY_Gi1/5
    Local Policies:
    Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
          Security Policy:  Should Secure
          Security Status:  Link Unsecure
    Server Policies:
               Vlan Group:  Vlan: 1620
                  ACS ACL:  xACSACLx-IP-BLDG-AUTOMATION-DACL-52fa7487
    Method status list:
           Method           State
           mab              Authc Success
    interface GigabitEthernet1/5
    switchport access vlan 32
    switchport mode access
    switchport voice vlan 64
    ip access-group ACL-ALLOW in
    logging event link-status
    authentication event fail action next-method
    authentication event server dead action authorize vlan 2700
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    service-policy input QoS-Input-Policy
    service-policy output QoS-Host-Port-Output-Policy
    end
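An added example, not from the thread, that turns the two outputs quoted above into an automated check: it parses the `show authentication sessions interface ... details` output and the port configuration, then reports whether the VLAN and dACL from the authorization result are actually applied, and whether the IPv4 address the switch shows could still be the one the host got before the VLAN change. The two text blocks are copied from this post (trimmed to the lines the check uses); the check rules are the example's own, and the rule that a dACL needs a static port ACL underneath it is the same condition the reply's first question is probing.

```python
# Added example: check an ISE authorization result from the switch side.
# SESSION_OUTPUT and PORT_CONFIG are copied from the post above (trimmed).
import re

SESSION_OUTPUT = """\
            Interface:  GigabitEthernet1/5
          MAC Address:  d4be.d905.3973
         IPv4 Address:  10.42.163.59
            User-Name:  D4-BE-D9-05-39-73
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
    Common Session ID:  0A0600210000007B24636E88
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
Server Policies:
           Vlan Group:  Vlan: 1620
              ACS ACL:  xACSACLx-IP-BLDG-AUTOMATION-DACL-52fa7487
Method status list:
       Method           State
       mab              Authc Success
"""

PORT_CONFIG = """\
interface GigabitEthernet1/5
 switchport access vlan 32
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
"""

SECTION_HEADERS = ("Local Policies", "Server Policies", "Method status list")


def parse_session(text):
    """Split the 'details' output into the top block, the two policy blocks
    and a {method: state} table."""
    out = {"top": {}, "Local Policies": {}, "Server Policies": {}, "methods": {}}
    section = "top"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.rstrip(":") in SECTION_HEADERS:
            section = line.rstrip(":")
            continue
        if section == "Method status list":
            if not line.startswith("Method"):        # skip the column header row
                name, state = line.split(None, 1)
                out["methods"][name] = state
            continue
        if ":" in line:                              # "Vlan Group:  Vlan: 1620" splits once
            key, value = (p.strip() for p in line.split(":", 1))
            out[section][key] = value
    return out


def parse_port(text):
    """Pull out the port settings the authorization result depends on."""
    port = {"access_vlan": None, "port_acl": None, "open": False, "host_mode": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"switchport access vlan (\d+)$", line):
            port["access_vlan"] = int(m.group(1))
        elif m := re.match(r"ip access-group (\S+) in$", line):
            port["port_acl"] = m.group(1)
        elif line == "authentication open":
            port["open"] = True
        elif m := re.match(r"authentication host-mode (\S+)$", line):
            port["host_mode"] = m.group(1)
    return port


def server_vlan(session):
    m = re.search(r"Vlan:\s*(\d+)", session["Server Policies"].get("Vlan Group", ""))
    return int(m.group(1)) if m else None


def check_authorization(session, port):
    """Return findings; an empty list means the result looks fully applied."""
    findings = []
    top, srv = session["top"], session["Server Policies"]
    if top.get("Status") != "Authorized":
        findings.append(f"session status is {top.get('Status')!r}, not Authorized")
    vlan = server_vlan(session)
    if vlan is None:
        findings.append("no VLAN in Server Policies: the profile did not push one")
    elif vlan != port["access_vlan"]:
        findings.append(f"VLAN moved {port['access_vlan']} -> {vlan}; the host must renew "
                        f"its lease, so IPv4 {top.get('IPv4 Address')} may be the old-scope address")
    acl = srv.get("ACS ACL")
    if acl is None:
        findings.append("no ACS ACL in Server Policies: the dACL was not applied")
    elif port["port_acl"] is None:
        # Catalyst IOS applies a dACL only on top of a static port ACL (the pre-auth ACL).
        findings.append(f"dACL {acl} present but the port has no 'ip access-group ... in'")
    return findings
```

Run against the post's own output the check returns a single finding: the session was moved from the configured access VLAN 32 to the server-assigned VLAN 1620, so the 10.42.163.59 entry is only trustworthy once the host has renewed its lease in the new scope. Removing the `ip access-group` line from the port config produces a second finding, which is the failure mode the reply is asking about with its pre-auth ACL question.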

  • ISE Live Authentications Not Visible

    Hi,
    I have a single node ISE deployed and have been adding and deleting policies for the past two weeks without issue. It's using our production AD and CA server and connected to NCS. My problem is that today when I was working on a new MAB policy, the policy would let the laptop on the network, but nothing appeared in the live authentications screen or the reports. I tried this with both a MAB and an 802.1X policy set and both times I logged on with the correct policy, but nothing was showing in the logging. These were both wireless and I had both the authentication and the accounting pointing at ISE, as well as SNMP too.
    I forgot to see if the clock was off, but if the authentications are working, I'm not sure why the reporting is not.
    Any help would be appreciated.
    Thanks,
    Mike

    Is your log target set up?
    Admin/System/Logging/Remote Logging Targets/LogCollector
    Also if this is a guest wifi setup between a Cisco foreign & anchor WLC, make sure Auth & Accounting are set up on the foreign WLC.

  • Cisco ISE and Authentication Failed VLAN

    I am trying to set up ISE to assign a VLAN to unauthorized computers. I tried using the "authentication event fail action authorize vlan 666" command but unfortunately I'm using multi-auth because we have users with bridged VMs and Cisco does not support it (http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875).
    Is there a way to make an Authorization/Authentication profile within ISE to assign the VLAN to failed devices?

    You can set endpoint protection status to quarantine, and establish policies that assign different authorization profiles, depending on the status of the endpoint.
    Quarantine essentially moves an endpoint from its default VLAN to a specified Quarantine VLAN. The Quarantine VLAN must be previously defined by a network administrator and supported on the same NAS as the endpoint. Unquarantine reverses the quarantine action, returning the endpoint to its original VLAN.
    The quarantine and unquarantine actions are performed as a result of established Authorization Rules that are defined to check for EPSStatus.
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_eps.html#wp1219979

  • ISE Live Authentications

    I have ISE with latest version 1.2.1.198
    I never see any entries in the live authentications page even though I have clients successfully authenticating and being authorised.
    Different browsers seem to make no difference.
    Has anyone also seen this and has anyone found a bug relating to this?
    Regards
    Roger

    Make sure your NAD is configured correctly, and try:
    ms-ise-mgm01/admin# app config ise
    Selection ISE configuration option
    [1]Reset Active Directory settings to defaults
    [2]Display Active Directory settings
    [3]Configure Active Directory settings
    [4]Restart/Apply Active Directory settings
    [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
    [6]Enable/Disable ERS API
    [7]Reset M&T Session Database
    [8]Rebuild M&T Unusable Indexes
    [9]Purge M&T Operational Data
    [10]Reset M&T Database
    [11]Refresh M&T Database Statistics
    [12]Display Profiler Statistics
    [13]Exit
    Try
    7 to reset the session DB
    10 to reset the M&T database
    Once you have run these commands the dashboard should begin to display information.

  • Export ISE Live Authentications and Sponsor activities

    Dear all,
    We need to know if it is possible to export to a syslog or any other service the live authentications logged on ISE.
    In addition, I need to know if is possible to export the sponsor activities.
    Thanks in advance!
    David

  • Why are my addresses disappearing on my events after making changes?

    I have addresses disappearing on my calendar after I make a change to an event. For instance: I make an error with a house number so I make the change. After I click DONE, the whole address vanishes. Or, if I insert a phone number in notes, the address disappears. The only fix is to add the address last so that no entry causes the problem.

  • Q: How can ISE 1.2 be configured to display "IP Address" in the Operations-Authentication view ?

    Hi Forum !
    I have several ISE installations running, and I have come across an issue that may or may not be a real issue.
    How can ISE 1.2 and/or the WLC be configured to display "IP Address" in the Operations-Authentication view?
    I simply cannot see any IP address in this field when the dot1x authentication is done on a WLC.
    This may be "works as designed" due to the fact that dot1x runs before the IP is assigned, but then again I do get profiler data etc., and hence I would expect the IP to be displayed.
    Please see the attachment for clarification of the field in the ISE dashboard.
    FYI
    I do see the IP in wired dot1x scenarios, but then again I run low-impact mode, as opposed to closed mode in the WiFi scenarios.
    I have the same on WLC OS 7.0, as well as on 7.5 & 7.6 (i.e. no IP address shown in the dashboard).
    Have fun!
    Regards
    Martin

    I have seen this before but never really bothered to look more into it. It has always shown for wired but not wireless. I did some digging and it appears that the "framed-ip-address" is being sent/honored by the NAS in the "access-accept" packet.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0101001.html#ID676
    Why it is not showing in ISE's screen is now another question. I would say a bug, but I recall this since the 1.0 days and I have done several deployments. Perhaps Cisco can chime in here, or you can open a TAC case and report back your findings :)
    Thank you for rating helpful posts!

  • Dashboard and Live authentication ISE 1.1.3.124 p1

    Hello all,
    Not long ago, I lost all data in the HOME panel; all sub-windows say "no data available", nothing.
    The only number I have there is the number of endpoints.
    And now, in the live authentication, I don't get any results: no pass, failed etc... Running the health report gives me nothing.
    I am running ISE 1.1.3.124 patch 1 and the Admin and PSN are not separated by any FW.
    I know I should go to 1.1.4 patch 2 but maintenance windows are hard to manage.
    Anyone seen that behavior?
    PS: replication is OK...
    Thx

    The issue could be due to incorrect or corrupted indexing and it needs to be rebuilt via a root patch. You may check the mnt-collector.out logs from the support bundle. I'd also suggest you go directly to ISE 1.2, which is scheduled for the 3rd week of July. In order to resolve the current issue, you may need to open a TAC case.
    Jatin Katyal
    - Do rate helpful posts -

  • After iOS 5.0 update Apple Store insists on US address but I live in UAE. Any suggestions please?

    After the iOS 5.0 update, the Apple Store insists on a US address, but I live in the UAE. Suggestions, please?

    Same problem here, but on my iPad 1: after iOS 5.0.1 the 3G data connection doesn't run anymore, and the EDGE is very slow.
    Sometimes I have a 3G connection, but when I try to use Safari or another application the signal disappears and I lose the operator signal and APN configuration.
    I tried many processes to fix it (hard reset, remove SIM card, change the operator, make APN configuration); if anyone has any idea what I can do to fix this problem.
    Thx.

  • No records in Live Authentications

    We have not updated to 1.2.1 yet and are running 1.2.0.899. The only change made to the system was alarm settings, which was just adding emails to alarm notification in settings.
    Four hours after the alarm notification change we started getting alerts that ISE had not had any authentication requests; 2 days later it shows no records in Live Authentications or Live Sessions from 4 hours after the change. All subfields at the top (i.e., Misconfigured Network Devices, Repeat Counters) are all zero as well. Authentication still SEEMS to be working: I am still able to log into network devices and users are still getting domain access, so we are really puzzled as to why nothing is being reported in the logs. On the home page of ISE, it also shows the system summary as "no data available" and we get "no heartbeat" alarms continuously and Critical: health status alerts.

    ISE 1.2 Dashboard Statistics do not update
    CSCul94611
    Description
    Symptom:
    Issue with the Live dashboard in ISE 1.1.4 not displaying information and only showing "No Data Available".
    The Dash Board will run and work for awhile, but it will randomly stop updating any statistics on the dashboard.
    Data will show and is seen in the database, but never updates per incoming/outgoing endpoints.
    Live authentications will work fine as well as all users are able to be authenticated. Customer reports do not produce data.
    Seen on multiple customer's deployments with fresh installs, a fresh install with a backup from a previous 1.1.x version, as well as upgrading to 1.1.4 from any earlier 1.1.x version.
    Conditions:
    Cisco ISE 1.2 or 1.1.4
    Any browser
    Distributed or single node deployment.
    Workaround:
    The workaround that fixes this M&T corruption is to enter the following commands below:
    ms-ise-mgm01/admin# app config ise
    Selection ISE configuration option
    [1]Reset Active Directory settings to defaults
    [2]Display Active Directory settings
    [3]Configure Active Directory settings
    [4]Restart/Apply Active Directory settings
    [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
    [6]Enable/Disable ERS API
    [7]Reset M&T Session Database
    [8]Rebuild M&T Unusable Indexes
    [9]Purge M&T Operational Data
    [10]Reset M&T Database
    [11]Refresh M&T Database Statistics
    [12]Display Profiler Statistics
    [13]Exit
    We need to select the following options:
    7 to reset the session DB
    10 to reset the M&T database
    11 to refresh the statistics (possibly not needed; was only needed in 1 case)
    Once you have run these commands the dashboard should begin to display information.
    This process can take up to 12 hours to complete all three steps, roughly 1 to 3 hours per option selected.
    Known Affected Releases:
    (1)
    1.2(0.899)

  • Problem to authenticate MAC address on ISE

    Hi guys,
    I have a lab with ISE version 1.1.1 installed on VMware, a 3750 switch, a WLC 4200 and one AP registered on the WLC; the WLC and AP are connected to the switch. We are testing user authentication using a Samsung tablet and it works OK. The authentication process is using the actual AD. The issue is when I try to authenticate the device using its MAC address. I'm reading many papers, but none explain the steps to do both authentications, by user and by MAC address, using ISE.
    Can anyone help me with the MAC address authentication process on ISE? For the final deployment our client wants to use user and device authentication.
    Thank you for your attention on this matter.

    Hi Tarik,
    Thanks for your reply.
    The port configuration of the switch is:
    DEMOSW# sh run int Gi2/0/11
    description Access Wireless LAN Controller
    switchport trunk encapsulation dot1q
    switchport mode trunk
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    spanning-tree portfast
    DEMOSW# sh run int Gi2/0/12
    description Access Point
    switchport access vlan 103
    spanning-tree portfast
    Our goal is that the tablets' MAC addresses can be authenticated using the ISE Internal Endpoints Database.
    I hope you may help me with it.
    Thank you for your attention on this matter.
    Regards.

  • ISE MAB authentication license usage

    Hello all. If I need ISE to authenticate wireless user MAC addresses (MAC Authentication Bypass) in order to facilitate central web authentication, does every concurrent device MAC address that accesses my guest wireless SSID and gets forwarded to ISE for authentication use up a license?
    I have many users with smartphones and tablets that have the guest wireless SSID profile already saved and automatically connect to the guest SSID when in range. Most of these users do not go on to log in via central web authentication, but their MAC addresses get forwarded to ISE for authentication. Does ISE use up a license per MAC address?
    Thanks,

    Hello-
    Please take a look at the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html
    So, in your situation, a license will be consumed even though the user never authenticates. This is because a license is consumed as soon as a session hits a rule in your AAA ISE policies. However, you can see from the document that as soon as the session times out the endpoint frees the license. If for some reason an "accounting-stop" message is not received, then after 5 days of inactivity the system will automatically free the license.
    Hope this helps!
    Thank you for rating helpful posts!

  • WLC, ISE certificate authentication issue

    Hi Folks,
    This is the setup:
    Redundant pair of WLC 5508 (version 7.5.102.0)
    Redundant Pair of ISE (Version 1.2.0.899)
         The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources).
         There is a rule-based authentication profile which queries the AD identity source when it receives wireless 802.1X authentication requests.
    A corporate WLAN is configured on the WLC:
    L2 security WPA+WPA2 (AES encryption), ISE server 1 and 2 configured as the AAA authentication servers.
    This is all working correctly. I associate to the Corp WLAN (authentication WPA2 Enterprise, encryption AES CCMP, 802.1X auth MS-CHAPv2 using AD credentials)... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
    The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
    I took a test laptop, and requested a new certificate (mmc, add snap-in, certificates, current user, personal, request new cert).
    The cert that was issued was signed only by a corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself). I changed the security settings of my connection to the corp WLAN (using TLS instead of MS-CHAPv2, and pointing to the certificate I requested).
    Initially authentication failed because the ISE did not trust the CA that provided my certificate (the ISE RADIUS authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
    I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import). The status of the cert is enabled, and it is trusted for client auth.
    After I did this, I could no longer associate to the Corp WLAN.
    My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.
    The ISE troubleshooting tool reported no new failed or successful authentication attempts.
    Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
    It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE. Other users who authenticate using their AD credentials only (as I described above) can still authenticate OK.
    Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
    Thanks in advance,
    Darragh

    Hi,
    I had the same issue with a Microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify whether the client CA matches the root CA via openssl.
    Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ISE and check if that works. Also check that "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit is set.
    If this does not work, try to import the CA into another system and export it, then import it into ISE.
    Regards,

  • ACS 5.4 Can't see device name in "Live Authentication"

    Hello,
    Under the dashboard I activated "Live Authentication". Under the "General" tab I can see the IP address of the switch (authenticator) but not the name. The IP address is not listed under IP Address but under NAD.
    Under AAA Protocol > RADIUS Authentication it is perfect. Network device and IP address are listed correctly.
    Is there a way to see the NAD in the dashboard?
    Regards Horst

    Hi,
    In the attachment, you can see the IP addresses of the switches (authenticator) in the NAD column but not in the IP Address column.
    If you open Authentication-RADIUS-Today, the name and the IP address of the authenticator can be seen.
    I would like to see the IP address and the name of the network device.
    Regards Horst
