ISE 1.2 Patch 8 - Endpoints in GUI missing

I have a customer were we did a upgrade from patch 2 -> patch 8 the other day.
Now Endpoints and Endpoint Identity Groups are missing from GUI. MAB is still working so Its probably only GUI related.
This is for both AD users and the admin user.
We also tried to create an new user with new access and menu policies to force/jump start access to the GUI but with no luck.
Anyone seen this?

can you confirm , if you are able to see 'endpoints/ endpoint groups " in the conditions while creating authorization profiles?

Similar Messages

  • ISE 1.2 Patch 8 - Wired CoA Bug

    Hi all,
    Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).
    I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin and the same error presented this time with the ip address of the secondary admin. I then proceeded to add the admin nodes as dynamic author clients and CoA started to work properly.
    So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?

    CoA Not Initiating on Client Machine
    Symptoms or
    Issue
    Cisco ISE is not able to identify the specified Network Access Device (NAD).
    Conditions Click the magnifying glass icon in Authentications to display the steps in the
    Authentication Report. The logs display the following error message:
    • 11007 Could not locate Network Device or AAA Client Resolution
    Possible Causes • The administrator did not correctly configure the Network Access Device
    (NAD) type in Cisco ISE.
    • Could not find the network device or the AAA Client while accessing NAS by
    IP during authentication.
    Resolution • Add the NAD in Cisco ISE again, verifying the NAD type and settings.
    • Verify whether the Network Device or AAA client is correctly configured in
    Administration > Network Resources > Network Devices
    Symptoms or
    Issue
    Users logging into the Cisco ISE network are not experiencing the required Change
    of Authorization (CoA).
    Conditions Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from
    supported network devices.
    Possible Causes Cisco ISE network enforcement points (switches) may be missing key configuration
    commands, may be assigning the wrong port (for example, a port other than 1700),
    or have an incorrect or incorrectly entered key.
    Resolution Ensure the following commands are present in the switch configuration file (required
    on switch to activate CoA and configure the switch):
    aaa server radius dynamic-author
    client <Monitoring_node_IP_address> server-key <radius_key>

  • ISE 1.2 Patch 12

    Hi all,
    I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
    None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
    "5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
    Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x
    I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)
    Any info out there about 5441 before I log a TAC?????
    Thanks.

    Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients requests:
    It would appear that because the accounting data doesn't get back it, there is confusion that the session doesn't exist and the auth fails.
    Event
    5400 Authentication failed
    Failure Reason
    12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
    Resolution
    Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
    Root cause
    Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

  • ISE 1.2 patch 4 not retrieving groups

    Since the update to ISE 1.2 patch 4 it isn't possible anymore to retrieve groups or attributes from the active directory. It keeps loading.
    Anyone else experiencing this issue?           
    Regards,
    Mathieu

    The issue you are referring to is documented in the following CDETS:
    CSCul84544: Retrieval of AD groups or attributes is failing
    This is not yet resolved. May be resolved in a future patch
    The workaround given in the CDETS is
    Fix the DNS server so that the reverse DNS lookup matches
    I believe there are other steps that can be taken to mitigate this but would need intervention from TAC

  • ISE 1.2 Patch 7 possible guest CWA bug

    Just upgraded an ISE implementation to patch 7 and discovered that the patch broke the CWA guest portal on wireless. I haven't tested wired CWA but wireless is busted.
    In summary the redirection works fine but when you enter valid guest credentials nothing happens including no logs on ISE. If you enter credentials that don't exist in the guest group you get a failed authentication and the corresponding log. As soon as I rolled back to patch 6 everything worked again.
    If any TAC engineers see this feel free to pursue it - I would log a case but the kit is NFR and I can't be bothered going through the process of logging a job on NFR kit.

