ISE 1.2.0.899 vulnerable to Shellshock?

Hi, I just saw that version 1.2(0.747) is vulnerable. How about 1.2.0.899?
https://tools.cisco.com/bugsearch/bug/CSCur00532
KR

I've asked the PSIRT Team and they confirmed that ISE is vulnerable.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
(Prime Infrastructure is vulnerable as well but is not yet mentioned in the advisory.  It will be added in an upcoming revision.)

Similar Messages

  • ISE 1.2.0.899 patch 1,2,3,4 with blackberry 9700

    Hi, I'm using ISE 1.2.0.899 patch 1,2,3,4, and I am trying to use the guest portal on a BlackBerry 9700.
    I verified that I am able to do 802.1x with the BlackBerry.
    I associated to the SSID, opened the web browser, and I can see the guest portal.
    However, when I clicked on "don't have account?" to create a guest ID, I could not go any further.
    Does anyone know if it's supported or not? If it's working or not?
    I know in the network compatibility document for 1.2, there is no mention of BlackBerry.
    Does anyone know about this?

  • Ise 1.2.0.899 CWA Windows AD based

    Hi, I'm running ISE 1.2.0.899 patch 6
    When I use an internal ISE user which is in the Identity Group "Onboard", the guest authentication, self registration and profiling are going just great (see picture). But when I use an AD created user which on AD is in the same "Onboard" security group, it is authenticated but further than that I get the message "The system admin has either not configured or enabled a policy for your device". Furthermore I can see in the log that the AD user is authenticated with Identity Group "Any". I tried several things in the authorization in matching the memberof/external group based on "Onboard" with or without the guest flow specified. If I manage to get the device registered in the Identity Endpoint and I try to match on an AD group I see that it is working.
    So the bottom line of this question is: if the BYOD/CYOD is not registered in ISE (Identity Endpoint), which policy rule can I make so it will profile it as an Android and put it as a registered device?
    Does anyone know how this can be configured?  Any help is appreciated.
    Thanks in advance,
    Kind regards, 
    Michel

    Hi Neno,
    I was misled by the d0t1x AuthN in my first statement: if a connection is made on d0t1x with PEAP (mschapv2) then the AuthN checks in the identity source sequence (first AD) if the user exists. This is the case, so this connection is allowed by AuthZ rule: BYOD_AD_D0t1x
    1. What do you have configured under: Administration > System > Settings > Profiling > CoA?
    Currently it is configured for: "no CoA"
    As the Cisco documentation says:
    Exemptions for Issuing a Change of Authorization:
    An Endpoint Created through Guest Device Registration flow—When endpoints are created through device registration for the guests. Even though CoA is enabled globally in Cisco ISE, the profiling service does not issue a CoA so that the device registration flow is not affected. In particular, the PortBounce CoA global configuration breaks the flow of the connecting endpoint.

  • ISE 1.2.0.899 Patch 7

    Hey guys, I have ISE 1.2.0.899 with patch 7 installed in my environment, and I also have a WLC 5508 running version 7.4.121.0. We are authenticating our users with ISE. We are having an issue with our Guest WLAN: after we create an account with the sponsor portal for our guests, they can log in and get to the internet, but after 7 to 10 minutes the guest user is asked to re-authenticate again. I checked in the WLC to see if there is any timeout for our Guest WLAN, but there is not. At this point we don't know what is causing this problem since it only happens with the Guest WLAN; the other WLAN for users that authenticate with AD credentials works without any problems. Is anybody experiencing this same issue?

    Saurav Lodh, I did check the default time profile that is being used the sponsor. I even created a custom time profile to rule out any timeout on the Guest account, but even with the custom profile time the Guest account times out between 7 to 10 minutes and asks to re-authenticate again. I don't know if there is another place to look out for any timeouts, or is it maybe a bug with this version of ISE, but I couldn't find anybody else having this same issue which makes me think that it has to be a setting that is causing this problem.

  • Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

    Need help from ISE experts/gurus in this forum.
    Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make ISE stop working completely and a reboot is required (very nice bug from Cisco). This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
    Scenario: 
    - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
    - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
    - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
    - node 3 is Policy service node - hostname is node3
    - node 4 is Policy service node - hostname is node4
    Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
    My understanding is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
    to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
    upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
    Can I patch my existing environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
    I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
    I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
    Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
    step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
    Proposed solution:
    step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
    step #2:  Perform the upgrade on ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once the ISE node2 upgrade is completed, it will
              form a new ISE 1.2 cluster independent of the old cluster,
    step #3:  Perform the upgrade on ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service node3 will automatically join ISE node2 which is already on version 1.2
    step #4:  Perform the upgrade on ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service node4 will automatically join ISE node2 which is already on version 1.2
    step #5:  At this point the only node remaining on 1.1.2.145 patch 10 is ISE node1, Primary Admin and Primary Monitoring
    step #6:  Check and see if there are any more PSNs registered in ISE node1 (there should not be any)
    step #7:  Perform the upgrade on ISE node1 from the command line "application upgrade <app-bundle> <repository>"
    step #8:  Once the upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
    step #9:  Make ISE node1 Primary Admin and Secondary Monitoring and ISE node2 Secondary Admin and Primary Monitoring,
    Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
    Proposed solution:
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
    step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Do these steps make sense to you?
    Thanks in advance.

    David,
    A few answers to your questions -
    Question 1: My recommendation is to follow Vivek's blog since most fixes and upgrade steps are provided there. I would recommend installing the patch that was released prior to the 1.2 release date, since the directions to "install the latest patch" would put you at the version of when ISE 1.2 was released.
    https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
    You do not have the ability to install an ISE patch through the GUI on any of the "non-primary" nodes (you can use the CLI command to achieve this); the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at a time). I painfully verified this by watching the services on each node, and when a node was up and operational the next node would start the patching process. First the admin nodes, then the PSNs.
    Every ISE upgrade that I have attempted has not been flawless, and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine; however, I used the following process. You will need the service account information that is used to join your ISE to AD.
    I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
    I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
    I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
    Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
    Once the restore finished, I then restored the certificate and picked one of the PSNs
    backup the cert,
    Had the AD join user account handy
    reset-db,
    and run the upgrade script.
    Once that is done I then restore the cert
    Join the PSN to the new deployment
    Join both nodes to AD through primary admin node
    Monitor for a few days (separate consoles to make sure everything runs smoothly)
    If anything doesn't look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation. If it all goes smoothly you can then follow the above steps for the other two nodes, starting with the last PSN and then the last admin node.
    Thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • Applying Patches to ISE 1.2.0.899

    I am running ISE 1.2.0.899 Patch level 2. 
    I want to upgrade to patch level 6. 
    I understand that the patches are supposed to be cumulative and not incremental...but I want to make sure as I am 4 levels behind...Is there anything special I have to do? Do I just apply patch 6 from the Primary Admin node and it brings me straight to patch 6?
    Didn't note anything in the release notes, but I don't want to run into any surprises.
    Thanks, 
    Phill

    Well,
    I upgraded to patch 6. The patch did not replicate over to the other two nodes as I expected.
    I called TAC and was told to accomplish this manually, which I did on the secondary node.
    I did not have FTP access to the one in my DMZ, so I had to put that one off until the evening (had to get the firewall guy to give me access...then wait until after production hours). Anyhow, we noted a large increase in traffic between the primary ISE node and the Policy Service node in our DMZ...traffic flow seemed to be around 40 megs. This flow ceased when I manually upgraded the DMZ Policy Service Node.

  • IMac is vulnerable to Shellshock

    Hi,
    My iMac is vulnerable to Shellshock.  See test and results below.  Please advise.
    Test:
    Is my machine vulnerable?
    Shellshocker.net provides two tests, one for each vulnerability, (CVE-2014-6271) and (CVE-2014-7169). On a Mac, open the Terminal program and type:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    If you see "vulnerable" echoed in the response, your version of Bash is affected. Then type:
    env X='() { (a)=>\' bash -c "echo date"; cat echo
    If you see today's date (alongside any errors), your version of Bash is vulnerable.
    Results:
    Last login: Sun Sep 28 11:30:39 on console
    Daryls-iMac-2:~ darylkennedy$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
    Daryls-iMac-2:~ darylkennedy$
    Daryls-iMac-2:~ darylkennedy$ env X='() { (a)=>\' bash -c "echo date"; cat echo
    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    Sun Sep 28 11:36:27 EDT 2014
    Daryls-iMac-2:~ darylkennedy$

    d-nc wrote:
    Hi,
    My iMac is vulnerable to Shellshock.  See test and results below.  Please advise.
    Don't run a web server and don't allow remote access. But, I imagine that is true already.
    Unless you are using an Airport Extreme, your router is likely the biggest vulnerability. The others are generally configured through a web server.
    See the other posts Esquared linked.
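    The two probes quoted in the post above, wrapped into one check as an added example (this is not code from the original post or from shellshocker.net). It assumes a POSIX sh with mktemp and a bash on PATH (or a path passed as the first argument); the function name shellshock_probe and the result words are this example's own. The CVE-2014-7169 probe is run inside a scratch directory because, on a vulnerable bash, it writes a file named echo into the current directory, and the presence of that file is what the probe actually detects; the original one-liner leaves it behind in your home directory.

```shell
#!/bin/sh
# Added example: probe a bash binary for CVE-2014-6271 and CVE-2014-7169
# using the same two tests quoted in the post. Prints exactly one word:
#   vulnerable-6271, vulnerable-7169, patched, no-bash, or error.
# The function name and result words are this example's own choices.

shellshock_probe() {
    bash_bin="${1:-bash}"                       # optional: path to the bash to test
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # CVE-2014-6271: on an unpatched bash, the command that follows the
    # exported function body runs while the environment is imported, so the
    # word "vulnerable" shows up in the output before "this is a test".
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable-6271"; return 0 ;;
    esac

    # CVE-2014-7169: the incomplete first fix leaves parser state behind, so
    # "echo date" is executed as "date" with stdout redirected to a file named
    # "echo". Run it in a scratch directory so that file never lands in $PWD;
    # a patched bash just prints the word "date", which is discarded here.
    scratch=$(mktemp -d) || { echo "error"; return 0; }
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c "echo date" >/dev/null 2>&1 )
    if [ -s "$scratch/echo" ]; then
        rm -rf "$scratch"
        echo "vulnerable-7169"; return 0
    fi
    rm -rf "$scratch"
    echo "patched"
}

# Usage: ./shellshock_probe.sh            -> tests the bash found on PATH
#        ./shellshock_probe.sh /bin/bash  -> tests a specific binary
shellshock_probe "$@"
```

    Note that "patched" here only means the two original bugs are closed; the later CVEs listed further down this page (7186, 7187, 6277, 6278) need their own probes and are not covered by this check.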

  • Is ESX v3.0 / 3.5 vulnerable to Shellshock?

    Greetings,
    Is ESX v3.0 / 3.5 vulnerable to Shellshock? - I have searched all over and cannot find this answer. I tried finding out the linux shell version as well, but did not locate that. I thought Google would answer this in 2 minutes
    Any help is appreciated.
    Thanks,
    Rick

    It should be, as ESX 4 is vulnerable as well, with the difference being there is a patch available for ESX 4. I think the recommendation would be to upgrade to at least version 4 and apply the patch.
    Security advisory located at
    VMSA-2014-0010.4
    Regards
    Girish

  • Inactive Windows 7 supplicant tries to reauthenticate every 4 to 10 minutes in Cisco ISE 1.2.1.899

    Hi,
    We have a dashboard Windows 7 supplicant which is being used to monitor the network activities. There is no one working with this supplicant so it goes inactive.
    What we see in our ISE log is the supplicant trying to reauthenticate itself every 4 to 10 minutes. It goes on like this the whole day. We don't want this continuous behaviour after all.
    Switch port configuration looks like this:
    interface FastEthernet0/31
    description 802.1x Poort
    switchport access vlan xxx
    switchport mode access
    switchport nonegotiate
    switchport voice vlan xxx
    no logging event link-status
    priority-queue out
    authentication control-direction in
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication timer inactivity 120
    mab
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout quiet-period 300
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 300
    dot1x max-reauth-req 3
    dot1x timeout held-period 300
    dot1x timeout auth-period 3
    no mdix auto
    storm-control broadcast level 10.00
    storm-control multicast level 10.00
    no cdp enable
    spanning-tree portfast
    service-policy input xxxx
    end
    Has anyone got this same issue? Is this normal behaviour of an idle supplicant, or another issue around ISE/switch? Is there any switch configuration we are missing to get rid of this behaviour?
    ISE Version: 1.2.0.899
    Patch Information: 5,6,8
    Help would be much appreciated

    Hi Jan,
    Thank you for your reply. Indeed those timer values were not covered in the ISE design guide. We have implemented this timer to tweak the standard design. However we have finally discovered the solution for this issue.
    "authentication timer inactivity 120" was the root cause of the issue. So when a workstation goes idle, ISE tries to re-authenticate after 2 minutes because of this switch port configuration.
    We have tried to expand the timer to 3600 and it worked, issue fixed. But you will have then every one hour the same result (not a big issue).
    And yes, we have deleted all those timer values to keep the configuration simple as possible. Now we don't have the issue anymore.

  • CISCO ISE 1.2.0.899 - Self registration email address field Limit

    Hi
    I was wondering if someone out there can resolve an issue I am seeing: when a user goes to the self registration portal and enters an email address it only allows 24 characters to be entered, while the documentation states that up to 48 characters can be entered. Is there a setting that I need to change to increase the character limit to above 24?
    Thanks
    John

    Hi Anas
    That is not true, I had the same problem with ISE in our Network.
    We are running 1.2.0.899, after all the troubleshooting I decided to upgrade the Patch on the ISE.
    As part of that I have deployed patch 5, which has resolved the issue.
    So please just download patch 5 for the solution.
    Regards
    Sandy

  • ISE 1.2.0.899 and large number of alerts

    Hey,
    I have been in touch with our Cisco Partner about this, but I didn't get anywhere and the case was closed without a resolution..
    It turns out that you cannot clear more than 1000 alerts at once in ISE.
    This is a huge issue for me, because we have over 10k configuration change alerts that were generated when a user mistakenly created a few too many guest accounts through the sponsor portal.
    I am hoping there is a way I can clear up all these old alerts without having to click 9k of them one at a time to clear them..
    I considered automating the clicking through javascript in my browser, but of course the alert list was a flash object, so I couldn't do that either..
    -- Regards, Morten

    Hi Morten,
    This is a known issue - https://tools.cisco.com/bugsearch/bug/CSCul58094/?reffering_site=dumpcr
    This will be fixed in ISE 1.3 However, you can delete all the alerts in one go using root patch and sql cmds.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • HP hardware vulnerable to ShellShock bug?

    Hi all,
    I have been asked to check whether our HP hardware is affected in any way by the recent Bash vulnerability.
    We use the following HP hardware:
    E-MSM460 Access Point (ww)(J9591a) - Wireless Access Point
    ProCurve 2520G-24-POE (J9299A) - POE Switch
    ProCurve Switch 2510G-24 (J9279A) - Switch
    Can anyone advise whether these devices use any type of Linux or OSX based software?
    Many thanks,
    James.

    Hi,
    Please post your question on Business Support forum. HP rep at your country should tell you. I know we have many HP products in our halls (ie computer rooms) but I only talk with other vendors, not HP.
    Regards.
    BH
    **Click the KUDOS thumb up on the left to say 'Thanks'**
    Make it easier for other people to find solutions by marking a Reply 'Accept as Solution' if it solves your problem.

  • Prime Infrastructure vulnerable to ShellShock?

    Hi,
    does anyone know if Prime Infrastructure version 1.2 is also affected?
    It is not in the list:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    KR

    Hi Renata,
    I'm looking for a patch for our version (and still looking) but found a list that appears to show that 1.2 is affected.
    https://tools.cisco.com/bugsearch/bug/CSCur05228
    Hope that helps.
    Jim

  • ShellShock Vulnerable products

    Hello
    We have Cisco UCS blade servers B420 M3, serial: FCH1710J7JP
    and the Fabric Interconnect: UCS-FI-6248UP
    I need to know if those products are vulnerable to ShellShock.
    If they are vulnerable, which patch do I need to install?

    Just an FYI a fix has been released (2.2(3b))......
    Fixes will be available in the following upcoming releases:
    3.0(1d) ==> ETA week of 10/13
    2.2(3b) ==> released 10/9
    2.2(2e) ==> ETA week of 10/13
    2.2(1f) ==> ETA week of 10/13
    2.1(3f) ==> ETA will be announced shortly
    2.0(5g) ==> ETA will be announced shortly
    All six CVEs, CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6278, and CVE-2014-6277 have been fixed.
    The 2.2(3b) release was published to CCO on 10/9. The other 2.2 release trains will be updated in the week of 10/13. The release schedule for the 2.0 and 2.1 release trains will be announced soon - release candidates are currently still in QA.
    https://tools.cisco.com/bugsearch/bug/CSCur01379

  • ISE Config Backup Failure - Data filesystem full above threshold

    Hi,
    Both the config and operational backups were working until earlier last month. Now the config backup is failing with the following error. No configuration or repository settings were changed.
    ISE 1.2.0.899 Patch 8 - Clustered with persona Node 1 = PAN, SMN, PSN .... Node 2 = SAN, PMN, PSN
    CLI history says the same:
    The local repository (disk:/) is looking good. The "/" filesystem is taking 77% space.
    Although it may not be relevant. Data Purging is set to 30 days in the GUI and Operations -> Reports -> Data Purging Audit indicates its running daily with success i.e. threshold_space = 80GB, used_space = 3GB.
    Is there a way to clean "/" filesystem ? It is filling up by roughly 1% every 5 days ? Note: the same on Node 2 is only 24% full.
    Any ideas on how to get the config backup issue resolved ?
    P.S. If images don't appear inline, please see the attachment
    Thanks,
    Rick.

    922963 wrote:
    Hi JK,
    Thanks for response. Yes, I am worried that it may not be enough. How about if I increase memory to 32GB, ie. I have two servers, both with 32GB? Will it be sufficient in case of one physical server fail for 8GB data?
    What is the point in having the 3rd physical box if two boxes have enough memory/capacity? You know, we need to pay licence according to no of CPU.
    thanks,
    Henry

    Hi Henry,
    actually the recommended minimum number of physical boxes is 4 so that the witness protocol participants can all be on separate machines.
    But a minimum of 3 is highly recommended for a number of reasons related to partitioning:
    1. If you have only 2, then you are much more vulnerable to split brain scenarios (should for some reason the two servers not be able to communicate with each other, it is harder to decide which half should be the winner). In short how do you decide which box is unable to communicate with the rest of the cluster if there are only 2 boxes?
    2. You can't ensure a balanced and also machine safe partition distribution if you have a mismatching number of nodes on only 2 boxes. It would either be balanced or machine safe, but you can't get both at the same time. And you will either have mismatching number of nodes at startup or have mismatching number of nodes after one node failure.
    Best regards,
    Robert
