ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"

We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
Personas: Administration
Role: PRIMARY(A)
System Time: Apr 24 2014 08:26:58 AM America/New_York
FIPS Mode: Disabled
Version: 1.2.0.899
Patch Information: 7,1,3
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - *****
24431 Authenticating machine against Active Directory
24470 Machine authentication against Active Directory is successful
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
15036 Evaluating Authorization Policy
24433 Looking up machine in Active Directory - host/*****
24435 Machine Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject

salodh,
Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly. 
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):
Name: Wired-******-PC
Conditions:
Radius:Service-Type EQUALS Framed
AND Radius:NAS-Port-Type EQUALS Ethernet
AND *******:ExternalGroups EQUALS **********/Users/Domain Computers
AND Network Access:EapAuthentication EQUALS EAP-TLS
Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.
Thanks again, sir.
Andrew
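
A triage helper for step lists like the one above, added here as an example (it is not ISE's tooling and not the poster's code): it reads the steps as pasted from the ISE authentication report, records the outer EAP method ISE proposed first, whether the supplicant NAKed it and what it asked for instead, the method finally negotiated, the authorization profile and the RADIUS result, then evaluates the one condition of the authorization rule above that depends on the EAP method (Network Access:EapAuthentication EQUALS EAP-TLS). The step codes and messages in the constructed sample are the ones quoted in this thread; the parser, the field names and the rule check are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

STEP_RE = re.compile(r"^\s*(\d{4,5})\s*(.*?)\s*$")  # "12500 msg" or a bare "12500"
PROPOSE_RE = re.compile(r"proposing (\S+) with challenge")
NAK_RE = re.compile(r"EAP-Response/NAK requesting to use (\S+) instead")
NEGOTIATED_RE = re.compile(r"accepting (\S+) as negotiated")
PROFILE_RE = re.compile(r"Selected Authorization Profile - (\S+)")
RESULT_RE = re.compile(r"Returned RADIUS (Access-\w+)")

@dataclass
class EapSummary:
    first_proposal: Optional[str] = None  # outer method ISE offered first (step 12500)
    nak_to: Optional[str] = None          # method the supplicant asked for instead (12301)
    negotiated: Optional[str] = None      # outer method finally accepted (12302)
    authz_profile: Optional[str] = None   # step 15016
    result: Optional[str] = None          # last "Returned RADIUS ..." step

def iter_steps(text: str):
    """Yield (code, message) pairs from the pasted step list."""
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        if m and m.group(2):
            yield int(m.group(1)), m.group(2)
        elif m:                                # bare code, message on the next line
            pending = int(m.group(1))
        elif pending is not None:
            yield pending, line
            pending = None

def summarise(text: str) -> EapSummary:
    """Collect the outer EAP negotiation; inner-method steps are skipped."""
    s = EapSummary()
    for _code, msg in iter_steps(text):
        if "inner" in msg.lower():             # EAP-MSCHAP inside PEAP is not the outer method
            continue
        if (m := PROPOSE_RE.search(msg)) and s.first_proposal is None:
            s.first_proposal = m.group(1)
        elif (m := NAK_RE.search(msg)):
            s.nak_to = m.group(1)
        elif (m := NEGOTIATED_RE.search(msg)):
            s.negotiated = m.group(1)
        elif (m := PROFILE_RE.search(msg)):
            s.authz_profile = m.group(1)
        elif (m := RESULT_RE.search(msg)):
            s.result = m.group(1)
    return s

def eap_tls_rule_matches(s: EapSummary) -> bool:
    # The rule's "Network Access:EapAuthentication EQUALS EAP-TLS" condition; its
    # other conditions (Service-Type, NAS-Port-Type, AD group) are not in the steps.
    return s.negotiated == "EAP-TLS"

def supplicant_naked(s: EapSummary) -> bool:
    # True when the client refused ISE's first proposal and asked for another method.
    return bool(s.nak_to and s.first_proposal and s.nak_to != s.first_proposal)

# Constructed excerpt, condensed from the step list quoted in the thread above.
SAMPLE = """\
12500
Prepared EAP-Request proposing EAP-TLS with challenge
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
"""
```

Run over the sample it reports that EAP-TLS was proposed, the supplicant NAKed it for PEAP, and the EAP-TLS condition therefore cannot match, which is why the Default rule and DenyAccess are what the report shows.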

Similar Messages

  • Native Supplicant "NAK requesting to use PEAP instead"

    Hello,
    We have a Cisco ISE infrastructure in place and we're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the native Windows supplicant to use EAP only?
    "Microsoft: Smart Card or other certificate" is selected under network authentication method, by group policy, and I thought that wouldn't allow PEAP, but our ISE logs show "NAK requesting to use PEAP instead", after which authorization fails because we're not using PEAP.
    For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
    Thanks,
    Andrew

    Hi,
    About this issue, please contact Cisco Tech Support for help.
    Karen Hu
    TechNet Community Support

    I've already been in contact with them and they've verified our configuration. All that can be done on the Cisco side is to "propose" the client to go through EAP-TLS as the first option, which we are doing. This will not block any clients trying to connect using other protocols, and, though this will propose EAP-TLS, there is no way to enforce it at the supplicant level. This will be a client decision always. From Cisco:
    Please monitor this after the change we applied, but if the issue persists, since we are dealing with the Windows supplicant, it would be a good idea to involve the native supplicant support.

  • Parameters into request-uri using POST instead of GET.

    I wrote some servlets that send parameters to each other.
    The request came from an HTML form, and I used JavaScript to submit it.
    Example:
    <script language="JavaScript">
    function doMyPost(idparam) {
        // append the id to the form action as a query-string parameter
        document.myform.action = document.myform.action + "?id=" + idparam;
        document.myform.submit();
    }
    </script>
    <form name="myform" action="myservlet" method="post">
    ... <!-- NO INPUT ELEMENTS -->
    </form>
    In this case the servlet method "myservlet.doPost()" could not find "id" parameter.
    Writing:
    <form name="myform" action="myservlet" method="post">
    <input type="hidden" name="foo" value=""/>
    </form>
    Now the servlet method doPost() found "id".
    I know that a correct submit with "post" and with an input named "id" would not generate errors (my HTML is very unconventional...), but I wrote "myservlet" to accept only POST requests, and it was easy to build a list of anchors (XSL) which call my script with different values of "id" ...
    Why this behaviour? (Is it due to the servlet, the web server (WebSphere), or the browser (IE)?)
    I found nothing about this in the HTTP/1.1 specification, but I can't exclude some protocol intervention...
    Bye,
    Mauro

    As I recall, this is in the specification, but it's in the part describing the functionality of a form post.
    When the method is POST, the receiving page reads the information from the form-content only, which has been MIME-encoded and appended to the submission. Any parameters added to the URL do get passed along but they are ignored by the POST processing.
    You'd be better off adding a hidden field to your form:
    <script>
    function docPost(idparam){
       //document.myform.action=document.myform.action+"?id="+idparam;
       document.myform.id.value = idparam;   // set the hidden field instead of the URL
       document.myform.submit();
    }
    </script>
    <input type="hidden" name="id" value="">

  • ISE 1.2 Patch 12

    Hi all,
    I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
    None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
    "5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
    Is anyone aware of a possible bug? I guess you need to upgrade to 1.3.x.
    I would've thought Cisco would bring out a fix for this in 1.2.x... maybe patch 13 (new bug?)
    Any info out there about 5441 before I log a TAC?
    Thanks.

    Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients' requests:
    It would appear that because the accounting data doesn't get back, there is confusion that the session doesn't exist and the auth fails.
    Event: 5400 Authentication failed
    Failure Reason: 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
    Resolution: Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
    Root cause: Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

  • ISE 1.2 patch 4 not retrieving groups

    Since the update to ISE 1.2 patch 4 it is no longer possible to retrieve groups or attributes from Active Directory. It keeps loading.
    Anyone else experiencing this issue?
    Regards,
    Mathieu

    The issue you are referring to is documented in the following CDETS:
    CSCul84544: Retrieval of AD groups or attributes is failing
    This is not yet resolved; it may be resolved in a future patch.
    The workaround given in the CDETS is:
    Fix the DNS server so that the reverse DNS lookup matches.
    I believe there are other steps that can be taken to mitigate this, but they would need intervention from TAC.

  • ISE 1.2 Patch 7 possible guest CWA bug

    Just upgraded an ISE implementation to patch 7 and discovered that the patch broke the CWA guest portal on wireless. I haven't tested wired CWA but wireless is busted.
    In summary the redirection works fine but when you enter valid guest credentials nothing happens including no logs on ISE. If you enter credentials that don't exist in the guest group you get a failed authentication and the corresponding log. As soon as I rolled back to patch 6 everything worked again.
    If any TAC engineers see this feel free to pursue it - I would log a case but the kit is NFR and I can't be bothered going through the process of logging a job on NFR kit.

    Hi,
    I'm experiencing similar issues with patch 7. I am actually using a custom portal, which was working fine in patch 4. After upgrading to patch 7 to fix a Web Posture bug, the portal would randomly push out pages from the Default Portal (i.e. Device Registration when I had no self-provisioning flow enabled). Now, I am getting the error in the attachment after the user accepts the AUP.
    The standard portal is working fine, except for a bug with the "Require Users to change password at login" option. When users try to change their password at first login, the portal errors out and I get an error in the Authentication Logs. However, the password is changed successfully. This issue is apparent since installing patch 7.

  • ISE 1.2 Patch 8

    Our ISE deployment for wireless only is operating on 1.2.0.899 Patch 3. We are looking to upgrade to Patch 8. We plan on testing in a dev environment first, but I was curious what others' experience had been with stability in Patch 8?

    So far I have not had serious issues with patch 8 versus previous patches which caused me bother in certain areas. I think with all ISE patches you need to read the release notes and read the caveats to see what issues may or may not affect you. If you are on a production system I would also make sure you have your rollback option in place as well. For what it is worth I am always keen to stay on the most recent patch of ISE due to patches generally fixing more than they break. Just make sure you run through your original system test plans and user test plans and all should be well.

  • How to Submit a Concurrent Request Set Using a Self-Service Page

    Hi all,
    I would like to know how to Run/Submit a Concurrent Request Set Using a Self-Service Page
    Thanks.
    Bench

  • How to create software request form using Info path functionality?

    Hi All,
    I am trying to create a Software Request Form using InfoPath functionality. Following are the steps:
    1. Users will fill out the form with all necessary fields.
    2. Once they click on the Submit button, it will send an email to two specific groups with a link so that they can see the form and Approve/Deny or can put comments on that.
    Thanks in advance!

    Hi Rakib,
    There are many ways you can achieve this.
    Either by creating a SharePoint list and then modifying it using InfoPath to get all your required fields added
    or
    Use the InfoPath application and select any template or blank form template to get all your required fields added and then publish it to the SharePoint site.
    For the second step you can create an OOTB workflow which can send email to view and approve items using the Approval workflow feature.
    For the advance notification you can use SPD workflows as well.
    Refer this article for more on InfoPath and SPD integration - http://gallery.technet.microsoft.com/office/Step-By-Step-build-30f84363
    Let us know if this helps, thanks
    Regards,
    Pratik Vyas | SharePoint Consultant |
    http://sharepointpratik.blogspot.com
    Posting is provided AS IS with no warranties, and confers no rights
    Please remember to click Mark As Answer if a post solves your problem or
    Vote As Helpful if it was useful.

  • How do I resolve "Error processing your request", when using Download link in My Orders (photoshop 5

    How do I resolve "error processing your request" when using the download link in My Orders for photoshop 5

    As Jeff already hinted at, try a different browser. Such issues almost always are local problems on your end. Something is either changing or blocking the HTTP headers used for forwarding (could be your router, a desktop firewall or other security tools) or a JavaScript is not running/ being blocked.
    Mylenium

  • What kind of transport request is used to transport custom table contents ?

    What kind of transport request is used to transport custom table contents ?
    Also what kind of transport request is used to transport SAP standard table contents ?

    Create a Workbench request only.
    Because when you transport the table from the development server to quality, the table records won't be transported.
    We don't have any TR type to transport a table with its records.
    If useful, reward points.
    Regards,
    Rajneesh Gupta

  • Errored during request submission using request see APIs

    Hi guys, I get this error when I call a concurrent program and do a request submission: the request status is red (error) with the following error:
    "Errored during request submission using request see APIs"
    I'm using Forms 6i and EBS.

    Hi,
    I am getting the exact same error.
    It appears when we run request sets!
    We have made a trigger that sends an email to our sysadmins every time a concurrent request fails. This trigger fires on insert or update of applsys.fnd_concurrent_requests when new.status_code = 'E' /*Error*/ and new.phase_code = 'C' /*Complete*/.
    In other words we should only get a message when the request has the status Error and is Complete.
    However for request sets we get an email saying that it has failed with the following message "Errored during request submission using request see APIs". BUT, when we query the request in the Application, it has the status Normal! This applies to several different request sets.
    So, my question is: Does anyone know if, or why, the standard request submission of request sets updates the status to Error for a short time, and then updates it to Normal afterwards?
    Thanks
    Roy

  • Is there any patch available so i can use it in Oracle 9i Standard Edition

    Incremental Backup and Recovery
    Parallel DML
    Parallel Query
    Export/import Transportable Tablespace
    These features are supported by Oracle 9i Enterprise Edition but not by Oracle 9i Standard Edition.
    Is there any patch available so I can use them in Oracle 9i Standard Edition?

    A DVD is essentially a standard definition image (DV)
    So, if you are not adding titles or compositing, simple DV/NTSC (or DV/PAL) will work.
    If you are doing compositing, ProRes LT for standard definition would be the way to go.
    x

  • ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

    Hi community,
    We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
    Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
    To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
    Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority of RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to the next in the list.
    Anybody else come across this?
    All helpful comments rated!
    Many thanks, Ash.

    I couldn't find any known issues with this feature. Could you please paste a screenshot of the external RADIUS sequence and configuration? Also, how are we determining that the first server in the sequence is DEAD?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE 1.2 Patch 8 - Wired CoA Bug

    Hi all,
    Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).
    I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin and the same error presented this time with the ip address of the secondary admin. I then proceeded to add the admin nodes as dynamic author clients and CoA started to work properly.
    So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?

    CoA Not Initiating on Client Machine
    Symptoms or Issue: Cisco ISE is not able to identify the specified Network Access Device (NAD).
    Conditions: Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
    • 11007 Could not locate Network Device or AAA Client
    Possible Causes:
    • The administrator did not correctly configure the Network Access Device (NAD) type in Cisco ISE.
    • Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
    Resolution:
    • Add the NAD in Cisco ISE again, verifying the NAD type and settings.
    • Verify whether the Network Device or AAA client is correctly configured in Administration > Network Resources > Network Devices

    Symptoms or Issue: Users logging into the Cisco ISE network are not experiencing the required Change of Authorization (CoA).
    Conditions: Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from supported network devices.
    Possible Causes: Cisco ISE network enforcement points (switches) may be missing key configuration commands, may be assigning the wrong port (for example, a port other than 1700), or have an incorrect or incorrectly entered key.
    Resolution: Ensure the following commands are present in the switch configuration file (required on switch to activate CoA and configure the switch):
    aaa server radius dynamic-author
    client <Monitoring_node_IP_address> server-key <radius_key>