    Hi,
    I'm experiencing similar issues with patch 7. I am actually using a custom portal, which was working fine in patch 4 - after upgrading to patch 7 to fix a Web Posture bug, the portal would randomly push out pages from the Default Portal (I.E. Device Registration when I had no self provisioning flow enabled). Now, I am getting the error in the attachment after the user accepts the AUP.
    The standard portal is working fine, except for a bug with the "Require Users to change password at login" option. When users try to change their password at first login, the portal errors out and I get an error in the Authentication Logs. However, the password is changed successfully. This issue is apparent since installing patch 7.

  • ISE 1.2 Patch 8

    Our ISE Deployment for wireless only is operating on 1.2.0.899 Patch 3.  We are looking to upgrade to Patch 8.  We plan on testing in a Dev envioronment first, but I was curious what others experience had been with stability in Patch 8?

    So far I have not had serious issues with patch 8 versus previous patches which caused me bother in certain areas. I think with all ISE patches you need to read the release notes and read the caveats to see what issues may or may not affect you. If you are on a production system I would also make sure you have your rollback option in place aswell. For what it is worth I am always keen to stay on the most recent patch of ISE due to patches generally fixing more than they break. Just make sure you run through your original system test plans and user test plans and all should be well.

  • ISE 1.2 disable endpoints with certain mac address

    Hi All,
    We have an AD to authenticate for wireless users. In AD, we have specified to block the user if the password is entered wrongly for more than 3 times. The problem is some of them are using other user ID and locking the accounts. I have gotten the MAC address of the user. Can anyone please advise how to block the request from this MAC from even reaching the AD.
    Thanks

    You have two options from ISE and one option from the WLC:
    The first option which is not very scalable is to modify your authentication policy to deny access to an specific MAC address(Radius:Calling station ID). But this is not very scalable as you can only specify one MAC address.
    Your second option is to enable the anomalous client suppression(under systems->settings->protocols->RADIUS). This will be your best option but it would require a bit of testing to identify what are the best values for your environment.
    From the controller you can enable the excessive 802.1x authentication failures. By default it won't even send the fourth authentication to ISE for a failing endpoint:

  • Adding Index server to existing farm, "Server Farm Product and Patch Status" returned 34 Missing Locally required products and patches

    Once I connected my new server to my farm's config db, it returned all of the following missing locally. I stripped out any redundancies and Headings, and I'm left with 43. I'm looking for a efficient strategy. Should I start with the lowest version number
    and work my way up? Current DB version is 14.0.7015.1000. IIRC, SP2 is cumulative, so can I ignore the first two (SP1 and Hotfix), install SP2, and then the Language packs and etc on top?
    Sorted by version:
    Microsoft SharePoint 2010 Service Pack 1 (SP1) (14.0.6029.1000)
    Hotfix for Microsoft SharePoint Server 2010 (KB2775353) 64-Bit Edition (14.0.6105.5000)
    Service Pack 2 for Microsoft SharePoint 2010 (KB2687453) 64-Bit Edition (14.0.7015.1000)
    Service Pack 2 for Microsoft 2010 Server Language Pack (KB2687462) 64-Bit Edition (14.0.7015.1000)
    Microsoft Office Server Proof (English) 2010 (14.0.7015.1000)
    Microsoft Office Server Proof (French) 2010 (14.0.7015.1000)
    Microsoft Office Server Proof (Russian) 2010 (14.0.7015.1000)
    Microsoft Office Server Proof (Spanish) 2010 (14.0.7015.1000)
    Microsoft SharePoint Portal (14.0.7015.1000)
    Microsoft User Profiles (14.0.7015.1000)
    Microsoft SharePoint Portal English Language Pack (14.0.7015.1000)
    Microsoft Shared Components (14.0.7015.1000)
    Microsoft Shared Coms English Language Pack (14.0.7015.1000)
    Microsoft Slide Library (14.0.7015.1000)
    Microsoft InfoPath Forms Services (14.0.7015.1000)
    Microsoft InfoPath Form Services English Language Pack (14.0.7015.1000)
    Microsoft Word Server (14.0.7015.1000)
    Microsoft Word Server English Language Pack (14.0.7015.1000)
    PerformancePoint Services for SharePoint (14.0.7015.1000)
    PerformancePoint Services in SharePoint 1033 Language Pack (14.0.7015.1000)
    Microsoft Visio Services English Language Pack (14.0.7015.1000)
    Microsoft Visio Services Web Front End Components (14.0.7015.1000)
    Microsoft Excel Services Components (14.0.7015.1000)
    Microsoft Document Lifecycle Components (14.0.7015.1000)
    Microsoft Excel Services English Language Pack (14.0.7015.1000)
    Microsoft Search Server 2010 Core (14.0.7015.1000)
    Microsoft Search Server 2010 English Language Pack (14.0.7015.1000)
    Microsoft Document Lifecycle Components English Language Pack (14.0.7015.1000)
    Microsoft Slide Library English Language Pack (14.0.7015.1000)
    Microsoft SharePoint Server 2010 (14.0.7015.1000)
    Microsoft Access Services Server (14.0.7015.1000)
    Microsoft Access Services English Language Pack (14.0.7015.1000)
    Microsoft Web Analytics Web Front End Components (14.0.7015.1000)
    Microsoft Web Analytics English Language Pack (14.0.7015.1000)
    Microsoft Excel Mobile Viewer Components (14.0.7015.1000)
    Recommendations?
    Thanks,
    Scott

