ISE 1.2 Patch 8 - Endpoints in GUI missing
I have a customer were we did a upgrade from patch 2 -> patch 8 the other day.
Now Endpoints and Endpoint Identity Groups are missing from GUI. MAB is still working so Its probably only GUI related.
This is for both AD users and the admin user.
We also tried to create an new user with new access and menu policies to force/jump start access to the GUI but with no luck.
Anyone seen this?
can you confirm , if you are able to see 'endpoints/ endpoint groups " in the conditions while creating authorization profiles?
Similar Messages
-
ISE 1.2 Patch 8 - Wired CoA Bug
Hi all,
Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).
I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin and the same error presented this time with the ip address of the secondary admin. I then proceeded to add the admin nodes as dynamic author clients and CoA started to work properly.
So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?CoA Not Initiating on Client Machine
Symptoms or
Issue
Cisco ISE is not able to identify the specified Network Access Device (NAD).
Conditions Click the magnifying glass icon in Authentications to display the steps in the
Authentication Report. The logs display the following error message:
• 11007 Could not locate Network Device or AAA Client Resolution
Possible Causes • The administrator did not correctly configure the Network Access Device
(NAD) type in Cisco ISE.
• Could not find the network device or the AAA Client while accessing NAS by
IP during authentication.
Resolution • Add the NAD in Cisco ISE again, verifying the NAD type and settings.
• Verify whether the Network Device or AAA client is correctly configured in
Administration > Network Resources > Network Devices
Symptoms or
Issue
Users logging into the Cisco ISE network are not experiencing the required Change
of Authorization (CoA).
Conditions Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from
supported network devices.
Possible Causes Cisco ISE network enforcement points (switches) may be missing key configuration
commands, may be assigning the wrong port (for example, a port other than 1700),
or have an incorrect or incorrectly entered key.
Resolution Ensure the following commands are present in the switch configuration file (required
on switch to activate CoA and configure the switch):
aaa server radius dynamic-author
client <Monitoring_node_IP_address> server-key <radius_key> -
Hi all,
I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
"5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x
I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)
Any info out there about 5441 before I log a TAC?????
Thanks.Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients requests:
It would appear that because the accounting data doesn't get back it, there is confusion that the session doesn't exist and the auth fails.
Event
5400 Authentication failed
Failure Reason
12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution
Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause
Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late. -
ISE 1.2 patch 4 not retrieving groups
Since the update to ISE 1.2 patch 4 it isn't possible anymore to retrieve groups or attributes from the active directory. It keeps loading.
Anyone else experiencing this issue?
Regards,
MathieuThe issue you are referring to is documented in the following CDETS:
CSCul84544: Retrieval of AD groups or attributes is failing
This is not yet resolved. May be resolved in a future patch
The workaround given in the CDETS is
Fix the DNS server so that the reverse DNS lookup matches
I believe there are other steps that can be taken to mitigate this but would need intervention from TAC -
ISE 1.2 Patch 7 possible guest CWA bug
Just upgraded an ISE implementation to patch 7 and discovered that the patch broke the CWA guest portal on wireless. I haven't tested wired CWA but wireless is busted.
In summary the redirection works fine but when you enter valid guest credentials nothing happens including no logs on ISE. If you enter credentials that don't exist in the guest group you get a failed authentication and the corresponding log. As soon as I rolled back to patch 6 everything worked again.
If any TAC engineers see this feel free to pursue it - I would log a case but the kit is NFR and I can't be bothered going through the process of logging a job on NFR kit.Hi,
I'm experiencing similar issues with patch 7. I am actually using a custom portal, which was working fine in patch 4 - after upgrading to patch 7 to fix a Web Posture bug, the portal would randomly push out pages from the Default Portal (I.E. Device Registration when I had no self provisioning flow enabled). Now, I am getting the error in the attachment after the user accepts the AUP.
