ISE 1.2.0.899 patch 1,2,3,4 with blackberry 9700

Similar Messages

• ISE 1.2.0.899 Patch 7

  Hey guys I have ISE 1.2.0.899 with patch 7 installed in my environment, also I have a WLC 5508 running version 7.4.121.0. We are authenticating our user with ISE. We are having an issue with our Guest WLAN, after we create an account with the sponsor portal for our guests, they can log in and get to the internet, but after 7 to 10 minutes the guest user is ask to re-authenticate again. I check in the WLC to see if there is any timeout for our Guest WLAN, but there not. At this point we don't know what is causing this problem since it only happens with the Guest WLAN, the other WLAN for Users that authenticate with AD credentials works without any problems. Is anybody experiencing this same issue? 

  Saurav Lodh, I did check the default time profile that is being used the sponsor. I even created a custom time profile to rule out any timeout on the Guest account, but even with the custom profile time the Guest account times out between 7 to 10 minutes and asks to re-authenticate again. I don't know if there is another place to look out for any timeouts, or is it maybe a bug with this version of ISE, but I couldn't find anybody else having this same issue which makes me think that it has to be a setting that is causing this problem.

• Applying Patches to ISE 1.2.0.899

  I am running ISE 1.2.0.899 Patch level 2. 
  I want to upgrade to patch level 6. 
  I understand that the ptaches are supposed to be cumulative and not incremental...but I want to make sure as I am 4 levels behind...Is there anything special I have to do? Do I just apply patch 6 from the Primary Admin node and it brings me straight to patch 6?
  Didn't note anything in the release notes, but I don't want to run into any surprises.
  Thanks, 
  Phill

  Well,
  I upgraded to patch 6. The patch did not replicate over to the other two nodes as I expected.
  I called TAC and was told to accomplish this manually, which I did on the secondary node.
  I did not have FTP access to the one in my DMZ, so I had to put that one off until the evening (had to get the firewall guy to give me access...then wait until after production hours). Anyhow, we noted a large increase in traffic between the primary ISE node and the Policy Service node in our DMZ...traffic flow seemed to be around 40 megs. This flow ceased when I manually upgraded the DMZ Policy Service Node.

• Ise 1.2.0.899 CWA Windows AD based

  Hi, I'm running ISE 1.2.0.899 patch 6
  When a use a internal ISE user which in the Identity Group "Onboard". The guest authentication, self registration and profiling are going just great (see picture) . But when I use a AD created user which on AD is in the same "Onboard"  security group, it is authenticated but further than that I got the message" The system admin has either not configured or enabled a policy for your device". Furthermore I can see in the log that the AD user is authenticatd with Identity Group "Any".  I tried several things in the authorization in matching the memberof/ external group based on "Onboard" with or without the guest flow specified.  If I manage to get the device to registered in the Identity Endpoint and I try to match on a AD group I see that is working.
  So to bottom line of this question is; if the BYOD/CYOD is not registered in the ISE ( Identity Endpoint)  which policy rule can I make so it will profile it as a android and put it as a registered device?
  Does anyone know how this can be configured?  Any help is appreciated.
  Thanks in advance,
  Kind regards, 
  Michel

  Hi Neno,
  I was mislead by the d0t1x AuthN in my first statement, if a connection is made on d0t1x with PEAP (mschapv2) then the AuthN check in the identity source sequence (first AD ) if the user exist. This is the case so this connection is allowed by AuthZ rule: BYOD_AD_D0t1x
  1. What do you have configured under: Administration > System > Settings > Profiling > CoA?
  currently it is configured for: "no COA"
  as the cisco documentation said:
  Exemptions for Issuing a Change of Authorization:
  An Endpoint Created through Guest Device Registration flow—When endpoints are created through device registration for the guests. Even though CoA is enabled globally in Cisco ISE, the profiling service does not issue a CoA so that the device registration flow is not affected. In particular, the PortBounce CoA global configuration breaks the flow of the connecting endpoint.

• Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

  Need help from ISE experts/gurus in this forum.
  Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stopping working completely and a reboot is required (very nice bug from cisco) .  This leaves me no choice but to upgrade to version 1.2.0.899-2-85601. 
  Scenario: 
  - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
  - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
  - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
  - node 3 is Policy service node - hostname is node3
  - node 4 is Policy service node - hostname is node4
  Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
  My understand  is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
  to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
  upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
  Can I patch my exsiting environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
  I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
  I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
  Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
  step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
  Propose solution:
  step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
  step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
            form a new ISE 1.2 cluster independent of the old cluster,
  step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
  step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
  step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
  step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
  step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
  step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
  step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
  Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
  step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  does these steps make sense to you?
  Thanks in advance.

  David,
  A few answers to your questions -
  Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
  https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
  You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli commmand to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at at time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
  Every ISE upgrade that I have attempted as not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
  I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
  I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
  I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
  Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
  Once the restore finished, I then restored the certificate and picked one of the PSNs
  backup the cert,
  Had the AD join user account handy
  reset-db,
  and run the upgrade script.
  Once that is done I then restore the cert
  Join the PSN to the new deployment
  Join both nodes to AD through primary admin node
  Monitor for a few days (seperate consoles to make sure everything runs smooth)
  If anything doesnt look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and the the last admin node.
  Thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• Inactive Windows 7 supplicant tries to reauthenticate every 4 to 10 minutes in Cisco ISE 1.2.1.899

  Hi,
  We have a dashboard windows 7 supplicant which is being used to monitoring the network activities. There is noone working with this supplicant so it goes inactive.
  What we see in our ISE log, is the supplicant trying to reauthenticate itself every 4 to 10 minutes. It goes on like this the whole day. We dont want this continous behaviour afterall.
  Swith port configuration looks likt this:
  interface FastEthernet0/31
  description 802.1x Poort
  switchport access vlan xxx
  switchport mode access
  switchport nonegotiate
  switchport voice vlan xxx
  no logging event link-status
  priority-queue out
  authentication control-direction in
  authentication host-mode multi-domain
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication timer inactivity 120
  mab
  no snmp trap link-status
  dot1x pae authenticator
  dot1x timeout quiet-period 300
  dot1x timeout tx-period 10
  dot1x timeout supp-timeout 300
  dot1x max-reauth-req 3
  dot1x timeout held-period 300
  dot1x timeout auth-period 3
  no mdix auto
  storm-control broadcast level 10.00
  storm-control multicast level 10.00
  no cdp enable
  spanning-tree portfast
  service-policy input xxxx
  end
  Has anyone got this same issue? Is this an normal behaviour of an Idle'd supplicant? or other issue around ISE/Switch? Are there any switch configuration we missing to get rid off this behaviour?
  ISE Version: 1.2.0.899
  Patch Information: 5,6,8
  Help would be much appreciated

  Hi Jan,
  Thank you for your reply. Indeed those timer values were not covered in the ISE design guide. We have implemented this timer to tweak the standard design. However we have finally discovered the solution for this issue.
  "authentication timer inactivity 120" was the route cause of the issue. So when a workstation goes to idle, ISE tries to re-authenticate after 2 minutes because of this switch port configuration.
  We have tried to expand the timer to 3600 and it worked, issue fixed. But you will have then every one hour the same result (not a big issue).
  And yes, we have deleted all those timer values to keep the configuration simple as possible. Now we don't have the issue anymore.

• ISE 1.1.2.145 patch-3 and CLI password disable

  I am running ISE 1.1.2.145 patch-3 on VMWare ESXi 4.1  The ISE is running fine without any issues.
  During the initial setup of the ISE, I create an account called "admin" so that I can ssh into the ISE.  According to Cisco, the CLI password does NOT expire and does NOT lock out.  However, when I ssh into the ISE and "intentionally" entered the wrong password 5 times.  After that, I can no longer ssh or console in the ISE with the "admin" account.  The only way to fix this is to do "password recovery" with the DVD.
  I notice the same issue with ISE version 1.1.1.268 patch-5 as well.
  Is this a "known" issue with ISE or bug?