    Thanks guys. I was able to get through all of the patches except for
    Language Pack for SharePoint, Project Server and Office Web Apps 2010 - English   missing locally
    Language Pack for SharePoint, Project Server and Office Web Apps 2010 -
    Spanish/Español missing locally
    This was my process:
    Config Wizard:
    Adding Index server to existing farm, "Server Farm Product and Patch Status" returned 34 Missing Locally required products and patches.
    SKIP installing the following two, as SP2 is cumulative
    Microsoft SharePoint 2010 Service Pack 1 (SP1) (14.0.6029.1000) (officeserver2010sp1-kb2460045-x64-fullfile-en-us.exe)
    Hotfix for Microsoft SharePoint Server 2010 (KB2775353) 64-Bit Edition (14.0.6105.5000)
    install SP2 oserversp2010-kb2687453-fullfile-x64-en-us.exe
    install oslpksp2010-kb2687462-fullfile-x64-en-us.exe
    Got "There are no products affected by this package installed on this system."
    SO!
    Uninstalled Sharepoint 2010 Server
    WIll try to install again, without skipping #2, and reorder installation of oslpksp2010-kb2687462-fullfile-x64-en-us.exe
    Retry (the long way):
    Run SharePointServer.exe, get Missing Locally...
    Install oslpksp2010-kb2687462-fullfile-x64-en-us.exe SUCCESSFUL
    Install officeserver2010sp1-kb2460045-x64-fullfile-en-us.exe SUCCESSFUL
    Reboot
    Install oserversp2010-kb2687453-fullfile-x64-en-us.exe SUCCESSFUL
    Rerun Config
    STILL MISSING
    Download oslpksp2010-kb2687462-fullfile-x64-es-es.exe, run, "there are no products affected..."
    Uninstall.
    Re-retried, only got through the first couple:
    Run SharePointServer.exe, get Missing Locally...
    Install SP1 officeserver2010sp1-kb2460045-x64-fullfile-en-us.exe, SUCCESSFUL
    Install English Lang Pack oslpksp2010-kb2687462-fullfile-x64-en-us.exe, "There are no products affected by this package installed on this system."
    Install Spanish Lang Pack oslpksp2010-kb2687462-fullfile-x64-es-es.exe,
    Install SP2 oserversp2010-kb2687453-fullfile-x64-en-us.exe, run Config Wizard
    I'm now downloading 462150_intl_x64_zip.exe, going to try and install it as step three.
    Any suggestions greatly appreciated.
    Thanks,
    Scott

  • Patch manager for sol9 missing some recommended patches

    I just tried cross checking a machine that was completely up to date according to patch manager with the Sol 9 recommended patch set.
    The recommended patch set included the following patches that patch manager doesnt appear to distribute.
    114049, 111711, 111712, 119211.
    I would have thought anything that was important enough to be included in the recommended patch set was worth distributing through patch manager.
    In particular, 114049 and 119211 appear to have security implications.