The standard portal is working fine, except for a bug with the "Require Users to change password at login" option. When users try to change their password at first login, the portal errors out and I get an error in the Authentication Logs. However, the password is changed successfully. This issue is apparent since installing patch 7. -
Our ISE Deployment for wireless only is operating on 1.2.0.899 Patch 3. We are looking to upgrade to Patch 8. We plan on testing in a Dev envioronment first, but I was curious what others experience had been with stability in Patch 8?
So far I have not had serious issues with patch 8 versus previous patches which caused me bother in certain areas. I think with all ISE patches you need to read the release notes and read the caveats to see what issues may or may not affect you. If you are on a production system I would also make sure you have your rollback option in place aswell. For what it is worth I am always keen to stay on the most recent patch of ISE due to patches generally fixing more than they break. Just make sure you run through your original system test plans and user test plans and all should be well.
-
ISE 1.2 disable endpoints with certain mac address
Hi All,
We have an AD to authenticate for wireless users. In AD, we have specified to block the user if the password is entered wrongly for more than 3 times. The problem is some of them are using other user ID and locking the accounts. I have gotten the MAC address of the user. Can anyone please advise how to block the request from this MAC from even reaching the AD.
ThanksYou have two options from ISE and one option from the WLC:
The first option which is not very scalable is to modify your authentication policy to deny access to an specific MAC address(Radius:Calling station ID). But this is not very scalable as you can only specify one MAC address.
Your second option is to enable the anomalous client suppression(under systems->settings->protocols->RADIUS). This will be your best option but it would require a bit of testing to identify what are the best values for your environment.
From the controller you can enable the excessive 802.1x authentication failures. By default it won't even send the fourth authentication to ISE for a failing endpoint: -
Once I connected my new server to my farm's config db, it returned all of the following missing locally. I stripped out any redundancies and Headings, and I'm left with 43. I'm looking for a efficient strategy. Should I start with the lowest version number
and work my way up? Current DB version is 14.0.7015.1000. IIRC, SP2 is cumulative, so can I ignore the first two (SP1 and Hotfix), install SP2, and then the Language packs and etc on top?
Sorted by version:
Microsoft SharePoint 2010 Service Pack 1 (SP1) (14.0.6029.1000)
Hotfix for Microsoft SharePoint Server 2010 (KB2775353) 64-Bit Edition (14.0.6105.5000)
Service Pack 2 for Microsoft SharePoint 2010 (KB2687453) 64-Bit Edition (14.0.7015.1000)
Service Pack 2 for Microsoft 2010 Server Language Pack (KB2687462) 64-Bit Edition (14.0.7015.1000)
Microsoft Office Server Proof (English) 2010 (14.0.7015.1000)
Microsoft Office Server Proof (French) 2010 (14.0.7015.1000)
Microsoft Office Server Proof (Russian) 2010 (14.0.7015.1000)
Microsoft Office Server Proof (Spanish) 2010 (14.0.7015.1000)
Microsoft SharePoint Portal (14.0.7015.1000)
Microsoft User Profiles (14.0.7015.1000)
Microsoft SharePoint Portal English Language Pack (14.0.7015.1000)
Microsoft Shared Components (14.0.7015.1000)
Microsoft Shared Coms English Language Pack (14.0.7015.1000)
Microsoft Slide Library (14.0.7015.1000)
Microsoft InfoPath Forms Services (14.0.7015.1000)
Microsoft InfoPath Form Services English Language Pack (14.0.7015.1000)
Microsoft Word Server (14.0.7015.1000)
Microsoft Word Server English Language Pack (14.0.7015.1000)
PerformancePoint Services for SharePoint (14.0.7015.1000)
PerformancePoint Services in SharePoint 1033 Language Pack (14.0.7015.1000)
Microsoft Visio Services English Language Pack (14.0.7015.1000)
Microsoft Visio Services Web Front End Components (14.0.7015.1000)
Microsoft Excel Services Components (14.0.7015.1000)
Microsoft Document Lifecycle Components (14.0.7015.1000)
Microsoft Excel Services English Language Pack (14.0.7015.1000)
Microsoft Search Server 2010 Core (14.0.7015.1000)
Microsoft Search Server 2010 English Language Pack (14.0.7015.1000)
Microsoft Document Lifecycle Components English Language Pack (14.0.7015.1000)
Microsoft Slide Library English Language Pack (14.0.7015.1000)
Microsoft SharePoint Server 2010 (14.0.7015.1000)
Microsoft Access Services Server (14.0.7015.1000)
Microsoft Access Services English Language Pack (14.0.7015.1000)
Microsoft Web Analytics Web Front End Components (14.0.7015.1000)
Microsoft Web Analytics English Language Pack (14.0.7015.1000)
Microsoft Excel Mobile Viewer Components (14.0.7015.1000)
Recommendations?
