ISE 1.2 Windows 8.1 onboarding

Similar Messages

• BOYD ISE Native Supplicant Windows 7

  Connects to BYOD-SSID
  and go through the process, including self registration
  once everything is done, my windows machine does not automatically selects certificate (TLS) for authentication
  maunally need to go under proprites and select certificate and then it authenticates.
  I though this all should be automatic!!!

  Are there multiple certificates installed on the client OS at the time of onboarding? Also are you running the latest supplicant provisioning wizard for windows on your ise deployment?
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE 1.2 - Problem with Device Onboarding of internal users using AD Credentials

  Dear experts,
  We have implemented ISE 1.2 with WLC 7.5 in our organization. We are using Device Onboarding by letting the users enter their AD Username and Passowrd on Guest portal which then redirects them to device registration portal where they simply register their device and they get internet access.
  The problem is that some users are unable to authenticate using this portal while some can successfully authenticate and register their devices. All users are of the same group in AD. Also, we have enabled this check on two places. One is when users connects to the SSID where the security WPA2-Enterprise uses 802.1x and asks for AD username password. The other is on the portal.
  All users are able to connect to the SSID using their AD credentials. However, 30% of the users are not being authenticated when they are redirected to the Guest portal for device registration. Also, it gives no error or event on either ISE or on the mobille device. When the users enters their credentials, the same guest portal page comes back blank with no errors or logs anywhere.
  Can someone guide me if there is some configuration mistake that I may have done or have someone faced this same issue and were/weren't able to resolve it.
  Thanks in advance.
  Jay

  Our problem got solved. It was related to a few user accounts in AD. Usually any authentication on AD User Account is carried out using the User ID. However, during Web Authentication, Login ID/Name is also checked by ISE and should be same as User ID.
  The problem you are facing might also related be to AD since we had the similar issue. try to check this on a laptop as the mobile portal gives no error if the user is unknown or invalid. Also, you can enable logs for web authentication which are off by default. It will give you a pretty good idea where the problem lies. And yeah, do not keep the web authentications log on for long, it can hang your ISE.
  Anyways, thanks for all the support.

• ISE with per-windows 2000 domain

  Hi
  I am experiencing a problem with AD authentication.
  I have joined the ISE appliance to the windows AD and I can browse the groups and attributes.
  But the problem I am experincing is that the users logon to the domain using the pre-windows 2000 domain name.
  FQDN format : ab.cdef.com       - ISE is joined to this
  pre-windows 2000 name : abcd  - Users logon with this
  So wen the users authenticate I get the following error : 22056 Subject not found in the applicable identity store.
  Also tried to logon with [email protected] with no luck.
  Does someone have any suggestions?
  Thanks

  The 802.11 Mac Layer is a bit longer than the ethernet mac layer. This sometimes cause problem with domain login because they are done using UDP by default. The frame are sometime drop. To test if this is your problem, I recomand changing the MTU on the 2000server(DC) and the host to something lesser than the actuel MTU on the interface. (configure the DC and host @1300 leaving the network @1500)
  A Windows 2003 server as a default mtu of 13?? something to get around this problem. I usaully tell my users to install the cisco vpn client if they want to use domain in wireless because the installation of this client lower the MTU of every interface to 1300.
  Another path you can look into is forcing kerberos to use TCP insted of UDP. (look on MS TechNet for method)

• Cisco ISE to check Windows Firewall is enabled or not in Posture Requirement.

  I have already a running setup for wireless employees. Everything is working fine. Wireless Employees authenticate by AD through ISE. URL redirection is working fine. Posture requirements to check Hotfixs & AV installation & definition is working fine. Now I have new requirement to check whether Window firewall is enabled or not, if not then put the users in temporary access & do the remediation, if failed then put the user in noncompliant.
  I want to know under which option i can create Window Firewall requirement.
  Thanks

  Windows Firewall in Windows XP creates  a registry key
  Registry Key:
  HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Registry Value:
  EnableFirewall
  If the XP Firewall is on the Value will be = to “1”
  The following link shows how to tell if firewalls of different brands are running
  http://cisconac.blogspot.com/2007/05/custom-checks-personal-firewall.html
  So, the ISE config will be something like the following picture. Please rate if it helps

• PC w/Windows 8. Onboard Speakers no longer wrking (although all scans say they are)

  Hi,   Maybe 10 or 20 years ago someone might have called me "PC Expert" but at 81 with all the age related problems that brings, I am very lucky if I can figure out how to turn the beast on, so I'm hoping maybe some one of you young tigers can tell me what to do to get my onboard speakers to working again. (Hint: Probably a mistake I made sometime within the past year or so).
  OK Tiger (or ess) come!, lead me by the hand. . . Thanks a bunch
  This question was solved.
  View Solution.