  There looks like there was a bug fixed for this issue in 1.1.1, you may need to open a tac case and see if the bug has resurfaced.
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
  CSCub89895
  SNMP process stops randomly due to an issue in netsnmp
  The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of  the Cisco ISE node to fail until the daemon is restarted. This issue  has been observed in Cisco ISE, Release 1.1.1.
  Workaround   Remove all SNMP commands and re-add them to start the daemon again or restart the ISE node.
  For more information, see: http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=12694&atid=112694
  Tarik Admani
  *Please rate helpful posts*

• 11i to R12 upgrade : Unable to merge patch 9179588:R12.AD.B with 9477107:R12.AD.B and patch 7461070:R12.AD.B.1

  Hello Sir,
  As per readme for Patch 9179588, I am trying to merge patch (9179588:R12.AD.B) with 9477107:R12.AD.B and R12.AD.B.1
  (patch 7461070). When I run admrgpch without -admode option, admrgpch completes successfully.
  However, when I just add -admode option in same command, getting error that "invalid option -s". Please see below details and suggest since there is Note: This merge should be a full merge using -admode.
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  drix10:/fmstop/patches/R1211AD/merge>ls -lrt
  total 13992
  -rw-r--r-- 1 appltest dba 7035668 Aug 03 10:59 p7461070_R12_AIX64-5L.zip
  -rw-r--r-- 1 appltest dba 79016 Aug 04 03:48 p9179588_R12.AD.B_R12_GENERIC.zip
  -rw-r--r-- 1 appltest dba 38579 Aug 04 05:22 p9477107_R12.AD.B_R12_GENERIC.zip
  -rw-r--r-- 1 appltest dba 94 Aug 04 13:27 manifest.txt
  drix10:/fmstop/patches/R1211AD/merge>cat manifest.txt
  p7461070_R12_AIX64-5L.zip
  p9179588_R12.AD.B_R12_GENERIC.zip
  p9477107_R12.AD.B_R12_GENERIC.zip
  drix10:/fmstop/patches/R1211AD/merge>
  drix10:/fmstop/patches/R1211AD/merge>admrgpch -admode -s /fmstop/patches/R1211AD/merge -d /fmstop/patches/R1211AD/merge -merge_name merged_R12AD11 -manifest manifest.txt
  Error: Invalid option: -s
  usage: admrgpch -help
  admrgpch <source_directory> <destination_directory>
  admrgpch -s <source_directory> -d <destination_directory>
  [-verbose <level>] [-merge_name <pattern>]
  [-manifest <filename>] [-logfile <filename>]
  where
  * -help Print help message.
  * -verbose <level> Can be one of: { 0(SILENT),
  1(QUIET), 2(VERBOSE) or 3(LOUD) }
  Default - 1(QUIET).
  * -merge_name <pattern> The name of the merged patch (max 24 characters).
  Default - "merged".
  * -s <source_directory> Path of source directory where all patches to be
  merged have been unzipped.
  * -d <destination_directory> Path of destination directory where the merged
  patch will be created.
  * -manifest <filename> Full pathname of a file containing the list of
  patch zip files to be merged.
  * -logfile <filename> Admrgpch log file name.
  Default:"<CWD>/admrgpch.log".
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  Without option -admode :
  drix10:/fmstop/patches/R1211AD/merge>admrgpch -s /fmstop/patches/R1211AD/merge -d /fmstop/patches/R1211AD/merge -merge_name merged_R12AD11 -manifest manifest.txt
  unzipping p7461070_R12_AIX64-5L.zip..
  unzipping p9179588_R12.AD.B_R12_GENERIC.zip..
  unzipping p9477107_R12.AD.B_R12_GENERIC.zip..
  Executing the merge of the patch drivers
  -- Processing patch: /fmstop/patches/R1211AD/merge/7461070
  -- Done processing patch: /fmstop/patches/R1211AD/merge/7461070
  -- Processing patch: /fmstop/patches/R1211AD/merge/9179588
  -- Done processing patch: /fmstop/patches/R1211AD/merge/9179588
  -- Processing patch: /fmstop/patches/R1211AD/merge/9477107
  -- Done processing patch: /fmstop/patches/R1211AD/merge/9477107
  Copying files...
  5% complete. Copied 44 files of 876...
  10% complete. Copied 88 files of 876...
  15% complete. Copied 132 files of 876...
  20% complete. Copied 176 files of 876...
  25% complete. Copied 219 files of 876...
  30% complete. Copied 263 files of 876...
  35% complete. Copied 307 files of 876...
  40% complete. Copied 351 files of 876...
  45% complete. Copied 395 files of 876...
  50% complete. Copied 438 files of 876...
  55% complete. Copied 482 files of 876...
  60% complete. Copied 526 files of 876...
  65% complete. Copied 570 files of 876...
  70% complete. Copied 614 files of 876...
  75% complete. Copied 657 files of 876...
  80% complete. Copied 701 files of 876...
  85% complete. Copied 745 files of 876...
  90% complete. Copied 789 files of 876...
  95% complete. Copied 833 files of 876...
  100% complete. Copied 876 files of 876...
  Character-set converting files...
  3 unified drivers merged.
  Patch merge completed successfully
  Please check the log file at ./admrgpch.log.
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  I am executing admrgpch after sourcing 11i environment and version for admrgpch is :
  drix10:/fmstop/fmstest/fmstestappl/ad/11.5.0/bin>adident Header admerge.pl
  admerge.pl:
  $Header admerge.pl 115.22 2008/09/18 12:12:08 nissubra noship $

