ISE 1.2.0.899 Patch 7

Similar Messages

• ISE 1.2.0.899 patch 1,2,3,4 with blackberry 9700

                     Hi, I'm using ISE 1.2.0.899 patch 1,2,3,4, and I am trying to use guest portal on blackberry 9700.
  I verified that I am able to do 802.1x with blackberry.
  I associated to ssid, and opened web browser, and I can see the guest portal.
  However, when I clicked on "don't have account?" to creating guest ID, I could not go any further.
  does anyone know if it's supported or not ? if it's working or not ?
  I know in the network compatibility document for 1.2, there is no mention about blackberry.
  does anyone know about this ?

  Saurav Lodh, I did check the default time profile that is being used the sponsor. I even created a custom time profile to rule out any timeout on the Guest account, but even with the custom profile time the Guest account times out between 7 to 10 minutes and asks to re-authenticate again. I don't know if there is another place to look out for any timeouts, or is it maybe a bug with this version of ISE, but I couldn't find anybody else having this same issue which makes me think that it has to be a setting that is causing this problem.

• Applying Patches to ISE 1.2.0.899

  I am running ISE 1.2.0.899 Patch level 2. 
  I want to upgrade to patch level 6. 
  I understand that the ptaches are supposed to be cumulative and not incremental...but I want to make sure as I am 4 levels behind...Is there anything special I have to do? Do I just apply patch 6 from the Primary Admin node and it brings me straight to patch 6?
  Didn't note anything in the release notes, but I don't want to run into any surprises.
  Thanks, 
  Phill

  Well,
  I upgraded to patch 6. The patch did not replicate over to the other two nodes as I expected.
  I called TAC and was told to accomplish this manually, which I did on the secondary node.
  I did not have FTP access to the one in my DMZ, so I had to put that one off until the evening (had to get the firewall guy to give me access...then wait until after production hours). Anyhow, we noted a large increase in traffic between the primary ISE node and the Policy Service node in our DMZ...traffic flow seemed to be around 40 megs. This flow ceased when I manually upgraded the DMZ Policy Service Node.

• Ise 1.2.0.899 CWA Windows AD based

  Hi, I'm running ISE 1.2.0.899 patch 6
  When a use a internal ISE user which in the Identity Group "Onboard". The guest authentication, self registration and profiling are going just great (see picture) . But when I use a AD created user which on AD is in the same "Onboard"  security group, it is authenticated but further than that I got the message" The system admin has either not configured or enabled a policy for your device". Furthermore I can see in the log that the AD user is authenticatd with Identity Group "Any".  I tried several things in the authorization in matching the memberof/ external group based on "Onboard" with or without the guest flow specified.  If I manage to get the device to registered in the Identity Endpoint and I try to match on a AD group I see that is working.
  So to bottom line of this question is; if the BYOD/CYOD is not registered in the ISE ( Identity Endpoint)  which policy rule can I make so it will profile it as a android and put it as a registered device?
  Does anyone know how this can be configured?  Any help is appreciated.
  Thanks in advance,
  Kind regards, 
  Michel

  Hi Neno,
  I was mislead by the d0t1x AuthN in my first statement, if a connection is made on d0t1x with PEAP (mschapv2) then the AuthN check in the identity source sequence (first AD ) if the user exist. This is the case so this connection is allowed by AuthZ rule: BYOD_AD_D0t1x
  1. What do you have configured under: Administration > System > Settings > Profiling > CoA?
  currently it is configured for: "no COA"
  as the cisco documentation said:
  Exemptions for Issuing a Change of Authorization:
  An Endpoint Created through Guest Device Registration flow—When endpoints are created through device registration for the guests. Even though CoA is enabled globally in Cisco ISE, the profiling service does not issue a CoA so that the device registration flow is not affected. In particular, the PortBounce CoA global configuration breaks the flow of the connecting endpoint.

• Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

  Need help from ISE experts/gurus in this forum.
  Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stopping working completely and a reboot is required (very nice bug from cisco) .  This leaves me no choice but to upgrade to version 1.2.0.899-2-85601. 
  Scenario: 
  - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
  - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
  - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
  - node 3 is Policy service node - hostname is node3
  - node 4 is Policy service node - hostname is node4
  Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
  My understand  is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
  to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
  upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
  Can I patch my exsiting environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
  I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
  I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
  Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
  step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
  Propose solution:
  step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
  step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
            form a new ISE 1.2 cluster independent of the old cluster,
  step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
  step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
  step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
  step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
  step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
  step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
  step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
  Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
  step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  does these steps make sense to you?
  Thanks in advance.