  Check at the rear of the PC to ensure that the Speaker cable connector is plugged into the green audio input instead of another one.
  Desktop PC, with the exception of All-in-one PC,s don't have onboard speakers.
  ****Please click on Accept As Solution if a suggestion solves your problem. It helps others facing the same problem to find a solution easily****
  2015 Microsoft MVP - Windows Experience Consumer

• New windows Server Deployment (Onboarding) Documents.

  Hi Team,
  Can anyone share me the general Windows Server Onboarding (Pre-Build and Post-Build) basic Checklist or a Document, which will help us in streamlining the process of deploying a new server in the existing environment.
  Thanks in advance.
  Vimal Kumar S
  Vimal Kumar S

  Hi,
  The question is quite broad.
  For deployment, you can follow this blog:
  http://blogs.msdn.com/b/msgulfcommunity/archive/2013/03/06/installing-and-activating-windows-server-2012-step-by-step.aspx
  And this article introduced server manager:
  http://blogs.msdn.com/b/msgulfcommunity/archive/2013/03/06/installing-and-activating-windows-server-2012-step-by-step.aspx
  For specific roles and features you can refer:
  http://technet.microsoft.com/en-us/library/hh831669.aspx
  Hope this helps.

• Windows 8.1 Onboard Keyboard and Touchpad Stopped Working.

  After upgrading to Win 8.1 my keyboard and touchpad stopped working suddenly.  They both worked fine for the entire Windows 8.0 release.  When I upgraded to 8.1, they both worked for about 3 months.  Then what started happening is the computer
  would freeze during the startup process.  
  Now they both don't don't work.  But a USB powered mouse works.  So with a USB powered mouse and the on screen keyboard I have been troubleshooting.  I have removed the drivers from the device manager, reinstalled the drivers, searched for
  driver updates etc.  Nothing works. 
  Can someone please point me in the right direction.  PC is kind of useless at the moment.

  Hi,
  Kindly check this application that can show incompatible/unwanted/untrusted/ applications then remove these with different kinds of PC cleaner/Application removal tools.
  http://www.getsysteminfo.com/
  After Downloaded, Run the Application and Save Report, Upload the Report and Press Submit Button and Click Read the report as an Expert.
  If you found anything in these 2 Auto analyses
  then find the solution.
  1) Driver To Update:
  2) Application to Update:
  Good Luck!

• ISE authentication with windows hibernate

  i have ISE 1.2 , machine can't authenticate during hibernate so user must logoff and login again.
  is this applicable on ISE or not?

  If you are using windoze native supplicant, try using anyconnect nam. There is a bug (feature) in the native supplicant that causes it to go brain dead after returning from sleep mode/hibernation. Microsoft has hotfixes for vista and later, but not xp. I've had hit and miss success with these, and that's why I suggest trying anyconnect.
  Sent from Cisco Technical Support Android App

• Machine +User Auth for windows endpoint autheticating through ISE

  Hi
  Is there any way to use machine + user auth at same time when authenticating Windows machine through ISE.  In Windows native supplicant there is option as
  1) Machine OR user Auth
  2) User Authentication
  3) Machine Authentication
  4) Guest authentication
  I want to give more priveledge access to endpoints where they are joined to AD domain AND the user is logged in using AD credentials.
  Is there any way to achieve this functionality ...

  With windows you do not have the option, however with ISE 1.1.1 and the latest cisco anyconnect nam supplicant (which is free) has a feature called eap chaining, it uses eap-fast to send the authentication sequence just as you want.
  Here is the reference:
  ISE release notes
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp307279
  Anyconnect release notes
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871
  Configuration of anyconnect -
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1065210
  Tarik Admani
  *Please rate helpful posts*

• Yoga S1 Windows 8.1 Activation Disabled and poor (or no support from Lenovo at all).

  Dear Lenovo Friends,
  I've purchased Thinkpad Yoga S1 with Windows 8.1 onboard.
  I've had an OS problem that leaded me to order Recovery DVDs via Lenovo Thinkpad Support in Poland (thanks, got disc set in 7 days).
  After reinstallation the WIndows 8.1 OS keeps saying my licence code embedded into BIOS is invalid and I can no longer activate the system. See the event log for sample try and fail on activation my system, please.
  Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  - <System>
    <Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
    <EventID Qualifiers="32768">1017</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-09T20:02:04.000000000Z" />
    <EventRecordID>1866</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>n316-pc04</Computer>
    <Security />
    </System>
  - <EventData>
    <Data>0xC004F069</Data>
    <Data>9D6TC</Data>
    <Data>?</Data>
    <Data>?</Data>
    </EventData>
    </Event>
  I've contacted the Lenovo Support in Poland and they tend to tell that this is because Microsoft has invalidated my codes for unknown reason. Contacting Microsoft they told me that it its vendor's (Lenovo) problem and they are not responsible - shall I obtain new licence key from Lenovo. The Polish Thinkpad support is working on the problem since January the 9th, with no success.
  The Windows grace period is already over and I cannot use my ultrabook now without activating the licence.
  Is this the famous Thinkpad support quality? I already own 4 Thinkpads and sorry gyus but I'm considering swithing to some other vendor.
  When I called them, the solution provided by the Thinkpad support was... "would you please reainstall the OS once more to get another grace period?" I was thinking it was a kind of joke, but it wasn't... Asking for the responsibility of the Lenovo for the Windows OS they provided I was told that Lenovo is not responsible and I was given the advice to buy the hardware with no OS next time, have box licence from Microsoft separatelly.
  I'm really disappointed. This is my last Thinkpad I believe. It seems even having the warranty it is not enoug to get support from Lenovo - I'm on my own...
  Regards,
  P.
  Solved!
  Go to Solution.