Thanks,
ScottThanks guys. I was able to get through all of the patches except for
Language Pack for SharePoint, Project Server and Office Web Apps 2010 - English missing locally
Language Pack for SharePoint, Project Server and Office Web Apps 2010 -
Spanish/Español missing locally
This was my process:
Config Wizard:
Adding Index server to existing farm, "Server Farm Product and Patch Status" returned 34 Missing Locally required products and patches.
SKIP installing the following two, as SP2 is cumulative
Microsoft SharePoint 2010 Service Pack 1 (SP1) (14.0.6029.1000) (officeserver2010sp1-kb2460045-x64-fullfile-en-us.exe)
Hotfix for Microsoft SharePoint Server 2010 (KB2775353) 64-Bit Edition (14.0.6105.5000)
install SP2 oserversp2010-kb2687453-fullfile-x64-en-us.exe
install oslpksp2010-kb2687462-fullfile-x64-en-us.exe
Got "There are no products affected by this package installed on this system."
SO!
Uninstalled Sharepoint 2010 Server
WIll try to install again, without skipping #2, and reorder installation of oslpksp2010-kb2687462-fullfile-x64-en-us.exe
Retry (the long way):
Run SharePointServer.exe, get Missing Locally...
Install oslpksp2010-kb2687462-fullfile-x64-en-us.exe SUCCESSFUL
Install officeserver2010sp1-kb2460045-x64-fullfile-en-us.exe SUCCESSFUL
Reboot
Install oserversp2010-kb2687453-fullfile-x64-en-us.exe SUCCESSFUL
Rerun Config
STILL MISSING
Download oslpksp2010-kb2687462-fullfile-x64-es-es.exe, run, "there are no products affected..."
Uninstall.
Re-retried, only got through the first couple:
Run SharePointServer.exe, get Missing Locally...
Install SP1 officeserver2010sp1-kb2460045-x64-fullfile-en-us.exe, SUCCESSFUL
Install English Lang Pack oslpksp2010-kb2687462-fullfile-x64-en-us.exe, "There are no products affected by this package installed on this system."
Install Spanish Lang Pack oslpksp2010-kb2687462-fullfile-x64-es-es.exe,
Install SP2 oserversp2010-kb2687453-fullfile-x64-en-us.exe, run Config Wizard
I'm now downloading 462150_intl_x64_zip.exe, going to try and install it as step three.
Any suggestions greatly appreciated.
Thanks,
Scott -
Patch manager for sol9 missing some recommended patches
I just tried cross checking a machine that was completely up to date according to patch manager with the Sol 9 recommended patch set.
The recommended patch set included the following patches that patch manager doesnt appear to distribute.
114049, 111711, 111712, 119211.
I would have thought anything that was important enough to be included in the recommended patch set was worth distributing through patch manager.
In particular, 114049 and 119211 appear to have security implications.Hi Robert,
This forum is for Sun update Connection problems on Solaris 10 only.