  Hi Srini,
  Thanks a lot !
  Actually, I tried that one as well by running admrgpch from newly installed R12 code tree and I got below error.
  drix10:/fmstop/r12apps/apps/apps_st/appl/ad/12.0.0/bin>ls -rlt admrgpch
  -rwxr-xr-x    1 appltest dba        14293576 Mar 30 2009  admrgpch
  drix10:/fmstop/r12apps/apps/apps_st/appl/ad/12.0.0/bin>admrgpch -s /fmstop/patches/R1211AD/merge -d /fmstop/patches/R1211AD/merge -merge_name merged_R12AD11 -manifest manifest.txt -admode
  exec(): 0509-036 Cannot load program ./admrgpch because of the following errors:
          0509-150   Dependent module libnnz10.so could not be loaded.
          0509-022 Cannot load module libnnz10.so.
          0509-026 System error: A file or directory in the path name does not exist.
  Then I sourced R12 environment file and ran same command. Its completed successfully.
  drix10:/fmstop/patches/R1211AD/merge>admrgpch -s /fmstop/patches/R1211AD/merge -d /fmstop/patches/R1211AD/merge -merge_name merged_R12AD11 -manifest manifest.txt -admode
  unzipping p7461070_R12_AIX64-5L.zip..
  unzipping p9179588_R12.AD.B_R12_GENERIC.zip..
  unzipping p9477107_R12.AD.B_R12_GENERIC.zip..
  Executing the merge of the patch drivers
  -- Processing patch: /fmstop/patches/R1211AD/merge/7461070
  -- Processing file: /fmstop/patches/R1211AD/merge/7461070/u7461070.drv
  -- Done processing file: /fmstop/patches/R1211AD/merge/7461070/u7461070.drv
  -- Done processing patch: /fmstop/patches/R1211AD/merge/7461070
  -- Processing patch: /fmstop/patches/R1211AD/merge/9179588
  -- Processing file: /fmstop/patches/R1211AD/merge/9179588/u9179588.drv
  -- Done processing file: /fmstop/patches/R1211AD/merge/9179588/u9179588.drv
  -- Done processing patch: /fmstop/patches/R1211AD/merge/9179588
  -- Processing patch: /fmstop/patches/R1211AD/merge/9477107
  -- Processing file: /fmstop/patches/R1211AD/merge/9477107/u9477107.drv
  -- Done processing file: /fmstop/patches/R1211AD/merge/9477107/u9477107.drv
  -- Done processing patch: /fmstop/patches/R1211AD/merge/9477107
  Copying files...
  5% complete. Copied 45 files of 883...
  10% complete. Copied 89 files of 883...
  15% complete. Copied 133 files of 883...
  20% complete. Copied 177 files of 883...
  25% complete. Copied 221 files of 883...
  30% complete. Copied 265 files of 883...
  35% complete. Copied 310 files of 883...
  40% complete. Copied 354 files of 883...
  45% complete. Copied 398 files of 883...
  50% complete. Copied 442 files of 883...
  55% complete. Copied 486 files of 883...
  60% complete. Copied 530 files of 883...
  65% complete. Copied 574 files of 883...
  70% complete. Copied 619 files of 883...
  75% complete. Copied 663 files of 883...
  80% complete. Copied 707 files of 883...
  85% complete. Copied 751 files of 883...
  90% complete. Copied 795 files of 883...
  95% complete. Copied 839 files of 883...
  100% complete. Copied 883 files of 883...
  Character-set converting files...
    3 unified drivers merged.
  Patch merge completed successfully
  Please check the log file at ./admrgpch.log.