  Solved!
  Finally I've got another DVD recovery set from Lenovo. Now it works. Seems that the first DVD set was invalid .
  Regards,
  P.

• Posture check for Windows Update

  Hi All,
  I am constructing Posture conditions in ISE, which check  Windows Update are not more than 7 days old.
  Can you guys help me in formulating this condition.
  Thanking in advance,
  Thank You,
  Aditya

  Hello Aditya,
  Configure WSUS Remediation
  This example shows how to ensure that all employee computers with Windows 7 have the latest critical patches installed. Windows Server Update Services (WSUS) are internally managed.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html#anc17

• VDI Access Control with ISE

  Hi Guys,
  Can ISE do the Access Control for the VDI users with thinclients like PCs? Now we wanna to setup the 802.1x authentication for the VDI users, but i'm not sure if this can be done by ISE. Do we just need to configure the access switch ports to open 802.1x as usual and the switch then will relay the radius to ISE?

  Rodrigo,
  You are right if it is using the same IP+MAC, then I don't think the identity-based firewall feature of the ASA will work for you unless you can set the Citrix VDI to use DHCP to give a unique IP for each desktop.
  This is how it worked with vmware::
  1. Single VDI pool with a unique IP for each desktop assigned by DHCP on the same subnet.
  2. User logs in to floating desktop and Windows login server is updated with username and IP
  3. Cisco Directory Agent (CDA) gets the username/IP mapping from Windows login server.
  4. Cisco ASA is configured to allow access based on Windows AD group X.
  5. ASA gets username/IP mapping from CDA and checks AD directly for group assignment.
  6. ASA enforces access policy on the IP that is currently used by the user of group X. Users of groups Y and Z would have different policies.
  NOTE: Anyconnect is not used with identity-based firewall for Windows devices. If used for 802.1x (wired or wireless) or any other supplicant, it does allow Identity-based firewall to work with non-windows devices. If Cisco would only enhance RA VPN to work when using ISE authentication with windows domain detection or assignment, it would be a complete identity-based solution. RA VPN can work if authenticating directly with AD.

• ISE No EAP response from Client

  Hi,
  So on the same switch, same port configuration, 1 users laptop has absoutely no issues authenticating on the port.
  On another port, same configuration, I see the below error in ISE.
  Same windows settings on both laptops regarding the 802.1x authentication.
  No response received during 120 seconds on last EAP message sent to the client                                                                                 :
  5411 No response received during 120 seconds on last EAP message sent to the client
  Any ideas as to why or whats happening here?

  Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to or from supplicant. Verify that supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ISE. If the external ID store is used for the authentication, it may be not responding fast enough for current timeouts. For more information you can see the below link.
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf

• Windows freezes with Soundblaster Xtremega

  What a day. I did a fresh installation of Windows XP, have onboard disabled with no drivers installed, installed soundcard into PCI slot , installed drivers from CD in safe mode. I cannot get into windows with the card. It will always freeze when loading windows normal mode?at windows logo. I disable it in device manager, and I can get into windows normal mode. However, if I enable it while in windows, it will freeze again anyway. I have:
  Biostar T Force 550 SE motherboardAMD Athlon 64 X2 3600+2GB DDR2-800 RAMGeforce 7900 GS?Someone please have an answer!

  It is explicitly stated Tesla C2070/2075 and a Quadro card only to achieve a Maxumus configuration, not a very old FX card. Given the limited number of CUDA cores in the Tesla card and the limited bandwidth, the first Maximus results are far from appealing. A Quadro 6000 + Tesla  C2075 (€ 6000) is slower than a GTX 570 for a fraction of the price (€ 270). Talk about BFTB.
  From the documentation I have found about the M2090, for a whopping € 4800, it requires Windows Server 2008, is still based on the Fermi architecture and has the same number of cores as a 580, but less bandwidth.