ISE 1.1.2 with Bluecoat ProxySG

Hi,
As I understand it, Cisco ISE performs the function of a RADIUS server. So, if I use Bluecoat ProxySG as a RADIUS client, the authentication should work as it should, right?
I have tried this with FreeRADIUS and Bluecoat ProxySG and it's working fine.
Has anyone tried this integration between ISE and Bluecoat?

Similar Messages

  • IGMP Querier with Bluecoat ProxySG

    Hi all
    I ran into a problem with VIP for high availability on Blue Coat ProxySG. Both ProxySGs send multicast packets
    to advise the other ProxySG that it is up, and the priority is contained in the multicast packet, along with the IP address of the VIP and so on.
    This worked fine with Catalyst switches. Unfortunately it does not work over the newly installed Nexus switches.
    There is no VLAN interface on the switches. The VLAN is only trunked through.
    I found a hint that IGMP Querier could solve this issue. After configuration of IGMP Querier and activating Multicast on ProxySG
    an IGMP group is built and all seems fine.
    In a trace I can see IGMP Queries leaving the Querier but no answer from either ProxySG.
    After 6 minutes (3 times the Querier Interval) the group disappears and both boxes become active.
    The topology looks like this:
    Bluecoat1 -----N2k------2*N5k-----2*N7k-------Inter Datacenter Link-------2*N7k------2*N5k-----N2k-----Bluecoat2    
                                        vPC         vPC                                             vPC          vPC
    On both N7ks in the left datacenter a Querier is configured:
    vlan configuration 85
      ip igmp snooping querier 10.101.22.7
    # sh ip igmp snoop querier
    Vlan  IP Address       Version   Expires     Port
    85    10.101.22.7      v3        00:01:22     Switch querier
    I wonder if an additional setting has to be made. Could it be that the Bluecoats ignore IGMPv3?
    I would be very grateful for a hint.
    Many Thanks!
    Regards,
    Urs

    Hi,
    I am experiencing the same issue described above, with a similar network layout:
         BlueCoat1---N2K---2*N5K(vPC)---2*C6880(VSS)---Inter Datacenter Links---2*C6880(VSS)---2*N5K(vPC)---N2K---BlueCoat2
    I have configured an IGMP querier in the BlueCoat VLANs on both 2*N5K(vPC), even if one 2*N5K(vPC) should be enough.
    For each VLAN I've used the same free IP address on all 4 N5K:
         Is that correct?
    I am asking because the Cisco documentation says that only the one with the "lowest IP address (?)" will be active:
         How should the IGMP Querier election work in my case?
    Any help will be really appreciated.
    Many thanks

  • ACS 5.3.0.40 with Bluecoat Packetshaper via Radius Auth using PAP/CHAP

    Hi,
    We have a strange issue, maybe a known issue. We have ACS 5.3.0.40 with Bluecoat PacketShaper (Packeteer) as the RADIUS client and tried PAP as well as CHAP with the suggested VSA. But once we try to authenticate with the GUI on the PS end we get authentication failed, i.e. it says invalid password, but on the ACS end we get it as an Auth success log. We are not able to log in to the PS as well. Does anyone have any idea what the issue is, whether anything needs to be done with a patch upgrade, or whether there is an issue with the PacketShaper?
    Below are the logs on the ACS server.
    Logged At: September 4, 2012 4:10:26.250 PM
    RADIUS Status: Authentication succeeded
    NAS Failure:
    Username: knpdtf
    MAC/IP Address:
    Network Device: Test-PS : 10.187.115.83:
    Access Service: Radius Network
    Identity Store: Internal Users
    Authorization Profiles: Permit Access
    CTS Security Group:
    Authentication Method: PAP_ASCII
    By
    Karthik

    Hi,
    Do you have any special characters in the password? I would see if you can create an internal user in ACS and use a basic password (like cisco123) and see if the authentication will succeed. I have seen with some GUI based products that some special characters can cause some headaches.
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE reauthenticaiton in wireless with posture

    Hi,
    There is an issue with wireless reauthentication in our environment. The posture feature is used and everyone installs the Cisco NAC agent. I found that if someone disconnects from the wireless SSID and then reconnects to the wireless SSID, after authenticating their identity and compliance they can't be transferred to the correct SSID again. Can anyone help resolve this problem?

    Please follow this link to configure your settings:
    https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configuring-posture-services-with-the-Cisco-Identity-Services/ta-p/221702
    Also check this for troubleshooting:
    https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/ISE-Posture-Agent-Profile-Parameter-Details-NACAgentCFG-xml/ta-p/239024

  • Cisco WCCP (multicast method ) with Bluecoat Implementation

    hi
    Cisco WCCP with Bluecoat implementation. During implementation the multicast packets do not flow to the other VLAN interface.
    A few observations:
    Cisco WCCP with Bluecoat proxy (multicast method) - Multicast IP 224.1.1.103, Group 11, dense-mode
    Same VLAN: it's working (user and ProxySG)
    Different VLAN: not working (user VLAN 10 and server VLAN 20)
    Sample configuration:
    ip multicast-routing
    ip wccp 11 group-address 224.1.1.103 redirect-list 103
    sh ip access-lists 103
    Extended IP access list 103
        40 permit tcp 10.10.10.0 0.0.0.31 any eq 443
        50 permit tcp 10.10.10.0 0.0.0.31 any eq www
        60 permit tcp 10.10.10.0 0.0.0.31 any eq ftp
        70 deny ip any any
    interface Vlan10
     description "AP_User_Range"
     ip address 10.10.10.0 255.255.255.0
     ip helper-address 10.10.20.100
     ip wccp 11 redirect in
     ip wccp 11 group-listen
     ip pim dense-mode

    Dear Jon,
    After changing the WCCP command, WCCP is still not working,
    but with both client and proxy in the same VLAN it's working fine with multicast mode.
    interface Vlan10
     description "AP_User_Range"
     ip address 10.10.10.10 255.255.255.0
     ip helper-address 10.10.10.100
     ip wccp 11 redirect in
    interface Vlan20
     description PROXY_WAN_VLAN
     ip address 10.10.20.10 255.255.255.0
     ip helper-address 10.10.10.100
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip wccp 11 group-listen
    ip wccp 11 group-address 224.1.1.103 redirect-list 103
    sh ip access-lists 103
    Extended IP access list 103
        40 permit tcp 10.10.10.0 0.0.0.255 any eq 443
        50 permit tcp 10.10.10.0 0.0.0.255 any eq www
        60 permit tcp 10.10.10.0 0.0.0.255 any eq ftp
        70 deny ip any any
    sh ip wccp
    Global WCCP information:
        Router information:
            Router Identifier:                   -not yet determined-
            Protocol Version:                    2.0
        Service Identifier: 11
            Number of Service Group Clients:     0
            Number of Service Group Routers:     0
            Total Packets s/w Redirected:        0
              Process:                           0
              CEF:                               0
            Service mode:                        Open
            Service Access-list:                 -none-
            Total Packets Dropped Closed:        0
            Redirect access-list:                103
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            0
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total GRE Bypassed Packets Received: 0

  • ISE 1.2 CWA with Multiple PSNs - SessionID Replication / Session Expired

    Hi all.
    I have two (2) Policy Services Nodes (PSNs) in an ISE 1.2 deployment running patch 1. We are using Wireless MAB and CWA on 5760 Wireless LAN Controllers running v3.3.3.
    We are hitting an issue wherein a client first passes MAB and then gets redirected to a CWA custom portal. The client then receives a Session Expired message. This seems to be related to the fact that CWA is technically a 2-stage authentication (MAB by the WLC and then CWA by the client). Specifically, it seems to happen when the WLC makes its MAB RADIUS access-request to PSN-1 and then the client comes in to PSN-2 to complete the CWA. This issue does not happen when only one PSN is in use and all authentication traffic (both MAB RADIUS and CWA) is directed at a single PSN.
    Clients resolve the FQDN in the redirect URL using public DNS and a public DNS zone file (call it cwa-portal.example.com). cwa-portal.example.com has two A records for the two PSN nodes. DNS is responding to queries using DNS round-robin.
    I have the PSNs configured in a Node Group for session information replication between PSNs, but this doesn't seem to make a difference in behavior.
    So I ask:
    What is the recommended architecture for CWA when using more than one PSN? It seems that you would need to keep the two authentication flows pinned together so that they both hit the same PSN when using more than one PSN in a deployment. A load balancer balancing on the SessionID string comes to mind (both the RADIUS MAB request and the CWA URL contain this unique per-client SessionID), but that seems terribly overbuilt for a seemingly simple problem. On the other hand, it also seems like using a Node Group setup should easily be able to replicate client SessionIDs to all nodes in the deployment so that this isn't an issue. I.e., if the WLC authenticates MAB on PSN-1, then PSN-1 should tell the Node Group about it such that when the client CWA's on PSN-2, PSN-2 doesn't respond with a Session Expired message.
    Is there any Cisco documentation that talks about this?
    Possibly related:
    https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
    Justin

    Tim,
    Thanks for your reply and confirming my suspicion. Hopefully a future version of ISE will provide automated SessionID synchronization among PSNs so that front-end finagling in a multi-PSN environment won't be necessary.
    For anyone else with this issue who for whatever reason can't implement a load balancer(s), I built an automated EEM applet running on a "watchdog" switch (3750 running 12.2(55)SEE9) using IPSLA tracking that senses when PSN1 is down and then
    modifies an ASA to change its client-facing NAT statement for PSN1 to PSN2
    modifies the primary and HA wireless LAN controllers to change its MAB RADIUS aaa server group to use PSN2
    reverts the ASA and WLCs to using PSN1 when PSN1 is detected up and running again
    The applet ensures the SessionID authentications stay "glued" together so that both WLCs and the client hit the same PSN for both stages of authentication. It's failover only, not a load balancing solution, but it meets our current project's need for an automated HA environment.
    PM me if you want the code. I have a little too much going on ATM to sanitize and post it. :)
    Justin
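    The stickiness problem Justin describes above, as an added Go example that is not part of the thread or of ISE: it extracts the per-client SessionID from the two places the post names, the audit-session-id Cisco AVPair in the WLC's RADIUS Access-Request and the sessionId parameter of the CWA redirect URL (the AVPair layout and the parameter name are assumptions drawn from Cisco RADIUS/ISE conventions, not from the thread), and maps both to the same PSN with rendezvous hashing, which also gives the failover behaviour of the EEM approach when a PSN drops out of the list. The packet, MAC address and session id are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/fnv"
	"net/url"
	"strings"
)

// sampleAccessRequest builds a constructed RADIUS Access-Request carrying User-Name
// and a Cisco AVPair (vendor 9, vendor-type 1) "audit-session-id=<id>". The MAC and
// session id are made up and the Request Authenticator is left zeroed.
func sampleAccessRequest(sessionID string) []byte {
	avp := []byte("audit-session-id=" + sessionID)
	vsa := []byte{26, byte(8 + len(avp))}  // type 26 = Vendor-Specific
	vsa = append(vsa, 0, 0, 0, 9)          // vendor-id 9 = Cisco
	vsa = append(vsa, 1, byte(2+len(avp))) // vendor-type 1 = cisco-avpair
	vsa = append(vsa, avp...)
	user := []byte("00-11-22-33-44-55")
	pkt := append([]byte{1, 0x2a, 0, 0}, make([]byte, 16)...) // code 1, id, length, authenticator
	pkt = append(pkt, 1, byte(2+len(user)))                   // type 1 = User-Name
	pkt = append(pkt, user...)
	pkt = append(pkt, vsa...)
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	return pkt
}

// sessionIDFromRADIUS walks the attribute TLVs after the 20-byte header and returns
// the audit-session-id value, or an error for truncated or malformed input.
func sessionIDFromRADIUS(pkt []byte) (string, error) {
	if len(pkt) < 20 || int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return "", errors.New("bad RADIUS header or length")
	}
	for p := pkt[20:]; len(p) >= 2; {
		t, l := p[0], int(p[1])
		if l < 2 || l > len(p) {
			return "", errors.New("malformed attribute")
		}
		if t == 26 && l >= 8 && binary.BigEndian.Uint32(p[2:6]) == 9 && p[6] == 1 {
			if vl := int(p[7]); vl >= 2 && 6+vl <= l {
				if v := string(p[8 : 6+vl]); strings.HasPrefix(v, "audit-session-id=") {
					return strings.TrimPrefix(v, "audit-session-id="), nil
				}
			}
		}
		p = p[l:]
	}
	return "", errors.New("audit-session-id not present")
}

// sessionIDFromURL pulls the sessionId query parameter from the CWA redirect URL
// (parameter name assumed from ISE 1.2 portal URLs).
func sessionIDFromURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if id := u.Query().Get("sessionId"); id != "" {
		return id, nil
	}
	return "", errors.New("sessionId parameter missing")
}

// pickPSN is rendezvous hashing: the PSN with the highest hash(sessionID, psn) wins,
// so MAB request and portal hit the same node, and removing a failed node only
// moves the sessions that were pinned to it.
func pickPSN(sessionID string, psns []string) string {
	best, bestScore := "", uint64(0)
	for _, p := range psns {
		h := fnv.New64a()
		h.Write([]byte(sessionID + "\x00" + p))
		if s := h.Sum64(); best == "" || s > bestScore {
			best, bestScore = p, s
		}
	}
	return best
}

func main() {
	psns := []string{"psn-1.example.test", "psn-2.example.test"}
	sid := "0A0A0A0A000000A30B1C2D3E"
	a, _ := sessionIDFromRADIUS(sampleAccessRequest(sid))
	b, _ := sessionIDFromURL("https://cwa-portal.example.com:8443/guestportal/gateway?sessionId=" + sid + "&action=cwa")
	fmt.Println(a == b, pickPSN(a, psns), pickPSN(b, psns))
}
```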

  • ISE 1.2 issue with CWA (Error : Your session has expired)

    Hi,
    We have an ISE deployment with two administration nodes and two service policy nodes running 1.2.1.198, with CWA for wireless guest users (Cisco WLC). Suddenly, many guest users faced an issue where the login page is redirected but after entering user/password it gave "Your session has expired. Sign on again".
    authentication logs on ISE shows:
    Event  5418 Guest Authentication Failed
    Failure Reason  86017 Session Missing
    Resolution  Please contact your Administrator
    Root cause  SessionID is missing. Please contact your System Administrator
    We suspected the bug CSCul10677, but it is fixed in 1.2.1.198. We reloaded the two service policy nodes and that resolved the issue temporarily, but it showed up again after a couple of hours. The issue appeared with some users, not all, and with no specific devices or operating systems.
    Any idea ?
    Regards,
    Mohammad

    Please refer to the link: https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
    Workaround:
    Terminate session from admin UI and type in the original URL to redirect to guest portal with a new session-id.
    Disconnect SSID, wait for a few minutes, reconnect and enter the original URL to redirect to guest portal with the new session-id.

  • Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

    Hi,
    I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
    My authentication and authorization rules relating to that case are as on the following screenshots:
    So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
    Looking in ISE's Authentication section I can see following:
    Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
    So at first I can authenticate and authorize (the authorization profile has the necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting a failure. So what could be the cause of this, and how can I successfully log in to the PI GUI authenticating via ISE using AD credentials?

    Hi,
    -- Please Go to Administration > Logging > set the Message level to TRACE > Click save
    -- Then try to add the ISE.
    -- Once it fails, collect the logs from Administration > Logging >
    check the "ncs-0-0.log" & search the file for "ERROR" & paste the results here. This will give us the exact reason.
    - Ashok
    Please rate the post or mark as correct answer as it will help others looking for similar information

  • Cisco ISE 1.2.x with Posture Configuration - Windows Patches

    Hi, does anybody have any experience in integrating Cisco ISE Posture with Microsoft SCCM?
    With WSUS this works fine, but with SCCM I don't have any idea how to proceed. Does anybody know what is included in the predefined rules
    pr_WSUSRule and pr_WSUSCheck? I can't find any information in the ISE Console or Cisco documentation.
    Thanks.

    Once the agent performs the posture checks containing the Windows hotfix checks, if the administrator has configured the Launch Program Posture Remediation, the agent will launch the script file, which will initiate the Windows hotfix updates via the SCCM client (Configuration Manager) pre-installed/pre-configured on the box.

  • ISE 1.2 Profiling with iPAD Mini and Chromebooks

    Has anyone run into issues with profiling devices properly with the iPad Mini and Chromebooks? Recent testing with a customer shows that ISE was not able to identify the devices properly. We have a case opened with Cisco; they came out with a patch for Chromebook last week but it is still broken, and we are continuing to pursue it with TAC. Just wondering what others have come across.

    Hi Tarik,
    Thanks for the reply. I am testing this for Mike. We have set up ISE 1.2 (running latest patch 4) for wireless BYOD.
    Issue: Chrome Book Device Registration - Not Supported
    Issue: Chrome Book Profile - Unknown
    Probes Enabled - DHCP / RADIUS / HTTP / SNMP

  • ISE 1.2: Employee with personal device registration

    Hi experts,
    I'm aware of this discussion https://supportforums.cisco.com/discussion/11962026/ise-12-device-registration-mab-only-no-client-provisioning#comment-9371166
    but looking for a detailed configuration to get following to work:
    Employees have access to the network with their corporate devices. No problem.
    Now employees need to be able to use their own mobile devices to get access. There is no definition of what devices are allowed.
    I guess letting employees register their private devices by MAC address on the MyDevices portal would be the most sufficient solution.
    Does anyone have a detailed configuration or link how to achieve that?
    Thanks,
    Frank

    Having BYOD access be based on mac address only is not really ideal and also not secure. A mac address can easily be spoofed and consequently your security policy can be bypassed. If you have a PKI environment you can take the EAP-TLS with SCEP approach:
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html
    If you don't have a PKI environment and don't want to mess with certificates you can still use a more secure method than MAC addresses. For instance, you can perform PEAP user authentication. You can create a "special" BYOD AD group and place the authorized users there. Then they can use their AD credentials to authenticate. In the authorization policy you can limit the access for those types of authentication via dACLs (switches) or named access lists (WLCs).
    Hope this helps!
    Thank you for rating helpful posts!

  • Cisco ISE 1.2 - Problem with Device Onboarding of internal users using AD Credentials

    Dear experts,
    We have implemented ISE 1.2 with WLC 7.5 in our organization. We are using Device Onboarding by letting the users enter their AD Username and Password on the Guest portal, which then redirects them to the device registration portal where they simply register their device and get internet access.
    The problem is that some users are unable to authenticate using this portal while some can successfully authenticate and register their devices. All users are in the same group in AD. Also, we have enabled this check in two places. One is when a user connects to the SSID, where the security WPA2-Enterprise uses 802.1X and asks for the AD username and password. The other is on the portal.
    All users are able to connect to the SSID using their AD credentials. However, 30% of the users are not being authenticated when they are redirected to the Guest portal for device registration. Also, it gives no error or event on either ISE or the mobile device. When the user enters their credentials, the same guest portal page comes back blank with no errors or logs anywhere.
    Can someone guide me as to whether there is some configuration mistake that I may have made, or has someone faced this same issue and were/weren't able to resolve it?
    Thanks in advance.
    Jay

    Our problem got solved. It was related to a few user accounts in AD. Usually any authentication on an AD User Account is carried out using the User ID. However, during Web Authentication, the Login ID/Name is also checked by ISE and should be the same as the User ID.
    The problem you are facing might also be related to AD since we had a similar issue. Try to check this on a laptop, as the mobile portal gives no error if the user is unknown or invalid. Also, you can enable logs for web authentication, which are off by default. It will give you a pretty good idea where the problem lies. And yeah, do not keep the web authentication logs on for long, it can hang your ISE.
    Anyways, thanks for all the support.

  • ISE Guest Authentication only with email address

    Hi,
    I want to know whether there is an option to use ONLY the email address as an authentication credential for Guest user authentication using the Guest Portal, and this should be done only with Self Registration, not with Sponsored accounts.
    I would appreciate it if someone who has done this could advise us how to achieve this.
    thanks

    The exact scenario explained above is unachievable; however, something a little different from that can be achieved. See below:
    New Features in Cisco ISE Version 1.2.0.899—Cumulative Patch 2
    Support for Guest Self-Registration Based on Email Domain Whitelist
    You can allow guests to create their own accounts by enabling the self-service feature by choosing: Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations > Operations > Guest users should be allowed to do self service. When you enable this feature, the account credentials display on the screen, and they are also emailed to the email address used to create the account.
    You can restrict this feature by limiting guests' ability to create their own accounts based on their email domain. By creating an email domain whitelist, you can ensure that only guest users with email accounts on those domains can create guest accounts.
    To prevent the account credentials from displaying on the screen, you must create a custom portal when using an email domain whitelist. These steps provide an overview:
    1. Create a custom portal, following these guidelines:
    – Add a required email field and an acceptable use policy (AUP) page to the Self-Registration html file. See the "Sample Code for Sponsor and Guest Portal Customizations" appendix in the Cisco Identity Services Engine User Guide, Release 1.2 for a sample file.
    – Add text to refer users to their email for their login credentials on the Self-Registration Results html file. See the "Sample Code for Sponsor and Guest Portal Customizations" appendix in the Cisco Identity Services Engine User Guide, Release 1.2 for a sample file.
    – Map the Login file to the Self-Registration page. See the "Mapping HTML Files to Guest Portal Pages" section in the Cisco Identity Services Engine User Guide, Release 1.2 for detailed instructions.
    2. Configure the SMTP server to support notifications (Administration > System > Settings > SMTP Server).
    3. Specify the default e-mail address from which to send all guest notifications (Administration > System > Settings > SMTP Server and choose Use Default email address).
    4. Create the email domain whitelist. See the "Restricting Self-Registration Based on Email Domain" section.
    5. Customize the self-registration credentials email message. See the "Customizing the Self-Registration Credentials Email" section.
    6. Customize the self-registration failure message. See the "Customizing the Self-Registration Failure Message" section.

  • ISE - EAP-TLS authentication with multi-tier PKI

    Hi Cisco Support Community,
    and again I'm struggling with my ISE understanding. It's kind of frustrating - daily more and more questions arise :)
    Here's the thing and I hope some of the ISE experts here know the answer:
    I want to authenticate my wired and wireless clients using 802.1X. I'm using a multi-tier PKI (see picture below)
    The ISE uses a certificate from the "Signing CA1" (Chain: Root CA - Signing CA1).
    The clients use a certificate from the "Signing CA2" (Chain: Root CA - Intermediate CA1 - Signing CA2).
    Do I have to add the complete client certificate chain (Signing CA2, Intermediate CA1, Root CA) to the ISE trusted certificates in order to authenticate the client? Or is it enough, for example, just to add the root CA or the intermediate CA? I couldn't find any hints in the admin guide (1.3).
    Thanks in advance!

    Hello Johannes-
    You will need to add the root and all/any intermediate certificates in the trusted certificate store of ISE. 
    Thank you for rating helpful posts!
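    The answer above says the root and every intermediate must be in the trust store. This added Go example (not from the thread and not ISE code) builds the hierarchy named in the question, Root CA -> Intermediate CA1 -> Signing CA2 -> client, and verifies the client certificate the way an EAP-TLS server does when the supplicant presents only its leaf: with the root alone, or with Signing CA2 but not Intermediate CA1, the chain cannot be built; with both intermediates imported it validates. The names, keys and certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is one certificate with its private key; CA names follow the question.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *entity, serial int64) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // the client leaf, usable for EAP-TLS client authentication
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	return &entity{cert: cert, key: key}
}

// buildHierarchy constructs Root CA -> Intermediate CA1 -> Signing CA2 -> client (all constructed).
func buildHierarchy() (root, inter1, signing2, client *entity) {
	root = issue("Root CA", true, nil, 1)
	inter1 = issue("Intermediate CA1", true, root, 2)
	signing2 = issue("Signing CA2", true, inter1, 3)
	client = issue("client.example.test", false, signing2, 4)
	return
}

// verifyClient models the server-side check when the supplicant sends only its leaf:
// root is the trust anchor and store holds whatever intermediates the administrator
// imported. It returns the length of the validated chain, or the verification error.
func verifyClient(leaf, root *x509.Certificate, store []*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range store {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	root, inter1, signing2, client := buildHierarchy()
	_, err := verifyClient(client.cert, root.cert, nil) // intermediates missing
	n, err2 := verifyClient(client.cert, root.cert, []*x509.Certificate{inter1.cert, signing2.cert})
	fmt.Println("root only:", err, "| root + both intermediates: chain length", n, err2)
}
```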

  • ISE using 2 domains with trust established

    Hi,
    I need to authenticate wireless network users from two different domains
    abc.company.com
    cde.company.com
    There is trust between domains and ISE joined abc.company.com and it can authenticate and authorize users without issues.
    Users from cde.company.com cannot be authenticated (I don't even get to authorization part).
    My identity source list has only External ID listed and when I see what is the reason of failure, message states that Authentication has failed (not authorization) because user cannot be found in any identity listed.
    Now, users from abc and cde companies are logging in with their usernames only. Should they try to log in with cde.company\username or something?
    Has anyone done this before?
    Thanks.

    I have trust. I can get the user information with cde\user and [email protected], but authentication is still not working. So, I see the user, but it is still not being authenticated by the policy.
    Here is the log:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12300  Prepared EAP-Request proposing PEAP with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version 0
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12810  Prepared TLS ServerDone message
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12318  Successfully negotiated PEAP version 0
    12812  Extracted TLS ClientKeyExchange message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12313  PEAP inner method started
    11521  Prepared EAP-Request/Identity for inner EAP method
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    11522  Extracted EAP-Response/Identity for inner EAP method
    11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD-Suffolk
    24430  Authenticating user against Active Directory
    24412  User not found in Active Directory
    22056  Subject not found in the applicable identity store(s)
    22058  The advanced option that is configured for an unknown user is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    12315  PEAP inner method finished with failure
    22028  Authentication failed and the advanced options are ignored