    Hi Robert,
    This forum is for Sun update Connection problems on Solaris 10 only.
    I cannot give you reply as to why Patch manager for sol9 missing is some recommended patches. I will email an internal email alias and try to find out.
    Regards,
    Scott

  • ISE 1.2 Patch 8 Endpoint icon Missing

    Hi,
    Has anyone seen an issue where the Endpoint icon under Identity just disappears.
    I upgraded to Patch 8 yesterday and all seemed fine but sometime this morning between adding enpoints the icon has gone.
    Very strange.

    I recall seeing this as a bug with Patch 8.  v1.2.1 addresses and fixes this.

  • ISE 1.2 Patch 7 ERS API problem updating some endpoints with a new group

    Hi,
    I have a php library that i have implemented most of the ers api functions with curl requests, and it works fine, i can get all endpoints, search for a specific endpoint, delete endpoints and to some degree i can modify endpoints, but not all endpoints it seems. For some reason when i use my function on some endpoints, the static endpoint group assigment does not get updated, and the response from the ers api is just empty, whereas when it goes good, i get a list of the attributes that were updated.
    Is there some specific requirements for which information has to be sent using the update_endpoint function in the ers api ? The examples have all information in every request, however what is actually needed in the request?
    Jan

    Have now tested by sending all parameters, even though i only want to change group or description, and it works.

  • Cisco ISE 1.2 Patch 6 -- 8 Update failed

    Hi all,
    I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
    Important notice : I though that this error could be an unlucky try but i've tested the update two time.
    Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
    The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
    On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
    The symptoms after this error are :
    - Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
    - The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
    - GUI Unavailable
    - MAB Auth is working
    - Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
    - Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
    The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
    My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
    Thanks for your help.

    This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
    2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
    2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...
    2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.
    2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
    pl/StaticLoggerBinder.class]
    2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
    8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
    2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
    2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

  • ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

    Hi community,
    We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
    Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
    To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
    Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
    Anybody else come across this??
    All helpful comments rated!
    Many thanks, Ash.

    I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"

    We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
    For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
    Personas:
    Administration
    Role:
    PRIMARY(A)
    System Time:
    Apr 24 2014 08:26:58 AM America/New_York
    FIPS Mode:
    Disabled
    Version:
    1.2.0.899
    Patch Information:
    7,1,3
    11001
    Received RADIUS Access-Request
    11017
    RADIUS created a new session
    15049
    Evaluating Policy Group
    15008
    Evaluating Service Selection Policy
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule
    11507
    Extracted EAP-Response/Identity
    12500
    Prepared EAP-Request proposing EAP-TLS with challenge
    12625
    Valid EAP-Key-Name attribute received
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12301
    Extracted EAP-Response/NAK requesting to use PEAP instead
    12300
    Prepared EAP-Request proposing PEAP with challenge
    12625
    Valid EAP-Key-Name attribute received
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12302
    Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318
    Successfully negotiated PEAP version 0
    12800
    Extracted first TLS record; TLS handshake started
    12805
    Extracted TLS ClientHello message
    12806
    Prepared TLS ServerHello message
    12807
    Prepared TLS Certificate message
    12810
    Prepared TLS ServerDone message
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12318
    Successfully negotiated PEAP version 0
    12812
    Extracted TLS ClientKeyExchange message
    12804
    Extracted TLS Finished message
    12801
    Prepared TLS ChangeCipherSpec message
    12802
    Prepared TLS Finished message
    12816
    TLS handshake succeeded
    12310
    PEAP full handshake finished successfully
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12313
    PEAP inner method started
    11521
    Prepared EAP-Request/Identity for inner EAP method
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11522
    Extracted EAP-Response/Identity for inner EAP method
    11806
    Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11808
    Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    15041
    Evaluating Identity Policy
    15006
    Matched Default Rule
    15013
    Selected Identity Source - *****
    24431
    Authenticating machine against Active Directory
    24470
    Machine authentication against Active Directory is successful
    22037
    Authentication Passed
    11824
    EAP-MSCHAP authentication attempt passed
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11810
    Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814
    Inner EAP-MSCHAP authentication succeeded
    11519
    Prepared EAP-Success for inner EAP method
    12314
    PEAP inner method finished successfully
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    15036
    Evaluating Authorization Policy
    24433
    Looking up machine in Active Directory - host/*****
    24435
    Machine Groups retrieval from Active Directory succeeded
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule - Default
    15016
    Selected Authorization Profile - DenyAccess
    15039
    Rejected per authorization profile
    12306
    PEAP authentication succeeded
    11503
    Prepared EAP-Success
    11003
    Returned RADIUS Access-Reject 