• I want to change patches on my Kurzweil PC1se with Mainstage.

  I want to change patches on my Kurzweil PC1se with Mainstage.  I'm using an Maudio Uno to run from MIDI in and out on my PC1se to my Macbook pro running Mavericks and Mainstage 3.
  Example:  Patch 1 is the Organ on my PC1se (Bank 1/Patch 0) and Patch 2 is the Piano on my PC1se (Bank 1/Patch 80)
  When I select Patch 2 in Mainstage I want my PC1se to go to my piano sound.
  I just can't figure out how to do this.  Any suggestions?

  I own some Kurzweils, but not the PC1.  I downloaded and looked through the manual, and I think you may want to give MIDI Receive Mode a try. 
  Also--in Mainstage--are you using External Instrument channel strips for the Kurz?
  Hope this helps.
  Josh

• ISE 1.2.1.198 patch 5 - Operations Authentications not loading or displaying

  Is anyone else having an issue with getting Authentications to display under operations? We were running 1.2.0.899 and started to run into a couple bugs so we upgraded to 1.2.1.198. Ever since then the Operations - Authentications have not been working right. I may occasionally see and actual authentication but not as many as I should. Most of the messages I saw yesterday pertained to radius processes already in progress from endpoint which was my wireless controller. Today I just get a loading data message at the bottom of the screen. It does not seem to be affecting system operation as users are still properly authenticating but I am unable to monitor the process or troubleshoot a users if they were to have an issue. We are on the edge of moving this into full production but really cannot until I get this resolved.
  I have a case open with tac and their comment was that the issue of authentications not displaying was fixed in 1.2.1 and not sure what may be happening. We went ahead and applied patch 5 just in case there was something else going on. That did not fix things and it now seens to be getting worse.
  I just wanted to see if anyone else had seen this and could possible shed some light on a resolution.
  I am running a cluster containing the following. Primary admin on a VM - two policy Services servers both on VMs - secondary admin on retired ACS 2111 appliance. All three VMs are on the same physical server. Memory utilization on the admin server is just under 50% with the Policy servers both in the 30% range. I do have one policy server that is showing authentications in the 10-12ms latency but do not think that should affect anything. The ISE cluster is also tied into our 5508 wireless controller for support of the wireless networks. I have two SSIDs in production here at corporate and trying to figure out FlexConnect for the remote locations so we can centralize everything.
  Brent

  TAC recommendation was to install patch 5 which should include patch 4 plus other things. They took logs from my servers and asked to give them a day or so to look at the issue. Today is day three with no update.
  I am going to reboot all the servers in the cluster tonight. I do not have console access to the VMs so am hoping that I can reload from the CLI and accomplish the same thing rather than just reload the services.
  I tried a wired connection this morning and it popped into the authentications report but will have to test to make sure it repeats.
  What is mostly in the log is simply the reports of the supplicant stopped responding to ISE. I know thought that I have at least 5 people that are connected via wireless. Here is a sample of what is in the log.