  David,
  A few answers to your questions -
  Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
  https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
  You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli commmand to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at at time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
  Every ISE upgrade that I have attempted as not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
  I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
  I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
  I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
  Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
  Once the restore finished, I then restored the certificate and picked one of the PSNs
  backup the cert,
  Had the AD join user account handy
  reset-db,
  and run the upgrade script.
  Once that is done I then restore the cert
  Join the PSN to the new deployment
  Join both nodes to AD through primary admin node
  Monitor for a few days (seperate consoles to make sure everything runs smooth)
  If anything doesnt look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and the the last admin node.
  Thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• Inactive Windows 7 supplicant tries to reauthenticate every 4 to 10 minutes in Cisco ISE 1.2.1.899

  Hi,
  We have a dashboard windows 7 supplicant which is being used to monitoring the network activities. There is noone working with this supplicant so it goes inactive.
  What we see in our ISE log, is the supplicant trying to reauthenticate itself every 4 to 10 minutes. It goes on like this the whole day. We dont want this continous behaviour afterall.
  Swith port configuration looks likt this:
  interface FastEthernet0/31
  description 802.1x Poort
  switchport access vlan xxx
  switchport mode access
  switchport nonegotiate
  switchport voice vlan xxx
  no logging event link-status
  priority-queue out
  authentication control-direction in
  authentication host-mode multi-domain
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication timer inactivity 120
  mab
  no snmp trap link-status
  dot1x pae authenticator
  dot1x timeout quiet-period 300
  dot1x timeout tx-period 10
  dot1x timeout supp-timeout 300
  dot1x max-reauth-req 3
  dot1x timeout held-period 300
  dot1x timeout auth-period 3
  no mdix auto
  storm-control broadcast level 10.00
  storm-control multicast level 10.00
  no cdp enable
  spanning-tree portfast
  service-policy input xxxx
  end
  Has anyone got this same issue? Is this an normal behaviour of an Idle'd supplicant? or other issue around ISE/Switch? Are there any switch configuration we missing to get rid off this behaviour?
  ISE Version: 1.2.0.899
  Patch Information: 5,6,8
  Help would be much appreciated

  Hi Jan,
  Thank you for your reply. Indeed those timer values were not covered in the ISE design guide. We have implemented this timer to tweak the standard design. However we have finally discovered the solution for this issue.
  "authentication timer inactivity 120" was the route cause of the issue. So when a workstation goes to idle, ISE tries to re-authenticate after 2 minutes because of this switch port configuration.
  We have tried to expand the timer to 3600 and it worked, issue fixed. But you will have then every one hour the same result (not a big issue).
  And yes, we have deleted all those timer values to keep the configuration simple as possible. Now we don't have the issue anymore.

• ISE version 1.1.2 patch-5 or 1.1.3

  I am about to deploy ISE in a new environment.  My plan is to go with ISE 1.1.2 with patch-5 or with 1.1.3
  My problem with 1.1.3 is that it is new and no patch.  While there are new features in 1.1.3 but it also comes with unknown issues and bugs that will not be resolved until patch-1 in 1.1.3.  Therefore, I plan on staying at 1.1.2 patch-5.
  What do  you think?

  Hello David-
  With any new products, such as ISE (version 1.x), I tend to always go with the latest release as there are constantly more and more bugs that are being fixed along with new features. I have one deployment running on 1.1.3 and I have not had/heard any issues.
  Also, there is a nasty bug with 1.1.2 where if you use automatic backups your EAP-TLS authentications start to fail and can only be resolved by a reload. (CSCud00831). So if you are planning to use EAP-TLS type authentications then I would strongly recommend that you go with 1.1.3
  Thank you for rating!

• ISE 1.1.2.145 patch-3 and CLI password disable

  I am running ISE 1.1.2.145 patch-3 on VMWare ESXi 4.1  The ISE is running fine without any issues.
  During the initial setup of the ISE, I create an account called "admin" so that I can ssh into the ISE.  According to Cisco, the CLI password does NOT expire and does NOT lock out.  However, when I ssh into the ISE and "intentionally" entered the wrong password 5 times.  After that, I can no longer ssh or console in the ISE with the "admin" account.  The only way to fix this is to do "password recovery" with the DVD.
  I notice the same issue with ISE version 1.1.1.268 patch-5 as well.
  Is this a "known" issue with ISE or bug?