    salodh,
    Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly. 
    12500
    Prepared EAP-Request proposing EAP-TLS with challenge
    12625
    Valid EAP-Key-Name attribute received
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12301
    Extracted EAP-Response/NAK requesting to use PEAP instead 
    If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):
    Name
    Wired-******-PC
     Conditions
    Radius:Service-Type EQUALS Framed
    AND
    Radius:NAS-Port-Type EQUALS Ethernet
    AND
    *******:ExternalGroups EQUALS **********/Users/Domain Computers
    AND
    Network Access:EapAuthentication EQUALS EAP-TLS
    Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.
    Thanks again, sir.
    Andrew

  • Cisco ISE 1.2 Patch 8 with Roaming User Profiles

    ISE 1.2 with patch 8 has been installed and Works fine.
    Using AnyConnect Secure Mobility Client (NAM) 3.1.04072 and Cisco NAC Agent version 4.9.1013
    Scenario is EAP Chaining which does machine authentication + User Authentication
    After NAC Agent Pops up and Posture Assessment is successful, Users cannot see their Home drives and few other Network Drives.
    Sometimes during login we get the Error Message "User Profile cannot be loaded" and "User cannot Logon"
    Also while logging off We get the screen "Your Roaming Profile was not synchronized"
    All the Home Drives and Network Shared drives IP addresses are already added in the Downloadable ACL's.
    Any other Workaround to overcome these errors.
    Regards,
    Ramkumar.B

    This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
    2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
    2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...
    2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.
    2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
    pl/StaticLoggerBinder.class]
    2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
    8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
    2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
    2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

Maybe you are looking for

  • The string '' is not a valid XsdDateTime value

    I have the TSQL code displayed below, trying to generate the following XML: <Provider xmlns="http://www.tn.gov/mental/Schemas/CrisisAssessment" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.tn.gov/mental/Schemas

  • BPM Application: Task access related issue

    Hi Gurus, I have one secure (using ADF security) Application(Simple ADF Application), which will write data in XML format into a JMS Queue.After login to application,user can use that functionality. Then that message is fetched by one BPM Application

  • BAPI  or  IDOC

    Hi friends,                   We have the Requirement of taking customer data from Legacy to ECC through PI. The Client has 167 fields in his customer database . But ECC needs Only 25-30 fields . BI needs all fields. So my PI consultant has create on

  • Asset history sheet version is not complete

    Hi Guru, I have implemented a new Asset history sheet version. When I run the Completion check I have the message "Asset history sheet version is not complete". This message I see it when I run the transaction code S_ALR_87011990 - Asset History Shee

  • Error when I executed my JSP page

    Hello, I have installed in my machine o OracleAS e o OracleDS. I created a JSP page using Reports Builder. When I try run my page, after some time, the following error message is displayed in the browser: Reports Error Page Wed Jun 19 10:08:29 BRT 20