I cannot give you reply as to why Patch manager for sol9 missing is some recommended patches. I will email an internal email alias and try to find out.
Regards,
Scott -
ISE 1.2 Patch 8 Endpoint icon Missing
Hi,
Has anyone seen an issue where the Endpoint icon under Identity just disappears.
I upgraded to Patch 8 yesterday and all seemed fine but sometime this morning between adding enpoints the icon has gone.
Very strange.I recall seeing this as a bug with Patch 8. v1.2.1 addresses and fixes this.
-
ISE 1.2 Patch 7 ERS API problem updating some endpoints with a new group
Hi,
I have a php library that i have implemented most of the ers api functions with curl requests, and it works fine, i can get all endpoints, search for a specific endpoint, delete endpoints and to some degree i can modify endpoints, but not all endpoints it seems. For some reason when i use my function on some endpoints, the static endpoint group assigment does not get updated, and the response from the ers api is just empty, whereas when it goes good, i get a list of the attributes that were updated.
Is there some specific requirements for which information has to be sent using the update_endpoint function in the ers api ? The examples have all information in every request, however what is actually needed in the request?
JanHave now tested by sending all parameters, even though i only want to change group or description, and it works.
-
Cisco ISE 1.2 Patch 6 -- 8 Update failed
Hi all,
I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
Important notice : I though that this error could be an unlucky try but i've tested the update two time.
Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
The symptoms after this error are :
- Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
- The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
- GUI Unavailable
- MAB Auth is working
- Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
- Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
Thanks for your help.This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
2014-05-28T10:26:30.023223+00:00 XXXXXXX logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
2014-05-28T10:26:30.311676+00:00 XXXXXXX logger: Loading PKCS11 ...
2014-05-28T10:26:30.978432+00:00 XXXXXXX logger: SLF4J: Class path contains multiple SLF4J bindings.
2014-05-28T10:26:30.978454+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
pl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978502+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978509+00:00 XXXXXXX logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
2014-05-28T10:26:31.638970+00:00 XXXXXXX logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly. -
ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?
Hi community,
We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
Anybody else come across this??
All helpful comments rated!
Many thanks, Ash.I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
~BR
Jatin Katyal
**Do rate helpful posts** -
ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"
We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
Personas:
Administration
Role:
PRIMARY(A)
System Time:
Apr 24 2014 08:26:58 AM America/New_York
FIPS Mode:
Disabled
Version:
1.2.0.899
Patch Information:
7,1,3
11001
Received RADIUS Access-Request
11017
RADIUS created a new session
15049
Evaluating Policy Group
15008
Evaluating Service Selection Policy
15048
Queried PIP
15048
Queried PIP
15004
Matched rule
11507
Extracted EAP-Response/Identity
12500
Prepared EAP-Request proposing EAP-TLS with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12301
Extracted EAP-Response/NAK requesting to use PEAP instead
12300
Prepared EAP-Request proposing PEAP with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12302
Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318
Successfully negotiated PEAP version 0
12800
Extracted first TLS record; TLS handshake started
12805
Extracted TLS ClientHello message
12806
Prepared TLS ServerHello message
12807
Prepared TLS Certificate message
12810
Prepared TLS ServerDone message
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12318
Successfully negotiated PEAP version 0
12812
Extracted TLS ClientKeyExchange message
12804
Extracted TLS Finished message
12801
Prepared TLS ChangeCipherSpec message
12802
Prepared TLS Finished message
12816
TLS handshake succeeded
12310
PEAP full handshake finished successfully
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12313
PEAP inner method started
11521
Prepared EAP-Request/Identity for inner EAP method
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
11522
Extracted EAP-Response/Identity for inner EAP method
11806
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
11808
Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041
Evaluating Identity Policy
15006
Matched Default Rule
15013
Selected Identity Source - *****
24431
Authenticating machine against Active Directory
24470
Machine authentication against Active Directory is successful
22037
Authentication Passed
11824
EAP-MSCHAP authentication attempt passed
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
11810
Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814
Inner EAP-MSCHAP authentication succeeded
11519
Prepared EAP-Success for inner EAP method
12314
PEAP inner method finished successfully
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
15036
Evaluating Authorization Policy
24433
Looking up machine in Active Directory - host/*****
24435
Machine Groups retrieval from Active Directory succeeded
15048
Queried PIP
15048
Queried PIP
15048
Queried PIP
15048
Queried PIP
15048
Queried PIP
15004
Matched rule - Default
15016
Selected Authorization Profile - DenyAccess
15039
Rejected per authorization profile
12306
PEAP authentication succeeded
11503
Prepared EAP-Success
11003
Returned RADIUS Access-Rejectsalodh,
Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly.
12500
Prepared EAP-Request proposing EAP-TLS with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12301
Extracted EAP-Response/NAK requesting to use PEAP instead
If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):
Name
Wired-******-PC
Conditions
Radius:Service-Type EQUALS Framed
AND
Radius:NAS-Port-Type EQUALS Ethernet
AND
*******:ExternalGroups EQUALS **********/Users/Domain Computers
AND
Network Access:EapAuthentication EQUALS EAP-TLS
Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.
Thanks again, sir.
Andrew -
Cisco ISE 1.2 Patch 8 with Roaming User Profiles
ISE 1.2 with patch 8 has been installed and Works fine.
Using AnyConnect Secure Mobility Client (NAM) 3.1.04072 and Cisco NAC Agent version 4.9.1013
Scenario is EAP Chaining which does machine authentication + User Authentication
After NAC Agent Pops up and Posture Assessment is successful, Users cannot see their Home drives and few other Network Drives.
Sometimes during login we get the Error Message "User Profile cannot be loaded" and "User cannot Logon"
Also while logging off We get the screen "Your Roaming Profile was not synchronized"
All the Home Drives and Network Shared drives IP addresses are already added in the Downloadable ACL's.
Any other Workaround to overcome these errors.
Regards,
Ramkumar.BThis is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
2014-05-28T10:26:30.023223+00:00 XXXXXXX logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
2014-05-28T10:26:30.311676+00:00 XXXXXXX logger: Loading PKCS11 ...
2014-05-28T10:26:30.978432+00:00 XXXXXXX logger: SLF4J: Class path contains multiple SLF4J bindings.
2014-05-28T10:26:30.978454+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
pl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978502+00:00 XXXXXXX logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
2014-05-28T10:26:30.978509+00:00 XXXXXXX logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
2014-05-28T10:26:31.638970+00:00 XXXXXXX logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.
Maybe you are looking for
-
The string '' is not a valid XsdDateTime value
I have the TSQL code displayed below, trying to generate the following XML: <Provider xmlns="http://www.tn.gov/mental/Schemas/CrisisAssessment" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.tn.gov/mental/Schemas
-
BPM Application: Task access related issue
Hi Gurus, I have one secure (using ADF security) Application(Simple ADF Application), which will write data in XML format into a JMS Queue.After login to application,user can use that functionality. Then that message is fetched by one BPM Application
-
Hi friends, We have the Requirement of taking customer data from Legacy to ECC through PI. The Client has 167 fields in his customer database . But ECC needs Only 25-30 fields . BI needs all fields. So my PI consultant has create on
-
Asset history sheet version is not complete
Hi Guru, I have implemented a new Asset history sheet version. When I run the Completion check I have the message "Asset history sheet version is not complete". This message I see it when I run the transaction code S_ALR_87011990 - Asset History Shee
-
Error when I executed my JSP page
Hello, I have installed in my machine o OracleAS e o OracleDS. I created a JSP page using Reports Builder. When I try run my page, after some time, the following error message is displayed in the browser: Reports Error Page Wed Jun 19 10:08:29 BRT 20