  There looks like there was a bug fixed for this issue in 1.1.1, you may need to open a tac case and see if the bug has resurfaced.
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
  CSCub89895
  SNMP process stops randomly due to an issue in netsnmp
  The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of  the Cisco ISE node to fail until the daemon is restarted. This issue  has been observed in Cisco ISE, Release 1.1.1.
  Workaround   Remove all SNMP commands and re-add them to start the daemon again or restart the ISE node.
  For more information, see: http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=12694&atid=112694
  Tarik Admani
  *Please rate helpful posts*

• ISE 1.2.1.198 patch 5 - Operations Authentications not loading or displaying

  Is anyone else having an issue with getting Authentications to display under operations? We were running 1.2.0.899 and started to run into a couple bugs so we upgraded to 1.2.1.198. Ever since then the Operations - Authentications have not been working right. I may occasionally see and actual authentication but not as many as I should. Most of the messages I saw yesterday pertained to radius processes already in progress from endpoint which was my wireless controller. Today I just get a loading data message at the bottom of the screen. It does not seem to be affecting system operation as users are still properly authenticating but I am unable to monitor the process or troubleshoot a users if they were to have an issue. We are on the edge of moving this into full production but really cannot until I get this resolved.
  I have a case open with tac and their comment was that the issue of authentications not displaying was fixed in 1.2.1 and not sure what may be happening. We went ahead and applied patch 5 just in case there was something else going on. That did not fix things and it now seens to be getting worse.
  I just wanted to see if anyone else had seen this and could possible shed some light on a resolution.
  I am running a cluster containing the following. Primary admin on a VM - two policy Services servers both on VMs - secondary admin on retired ACS 2111 appliance. All three VMs are on the same physical server. Memory utilization on the admin server is just under 50% with the Policy servers both in the 30% range. I do have one policy server that is showing authentications in the 10-12ms latency but do not think that should affect anything. The ISE cluster is also tied into our 5508 wireless controller for support of the wireless networks. I have two SSIDs in production here at corporate and trying to figure out FlexConnect for the remote locations so we can centralize everything.
  Brent

  TAC recommendation was to install patch 5 which should include patch 4 plus other things. They took logs from my servers and asked to give them a day or so to look at the issue. Today is day three with no update.
  I am going to reboot all the servers in the cluster tonight. I do not have console access to the VMs so am hoping that I can reload from the CLI and accomplish the same thing rather than just reload the services.
  I tried a wired connection this morning and it popped into the authentications report but will have to test to make sure it repeats.
  What is mostly in the log is simply the reports of the supplicant stopped responding to ISE. I know thought that I have at least 5 people that are connected via wireless. Here is a sample of what is in the log.

• CISCO ISE 1.2.0.899 - Self registration email address field Limit

  Hi
  I was wondering if someone out there can resolve an issue I am seeing, when a user goes to the self registration portal and enters an email address it only allows 24 characters to be entered, in the documentation it states that up to 48 characters can be entered. Is there a setting that i need to change to increase the character limit to above 24.
  Thanks
  John

  Hi Anas
  That is not true, I had the same problem with ISE in our Network.
  We are running 1.2.0.899, after all the troubleshooting I decided to upgrade the Patch on the ISE.
  As part of that I have deployed patch 5, which has resolved the issue.
  So please just download patch 5 for the solution.
  Regards
  Sandy

• ISE 1.2.0.899 and large number of alerts

  Hey,
  I have been in touch with our Cisco Partner about this, but I didn't get anywhere and the case was closed without a resolution..
  It turns out that you cannot clear more than 1000 alerts at once in ISE.
  This is a huge issue for me, because we have over 10k configuration change alerts that was generated when a user mistakenly created a few too many guest accounts through the sponsor portal.
  I am hoping there is a way I can clear up all these old alerts without having to click 9k of them one at a time to clear them..
  I considered automating the clicking through javascript in my browser, but of course the alert list was a flash object, so I couldn't do that either..
  -- Regards, Morten

  Hi Morten,
  This is a known issue - https://tools.cisco.com/bugsearch/bug/CSCul58094/?reffering_site=dumpcr
  This will be fixed in ISE 1.3 However, you can delete all the alerts in one go using root patch and sql cmds.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• ISE 1.2.0.899 vulnerable to Shellshock?

