ISE 1.1.2 and certificates
Hello all,
I have a pretty simple setup: 2 admin/mon nodes and 2 PSNs.
Both PSNs have a public cert installed, and on the admin I did add a private CA root cert.
Problem: the CA root cert was upgraded from SHA1 to SHA256RSA. I imported the new CA root to the CA store on the primary admin node and activated 'trust for client authentication', but I get a: could not initialize eap-tls,eap-fast,peap. Both certs have the same name, same issuer.
Question: Which certificate is being used for EAP-TLS authentication? Should I delete the old one in the CA store?
Endpoints are still using SHA1, and some SHA256.
Am I right to think that client to server is using the CA root and server to client is using the public cert?
Any hint would be greatly appreciated.
If your existing network topology requires you to use a proxy for Cisco ISE to access external resources (like www.perfigo.com, the remote download site where you can find client provisioning and posture-related resources), you can use the Cisco ISE user interface to specify proxy properties.
For more configurations, please check the below link:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_admin.pdf
Similar Messages
-
EAP-TLS and ISE 1.1 with AD certificates
Hello,
I am trying to configure EAP-TLS authentication with AD certificates.
All ISE servers are joined to AD
I have the root certificate from the CA to Active Directory installed on the ISE servers
I created the certificate authentication profile using the root certificate
I have PEAP\EAP-TLS enabled as my allowed protocol
I am getting the following error for authentication:
"11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12814 Prepared TLS Alert message
12817 TLS handshake failed
12309 PEAP handshake failed"
I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
Any other issues I am missing?
Thanks,
Michael Wynston
Senior Solutions Architect
CCIE# 5449
Email: [email protected]
Phone: (212)401-5059
Cell: (908)413-5813
AOL IM: cw2kman
E-Plus
http://www.eplus.com
Please review the below links which might be helpful:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf -
Hi all,
I'm trying to get my head around using 3rd party certificates with the ISE and I think I need some guidance here.
I have a setup of 6 ISE nodes, 2xAdmin, 2xMonitoring and 2xPolicy.
All of these have the domain-name of abc.local.
I want to use MS-CHAPv2 and guest service without certificate errors.
So do I need to enroll all of my six nodes with a 3rd party CA? Or just the 2xPolicy nodes?
I know the best solution would be all six but just want to know if it is possible.
How do I get around the problem with .local? I do not think it is possible to get a certificate with .local as a domain in the FQDN.
Is a SAN certificate useful here? How would that look (still .local in the CN?)
Other things to consider in this?
regards
Mikael
It is ok to use Apache; you just need the correct OID enabled, which is for server authentication. You can use the same cert for authentication and the HTTP web server; however, the EAP authentication server requirements are not as stringent on the hostname as the HTTP management.
Also, what format are you using when creating the CSR? Are you just using CN=isefqdn, or did you follow the example here: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292
Step 4 Enter the certificate subject and the required key length. The certificate subject is a distinguished name (DN) identifying the entity that is associated with the certificate. The DN must include a common name value. Elements of the distinguished name are:
•C = Country
•S = Test State or Province
•L = Test Locality (City)
•O = Organization Name
•OU = Organizational Unit Name
•CN = Common Name
•E = E-mail Address
Tarik Admani
*Please rate helpful posts* -
Hi,
I have two ISE-3315 Appliances in production network.
I need someone's help to explain how to make the secondary node the primary admin node to reset-config.
And then I would like to know how to keep the license files and Certificate during the Upgrade.
Please help me to answer my questions.
Thanks
CSCO11872447
The Cisco Identity Services Engine (ISE) provides distributed deployment of runtime services with centralized configuration and management. Multiple nodes can be deployed together in a distributed fashion to support failover.
If you register a secondary Monitoring ISE node, it is recommended that you first back up the primary Monitoring ISE node and then restore the data to the new secondary Monitoring ISE node. This ensures that the history of the primary Monitoring ISE node is in sync with the new secondary node as new changes are replicated.
Please Check the below configuration guide for Secondary ISE- Nodes.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.pdf -
ISE 1.3 Rollback and ISE 1.2 Backup
Hi All,
I am curious to know about following related to ISE
1) ISE 1.3
Once we have installed ISE 1.3, can we roll back to ISE 1.2.0, or do we need to re-image it?
2) ISE 1.2
If I take a backup of ISE 1.2.0, will it include a backup of the certificates also?
Please do share your views..
Thanks,
Aditya
Hi cciesec2011,
thanks for reply.
I am curious about the backup of ISE 1.2 and certificates. Can you share any link/document related to this?
Thanks,
Aditya -
ISE Guest portal digital public certificate with dual deployment
I have a deployment of ISE which has a primary and secondary node. We are using ISE for guest web access and its Guest portal functionality.
I have installed a public VeriSign certificate onto the primary node so that guest users don't get certificate errors when they get redirected to the guest portal.
We have a DNS server with an entry for the guest portal URL e.g. guest.company.com with the IP addresses of both ISE servers.
When users are logging onto the guest wireless it is pot luck whether or not they get the primary ISE node because of the DNS round robin of the ISE IP addresses.
Is there any way to make the secondary ISE node use the VeriSign certificate as well, or do I need to buy another certificate which is linked to the secondary ISE node's FQDN?
(The certificate I have currently has a CN of the FQDN of the primary ISE server with subject alternative names of the secondary ISE node and the guest web redirect URL.)
Any help would be very much appreciated.
thanks
Craig
Hi Craig,
Please check the below link with a similar prob, might help.
https://supportforums.cisco.com/thread/2161878 -
How to push EAP-TLS configuration profile and certificates to MacBooks and iPhones
Hi Team,
We were able to push the EAP-TLS configuration profiles and certificates to Windows devices via Group Policy. However, we're now looking to see how we can accomplish this for MacBooks and iPhones. Is there an open source application or something we can leverage to do this?
Thanks
I think ammahend was looking for a rough count, which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal, since you will have to manually generate CSRs, get them signed and then install them on the machines.
Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications.
Hope this helps!
Thank you for rating helpful posts! -
Windows Server 2012 R2 - Essentials Experience
In trying to put pieces together, I jacked my CA and certificates all to @#&$%!!
Some of the factors involved are:
Server0 - Hyper-V Host
Server1 - DC, 2012 R2 Essentials Experience role
Server2 - Exchange 2013
Client Machines -
Windows 7 Pro
XP (Yes, these are my cross to bear... - worth noting their presence, but I'm working them out)
The functional requirements:
Anywhere Access for Remote users
- Remote Desktop for Windows 7 machines
Outlook Web Access
The mistake... 'Web Application Proxy'
-which uninstalled the CA
There is a CA back now, but after days of spinning in circles in a rare area where I feel nearly completely lost (Certificate Services) I am asking for help getting these pieces put back together.
The current situation:
The network is up with all of the network and business services required to work 'Inside the Office' - so the client is "functional".
The "Essentials Experience" is broken and won't install to the clients, though it does provide the Essentials website, access to server shared files (fairly gracefully, I might add) and, as an administrator user, I can get to the servers via RWA through the site and there are no certificate problems with that since I have a secured certificate for the domain.
OWA has been moved to a further back burner while I try to get the Essentials Experience functioning to the point where the remote users can get to their workstations through RWA... This is the biggest current hurdle... RWA for the clients.
Trying to install the client to the workstations nets me the "The Server is not available. Try connecting this computer again,..." message at the point of username and password authentication.
The clientdeploy.log finishes like this:
[4976] 141016.153746.2670: ClientSetup: Standard Error:
[4784] 141016.153746.2670: ClientSetup: The exit code of the process (C:\Windows\system32\nslookup.exe) is: 0
[4784] 141016.153746.2670: ClientSetup: Set CD Fail reason 10 for SQM in ClientDeployment.exe
[4784] 141016.153746.2670: ClientSetup: RecordClientDeploymentFailReason: Save registry failed in ClientDeployment.exe : System.UnauthorizedAccessException: Cannot write to the registry key.
at Microsoft.Win32.RegistryKey.EnsureWriteable()
at Microsoft.Win32.RegistryKey.CreateSubKeyInternal(String subkey, RegistryKeyPermissionCheck permissionCheck, Object registrySecurityObj, RegistryOptions registryOptions)
at Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck)
at Microsoft.WindowsServerSolutions.ClientSetup.ClientDeploy.Helper.RecordClientDeploymentFailReason(UInt32 failReason)
[4784] 141016.153746.2670: ClientSetup: Exiting ValidateUserTask.Run
[4784] 141016.153746.2670: ClientSetup: Task with Id=ClientDeploy.ValidateUser has TaskStatus=Failed
[4784] 141016.153746.2670: ClientSetup: Task with Id=ClientDeploy.ValidateUser has RebootStatus=NoReboot
[4784] 141016.153746.2670: ClientSetup: Exting ConnectorWizardForm.RunTasks
[1272] 141016.153755.0976: ClientSetup: Back from the Client Deployment Wizard
[1272] 141016.153755.0976: ServerDiscovery:HostsFileUpdater: Removing hosts file entry: 1-WGB-01
[1272] 141016.153755.0976: ClientSetup: Saving Wizard Data
[1272] 141016.153755.0976: ClientSetup: End of ClientDeploy: ErrorCode=1603
The computerconnector.log shows nothing of value.
What I want to accomplish as a 'first step' toward recovery is to get the workstations properly connected so they show up in the Dashboard 'Devices' pane and can be managed and access by the Essentials tools.
Secondarily, I would like to get the client side tools in place and functioning (I expect the latter will be a side effect of the former).
So,... for anyone patient enough to have read this far... uh,... help?
Actually,... I can now confirm the delicacy of which you speak...
After a support incident with Microsoft which spanned a marathon 18+ hours on the phone and remote access by no fewer than 7 Microsoft Engineers, we got to a successful result.
It is a point of utter frustration for me when people put in threads like this then don't bother to come back and report 'how the issue was solved', and sadly, I am about to have done that merely because my span of functional attention and valuable reporting capability was basically gone before I submitted the ticket and following all that was done in my state was not conceivably possible.
So - all I can do is apologize for not being able to report a valuable resolution and give a few little tidbits.
The net result is this - DO WHAT YOU CAN TO AVOID THE SITUATION IN THE FIRST PLACE. Once your CA is in place, LEAVE IT THE $%@& ALONE!!!! I mean... my best current advice.
In all, the CA was uninstalled and reinstalled 4 times after my blunder and significant work was done in ADSIEdit as well as substantial manual manipulation of certificates and CAs that was well outside of my (quite considerable) scope of expertise.
I wish I had more to offer in the world of resolution.
With this said, I will make one more request of viewers and moderators alike:
THIS QUESTION IS OFFICIALLY NOT ANSWERED. IT WILL NEVER BE ANSWERED. THE RESOLUTION IS NOT AVAILABLE TO THE MORTAL MAN.
DO NOT MARK IT AS ANSWERED
IF YOU MUST DO SOMETHING, DELETE THE WHOLE THREAD, BUT DO NOT BURDEN PEOPLE WHO ARE LOOKING FOR REAL ANSWERS WITH THE NECESSITY OF READING THROUGH THIS.
DO NOT MARK THIS QUESTION AS ANSWERED
I hope this makes sense for people, and I hope people will appreciate NOT having to read this as though there is some 'resolution' contained within. -
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
October 27, 2014 through November 7, 2014.
The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
Remember to use the rating system to let Craig know if you have received an adequate response.
Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
(Comments are now closed)
1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify.
For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port.
If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy. If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA. Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
Regarding AD multi-domain support...
Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via foreign RADIUS server.
Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE. If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection. If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
Regards,
Craig -
PKCS#11 Provider unable to fetch asymmetric keys and certificates
Hi,
I'm facing a problem while getting keys and certificates from an Eracom HSM (ProtectServer Orange:38039 Model: PSO:PL50) using the Sun PKCS#11 Provider. It gets only the symmetric keys but NEVER gets the asymmetric keys.
My code snippet and configuration file are:
Java Code:
// Load the SunPKCS11 provider from the configuration file shown below
java.io.InputStream is = new java.io.FileInputStream("pkcs11.cfg");
sun.security.pkcs11.SunPKCS11 pkcs11_provider = new sun.security.pkcs11.SunPKCS11(is);
System.out.println("Provider Name : " + pkcs11_provider.getName());
java.security.Security.addProvider(pkcs11_provider);
// Open the token as a PKCS#11 KeyStore (the PIN is passed as the "password") and enumerate every alias it exposes
java.security.KeyStore ks = java.security.KeyStore.getInstance("PKCS11", pkcs11_provider);
ks.load(null, "password".toCharArray());
java.util.Enumeration obj_enumeration = ks.aliases();
while (obj_enumeration.hasMoreElements()) {
    String str_certAlias = (String) obj_enumeration.nextElement();
    System.out.println("Alias : " + str_certAlias);
}
pkcs11.cfg:
name = Eracom
library = G:\Eracom\cryptoki.dll
slot = 0
attributes(*, CKO_PRIVATE_KEY, *) = {
CKA_TOKEN = false
CKA_SENSITIVE = false
CKA_EXTRACTABLE = true
CKA_DECRYPT = true
CKA_SIGN = true
CKA_SIGN_RECOVER = true
CKA_UNWRAP = true
}
attributes(*, CKO_PUBLIC_KEY, *) = {
CKA_ENCRYPT = true
CKA_VERIFY = true
CKA_VERIFY_RECOVER = true
CKA_WRAP = true
}
I also ran my program without specifying any attributes in the configuration file, and also tried many other combinations, but in all cases (with or without attributes) only symmetric keys are loaded from the HSM. I am able to get all keys (symmetric and asymmetric) and certificates from the same HSM using the IAIK PKCS#11 Provider. Though, the Sun PKCS#11 Provider is working fine with SmartCard tokens (Rainbow, Aladdin etc.)
Any help to resolve my problem would be highly appreciated.
Thanks in advance.
I recently had a problem with ECDSA and the PKCS#11 library of nCipher. Here's info from one of their engineers about the PKCS11 library:
"There are two separate issues - one is that our current pkcs11
release doesn't support ECDSA signature with SHA-2 hashes
(the v11.00 firmware adds support for it, but the main release version of
the pkcs11 library hasn't been updated to take advantage of it yet).
There is a hotfix version that does support SHA-2 hashes with some
restrictions, talk to [email protected] for details, and V11.10
should be out soon and have that merged in.
But the issue with setting CKA_SIGN is that our underlying HSM API
allows elliptic curve keys to be either key exchange (ECDH) or
signature (ECDSA) keys, but not both at once.
At the PKCS #11 level, if you specify CKA_DERIVE=true and let
CKA_SIGN default, it will default to false, and vice versa.
If you specify both CKA_DERIVE=true and CKA_SIGN=true, then we
return CKR_TEMPLATE_INCONSISTENT because we can't do both with
the same key. (However, the tests using C_GetMechanismInfo will
show that we can do both mechanisms, because we can - so long
as you use different keys, even though they have the same PKCS#11
type.)
I can't comment on when or how that will be changed."
I was using the PKCS#11 library through NSS when I ran into the problem, but I imagine Java would run into similar problems also using the PKCS#11 library. I was able to generate keypairs but not create a CSR (which required making a signature, which required SHA-2).
Can you just use the java classes to speak to the netHSM? I've never directly written code to do so myself, but I have used Corestreet's OCSP product that uses the java classes to speak to the nCipher HSMs (though not using EC). It might work better than going through the PKCS#11 layer. There should be a java directory under NFAST_HOME that contains some jars.
Please post back if you figure anything out as I'll probably be playing with this stuff myself soon.
Dave -
ISE first authorization success and then fail (MAB)
Hi,
Using ISE 1.1.1 and Switch 3650 12.2(55)SE6.
I have a client (computer) that should be authenticated with MAB and then the switch port should be assigned a dACL and VLAN 90. I do get
"Authorization succeeded" but directly after it fails and I can't figure out why. ISE only shows the successful authentication under "Live Authentications".
As you can see from the log below, 802.1X fails, as it should, and then MAB succeeds, assigns the VLAN and then fails:
0002SWC002(config)#int fa0/13
0002SWC002(config-if)#shut
0002SWC002(config-if)#
Jan 7 13:26:59.640: %LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
Jan 7 13:27:00.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
0002SWC002(config-if)#no shut
0002SWC002(config-if)#
Jan 7 13:27:19.689: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
Jan 7 13:27:22.063: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
Jan 7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:23.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
Jan 7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
Jan 7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.096: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT APPLY
Jan 7 13:27:51.096: %EPM-6-IPEVENT: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-WAIT
Jan 7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENTReplacing duplicate ACE entry for host 10.90.5.1
Jan 7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:52.036: %EPM-6-POLICY_REQ: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT REMOVE
After this the process starts over again.
This is the switch port config:
interface FastEthernet0/13
description VoIP/Data
switchport mode access
switchport voice vlan 20
switchport port-security
switchport port-security violation restrict
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 2.00 1.00
storm-control multicast level 2.00 1.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
service-policy input ax-qos_butnet
ip dhcp snooping limit rate 5
end
Is there a problem with the client (computer) or in ISE/Switch?
Hi Tarik,
First off; thank you for helping me troubleshoot this problem.
I think the "IP-" part of "IP-ACL-IWMAC" is being added automatically (in the switch maybe?). I see this behaviour on other dACLs too. I did not change the name of the ACL.
You seem to have a valid theory about the icmp statement. I changed it to "permit icmp any any" and it seems to work. But I can't explain why this is happening.
When I look at the debugs I see this difference
With the original ACL I get this:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT APPLYReplacing duplicate ACE entry for host 10.90.5.1
%EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-RELEASE
%EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-WAIT
%AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000053E70733F4
When using "permit icmp any any" i get this:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000055E70B8E7D| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-ACL-IWMAC-50eea905| EVENT DOWNLOAD-REQUEST
I tried googling but can't find what "Replacing duplicate ACE entry for host xxx" means.
I have added debugs in attachment.
device1_orig_acl - the non-working device with the original ACL
device1_any_any - the non-working device with permit icmp any any
working_device_orig_acl - the device that works with the original ACL
Do you have an answer to why this is happening?
Regards,
Philip -
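To work through a console capture like Philip's, here is an added Python example (not from the thread, not Cisco code) that re-joins console-wrapped syslog lines, groups events by AuditSessionID, lists the authentication methods the switch tried, and flags a session whose authorization succeeds and is then torn down within a short window, which is the symptom above. The sample lines are taken from the capture in the thread; the five-second window and the function names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines quoted in the thread, the first one wrapped across two
# console lines exactly as pasted (the AuditSessionID is split mid-value).
SAMPLE_LOG = """\
Jan 7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000
020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
"""

# "Mon D HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: text"
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
SESSION_RE = re.compile(r"AuditSessionID\s+([0-9A-Fa-f]+)")
METHOD_RE = re.compile(r"'(dot1x|mab|webauth)'")


def unwrap(text):
    """Re-join console-wrapped lines: a line without a timestamp prefix is the
    tail of the previous record, so a split AuditSessionID becomes whole again."""
    records = []
    for line in text.splitlines():
        if RECORD_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += line.strip()
    return records


def millis_of_day(ts):
    """'Jan 7 13:27:51.088' -> milliseconds since midnight (date part ignored)."""
    hh, mm, ss = ts.split()[-1].split(":")
    sec, ms = ss.split(".")
    return ((int(hh) * 60 + int(mm)) * 60 + int(sec)) * 1000 + int(ms)


def build_timelines(text):
    """Group parsed records by AuditSessionID, preserving log order.
    Each event is (millis, mnemonic, message)."""
    timelines = defaultdict(list)
    for record in unwrap(text):
        m = RECORD_RE.match(record)
        if not m:
            continue
        sid = SESSION_RE.search(m["msg"])
        if not sid:
            continue  # LINK/LINEPROTO messages carry no session id
        timelines[sid.group(1)].append((millis_of_day(m["ts"]), m["mnemonic"], m["msg"]))
    return dict(timelines)


def method_sequence(events):
    """Authentication methods the switch started, in order (e.g. dot1x then mab)."""
    seq = []
    for _, mnemonic, msg in events:
        if mnemonic == "AUTHMGR-5-START":
            hit = METHOD_RE.search(msg)
            if hit:
                seq.append(hit.group(1))
    return seq


def find_flapping_authorizations(timelines, window_ms=5000):
    """Sessions where AUTHMGR-5-FAIL follows AUTHMGR-5-SUCCESS within window_ms:
    the authorization was applied and then torn down. Returns (session_id, ms) pairs."""
    findings = []
    for sid, events in timelines.items():
        last_success = None
        for t, mnemonic, _ in events:
            if mnemonic == "AUTHMGR-5-SUCCESS":
                last_success = t
            elif mnemonic == "AUTHMGR-5-FAIL" and last_success is not None:
                if t - last_success <= window_ms:
                    findings.append((sid, t - last_success))
                last_success = None
    return findings


if __name__ == "__main__":
    tl = build_timelines(SAMPLE_LOG)
    for sid, events in tl.items():
        print(sid, "methods:", method_sequence(events))
        for t, mnemonic, _ in events:
            print(f"  {t:>10} {mnemonic}")
    print("flapping:", find_flapping_authorizations(tl))
```

Run it over a full `show logging` or terminal capture instead of SAMPLE_LOG; the EPM lines between the success and the failure then show which dACL apply step preceded the teardown.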
ISE version 1.3 and static route not working
This command works without any issues with ISE version 1.1 and 1.2:
ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
However, it does NOT work in ISE version 1.3. See below:
ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
% Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.
% Error: Error adding static route.
ciscoisedev/admin(config)#
Any ideas anyone?
So it appears that there is no option to lock down access to the shell now that the command that you used to use is no longer valid. What is worse is that there isn't an option to create an ACL in the shell that you could attach to the interface. So I would recommend that you create a defect with Cisco TAC and get this re-added or request that ACL functionality is added.
For the GUI (in case you were not already aware of this), you can restrict access from Administration > Admin Access > Settings > Access > IP Access -
Print out of Inspection report and Certificates
Hi Gurus,
I want to take inspection reports and certificates printout.
Is there any standard transaction other than QGA3 and QC21
Please let me know
Thanks and Regards
Hari
Hello Hari,
You can take the certificates printout with QC21 or QC22 (as applicable). What information are you looking for in the inspection reports? Then we can suggest the appropriate set of reports.
Cheers
Kaushik -
Webservice call failed during execution (SSL and certificates) on NetWeaver 7.30
Hey experts,
i need your help!
We make webservice calls to sap me with our own software.
We connect to our software via SSL and certificates e.g. https://host:50001/XMII/CM/POD/MEDialogsWeb.irpt
At the beginning the software runs without any problems, and then we get the following message on all our webservices:
thats the webservice configurations
(configuration - connectivity - single service administration):
(configuration - security - authentication and single sign-on)
if we restart the software after the error display, the webservice call runs successfully again.
is it a timeout?
can anybody help us?
Thanks,
Markus
our system info:
NetWeaver 7.30 Java
SAP ME 6.0
Log when the software runs:
Log when the software doesn't run:
Security log entry
More info from security_00.0.log:
#2.0 #2014 06 06 14:51:17:136#+0200#Warning#/System/Security/WS#
com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#C0000A650AD826FF0000000100000BEC#3855850000000005#sap.com/me~ws#com.sap.engine.services.wssec.authentication#Guest#0##207092CAED7111E3A01A0000003AD5EA#23386e31ed7911e39d560000003ad5ea#23386e31ed7911e39d560000003ad5ea#0#Thread[HTTP Worker [@648881277],5,Dedicated_Application_Thread]#Plain##
Received unsupported callback: com.sap.engine.interfaces.security.auth.SetLogonTicketCallback
Received unsupported callback: com.sap.engine.lib.security.http.HttpSetterCallback
Read data of type username and value MEFLEX from wsse:Security header and set on module javax.security.auth.callback.NameCallback
Read data of type username and value from HTTP header and set on module javax.security.auth.callback.NameCallback
Read data of type password and value xxx from wsse:Security header and set on module javax.security.auth.callback.PasswordCallback
Read data of type password and value xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback
Authentication for web service ShopOrderService, configuration ShopOrderService using security policy BASIC*SSO2*_*_*ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).
Hi,
the authentication for the second call is failing. Have you tried the suggested log level from note 880896 - Web Service authentication failure? I would also try to use something like SoapUI to test if the issue is caused by your application or by something wrong on the SAP side. Also, comparing the messages for the first and second calls might give you an answer.
Cheers -
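One way to pull the failed web-service authentication out of this kind of security_00.0.log mechanically, and to see which credential sources the wssec module actually picked up for a call, as an added example that is not part of the original thread or of SAP's own tooling: the sample log below is constructed from the record quoted above plus one invented "Info" record, and the positional field names (application, user, thread) are assumptions read off that record, not taken from SAP documentation.

```python
"""Parse SAP NetWeaver Java security log records (the '#'-delimited layout
seen in security_00.0.log) and extract failed web-service authentications.
Added example; field positions are assumptions read off the quoted record."""
import re
from dataclasses import dataclass, field

# Constructed sample: the record quoted in the post above, followed by one
# invented "Info" record so the failure filter has something to leave out.
SAMPLE_LOG = """\
#2.0 #2014 06 06 14:51:17:136#+0200#Warning#/System/Security/WS#
com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#C0000A650AD826FF0000000100000BEC#3855850000000005#sap.com/me~ws#com.sap.engine.services.wssec.authentication#Guest#0##207092CAED7111E3A01A0000003AD5EA#23386e31ed7911e39d560000003ad5ea#23386e31ed7911e39d560000003ad5ea#0#Thread[HTTP Worker [@648881277],5,Dedicated_Application_Thread]#Plain##
Received unsupported callback: com.sap.engine.interfaces.security.auth.SetLogonTicketCallback
Received unsupported callback: com.sap.engine.lib.security.http.HttpSetterCallback
Read data of type username and value MEFLEX from wsse:Security header and set on module javax.security.auth.callback.NameCallback
Read data of type username and value from HTTP header and set on module javax.security.auth.callback.NameCallback
Read data of type password and value xxx from wsse:Security header and set on module javax.security.auth.callback.PasswordCallback
Read data of type password and value xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback
Authentication for web service ShopOrderService, configuration ShopOrderService using security policy BASIC*SSO2*_*_*ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).
#2.0 #2014 06 06 14:50:02:001#+0200#Info#/System/Security/WS#
com.sap.ASJ.wssec.000001#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#CONSTRUCTED#CONSTRUCTED#sap.com/me~ws#com.sap.engine.services.wssec.authentication#MEFLEX#0##CONSTRUCTED#CONSTRUCTED#CONSTRUCTED#0#Thread[HTTP Worker [@1],5,Dedicated_Application_Thread]#Plain##
Constructed line: earlier call for ShopOrderService was accepted.
"""

# First header line: version, timestamp, timezone, severity, location.
HEADER_RE = re.compile(
    r"^#2\.0 #(?P<ts>[^#]*)#(?P<tz>[^#]*)#(?P<severity>[^#]*)#(?P<location>[^#]*)#$")
# The wssec failure message as it appears in the quoted record.
FAIL_RE = re.compile(
    r"Authentication for web service (?P<service>\S+), configuration (?P<config>\S+) "
    r"using security policy (?P<policy>\S+) failed: (?P<reason>.*?)\s*\(See SAP Note (?P<note>\d+)")
# "Read data of type username and value MEFLEX from wsse:Security header ..."
# The value may be empty, as in the HTTP-header line of the quoted record.
CRED_RE = re.compile(
    r"Read data of type (?P<kind>\w+) and value(?: (?P<value>\S+))? from (?P<source>\S+) header")


@dataclass
class Record:
    timestamp: str
    severity: str
    location: str
    msg_id: str = ""
    application: str = ""   # assumed: field 5 of the detail line
    user: str = ""          # assumed: field 7 of the detail line
    thread: str = ""        # assumed: field 14 of the detail line
    details_parsed: bool = False
    lines: list = field(default_factory=list)


def parse_records(text):
    """Group the log into records: a '#2.0 ...#' header line, one '#'-delimited
    detail line, then free-text message lines until the next header."""
    records = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            records.append(Record(m["ts"], m["severity"], m["location"]))
            continue
        if not records:
            continue  # stray text before the first header
        rec = records[-1]
        if not rec.details_parsed:
            f = raw.split("#")
            rec.msg_id = f[0]
            rec.application = f[5] if len(f) > 5 else ""
            rec.user = f[7] if len(f) > 7 else ""
            rec.thread = f[14] if len(f) > 14 else ""
            rec.details_parsed = True
        else:
            rec.lines.append(raw)
    return records


def credential_sources(rec):
    """(kind, value, source) for every credential the module read; password
    values are masked so the summary never carries a secret."""
    found = []
    for line in rec.lines:
        m = CRED_RE.search(line)
        if m:
            value = m["value"] or ""
            if m["kind"] == "password":
                value = "<masked>"
            found.append((m["kind"], value, m["source"]))
    return found


def failed_ws_auth(records):
    """Structured view of every failed web-service authentication."""
    out = []
    for rec in records:
        for line in rec.lines:
            m = FAIL_RE.search(line)
            if m:
                out.append({
                    "timestamp": rec.timestamp, "severity": rec.severity,
                    "user": rec.user, "service": m["service"],
                    "policy": m["policy"], "reason": m["reason"].rstrip("."),
                    "note": m["note"], "credentials": credential_sources(rec),
                })
    return out


def summarize(text):
    """One line per failure, suitable for an alert or a ticket."""
    return [f"{h['timestamp']} user={h['user']} service={h['service']} policy={h['policy']}: "
            f"{h['reason']} [SAP Note {h['note']}] credentials={h['credentials']}"
            for h in failed_ws_auth(parse_records(text))]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Running this over the quoted record shows the failing call arriving as `Guest`, with a username only in the wsse:Security header and an empty one in the HTTP header, which is the comparison between the first and second calls that the reply above suggests making.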
Question concerning WebService and certificates
Hi, well I'd like to get data from a WebService. The scenario is RFC to WebService in SAP XI.
Therefore I also have to use user&pw and a certificate key I got previously!
So I created the receiver channel and now I am stuck. There are the options User Authentication and Configure Certificate Authentication. What do I have to use and how do I configure it? I know I have to use the keystore service in Visual Admin, but how?!
I already read this: /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter but it does not fit my needs actually.
Again, I have user&pw AND a certificate key (only the key in plain characters!). How do I use these 3?!
thx in advance, br
Hi Jens,
Go through the following PDF. It will clear some of your doubts.
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc
-Pinkle