ISE 1.2 CRL

Hello,
Quick one this time...
What box is requesting the CRL, the ADM or the PSN?
Am I right to assume that port 80 needs to be open on the FW from the ADM or PSN to the CRL location?
Thx

ISE supports two ways of checking the revocation status of a client or server certificate that is issued by a particular CA. The first is to validate the certificate using the Online Certificate Status Protocol (OCSP), which makes a request to an OCSP service maintained by the CA. The second is to validate the certificate against a Certificate Revocation List (CRL) which is downloaded from the CA into ISE. Both of these methods can be enabled, in which case OCSP is used first, and the CRL is used only if a status determination cannot be made.
Please check the link below, which can be helpful for configuration:
Link-1
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

Similar Messages

  • Cannot download CRL to my ISE

    Hello,
    I have ISE 1.2. I have configured everything normally and I can browse to my CRL from any Windows PC, that is OK, but still my ISE cannot download the CRL; I get the following error on my ISE. Please help me, I'm totally stuck on this. I have a standalone CA.
    ISE error msg>>>
    Alarms: CRL Retrieval Failed
    Description: 
    Unable to retrieve CRL from the server. This could occur if the specified url is unavailable.
    Suggested Actions:
    Please ensure that the download url is correct and is available for the service
    Could not download Certificate Revocation List for certificate with CN=TrustedCA

    In the Certificate Revocation List Configuration area, do the following:
    a. Check the Download CRL check box for the Cisco ISE to download a CRL.
    b. Enter the URL to download the CRL from a CA in the URL Distribution text box. This field will be automatically populated if it is specified in the certificate authority certificate. The URL must begin with "http" or "https."
    The CRL can be downloaded automatically or periodically.
    c. You can configure the time interval between downloads in minutes, hours, days, or weeks if you want the CRL to be downloaded automatically before the previous CRL update expires.
    d. Configure the time interval in minutes, hours, days, or weeks to wait before the Cisco ISE tries to download the CRL again.
    e. If you uncheck the Bypass CRL Verification if CRL is not Received check box, all client requests that use certificates signed by the selected CA will be rejected until Cisco ISE receives the CRL file. If you check this check box, the client requests will be accepted before the CRL is received.
    f. If you uncheck the Ignore CRL that is not yet valid or expired check box, Cisco ISE checks the CRL file for the start date in the Effective Date field and the expiration date in the Next Update field. If the CRL is not yet active or has expired, all authentications that use certificates signed by this CA are rejected. If you check this check box, Cisco ISE ignores the start date and expiration date and continues to use the not yet active or expired CRL and permits or rejects the EAP-TLS authentications based on the contents of the CRL.
    For complete configuration, please check the link below.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html
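    As an added example (not ISE code and not from the Cisco guide linked above), the following Python models the decision the two replies describe: OCSP first when it is enabled, the CRL as the fallback when OCSP cannot determine a status, and the effect of the "Bypass CRL Verification if CRL is not Received" and "Ignore CRL that is not yet valid or expired" check boxes. The CRL, the responder table, the serial numbers and the dates are all constructed for the example.

```python
"""Model of the revocation decision described in the ISE CA trust settings.
Added example, not ISE code; all data below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple


@dataclass
class Crl:
    effective: datetime            # thisUpdate, shown as "Effective Date" in ISE
    next_update: datetime          # nextUpdate, shown as "Next Update" in ISE
    revoked: Set[int] = field(default_factory=set)   # revoked serial numbers


@dataclass
class CaRevocationSettings:
    """The per-CA switches from the Certificate Store page, as booleans."""
    ocsp_enabled: bool = False
    crl_enabled: bool = True
    bypass_if_crl_not_received: bool = False
    ignore_crl_not_yet_valid_or_expired: bool = False


def ocsp_lookup(serial: int, responder: Optional[Dict[int, str]]) -> Optional[str]:
    """'good' or 'revoked' from a constructed responder table; None means the
    responder was unreachable or had no answer, i.e. status undetermined."""
    if responder is None:
        return None
    return responder.get(serial)


def crl_check(serial: int, crl: Optional[Crl], cfg: CaRevocationSettings,
              now: datetime) -> Tuple[bool, str]:
    """Apply the CRL with the two check-box behaviours (step e and step f)."""
    if crl is None:                                   # step e: no CRL downloaded yet
        if cfg.bypass_if_crl_not_received:
            return True, "CRL not received; bypass enabled"
        return False, "CRL not received; rejecting until a CRL is downloaded"
    if not cfg.ignore_crl_not_yet_valid_or_expired:   # step f: validity window
        if now < crl.effective:
            return False, "CRL not yet valid (before Effective Date)"
        if now > crl.next_update:
            return False, "CRL expired (past Next Update)"
    if serial in crl.revoked:
        return False, "serial is on the CRL"
    return True, "serial not on the CRL"


def check_revocation(serial: int, cfg: CaRevocationSettings, now: datetime,
                     responder: Optional[Dict[int, str]] = None,
                     crl: Optional[Crl] = None) -> Tuple[bool, str]:
    """OCSP first when enabled; the CRL only if OCSP could not decide."""
    if cfg.ocsp_enabled:
        status = ocsp_lookup(serial, responder)
        if status == "good":
            return True, "OCSP: good"
        if status == "revoked":
            return False, "OCSP: revoked"
        # undetermined: fall through to the CRL if it is enabled
    if cfg.crl_enabled:
        return crl_check(serial, crl, cfg, now)
    return True, "no revocation check configured"


# Constructed CRL: issued 1 March 2015, next update one week later, one revoked serial.
ISSUED = datetime(2015, 3, 1, tzinfo=timezone.utc)
SAMPLE_CRL = Crl(effective=ISSUED, next_update=ISSUED + timedelta(days=7), revoked={0x1001})


def days_after_issue(n: int) -> datetime:
    """Helper for choosing an evaluation time relative to the constructed CRL."""
    return ISSUED + timedelta(days=n)


if __name__ == "__main__":
    cfg = CaRevocationSettings(ocsp_enabled=True)
    # OCSP responder unreachable, so the CRL decides: serial 0x1001 is revoked.
    print(check_revocation(0x1001, cfg, days_after_issue(1), responder=None, crl=SAMPLE_CRL))
    # Same CA with an expired CRL and the "ignore" box unchecked: everything is rejected.
    print(check_revocation(0x1002, cfg, days_after_issue(8), responder=None, crl=SAMPLE_CRL))
```

    The point of step e is visible in `crl_check`: with the bypass box unchecked, a CA whose CRL has never been fetched (the "CRL Retrieval Failed" alarm in the first post) rejects every certificate it issued, which is why a blocked port 80 to the CRL distribution point shows up as EAP-TLS failures rather than as a certificate error.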

  • Cisco ISE 1.1.2 and Certfication Revocation List (CRL) checking

    All,
    I have 4 ISE appliances version 1.1.2 running in my network called nodeA, nodeB, nodeC and nodeD.
    - NodeA is Primary Admin and Secondary Monitoring,
    - NodeB is Secondary Admin and Primary Monitoring,
    - NodeC is Policy node,
    - NodeD is Policy node,
    The ISE environment is tightly integrated with the company Microsoft Active Directory Windows 2008R2. We import the company-issued cert into the ISE for PEAP and CRL checking.
    Question: How often does the ISE perform CRL checking with the Certificate Authority (CA) Server?
    I also have an ACS environment that is also tightly integrated with Microsoft AD. How often does the ACS perform CRL checking with the Certificate Authority (CA) Server?
    What will happen to the ISE and ACS environment if the CA Server becomes un-available?
    I can't seem to find this question in either ISE or ACS documentation anywhere. 
    Thank you.

    How often does the ISE perform CRL checking with the Certificate Authority (CA) Server?
        ISE checks the CRL based on how you configure it. Admin > Certificates > Cert Store. Select your CA. From there you'll be able to edit the cert info. The last option is the CRL Configuration. You can set the download frequency.
    How often does the ACS perform CRL checking with the Certificate Authority (CA) Server?
        System Config > ACS Cert Setup > CRL. From there you'll be able to see/edit it.
    What will happen to the ISE and ACS environment if the CA Server becomes un-available?
        Most likely the end of the world, but to be honest I'm not really sure. My assumption is that if both the client and the ISE/ACS server already have their respective certs, they should still be able to work. Just no new certs or CRLs would be issued.
    Documentation Sources:
    ACS: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/sau.html
    ISE: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html
    HTH

  • ISE 1.1 - 24492 Machine authentication against AD has failed

    We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
    Authentication Summary
    Logged At:
    March 11,2015 7:00:13.374 AM
    RADIUS Status:
    RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    RadiusPacketType=Drop
     AuthenticationResult=Error
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:00:13.374 AM
    Occurred At:
    March 11,2015 7:00:13.374 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    host/LENOVO-PC.tdsouth.com
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    TDS-PEAP-TLS
    Service Type:
    Framed
    Identity Store:
    AD1
    Authorization Profiles:
    Active Directory Domain:
    tdsouth.com
    Identity Group:
    Allowed Protocol Selection Matched Rule:
    TDS-WLAN-DOT1X-EAP-TLS
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    SGA Security Group:
    AAA Session ID:
    ISE-TDS/215430381/40
    Audit Session ID:
    c0a801e10000007f54ffe828
    Tunnel Details:
    Cisco-AVPairs:
    audit-session-id=c0a801e10000007f54ffe828
    Other Attributes:
    ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
    Posture Status:
    EPS Status:
     Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    24433  Looking up machine/host in Active Directory - [email protected]
    24492  Machine authentication against Active Directory has failed
    22059  The advanced option that is configured for process failure is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    But the user can authenticated by EAP-TLS
    AAA Protocol > RADIUS Authentication Detail
    RADIUS Audit Session ID : 
    c0a801e10000007f54ffe828
    AAA session ID : 
    ISE-TDS/215430381/59
    Date : 
    March     11,2015
    Generated on March 11, 2015 2:48:43 PM ICT
    Actions
    Troubleshoot Authentication 
    View Diagnostic Messages
    Audit Network Device Configuration
    View Network Device Configuration 
    View Server Configuration Changes
    Authentication Summary
    Logged At:
    March 11,2015 7:27:32.475 AM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    TDS-WLAN-PERMIT-ALL
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    [email protected]
     State=ReauthSession:c0a801e10000007f54ffe828
     Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
     Termination-Action=RADIUS-Request
     cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
     MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
     MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
     Airespace-Wlan-Id=1
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:27:32.475 AM
    Occurred At:
    March 11,2015 7:27:32.474 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    [email protected]
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:

    Hello,
    I am analyzing your question and, looking at the ISE logs, I can see that the machine credential was LENOVO-PC. Are you sure that this credential exists in your Active Directory to validate this machine? Does the machine certificate have the correct machine credentials from the domain? Does the group mapped in the ISE rule have the machine inside it?
    This differs from the user authentication, which succeeds because the domain credentials can be validated by the Active Directory and get access to the network.

  • IOS CWA Redirect - ISE - Safari

    I do not believe I can be the only one with this issue, not when I have it at two sites and with the original installs being done by different people.
    Is anyone else having issues with Safari properly being redirected to ISE CWA by IOS redirection?
    I have this issue on 3750X for wired clients, and on a 3850 NGWC for wireless clients.  What makes this unique is that the only thing similar to this deployment is the Macbooks running with Safari.
    My troubleshooting seems to point at an issue with Safari not liking the redirect based upon the switch(3850,3750X) certificate.  Firefox and Chrome both work without issues on the test Macbooks.  I'm unable to find anything in the Bugtoolkit about it.
    If using Safari on Cisco switch for CWA is unsupported, please provide a link to Cisco document detailing it.

    This issue has been resolved. It turned out that the Macbook was trying to do a CRL download to confirm that the certificate was valid. I am pretty sure it was because the cheapest GoDaddy certificate was used and the intermediate certificate isn't always found in the default Mac certificate store. Firefox works because they handle CRL checks differently.
    I had two different resolutions as I had the problem at two different customers/sites.
    First test was allowing access to crl.godaddy.com.  After I excluded this IP address from the redirect and permitted it in the dACL - Safari was able to correctly redirect to the CWA portal page.
    At another site, due to the centralized management of the Macbooks, we utilized Mac OS X Server to create a profile in Profile Manager that included the GoDaddy Intermediate certificate and pushed that out to all macbooks to resolve the issue.
    In addition - and worthy of note.  If you are doing posturing and the ISE certificate is not trusted on Apple, the same sort of CRL check will occur and the NAC Agent will never posture the endpoint.
    tl;dr - Doublecheck Certificate trust settings on Apple because they are evil.

  • ISE and AD synchronization

    Hi all,
    Just wondering if any one would know the answer to this one...
    We have ISE linked to AD...all working well, however, when a user is given a certificate, the user won't be able to connect to the (wireless) network due to certificate problems.....after 1/2 hour to an hour, the user will be able to authenticate successfully....without any further intervention from IT Support.
    Seems like an ISE to AD sync issue.....does anyone know how often the ISE pulls AD for information....?
    Thanks in advance.
    UUmmmm thinking about this though, ISE should check the User "state" in AD every time the user tries to Authenticate....so could we possibly be talking about an AD replication issue here instead of ISE to AD???

    If you check your Authentication details, you will probably see "no certificate found for the user". There is an issue with distributed AD environments:
    In a distributed environment, a delay occurs before any domain controller has received the certificates and CRLs through Active Directory replication. The delay will vary depending on the Active Directory environment configuration.
    So I'd ask the AD guys what replication type and schedule they are running. This can be troubleshot by watching the Published Certificates tab of the user record. Open and close the record while enrolling and after to see when it shows up.
    What you should see is something like this in ISE record details, Steps section:
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    22037  Authentication Passed
    12506  EAP-TLS authentication succeeded
    11503  Prepared EAP-Success
    As far as your question:
    does anyone know how often the ISE pulls AD for information....?
    It only "pulls" information when you populate the AD dictionary (Groups and/or User attributes) in External Identities.
    As far as how often it performs a lookup: it performs a lookup for every authentication as required and for every processing of an Authorization Policy rule that requires a reference to that specific rule. (Think of multiple situations for processing rules which in turn would result in CoA processing for the session.)
    So your comment:
    UUmmmm thinking about this though, ISE should check the User "state" in  AD every time the user tries to Authenticate....so could we possibly be  talking about an AD replication issue here instead of ISE to AD???
    good troubleshooting /thinking!
    I hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.
    Please rate post you consider useful.
    -James

  • ISE bp tcpdump: unstoppable

    Hi all,
    anyone see something like this
    ISE bp tcpdump: unstoppable
    • customer ran tcpdump to understand the bp CRL he has. Then he wanted to stop it but he was not able to
    o click on the stop button
    under diag tools TCP dump
    Status : Monitoring...(approximate file size)
    host name : <host name>
    Network interface : g0
    promiscuous mode : on
    filter : host x.x.x.x
    o Then the following message appears
    Status : Monitoring...(Cleaning up)
    host name : <host name>
    Network interface : g0
    promiscuous mode : on
    filter : host x.x.x.x
    o Then nothing. If he waits a long time he gets an error message but is then left with an active trace
    • ISE bp CRL retrieval
    o I looked at the server logs of certificates: ISE servers are properly searching for the file
    o I did capture this corresponding retrieval from the CRL server: the CRL is transmitted
    ERROR 
    Could not download Certificate Revocation List
    CISE_Internal_Operations_Diagnostics 
    33402
    ConfigVersionId=100
    LastErrorMessage=Failed performing
    HTTP GET with error: (52) Server
    returned nothing (no headers
    no data)
    Certificate Revocation list Url=http://
    x.x.x.x/CertEnroll/xxxxxxxxxxxx.crl
    any advice?
    thanks in advance
    Lance
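    The alarm text above carries a libcurl error code (here 52) and the CRL URL, which together say where to look first. As an added example, not part of the thread and not ISE code, this Python parses such an alarm, re-joins the wrapped URL, and maps the code to the check a node operator would run from the node that raised the alarm. The libcurl code numbers and names are libcurl's; the hints are this example's; the sample alarm is constructed to match the layout in the post, with a placeholder host and file name.

```python
"""Parse an ISE 'Could not download Certificate Revocation List' diagnostic
and turn the libcurl error code into a first troubleshooting step.
Added example, not ISE code; the sample alarm is constructed."""
import re
from typing import Optional, Dict
from urllib.parse import urlsplit

# libcurl result codes (CURLcode numbers and names are libcurl's own) that
# commonly appear in ISE's LastErrorMessage; the hint text is this example's.
CURL_CODES = {
    6:  ("CURLE_COULDNT_RESOLVE_HOST",
         "name resolution failed on the node: check the node's DNS servers"),
    7:  ("CURLE_COULDNT_CONNECT",
         "TCP connect refused or unreachable: check the firewall path from the node "
         "to the CRL host on the URL's port"),
    22: ("CURLE_HTTP_RETURNED_ERROR",
         "the web server answered with an HTTP error (404/403): check the CRL path "
         "and the web server's ACLs"),
    28: ("CURLE_OPERATION_TIMEDOUT",
         "no answer in time: a firewall silently dropping the connection, or a slow server"),
    52: ("CURLE_GOT_NOTHING",
         "TCP connected but no HTTP response came back: check the CRL virtual directory "
         "and that the port is not being answered by a proxy or inspection device"),
}

# Constructed sample laid out like the CISE_Internal_Operations_Diagnostics entry
# in the post; host and file name are placeholders.
SAMPLE_ALARM = """ERROR
Could not download Certificate Revocation List
CISE_Internal_Operations_Diagnostics
33402
ConfigVersionId=100
LastErrorMessage=Failed performing
HTTP GET with error: (52) Server
returned nothing (no headers
no data)
Certificate Revocation list Url=http://
crl.example.test/CertEnroll/placeholder-ca.crl
"""


def parse_crl_alarm(text: str) -> Optional[Dict[str, object]]:
    """Return the curl code, its libcurl name, a hint, the URL and its host/port,
    or None when the text is not a CRL retrieval alarm."""
    flat = " ".join(text.split())                      # undo the line wrapping
    code_m = re.search(r"with error: \((\d+)\)", flat)
    # The URL is the last field; it may be wrapped over several lines.
    url_m = re.search(r"Url=([\s\S]*?)(?:\n\s*\n|\Z)", text)
    if not code_m or not url_m:
        return None
    code = int(code_m.group(1))
    url = "".join(url_m.group(1).split())              # re-join wrapped URL pieces
    parts = urlsplit(url)
    name, hint = CURL_CODES.get(code, ("unknown CURLcode", "see libcurl's error list"))
    return {
        "code": code,
        "name": name,
        "hint": hint,
        "url": url,
        "host": parts.hostname,
        "port": parts.port or (443 if parts.scheme == "https" else 80),
    }


if __name__ == "__main__":
    result = parse_crl_alarm(SAMPLE_ALARM)
    print(f"curl {result['code']} {result['name']}: {result['hint']}")
    print(f"check reachability of {result['host']}:{result['port']} from the alarming node")
```

    The host/port pair is the one to test from the node itself (the ISE CLI's own connectivity tools, or a capture as in the reply below) rather than from a workstation, since the first post's symptom, a CRL that browses fine from a PC but fails from ISE, is exactly the case where the two paths differ.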

    Kindly try the second option as it might be enabled by you.
    tcpdump
    explains that -W will use up the maximum number of files, then start all over with the first one.
    You can stop this by pressing +.
    To have it run even after logging out, I would use screen
    screen
    tcpdump port 80 -n -w packettrace.out -C 50 -W 100
    +,

  • Logical Profiles in ISE 1.2.1

    I'm having trouble understanding the Logical Profiles.
    What I understand from the user guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#58510
    for those too lazy to read:
    You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple condition for authorization, which can be included in the authorization rule. The attribute-value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which can be found in the EndPoints systems dictionary.
    so I thought that meant that I can group different profiles (Apple iPhone, iPad, iPod) together into a logical group e.g. "BYOD_Idevice" and use this logical profile in the Authorization.
    But I can't choose this freshly created Logical Group in the Authorization Condition. As a matter of fact, I can't choose this logical group ANYWHERE.
    Leaning back and thinking about it - it somehow makes sense. In the Authorization, you don't pick Profiles, you choose Identity endpoints. So what's the point of the logical profiles? I was hoping to clean/lean up my authorization rules with them. But what else would I use them for?
    Or is this a bug in ISE 1.2.1? Not sure if I should call TAC about this, or if I'm just not getting it :D
    Thanks a lot for your help!

    Nice username! :)
    So yes, you are correct, the logical profiles would allow you to group different type of dynamically profiled devices and then reference that profile in your authorization rules. However, you won't see those logical profiles under the "Identity Group Details" section. You will need to leave that field blank. Instead, you need to look in the "second" condition box: expression > Endpoint > LogicalProfile
    Hope this helps!
    Thank you for rating helpful posts!

  • Can't install the software for the Brother MFC-9440CN because it is not currently available from the Software Update server....how do I get the driver then..it ised to work in my old mac..but cant print to it in my new unit

    Can't install the software for the Brother MFC-9440CN because it is not currently available from the Software Update server....how do I get the driver then..it ised to work in my old mac..but cant print to it in my new unit

    Download the Brother Mountain Lion drivers here.

  • Caching credentials for webauth in ISE 1.2?

    We are providing internet access through a Guest portal. The portal is provided by the ISE through webauth and the user is created through the ISE Sponsor Portal.
    When an account is created and the end user logs in to it, I would like for the ISE to cache the credentials for that user for a period of time; at least 1 or more days before it prompts them to log back in again. Right now, if a user disconnects for a short period and then goes to reconnect, it prompts for the username/password again.
    Where (and how) in the ISE do you configure that?
    Thank you.                  

    Thanks for the quick reply Charles. I am reading through the details of it now.
    It looks like DRW basically registers the MAC of a connecting device in an identity store and then allows that device to connect. Does it still match the MAC to a guest user so that we can set time profiles against it and does it expire like the guest accounts do?
    Any ETA on the release of ISE 1.3?

  • Intermittent AD Authentication failures in ISE 1.2

    Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran an authentication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal? Any ideas?
    Thanks
    Jef

    Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have noticed that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
    When you say Multicast to your AD...how did you check that? We do use multicast.

  • Double lookup possible in ISE 1.2 ?

    I want to do MAB on a certain SSID and authenticate and register devices used in the SSID.
    I managed to do that. If not "RegisteredDevice" then redirect to a portal where users can log in with an AD account and register their devices.
    After registration, the device MAC is added to "RegisteredDevices" and the endpoint is profiled.
    The ISE database contains an endpoint profile and this profile contains the property "BYODRegistration" = yes and "PortalUser" = the AD account xxx@ADdomain.
    Now I want to link the state of the AD account to the database. When the user account is locked/expired/disabled, the device should be refused.
    I wonder if it is possible to do the following:
    MAB authentication occurs -> lookup MAC address in Registered Devices (=OK), lookup "Portal User" of device -> Query AD for this user, get property "UserAccountControl". Based on this property, I can determine if the account is still active. If yes -> allow access. If not -> refuse access, even if the device is in "RegisteredDevices".
    When I troubleshoot however, I notice that -when using MAB- ISE is trying the MAC address as username against AD and gets returned: "Unknown User", of course. Is there a way to use the linked "PortalUser" as username against AD instead of the MAC address?
    [NOTE: I am fully aware that the proper way of doing this is through Client Provisioning and Certificates with a second SSID using 802.1x to authenticate certificates, but for now, I want to prevent pushing anything to the clients.......]

    Too bad.
    I wish Cisco had implemented a property like this: RegisteredDevices:PortalUser:IdentityAccessRestricted
    (I am assuming PortalUser is an AD account here). Maybe a PER can help.....
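    The lookup chain the question lays out (MAC -> RegisteredDevices endpoint -> PortalUser -> AD account state) is simple to express outside ISE, for instance in a script that periodically reviews registered endpoints. As an added example, not ISE code and not something ISE itself performs, the following Python does that chain over constructed endpoint and AD records; the `userAccountControl` bit values and the `accountExpires` FILETIME encoding are Microsoft's, the endpoint and user records are made up, and the AD lookup is a dictionary standing in for an LDAP query.

```python
"""Refuse a MAB-registered device when its PortalUser AD account is disabled,
locked or expired. Added example; the records below are constructed and the
dictionary lookups stand in for ISE's endpoint store and an LDAP query."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# userAccountControl flag bits (Microsoft's documented values).
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010              # reliably reported only in msDS-User-Account-Control-Computed
NORMAL_ACCOUNT = 0x0200
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # accountExpires values meaning "never"

# accountExpires is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def account_state(user: Dict[str, int], now: datetime) -> Tuple[bool, str]:
    """Is the AD account usable right now? Mirrors the disabled/locked/expired
    cases the post wants the device decision to depend on."""
    uac = user["userAccountControl"] | user.get("msDS-User-Account-Control-Computed", 0)
    if uac & ACCOUNTDISABLE:
        return False, "account disabled"
    if uac & LOCKOUT:
        return False, "account locked out"
    expires = user.get("accountExpires", 0)
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return False, "account expired"
    return True, "account active"


def mab_decision(mac: str, endpoints: Dict[str, Dict[str, str]],
                 ad_users: Dict[str, Dict[str, int]], now: datetime) -> Tuple[bool, str]:
    """The chain from the post: MAC -> registered endpoint -> PortalUser -> AD state."""
    endpoint = endpoints.get(mac.upper())
    if endpoint is None or endpoint.get("BYODRegistration") != "yes":
        return False, "MAC not in RegisteredDevices"
    portal_user = endpoint.get("PortalUser")
    user = ad_users.get(portal_user or "")
    if user is None:
        return False, f"PortalUser {portal_user!r} not found in AD"
    ok, why = account_state(user, now)
    return ok, f"{portal_user}: {why}"


# Constructed data: one healthy account and one for each failure mode.
NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)
AD_USERS = {
    "alice@addomain.test": {"userAccountControl": NORMAL_ACCOUNT, "accountExpires": 0},
    "bob@addomain.test":   {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "accountExpires": 0},
    "carol@addomain.test": {"userAccountControl": NORMAL_ACCOUNT,
                            "accountExpires": datetime_to_filetime(NOW - timedelta(days=1))},
    "dave@addomain.test":  {"userAccountControl": NORMAL_ACCOUNT, "accountExpires": 0,
                            "msDS-User-Account-Control-Computed": LOCKOUT},
}
ENDPOINTS = {
    "00:11:22:33:44:55": {"BYODRegistration": "yes", "PortalUser": "alice@addomain.test"},
    "00:11:22:33:44:66": {"BYODRegistration": "yes", "PortalUser": "bob@addomain.test"},
    "00:11:22:33:44:77": {"BYODRegistration": "yes", "PortalUser": "carol@addomain.test"},
    "00:11:22:33:44:88": {"BYODRegistration": "yes", "PortalUser": "dave@addomain.test"},
    "00:11:22:33:44:99": {"BYODRegistration": "yes", "PortalUser": "gone@addomain.test"},
}

if __name__ == "__main__":
    for mac in ENDPOINTS:
        print(mac, mab_decision(mac, ENDPOINTS, AD_USERS, NOW))
```

    A script like this is one way to act on the reply's "too bad": endpoints whose decision comes back False can be removed from the RegisteredDevices group, after which the existing MAB rule refuses them without any per-session AD lookup in ISE.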

  • Max authz rules in ISE 1.2 ?

    Hi All,
    Is there any doco on what the current limit is on AuthZ rules in ISE 1.2?
    I have read 1.1.x had a limit of 140 authz rules.
    I am also considering using policy sets if that increases the total authZ rules.
    Cheers

    Peter,
    Here are the numbers for both 1.1.x and 1.2.  Hope this helps.
    Limit                              ISE 1.1.x   ISE 1.2
    Authentication Policy Rules        50          400
    Conditions per AuthC Policy Rule   3           8
    Authorization Policy Rules         140         600
    Authorization Identity Groups      20          1000
    Conditions per AuthZ Policy Rule   6           8
    Authorization Profiles             30          600
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Bug CSCup27305 in ISE 1.2.1.198 patch3

    Hi guys,
    I'm hitting bug CSCup27305 in version ISE 1.2.1.198 patch3 but can't find a fix version.
    Do you know what version can be applied, so DACL can start with permit IP Host 2.2.2.2 Host 1.1.1.1 = is NOT ok!
    Thanks a lot for your help.
    Erick Flamenco

    It is not resolved in any shipping version and will currently be in the first release that ships post 1.3.
    Note that this issue impacts DACL validator functionality, in that it does not detect the invalid DACL as it should, but it does not impact any end-to-end functionality and so may not get prioritized for any earlier patch.

  • Authentication Combination in ISE 1.2

    Is it possible to have dual authentication using workstations auth certs and Windows domain credentials for authentication in ISE 1.2?                  

    Hi Kevin,
    This would be a client side configuration.
    What type of authentication is this?
    VPN? wired or wireless dot1x?
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed
