ISE 1.2 Patch 12

Hi all,
I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
"5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x
I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)
Any info out there about 5441 before I log a TAC?????
Thanks.

Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients requests:
It would appear that because the accounting data doesn't get back it, there is confusion that the session doesn't exist and the auth fails.
Event
5400 Authentication failed
Failure Reason
12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution
Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause
Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

Similar Messages

ISE 1.2 patch 4 not retrieving groups

Since the update to ISE 1.2 patch 4 it isn't possible anymore to retrieve groups or attributes from the active directory. It keeps loading.
Anyone else experiencing this issue?
Regards,
Mathieu

The issue you are referring to is documented in the following CDETS:
CSCul84544: Retrieval of AD groups or attributes is failing
This is not yet resolved. May be resolved in a future patch
The workaround given in the CDETS is
Fix the DNS server so that the reverse DNS lookup matches
I believe there are other steps that can be taken to mitigate this but would need intervention from TAC

ISE 1.2 Patch 7 possible guest CWA bug

Just upgraded an ISE implementation to patch 7 and discovered that the patch broke the CWA guest portal on wireless. I haven't tested wired CWA but wireless is busted.
In summary the redirection works fine but when you enter valid guest credentials nothing happens including no logs on ISE. If you enter credentials that don't exist in the guest group you get a failed authentication and the corresponding log. As soon as I rolled back to patch 6 everything worked again.
If any TAC engineers see this feel free to pursue it - I would log a case but the kit is NFR and I can't be bothered going through the process of logging a job on NFR kit.

Hi,
I'm experiencing similar issues with patch 7. I am actually using a custom portal, which was working fine in patch 4 - after upgrading to patch 7 to fix a Web Posture bug, the portal would randomly push out pages from the Default Portal (I.E. Device Registration when I had no self provisioning flow enabled). Now, I am getting the error in the attachment after the user accepts the AUP.
The standard portal is working fine, except for a bug with the "Require Users to change password at login" option. When users try to change their password at first login, the portal errors out and I get an error in the Authentication Logs. However, the password is changed successfully. This issue is apparent since installing patch 7.

ISE 1.2 Patch 8

Our ISE Deployment for wireless only is operating on 1.2.0.899 Patch 3. We are looking to upgrade to Patch 8. We plan on testing in a Dev envioronment first, but I was curious what others experience had been with stability in Patch 8?

So far I have not had serious issues with patch 8 versus previous patches which caused me bother in certain areas. I think with all ISE patches you need to read the release notes and read the caveats to see what issues may or may not affect you. If you are on a production system I would also make sure you have your rollback option in place aswell. For what it is worth I am always keen to stay on the most recent patch of ISE due to patches generally fixing more than they break. Just make sure you run through your original system test plans and user test plans and all should be well.

ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

Hi community,
We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
Anybody else come across this??
All helpful comments rated!
Many thanks, Ash.

I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
~BR
Jatin Katyal
**Do rate helpful posts**

ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"

We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
Personas:
Administration
Role:
PRIMARY(A)
System Time:
Apr 24 2014 08:26:58 AM America/New_York
FIPS Mode:
Disabled
Version:
1.2.0.899
Patch Information:
7,1,3
11001
Received RADIUS Access-Request
11017
RADIUS created a new session
15049
Evaluating Policy Group
15008
Evaluating Service Selection Policy
15048
Queried PIP
15048
Queried PIP
15004
Matched rule
11507
Extracted EAP-Response/Identity
12500
Prepared EAP-Request proposing EAP-TLS with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12301
Extracted EAP-Response/NAK requesting to use PEAP instead
12300
Prepared EAP-Request proposing PEAP with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12302
Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318
Successfully negotiated PEAP version 0
12800
Extracted first TLS record; TLS handshake started
12805
Extracted TLS ClientHello message
12806
Prepared TLS ServerHello message
12807
Prepared TLS Certificate message
12810
Prepared TLS ServerDone message
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12318
Successfully negotiated PEAP version 0
12812
Extracted TLS ClientKeyExchange message
12804
Extracted TLS Finished message
12801
Prepared TLS ChangeCipherSpec message
12802
Prepared TLS Finished message
12816
TLS handshake succeeded
12310
PEAP full handshake finished successfully
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12313
PEAP inner method started
11521
Prepared EAP-Request/Identity for inner EAP method
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
11522
Extracted EAP-Response/Identity for inner EAP method
11806
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
11808
Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041
Evaluating Identity Policy
15006
Matched Default Rule
15013
Selected Identity Source - *****
24431
Authenticating machine against Active Directory
24470
Machine authentication against Active Directory is successful
22037
Authentication Passed
11824
EAP-MSCHAP authentication attempt passed
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
11810
Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814
Inner EAP-MSCHAP authentication succeeded
11519
Prepared EAP-Success for inner EAP method
12314
PEAP inner method finished successfully
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
15036
Evaluating Authorization Policy
24433
Looking up machine in Active Directory - host/*****
24435
Machine Groups retrieval from Active Directory succeeded
15048
Queried PIP
15048
Queried PIP
15048
Queried PIP
15048
Queried PIP
15048
Queried PIP
15004
Matched rule - Default
15016
Selected Authorization Profile - DenyAccess
15039
Rejected per authorization profile
12306
PEAP authentication succeeded
11503
Prepared EAP-Success
11003
Returned RADIUS Access-Reject

salodh,
Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly.
12500
Prepared EAP-Request proposing EAP-TLS with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12301
Extracted EAP-Response/NAK requesting to use PEAP instead
If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):
Name
Wired-******-PC
Conditions
Radius:Service-Type EQUALS Framed
AND
Radius:NAS-Port-Type EQUALS Ethernet
AND
*******:ExternalGroups EQUALS **********/Users/Domain Computers
AND
Network Access:EapAuthentication EQUALS EAP-TLS
Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.
Thanks again, sir.
Andrew

ISE 1.2 Patch 8 - Wired CoA Bug

Hi all,
Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).
I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin and the same error presented this time with the ip address of the secondary admin. I then proceeded to add the admin nodes as dynamic author clients and CoA started to work properly.
So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?

CoA Not Initiating on Client Machine
Symptoms or
Issue
Cisco ISE is not able to identify the specified Network Access Device (NAD).
Conditions Click the magnifying glass icon in Authentications to display the steps in the
Authentication Report. The logs display the following error message:
• 11007 Could not locate Network Device or AAA Client Resolution
Possible Causes • The administrator did not correctly configure the Network Access Device
(NAD) type in Cisco ISE.
• Could not find the network device or the AAA Client while accessing NAS by
IP during authentication.
Resolution • Add the NAD in Cisco ISE again, verifying the NAD type and settings.
• Verify whether the Network Device or AAA client is correctly configured in
Administration > Network Resources > Network Devices
Symptoms or
Issue
Users logging into the Cisco ISE network are not experiencing the required Change
of Authorization (CoA).
Conditions Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from
supported network devices.
Possible Causes Cisco ISE network enforcement points (switches) may be missing key configuration
commands, may be assigning the wrong port (for example, a port other than 1700),
or have an incorrect or incorrectly entered key.
Resolution Ensure the following commands are present in the switch configuration file (required
on switch to activate CoA and configure the switch):
aaa server radius dynamic-author
client <Monitoring_node_IP_address> server-key <radius_key>

Cisco ISE 1.2 Patch 6 -- 8 Update failed

Hi all,
I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
Important notice : I though that this error could be an unlucky try but i've tested the update two time.
Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
The symptoms after this error are :
- Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
- The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
- GUI Unavailable
- MAB Auth is working
- Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
- Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
Thanks for your help.

This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
2014-05-28T10:26:30.023223+00:00 XXXXXXX logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
2014-05-28T10:26:30.311676+00:00 XXXXXXX logger: Loading PKCS11 ...
2014-05-28T10:26:30.978432+00:00 XXXXXXX logger: SLF4J: Class path contains multiple SLF4J bindings.
2014-05-28T10:26:30.978454+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
pl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978502+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978509+00:00 XXXXXXX logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
2014-05-28T10:26:31.638970+00:00 XXXXXXX logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

Cisco ISE 1.2 Patch 8 with Roaming User Profiles

ISE 1.2 with patch 8 has been installed and Works fine.
Using AnyConnect Secure Mobility Client (NAM) 3.1.04072 and Cisco NAC Agent version 4.9.1013
Scenario is EAP Chaining which does machine authentication + User Authentication
After NAC Agent Pops up and Posture Assessment is successful, Users cannot see their Home drives and few other Network Drives.
Sometimes during login we get the Error Message "User Profile cannot be loaded" and "User cannot Logon"
Also while logging off We get the screen "Your Roaming Profile was not synchronized"
All the Home Drives and Network Shared drives IP addresses are already added in the Downloadable ACL's.
Any other Workaround to overcome these errors.
Regards,
Ramkumar.B

This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
2014-05-28T10:26:30.023223+00:00 XXXXXXX logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
2014-05-28T10:26:30.311676+00:00 XXXXXXX logger: Loading PKCS11 ...
2014-05-28T10:26:30.978432+00:00 XXXXXXX logger: SLF4J: Class path contains multiple SLF4J bindings.
2014-05-28T10:26:30.978454+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
pl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978502+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978509+00:00 XXXXXXX logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
2014-05-28T10:26:31.638970+00:00 XXXXXXX logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

ISE 1.2 patch 5 My devices portal not showing regsitered devices

Hello Guys,
I am running ISE 1.2 with all recent patches installed. I have a weird issue where AD users login to mydevices portal and are not able to view any of their registered devices. even thou the devices were successfully registered and onboarded.

Check your synchronization between your ise nodes, i had a similar issue, that was because ntp had been down for a while, and then the nodes didn't sync the device registrations, and guest users between the nodes.

ISE 1.2 Patch 8 - Endpoints in GUI missing

I have a customer were we did a upgrade from patch 2 -> patch 8 the other day.
Now Endpoints and Endpoint Identity Groups are missing from GUI. MAB is still working so Its probably only GUI related.
This is for both AD users and the admin user.
We also tried to create an new user with new access and menu policies to force/jump start access to the GUI but with no luck.
Anyone seen this?

can you confirm , if you are able to see 'endpoints/ endpoint groups " in the conditions while creating authorization profiles?

ISE 1.2 patch 3 - Sponsor Portal default timezone changed to non-existant ECT

Hi everybody,
We've applied patch3 to our ISE 1.2 cluster and after the upgrade all the sponsor accounts (externally autenticated on Active Directory) now have GMT +01:00 Europe/ECT as default Time Zone. Thus all the guest account created have the same time zone and guest authentication fails.
This is the error from ise-console.log:
guest:- com.cisco.cpm.guest.exceptions.PortalUserException: java.lang.IllegalArgumentException: The datetime zone id 'ECT' is not recognised
guest:- at com.cisco.cpm.guest.edf.GuestUserAdaptor.isAcctValid(GuestUserAdaptor.java:489)
I checked the admin interface and the 1.2 documentation but could not find any default setting for sponsor users Time Zone
Time zone for the 3315 is CET:
clock timezone CET
A workaround is to have each sponsor user update its Time Zone setting on the Sponsor Portal, but this is impratical.
Did anybody experience the same issue?
Regards,

Hi Luigi Gangitano,
From when are you experiencing this issue? I suspect this would have been an issue when the server timezones are changed from CEST timezone to CET timezone.
To further figure out where exactly the issue is ,
1.Can you please let us know what is the timezone in the UI on the top most right corner in the server information section is ?
2.Similarly can you please check the timezone in the CLI of Primary ISE node.
If the above two locations are displaying correct timezone then we have to suspect with the sponsor portal.

ISE 1.2 patch 6 - All Authentications begin failing after about 20 minutes

Hi all,
Another strange one I am throwing out to the forum. Basically I have a 5 node deployment (1 x Primary Admin, 1 x Primary Monitoring, 1 x Secondary Admin/Monitoring and 2 x Policy Nodes). The primary authentication method is EAP-TLS or PEAP for wireless only. The deployment in question has been in pilot for about 3 weeks with no issues what so ever.
As of this morning we rolled into production and all seemed well - about 100 users successfully authed against PSN1 (PSN2 is configured in the WLC as a secondary radius). About 30 minutes after the production rollout authentications began failing for the exact same reason (see attached radius log). I checked all of the certificates as recommended in the log but this was a matter of course in that everything is as it should be.
My next step was to essentially stop PSN1 (application stop ise) to see if the issue was a problem on the second PSN. All authentications were now succeeding via PSN2. I left it this way for 30 minutes with no drama. I started PSN1 again and authentications began to work....20 minutes later the issue was back. I replicated this issue again to be sure.
At this point I decided to deregister PSN1 and application reset the node before rejoining with the ISE deployment. Authentications worked well until about 30 minutes later when the issue reappeared. At this point I reloaded all nodes in the ISE deployment to see if this made a difference but the issue still remained.
Currently I have PSN1 shutdown and all is functioning well - anyone have any ideas??

I got this fixed via TAC. Basically the following is the bug but it is worth noting that this deployment was a fresh build of 1.2
https://tools.cisco.com/bugsearch/bug/CSCuj17272/?reffering_site=dumpcr
Symptom:
all auth fails when using the existing identity source sequences after upgrade from 1.1.3 to 1.2.
Conditions:
upgrade from 1.1.3 to 1.2 build 899 breaks all auth using identity sequences.
Basically the fix was to recreate my ID sequences and reapply to the authentication policy. This fixed the issue on the policy node in question.

ISE 1.2 Patch 8 Endpoint icon Missing

Hi,
Has anyone seen an issue where the Endpoint icon under Identity just disappears.
I upgraded to Patch 8 yesterday and all seemed fine but sometime this morning between adding enpoints the icon has gone.
Very strange.

I recall seeing this as a bug with Patch 8. v1.2.1 addresses and fixes this.

Cisco ISE 1.1 patch 3

I am installing patch 3 on version 1.1. and just noticed that the admin password had reverted back to the prevoius version. In case any one has any issues logging in try that. I am going to open a TAC case once the patch finishes installing on the other 4 nodes.
Thanks,
Tarik Admani

I suspect the below listed defect here:
CSCue41912 Posture : NAC agent not triggering on WIN8.
~BR
Jatin Katyal
**Do rate helpful posts**

ISE 1.2 Patch 12

Similar Messages

Maybe you are looking for