ISE 1.1.2.145 patch-3 and CLI password disable

I am running ISE 1.1.2.145 patch-3 on VMware ESXi 4.1. The ISE is running fine without any issues.
During the initial setup of the ISE, I created an account called "admin" so that I can ssh into the ISE.  According to Cisco, the CLI password does NOT expire and does NOT lock out.  However, I ssh'd into the ISE and "intentionally" entered the wrong password 5 times.  After that, I can no longer ssh or console into the ISE with the "admin" account.  The only way to fix this is to do "password recovery" with the DVD.
I noticed the same issue with ISE version 1.1.1.268 patch-5 as well.
Is this a "known" issue with ISE or a bug?

It looks like there was a bug fixed for this issue in 1.1.1; you may need to open a TAC case and see if the bug has resurfaced.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
CSCub89895
SNMP process stops randomly due to an issue in netsnmp
The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of the Cisco ISE node to fail until the daemon is restarted. This issue has been observed in Cisco ISE, Release 1.1.1.
Workaround: Remove all SNMP commands and re-add them to start the daemon again or restart the ISE node.
For more information, see: http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=12694&atid=112694
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

    Need help from ISE experts/gurus in this forum.
    Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stop working completely and a reboot is required (very nice bug from cisco).  This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
    Scenario: 
    - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
    - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
    - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
    - node 3 is Policy service node - hostname is node3
    - node 4 is Policy service node - hostname is node4
    Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
    My understanding is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
    to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
    upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601.
    Can I patch my existing environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
    I looked at the Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
    I am trying to get a definite answer from Cisco TAC but it seems like they don't know either.
    Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
    step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
    Proposed solution:
    step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
    step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
              form a new ISE 1.2 cluster independent of the old cluster,
    step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node3 will automatically join the ISE node2 which is already in version 1.2
    step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node4 will automatically join the ISE node2 which is already in version 1.2
    step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
    step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
    step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
    step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
    step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
    Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
    step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Do these steps make sense to you?
    Thanks in advance.

    David,
    A few answers to your questions -
    Question 1: My recommendation is to follow Vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was released prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
    https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
    You do not have the ability to install an ISE patch through the GUI on any of the "non-primary" nodes (you can use the CLI command to achieve this); the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at a time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
    Every ISE upgrade that I have attempted has not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
    I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
    I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
    I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
    Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
    Once the restore finished, I then restored the certificate and picked one of the PSNs
    backup the cert,
    Had the AD join user account handy
    reset-db,
    and run the upgrade script.
    Once that is done I then restore the cert
    Join the PSN to the new deployment
    Join both nodes to AD through primary admin node
    Monitor for a few days (separate consoles to make sure everything runs smooth)
    If anything doesn't look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation. If it all goes smooth you can then follow the above steps for the other two nodes, starting with the last PSN and then the last admin node.
    Thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • Snmp stops working on ISE 1.1.2(145) patch 10

    I have a Primary Admin/Primary Monitoring, Secondary Admin/Monitoring and two PSN nodes, distributed mode
    A few days ago, the primary Admin/Monitoring node snmpd daemon just stopped working.  I had to remove the snmp community string and re-add it back and snmpd starts working again.
    Yesterday, the secondary admin/monitoring node snmpd daemon also stopped working and had to do the same thing (remove and re-add snmp community string) for snmp to work again.
    Is this a bug in ISE?

    It looks like there was a bug fixed for this issue in 1.1.1; you may need to open a TAC case and see if the bug has resurfaced.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
    CSCub89895
    SNMP process stops randomly due to an issue in netsnmp
    The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of the Cisco ISE node to fail until the daemon is restarted. This issue has been observed in Cisco ISE, Release 1.1.1.
    Workaround: Remove all SNMP commands and re-add them to start the daemon again or restart the ISE node.
    For more information, see: http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=12694&atid=112694
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

    Does anyone know if Cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support SNMP version 3?
    ciscoISE/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    ciscoISE/admin(config)# snmp-server
    Ciscoacs/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    Ciscoacs/admin(config)# snmp-server

    No support for SNMP v3 on ISE v1.2 and 1.3 except for profiling
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

  • Ise patch 1 and 2 for 1.1.4 problem with resetting-application

    Hi guys,
    For your info, ISE patches 1 and 2 have the same problem on 1.1.4. If you have patches installed and try to reset the application of ISE, the monitoring applets are all gone. It's loading an empty page. Solution: roll back any installed patches. Monitoring is back up again. Install the patches again and everything is fine. Took me one afternoon to figure this out.

    Hi Ravi,
    Do you know, what is going wrong? I'm wondering if everything is working correctly and if patches are applied correctly.

  • ISE 1.2.0.899 patch 1,2,3,4 with blackberry 9700

    Hi, I'm using ISE 1.2.0.899 patch 1,2,3,4, and I am trying to use guest portal on blackberry 9700.
    I verified that I am able to do 802.1x with blackberry.
    I associated to ssid, and opened web browser, and I can see the guest portal.
    However, when I clicked on "don't have account?" to create a guest ID, I could not go any further.
    Does anyone know if it's supported or not? If it's working or not?
    I know in the network compatibility document for 1.2, there is no mention of blackberry.
    Does anyone know about this?

    Saurav Lodh, I did check the default time profile that is being used the sponsor. I even created a custom time profile to rule out any timeout on the Guest account, but even with the custom profile time the Guest account times out between 7 to 10 minutes and asks to re-authenticate again. I don't know if there is another place to look out for any timeouts, or is it maybe a bug with this version of ISE, but I couldn't find anybody else having this same issue which makes me think that it has to be a setting that is causing this problem.

  • ISE version 1.1.2 patch-5 or 1.1.3

    I am about to deploy ISE in a new environment.  My plan is to go with ISE 1.1.2 with patch-5 or with 1.1.3
    My problem with 1.1.3 is that it is new and has no patch.  While there are new features in 1.1.3, it also comes with unknown issues and bugs that will not be resolved until patch-1 in 1.1.3.  Therefore, I plan on staying at 1.1.2 patch-5.
    What do you think?

    Hello David-
    With any new products, such as ISE (version 1.x), I tend to always go with the latest release as there are constantly more and more bugs that are being fixed along with new features. I have one deployment running on 1.1.3 and I have not had/heard any issues.
    Also, there is a nasty bug with 1.1.2 where if you use automatic backups your EAP-TLS authentications start to fail and can only be resolved by a reload. (CSCud00831). So if you are planning to use EAP-TLS type authentications then I would strongly recommend that you go with 1.1.3
    Thank you for rating!

  • ISE 1.2 Profiling with iPAD Mini and Chromebooks

    Anyone run into issues with profiling devices properly with iPAD mini and Chromebooks?  Recent testing with a customer shows that ISE was not able to identify the devices properly.  We have a case opened with Cisco; they came out with a patch for Chromebook last week but it is still broken, continuing to pursue with TAC.  Just wondering what others have come across.

    Hi Tarik,
    Thanks for the reply. I am testing this for Mike. We have setup ISE 1.2 ( running latest patch 4) for wireless BYOD
    Issue: Chrome Book Device Registration - Not Supported
    Issue: Chrome Book Profile - Unknown
    Probes Enabled - DHCP / RADIUS / HTTP / SNMP

  • 11.2.0.3 Patch Bundle and opatch installation approach

    Hi,
    I have installed the below 11.2.0.3 (64 bit) products in my windows 2008 server
    1. Oracle Grid Infrastructure for standalone server
    2. Oracle database server software and created a standalone database with ASM in this home.
    Now i need to apply Update 5 patch bundle and some bug fix patches.
    Since there are 2 home in my server what is the right approach for applying the patch bundle and opatch ?
    When i went through the patch bundle installation document i could see these 2 options
    1. Patch Installation Instructions for Single Instance
    2. Patch Installation Instructions for RAC
    Since i have 2 homes (OraCrs11g_home1 & OracDb11g_home1 ) in my server i am not sure which patch installation option i should choose and proceed.
    Can someone assist me ?
    Thanks,
    Ashok Kumar.G

    No, we had to prepare a test POC but we don't have Xterm so had to use silent mode. Using VNC server is the best option to install or upgrade databases/grid Infrastructure.
    VNC server runs on the server and there is no fear of losing the network connection as in the case of connecting through putty.
    Also you can open a GUI in VNC server without need of any xterm or xwindows.
    So ask your SA to install VNC on your server and use it.

  • OSB Patch TYBN and U37G - ws-security interoperability

    Hi All,
    I am using weblogic 9.x style security with OSB 11g which will be communicating with OWSM enabled weblogic server on the server side.
    According to the below URL
    http://docs.oracle.com/cd/E17904_01/web.1111/e16098/interop_osb.htm
    +"Note:+
    +Ensure that you have downloaded and applied the TYBN and U37Z patches released for Oracle Service Bus 10.3 using the patch tool."+
    I will have to apply patch TYBN and U37Z to oracle service bus domain
    where will I find these two patches? I went to oracle support site and searched for these patches, could not find any of these two.

    Hi Sebastian,
    Have you tried adding a "XML Transform" policy?
    (http://download-uk.oracle.com/docs/cd/B31017_01/integrate.1013/b31008/policy_steps.htm#sthref644)
    Regards,
    Mathias

  • Apply patch to 11gR2 through OEM - ERROR: Invalid username and/or password

    I am trying to apply a patch to an 11gR2 database (11.2.0.1.0) running on AIX 6.1. Using Oracle Enterprise Manager, I click on 'Software & Support' on Database tab, click on 'Patch Advisor' and click on 'Stage Patch' link. I use 'Search by number', locate the patch, click Next etc etc - select target, enter Oracle Home credentials etc. Finally I submit the patch job, and, after a minute or so I am getting 'Step: prereqCheckOnHome Initialization Error'. When looking at details of the step, I can see only:
    Error Log
    ERROR: Invalid username and/or password
    I am at fault to understand which username/password is being referred to. I have checked Oracle Home credentials by running an OS command job with these credentials - job completed fine.
    Obviously, patches can be applied the 'old' way - using OPatch from command line and then running necessary SQL scripts, but I wanted to try new 'civilized' approach.
    Anyone had this issue and know how to tackle it?
    Alex

    Thank you for the advice. I made checks for nmo/nmb binaries permissions and made sure filesystems are mounted without nosuid option. Also, I re-entered preferred credentials (and tested them, whenever possible). Enabled authentication tracing as per document, got following in emagent.trc when performing patch procedure:
    2010-06-20 00:48:26,847 Thread-1066 DEBUG Dispatcher: Request ID = 2273, type = 10640, Timeout = -1
    2010-06-20 00:48:26,847 Thread-1066 DEBUG Dispatcher: Adding wrapper context for request ID = 2273, batch = 0, type = 10640
    2010-06-20 00:48:26,847 Thread-1066 INFO Dispatcher: nmemdisp.c: Entering nmemdisp_StreamOpReq
    2010-06-20 00:48:27,327 Thread-772 INFO Authentication: Default nmo binary has setuid permissions
    2010-06-20 00:48:27,327 Thread-772 DEBUG Authentication: nmejcap.c :_adjustArgsForPDP args[0] = /app/oracle/product/11.2.0/perl/bin/perl
    2010-06-20 00:48:27,340 Thread-2604 DEBUG Dispatcher: Adding abort context for ID = 2273
    2010-06-20 00:48:27,386 Thread-2604 DEBUG Authentication: nmejcap.c: buf=''
    2010-06-20 00:48:27,386 Thread-2604 DEBUG Authentication: nmejcap: read error 7 from process
    2010-06-20 00:48:27,850 Thread-2604 DEBUG Dispatcher: Removing abort context for ID = 2273
    2010-06-20 00:48:27,850 Thread-2604 DEBUG Dispatcher: Removing wrapper context for asynchronous request ID = 2273
    Apparently the error happens in the Perl procedure and it is not being recorded in the log file. Any further advice?
    OEM Version I am using: Oracle Enterprise Manager Database Console     11.2.0.1.0
    Edited by: ultradumb on Jun 20, 2010 1:18 AM

  • ISE Auth policy based on MAC OUI and SSID

    I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
    The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.
    Anyone know how to do this on ISE?  Two questions -
    1) I can match based on WLAN-ID, but not SSID.  My WLAN-IDs for the same SSID don't match between controllers.  Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller?  Or, is there a different attribute I can use that refers to the SSID?
    2) What attribute do you use in ISE Authorization conditions to match OUI?  And can I match a list of OUIs?

    1) I have never seen the actual SSID name anywhere in the radius attributes coming from the controller, I always use airespace-wlan-id, and if you want to avoid creating multiple rules, make the IDs the same on all controllers.
    2) Well OUI is part of the mac, so you could maybe use RegEX to filter out specific OUIs. Another way, if you have advanced license, would be to use Profiling, then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authorization policy, e.g. "Profiled:Iphone"
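
The regex approach suggested in the reply above, as an added example that is not part of the original thread and is not ISE configuration syntax: it builds one anchored pattern from a list of OUIs that matches a MAC address in any common delimiter style, and flags locally administered (randomized) addresses, for which an OUI match carries no vendor information. The OUIs and MAC addresses are constructed sample values and the function names are hypothetical.

```python
import re

SEP = r"[-:.]?"  # optional delimiter between hex digits (aa-bb, aa:bb, aabb.ccdd)


def _hex_digits(value, length):
    """Strip delimiters and return exactly `length` lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % length, digits):
        raise ValueError("expected %d hex digits, got %r" % (length, value))
    return digits


def build_oui_regex(ouis):
    """One anchored regex matching any MAC whose first three octets are listed."""
    prefixes = sorted({_hex_digits(o, 6) for o in ouis})
    if not prefixes:
        raise ValueError("empty OUI list")
    # Allow an optional delimiter after every hex digit so the same pattern
    # covers 00:11:22:.., 00-11-22-.., 0011.22.. and bare hex.
    alternatives = "|".join(SEP.join(p) for p in prefixes)
    return re.compile(
        r"^(?:%s)(?:%s[0-9a-f]){6}$" % (alternatives, SEP), re.IGNORECASE
    )


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, as it is for
    randomized client MACs; the first three octets are then not a vendor OUI."""
    return bool(int(_hex_digits(mac, 12)[:2], 16) & 0x02)


def classify(mac, pattern):
    """Return 'malformed', 'listed-oui', 'locally-administered' or 'no-match'."""
    try:
        digits = _hex_digits(mac, 12)
    except ValueError:
        return "malformed"
    if pattern.match(digits):
        return "listed-oui"
    return "locally-administered" if is_locally_administered(mac) else "no-match"


# Constructed sample data (not real vendor assignments, not from the thread).
SAMPLE_OUIS = ["00:11:22", "0C-1D-2E", "3c4d.5e"]
SAMPLE_MACS = [
    "00-11-22-33-44-55",   # hyphenated, listed OUI
    "0c1d.2eaa.bbcc",      # dotted, listed OUI
    "3C:4D:5E:01:02:03",   # upper case, listed OUI
    "00:11:23:33:44:55",   # near miss on the third octet
    "DA:A1:19:00:00:01",   # locally administered address
    "not-a-mac",           # malformed input
]

if __name__ == "__main__":
    oui_pattern = build_oui_regex(SAMPLE_OUIS)
    print(oui_pattern.pattern)
    for sample in SAMPLE_MACS:
        print("%-20s %s" % (sample, classify(sample, oui_pattern)))
```

A MAC address is client-supplied, so an OUI match is a classification hint rather than an authentication factor.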

  • Cisco ISE CLI and GUI password expire

    I had Cisco ISE version 1.1. I faced a problem with the CLI and GUI password, as it expired and I couldn't log in. I did the password reset using the ISE DVD,
    then I navigated to the ISE CLI and ran the following commands:
    conf t
         password-policy
              no password-expiration-enable
    and reset the GUI admin password, using the command:
         # application reset-passwd ise admin
    From the ISE GUI I had removed the option to disable the admin account after 45 days,
    but after 60 days the password expired again.
    So kindly advise what to check for this expiry issue.

    Hi Mostafa,
    Yes, the last reply was more towards GUI password-mgmt because in the majority of cases it happens with the UI admin account. I need to know if you've restarted the ISE after disabling the expiration from the CLI, because what I read a few weeks ago in an internal defect is that password policy configurations are not preserved on the CLI after restart. So just to check, could you please check the current settings on the CLI with the help of show run | in password-policy.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Patch 8602263 and 7502698 requires Password

    Hi,
    I am on 12.1.1. version and I am trying to download patches mentioned below.
    1) 8602263:R12.AZ.B - 1OFF:8352532:12.1.1:12.1.1:ONDEMAND:ISETUP EXTRACT OF INVENTORY CATEGORY INFORMA
    2) 8652905:R12.AZ.B - 1OFF:8424285:12.1.1:12.1.1:FRAMEWORK SUPPORT TO VALIDATE RECORDS FROM DETAILS TO
    3) 8661732:R12.AZ.B - 1OFF:7608712:12.1.1:12.1.1:ISETUP DOES NOT MIGRATE SYSTEM PROFILE VALUES
    4) 8599456:R12.FND.B - 1OFF:12.1.1:8441573:FNDLOAD DOWNLOAD COMMAND IS INSERTING EXTRA SPACE AFTER A NEWLINE CHARACTER
    5) 7502698:R12.GL.B
    While downloading, two of the patches ( 8602263 and 7502698 ) require a password to download. If I don't have access to raise an SR, how can I get them downloaded?
    With Regards,
    Vishal Majithia

    Thanks a lot. Now I am able to download Patch 8602263.

  • Do we need to run patch-config and install-newconfig

    Hi Team,
    I have a scenario wherein I have installed the JES2005Q4 messaging server :
    bash-3.00# ./imsimta version
    Sun Java(tm) System Messaging Server 6.2-3.04 (built Jul 15 2005)
    libimta.so 6.2-3.04 (built 01:43:03, Jul 15 2005)
    SunOS sunjes22 5.10 Generic_118833-33 sun4u sparc SUNW,Sun-Blade-100
    bash-3.00#
    I have not configured this box. (Initial run time config is not executed.)
    I would be updating the latest patch 118207-63 on this box.
    Do we need to run the patch-config and install-newconfig after executing the patchadd command?
    This is a fresh installation of the messaging server without any configurations being done
    Thanks,

    Hi,
    I don't know if it is required, but best to err on the side of caution. Worst case nothing will be patched/modified (or there will be an error and the scripts will crash). Either way a valuable learning experience.
    btw. Why not install comm-suite-5 (Messaging Server 6.3)?
    Regards,
    Shane.