• CISCO ISE 1.2.0.899 - Self registration email address field Limit

  Hi
  I was wondering if someone out there can resolve an issue I am seeing, when a user goes to the self registration portal and enters an email address it only allows 24 characters to be entered, in the documentation it states that up to 48 characters can be entered. Is there a setting that i need to change to increase the character limit to above 24.
  Thanks
  John

  Hi Anas
  That is not true, I had the same problem with ISE in our Network.
  We are running 1.2.0.899, after all the troubleshooting I decided to upgrade the Patch on the ISE.
  As part of that I have deployed patch 5, which has resolved the issue.
  So please just download patch 5 for the solution.
  Regards
  Sandy

• ISE version 1.1.2 patch-5 or 1.1.3

  I am about to deploy ISE in a new environment.  My plan is to go with ISE 1.1.2 with patch-5 or with 1.1.3
  My problem with 1.1.3 is that it is new and no patch.  While there are new features in 1.1.3 but it also comes with unknown issues and bugs that will not be resolved until patch-1 in 1.1.3.  Therefore, I plan on staying at 1.1.2 patch-5.
  What do  you think?

  Hello David-
  With any new products, such as ISE (version 1.x), I tend to always go with the latest release as there are constantly more and more bugs that are being fixed along with new features. I have one deployment running on 1.1.3 and I have not had/heard any issues.
  Also, there is a nasty bug with 1.1.2 where if you use automatic backups your EAP-TLS authentications start to fail and can only be resolved by a reload. (CSCud00831). So if you are planning to use EAP-TLS type authentications then I would strongly recommend that you go with 1.1.3
  Thank you for rating!

• ISE 1.2.0.899 and large number of alerts

  Hey,
  I have been in touch with our Cisco Partner about this, but I didn't get anywhere and the case was closed without a resolution..
  It turns out that you cannot clear more than 1000 alerts at once in ISE.
  This is a huge issue for me, because we have over 10k configuration change alerts that was generated when a user mistakenly created a few too many guest accounts through the sponsor portal.
  I am hoping there is a way I can clear up all these old alerts without having to click 9k of them one at a time to clear them..
  I considered automating the clicking through javascript in my browser, but of course the alert list was a flash object, so I couldn't do that either..
  -- Regards, Morten

  Hi Morten,
  This is a known issue - https://tools.cisco.com/bugsearch/bug/CSCul58094/?reffering_site=dumpcr
  This will be fixed in ISE 1.3 However, you can delete all the alerts in one go using root patch and sql cmds.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• ISE 1.2.0.899 vulnerable to Shellshock?

  Hi, I just saw that version 1.2(0.747) is vulnerable. How about 1.2.0.899?
  https://tools.cisco.com/bugsearch/bug/CSCur00532
  KR

  I've asked the PSIRT Team and they confirmed that ISE is vulnerable.
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
  (Prime Infrastructure is vulnerable as well but is not yet mentioned in the advisory.  It will be added in an upcoming revision.)

• Snmp stops working on ISE 1.1.2(145) patch 10

  I have a Primary Admin/Primary Monitoring, Secondary Admin/Monitoring and two PSN nodes, distributed mode
  A few days ago, the primary Admin/Monitoring node snmpd daemon just stopped working.  I had to remove the snmp community string and re-add it back and snmpd starts working again.
  Yesterday, the secondary admin/monitoring node snmpd daemon also stopped working and had to do the same thing (remove and re-add snmp community string) for snmp to work again.
  Is this a bug in ISE?

  There looks like there was a bug fixed for this issue in 1.1.1, you may need to open a tac case and see if the bug has resurfaced.
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
  CSCub89895
  SNMP process stops randomly due to an issue in netsnmp
  The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of  the Cisco ISE node to fail until the daemon is restarted. This issue  has been observed in Cisco ISE, Release 1.1.1.
  Workaround   Remove all SNMP commands and re-add them to start the daemon again or restart the ISE node.
  For more information, see: http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=12694&atid=112694
  Tarik Admani
  *Please rate helpful posts*