  Hi, I just saw that version 1.2(0.747) is vulnerable. How about 1.2.0.899?
  https://tools.cisco.com/bugsearch/bug/CSCur00532
  KR

  I've asked the PSIRT Team and they confirmed that ISE is vulnerable.
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
  (Prime Infrastructure is vulnerable as well but is not yet mentioned in the advisory.  It will be added in an upcoming revision.)

• Snmp stops working on ISE 1.1.2(145) patch 10

  I have a Primary Admin/Primary Monitoring, Secondary Admin/Monitoring and two PSN nodes, distributed mode
  A few days ago, the primary Admin/Monitoring node snmpd daemon just stopped working.  I had to remove the snmp community string and re-add it back and snmpd starts working again.
  Yesterday, the secondary admin/monitoring node snmpd daemon also stopped working and had to do the same thing (remove and re-add snmp community string) for snmp to work again.
  Is this a bug in ISE?

  There looks like there was a bug fixed for this issue in 1.1.1, you may need to open a tac case and see if the bug has resurfaced.
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
  CSCub89895
  SNMP process stops randomly due to an issue in netsnmp
  The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of  the Cisco ISE node to fail until the daemon is restarted. This issue  has been observed in Cisco ISE, Release 1.1.1.
  Workaround   Remove all SNMP commands and re-add them to start the daemon again or restart the ISE node.
  For more information, see: http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=12694&atid=112694
  Tarik Admani
  *Please rate helpful posts*

• ISE Condition Windows with Latest Patch Installed

  Hello,
  I want to comply all the domain computer with latest windows Patch Installed. How we can create this condition under which catagry as mentioned below?
  Thanks.  

  Case Solution:
  You can deploy domain computer with latest windows Patch  Installed with Configuring WSUS Remediation.
  This example shows how to ensure that all employee computers  with Windows 7 have the latest critical
  Patches installed. Windows Server Update Services (WSUS) are  internally managed.
  Define a posture remediation action that checks for and  installs the latest Windows 7 patches.
  1. Navigate to Policy > Policy Elements > Results,  and expand the Posture folder.
  2. Expand the contents of Remediation Actions.
  Select Windows Server Update Remediation, and click Add from the right−hand pane menu.
  Enter these values, and click Submit:
  Attribute Value
  Name Install_Win_Critical_Updates
  Description Check and Install missing Critical Windows Updates
  Remediation Type Manual
  Validate Windows Updates using Severity Level
  Windows Updates Severity Level Critical
  Windows Updates Installation Source Managed Server
  Installation Wizard Interface Setting Show UI
  Note: If you want to use Cisco rules in order to  validate Windows update, create your posture
  Conditions, and define your conditions in Step 2.
  2. Click Save when finished.
  Note: If a preconfigured condition does not  display under the list of conditions, verify that the appropriate OS has  been selected for both the condition as well as the requirement rule.  Only conditions that are the same or are a subset of the OS selected for  the rule display in the conditions selection list.
  Please check below  which may be helpful for you.
  http://www.cisco.com/image/gif/paws/116143/116143-config-cise-posture-00.pdf

• Cisco ISE 1.1.1.268 patch 4 (Authorization polices for company asset & non company asset)

  Is there any way to differentiate company asset & non company asset machines as both use same AD credentials but only difference is company asset is domain joined machines & non company asset only use AD credentials.
  We want to create different authorization polices for company & non company asset machines. What condition I can use under authentication & authorization which help us to differentiate them except certificate.
  We want to do posture assetment for them as well.

  Hello Tabish-
  There are several ways you can do that. The easiest way (In my opinion) is to use PEAP machine based authentication for your domain computers while using PEAP user based authentication for non domain computers. Based on that a different authorization profile will be applied to the supplicant. For example, you can have a rule where if a computer is part of domain computers then it gets an throziation profile called Full_Access but if a domain user then apply authorization profile called Limited_Access. An important part of this solution is for your AD to be locked down where only certain users/admin's can add computers to the domain. Otherwise, by default, any domain users can add a computer to a domain. Putting some posture checks in between those would also not be a problem.
  Some other methods are to use EAP-TLS with digital certificates but this requires that you have  a PKI in place and every single domain computer is issued a digital certificate.
  Some more advanced methods are EAP-Chaining where you can perform both machine and user authentication.
  I hope this helps!
  Thank you for rating!