ISE 1.3 Locations

Hi All
Does anyone know the procedure (if there is one) to get rid of the default San Jose location from ISE 1.3?
I can edit the time-zone for the default location and I can create a new location but can't appear to get rid of the default one.
Regards
Roger

No, there is no way to get rid of it.
CSCut22751
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
Charles Moreton

Similar Messages

  • ISE Could not locate Network Device or AAA Client

    When authenticating using 802.1x and MAB, I receive an authentication failure with the error 11007 (Could not locate Network Device or AAA Client). The root cause that ISE spits back at me is "Could not find the network device or the AAA Client while accessing NAS by IP during authentication." I did pretty much everything by the book except instead of using a loopback interface I used a vlan with a defined ip address. Could this be causing the problem?
    Here is the config of the port that I'm testing on:
    interface GigabitEthernet1/0/9
     switchport access vlan 9
     switchport mode access
     switchport voice vlan 8
     ip access-group ACL-ALLOW in
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 4
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x timeout tx-period 10
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    I can ping both the vlan and the endpoint from the ISE.  As far as allowing ISE to speak snmp and RADIUS to the NAD, I have enabled it on the NAD config inside the ISE. I have also double checked the snmp and radius shared passwords.
    I have gotten MAB authentication to work but I am still getting the same error for dot1x authentication. Here are some of the configs on the switch.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authentication dot1x defualt group radius
    aaa authentication dot1x group group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    aaa session-id common
    ip radius source-interface TenGigabitEthernet1/0/1
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.10.47 auth-port 1812 acct-port 1813 test username test key 7 097940581F5412162B464D
    radius-server vsa send accounting
    radius-server vsa send authentication
    dot1x system-auth-control
     authentication order dot1x mab
     authentication priority dot1x mab
     dot1x pae authenticator
     dot1x timeout tx-period 10

  • ISE multi-portal

    I want to make another guestportal because the default one's language is incorrect. You can change the language of the sponsor portal quite easily but for the guestportal you have to adjust the html pages. I tried this but couldn't get the layout correct.
    Is there a package available with better html pages and/or instructions?
    Mathieu

    Well, I left the fields as they were because they are hardcoded and cannot be edited. Today I tried to use the guest portal with my WLC but ran into some trouble. The url of the guestportal ends like this:
    /guestportal/Login.action?portalname=nameofguestportal
    But when you use it with a WLC there are some arguments added. You'll get this:
    /guestportal/Login.action?portalname=nameofguestportal?arguments
    The problem is that your browser or the ISE is searching for a portal called: nameofguestportal?
    Accompanied by the question mark, the ISE can't locate the portal and uses the default one.
    I have another problem: there is a required file, "guest success file", but I couldn't find this in the HTML pages delivered by Cisco.

  • MSE-provided location used with ISE Authorization Profile

    Hello Everyone,
    Can MSE-provided location be used in an ISE Authorization Profile?
    Thanks much,
    David D.

    Yes, ISE 1.2 can use this feature if it is used with Merridian or Ironmobile integration, and this is still in the roadmap.

  • Cisco ISE - How to map User- Location - Restrict Access to other locations

    Hi,
    I've got a simple question and I hope someone here can help me out with this mess.
    The problem is about WLAN 802.1x Auth with Cisco WLC and an ISE.
    The design goal is the following:
    There are several branch facilities. A user belongs to only ONE facility. This user should not access the WLAN in other facilities.
    The technical design is this:
    Local WLC and/or central vWLC. In the datacenter is one ISE which must handle the auth-requests. The identity source of the users, where I add and manage them, should be the ISE itself for the first time, later I want to AD and LDAP sources.
    Here is the problem:
    I don't understand how I can create a ruleset or something else where I can define that a user of facility A can only login over APs, WLCs,.....in facility A and NOT facility B. Or maybe my design is so bad that I have to start from scratch.
    PLEASE HELP.

    I don't know, but maybe this is the correct way to validate the user:
    NAS-ID in AP-Groups (One AP-Group per facility) must match "12345" AND Identity-Group must match "12345".
    I am confused because there is no way to compare these values.
    In this case, to compare the value of "NAS-ID" and the user's "IDENTITY-GROUP".
    If they match against each other, then "Permit-Access".

  • Change default recover document location in Powershell ISE

    Hello
    I think it is under appdata\Local\Microsoft_Corporation\ and I need to change this to the roaming part of the profile

    I'm not sure if this is actually possible or not.
    You could try a symlink and see if that does the trick.
    Don't retire TechNet! -
    (Don't give up yet - 12,950+ strong and growing)

  • ISE Authz rules with location based device

    Hi forumers,
    I have a POC situation as below:
    A policy to restrict contractors to only be able to log in to the network using AP-01
    There's no problem for me to do the authentication and authorization rules to get the contractor connected, but my challenge is how I should apply the "only able to log-in to the network using AP-01" requirement?
    My AP is a Cisco 1041 AP. What should I enable, and how, to make this happen and fulfill the requirement?
    thanks
    Noel

    It should be in the monitoring page under authentication, when you click on the magnifying glass you should be able to see the details of the attributes that are being sent.
    Or you can run a report for radius authentication and export the pdf of the authentication details.
    thanks,
    Tarik Admani

  • Intermittent AD Authentication failures in ISE 1.2

    Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran an authentication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal? Any ideas?
    Thanks
    Jef

    Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have noticed that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
    When you say Multicast to your AD...how did you check that? We do use multicast.

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. I've got 2 points I will like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and will ideally like to have just an additional ip helper to add to our switch SVI config. Also, it will appear that WLCs can only be configured for 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN into scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
    You can configure Radius and Profiling to be enabled on other interfaces
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2
    If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    –Option 12—HostName of the client
    –Option 60—The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
    On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years ago (there are more recent ones available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!
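The two DHCP options named in the reply above can be pulled out of a request's options field with a small TLV walk. This is an added example, not code from the post or from Cisco; the sample bytes are constructed and the function names are illustrative.

```python
# Parse the DHCP options field (RFC 2132 encoding) and keep the two options
# the reply says the controller forwards for profiling: 12 and 60.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
PAD, END = 0, 255
HOSTNAME, VENDOR_CLASS = 12, 60


def iter_options(options):
    """Yield (code, value) pairs; reject truncated or malformed input."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i = len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        i += 1
        if code == PAD:          # single-byte padding, no length field
            continue
        if code == END:          # end marker, stop parsing
            return
        if i >= len(options):
            raise ValueError(f"option {code} has no length byte")
        length = options[i]
        i += 1
        if i + length > len(options):
            raise ValueError(f"option {code} runs past the end of the field")
        yield code, options[i:i + length]
        i += length


def profiling_attributes(options):
    """Return the hostname and vendor class identifier, if present."""
    names = {HOSTNAME: "hostname", VENDOR_CLASS: "vendor_class"}
    attrs = {}
    for code, value in iter_options(options):
        if code in names:
            # Client-supplied bytes: decode defensively, never trust the content.
            attrs[names[code]] = value.decode("ascii", errors="replace")
    return attrs


def build_option(code, value):
    """Helper used only to construct the sample below."""
    return bytes([code, len(value)]) + value


# Constructed sample: message type 3 (DHCPREQUEST), a hostname, one pad byte,
# a vendor class identifier, then the end marker.
SAMPLE_OPTIONS = (
    MAGIC_COOKIE
    + build_option(53, b"\x03")
    + build_option(HOSTNAME, b"lab-laptop-01")
    + bytes([PAD])
    + build_option(VENDOR_CLASS, b"MSFT 5.0")
    + bytes([END])
)

if __name__ == "__main__":
    print(profiling_attributes(SAMPLE_OPTIONS))
```

Both values are set by the endpoint itself, so a profile built only on them can be imitated by any client that sends the same strings.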

  • ISE 1.2 and maximum PSNs supported in my Persona config

    Hello folks, I am putting together a medium to large distributed ISE deployment and wondered if anybody could tell me what the maximum number of PSNs are allowed under this configuration. I was reading thru an older training document with version 1.1 and it suggested only 5, which is why I am wondering if the specs changed on 1.2 but I cannot find them anywhere handy.
    I have a large VM running the PRIMARY admin persona which also is secondary for my reporting & monitoring in my main data center.
    In another state (connected with 10G) is another large VM acting as my secondary admin persona with primary monitoring & reporting.
    Across multiple states I want to have multiple PSNs across the geographical layouts of each state but I am not sure if I can scale enough PSNs with my current version of 1.2 and my persona config listed above.    I have a need for about 12 to 15 PSNs.
    Wondering if I need two more VMs to break out my monitoring as one node in DC1 and secondary monitoring in DC2 in order to get more PSN scalability.
    Any help would be greatly appreciated.
    -Thanks

    As Marvin suggested, I would look into using 1.3 at this point unless you have some specific concerns with that version and really want to stay with 1.2. With that being said, here are my recommendations/comments:
    - Both v1.2 and v1.3 can actually scale up to 40 PSN nodes
    - If any of your PSN nodes are going to be placed in the same location and are layer 2 adjacent I would recommend putting them in a node group and behind a load balancer. If you don't have a load balancer, I would still put them in a node group. At the moment a node group can have up to 10 PSNs
    - If you are going to have 10-15 PSN nodes then you should dedicate 2 nodes specifically for the monitoring persona
    - The maximum roundtrip delay between any nodes cannot exceed 200ms
    For more info you can always reference the "Network Deployment" section in the hardware installation guide for ISE:
    v1.3
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html
    v1.2
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_deploy.html
    Thank you for rating helpful posts!

  • How do I create a Repository in ISE for 1.2 upgrade?

    Hello,
    I am upgrading our 1.1.4 ISE nodes to version 1.2 in the next few weeks. Following the Cisco guide for this I should create repositories on both our admin nodes and store the upgrade file locally. These repositories cannot be created using the UI. They must be created using the CLI.
    How do I create and name the repositories so that I can ftp the upgrade file to this location?
    Thank you.

    Correct...Having the upgrade bundle in the local repository significantly reduces the time it takes to download it from the network during the upgrade process.
    You may want to go through the below listed links
    Important Notes To Read Before You Upgrade to Release 1.2
    http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html#ID50
    https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

    Hi Experts,
    I am a bit confused about the ISE distributed deployment model.
    I have two data centers: one is the DC and the other one is a DR. I have a requirement for guest access service implementation using CWA, and to get a public certificate for HTTPS to avoid certificate errors on client devices:
    How do I deploy the ISE personas for HA in these two data centers?
    After reading the Cisco doc, I understood that we can have two PANs (primary in DC and secondary in DR), likewise for MnT (monitoring will be the same as PAN). However, I can have 5 PSNs running in secondary, i.e. in the DR ISE, and I am confused about HA for PSN: since we have all PSNs in secondary, it would not work for HA if it fails.
    Can anybody suggest the best deployment solution for this scenario?
    Another doubt about the public certificate:
    Public certificate: the ISE domain must be a registered domain name, or part of one, on the Internet. For that I need the domain name being used from the customer.
    Please do correct me if I am wrong about my certificate understanding:
    Since guests will be outside users, we cannot use a certificate from an internal CA; we need to get the certificate from a service provider and install it on both ISE servers.
    Can anybody explain the procedure to opt for the public certificate for HTTPS from a service provider? And how do I install it on both ISE servers?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
    Last but not the least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different Data Centers
    Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE 1.2 patch 3 - Sponsor Portal default timezone changed to non-existent ECT

    Hi everybody,
    We've applied patch 3 to our ISE 1.2 cluster and after the upgrade all the sponsor accounts (externally authenticated on Active Directory) now have GMT +01:00 Europe/ECT as default Time Zone. Thus all the guest accounts created have the same time zone and guest authentication fails.
    This is the error from ise-console.log:
    guest:- com.cisco.cpm.guest.exceptions.PortalUserException: java.lang.IllegalArgumentException: The datetime zone id 'ECT' is not recognised
    guest:-        at com.cisco.cpm.guest.edf.GuestUserAdaptor.isAcctValid(GuestUserAdaptor.java:489)
    I checked the admin interface and the 1.2 documentation but could not find any default setting for sponsor users Time Zone
    Time zone for the 3315 is CET:
      clock timezone CET
    A workaround is to have each sponsor user update its Time Zone setting on the Sponsor Portal, but this is impractical.
    Did anybody experience the same issue?
    Regards,

    Hi Luigi Gangitano,
    From when are you experiencing this issue? I suspect this would have been an issue when the server timezones are changed from CEST timezone to CET timezone.
    To further figure out where exactly the issue is:
    1. Can you please let us know what the timezone is in the UI, in the server information section at the top right corner?
    2. Similarly, can you please check the timezone in the CLI of the Primary ISE node?
    If the above two locations are displaying the correct timezone, then we have to suspect the sponsor portal.

  • ISE 1.2 Patch 8 - Wired CoA Bug

    Hi all,
    Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).
    I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin and the same error presented this time with the ip address of the secondary admin. I then proceeded to add the admin nodes as dynamic author clients and CoA started to work properly.
    So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?

    CoA Not Initiating on Client Machine
    Symptoms or Issue: Cisco ISE is not able to identify the specified Network Access Device (NAD).
    Conditions: Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
    • 11007 Could not locate Network Device or AAA Client Resolution
    Possible Causes:
    • The administrator did not correctly configure the Network Access Device (NAD) type in Cisco ISE.
    • Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
    Resolution:
    • Add the NAD in Cisco ISE again, verifying the NAD type and settings.
    • Verify whether the Network Device or AAA client is correctly configured in Administration > Network Resources > Network Devices

    Symptoms or Issue: Users logging into the Cisco ISE network are not experiencing the required Change of Authorization (CoA).
    Conditions: Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from supported network devices.
    Possible Causes: Cisco ISE network enforcement points (switches) may be missing key configuration commands, may be assigning the wrong port (for example, a port other than 1700), or have an incorrect or incorrectly entered key.
    Resolution: Ensure the following commands are present in the switch configuration file (required on switch to activate CoA and configure the switch):
    aaa server radius dynamic-author
    client <Monitoring_node_IP_address> server-key <radius_key>
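Both conditions in the troubleshooting text above (the NAD being looked up by IP, and CoA senders needing a dynamic-author client entry) can be checked offline against a saved switch configuration. This is an added example, not code from the thread or from Cisco; the sample configuration is constructed, and the list of ISE network-device entries and the list of nodes expected to send CoA are inputs the operator supplies.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: interface names, addresses and the key placeholder are illustrative.
SAMPLE_CONFIG = """\
aaa new-model
aaa server radius dynamic-author
 client 10.10.10.47 server-key 7 REDACTED
!
interface Vlan9
 ip address 10.10.9.2 255.255.255.0
!
interface TenGigabitEthernet1/0/1
 no switchport
 ip address 10.10.1.2 255.255.255.252
!
ip radius source-interface TenGigabitEthernet1/0/1
radius-server host 10.10.10.47 auth-port 1812 acct-port 1813
"""


def sections(config):
    """Map each top-level line to the indented lines that follow it."""
    result, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if current is not None:
                result[current].append(line.strip())
        else:
            current = line.strip()
            result.setdefault(current, [])
    return result


def radius_source_ip(config):
    """Address the switch puts on RADIUS packets, or None if it is not pinned."""
    secs = sections(config)
    for top in secs:
        m = re.fullmatch(r"ip radius source-interface (\S+)", top)
        if not m:
            continue
        for child in secs.get("interface " + m.group(1), []):
            addr = re.fullmatch(r"ip address (\S+) \S+", child)
            if addr:
                return ip_address(addr.group(1))
    return None


def dynamic_author_clients(config):
    """Addresses the switch will accept CoA/POD requests from."""
    children = sections(config).get("aaa server radius dynamic-author", [])
    found = set()
    for child in children:
        m = re.match(r"client (\d+\.\d+\.\d+\.\d+)\b", child)
        if m:
            found.add(ip_address(m.group(1)))
    return found


def audit(config, ise_network_devices, coa_senders):
    """Return findings; both list arguments are supplied by the operator."""
    findings = []
    src = radius_source_ip(config)
    if src is None:
        findings.append("RADIUS source interface is not pinned or has no IP address")
    elif not any(src in ip_network(n) for n in ise_network_devices):
        findings.append(
            f"RADIUS source {src} is not defined as a network device in ISE (expect error 11007)"
        )
    missing = {ip_address(s) for s in coa_senders} - dynamic_author_clients(config)
    for ip in sorted(missing):
        findings.append(f"{ip} is not a dynamic-author client (its CoA/POD will be dropped)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["10.10.9.2/32"], ["10.10.10.47", "10.10.10.45"]):
        print(finding)
```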

  • ISE 1.2.1.198 patch 5 - Operations Authentications not loading or displaying

    Is anyone else having an issue with getting Authentications to display under operations? We were running 1.2.0.899 and started to run into a couple bugs so we upgraded to 1.2.1.198. Ever since then the Operations - Authentications have not been working right. I may occasionally see an actual authentication but not as many as I should. Most of the messages I saw yesterday pertained to radius processes already in progress from endpoint which was my wireless controller. Today I just get a loading data message at the bottom of the screen. It does not seem to be affecting system operation as users are still properly authenticating but I am unable to monitor the process or troubleshoot a user if they were to have an issue. We are on the edge of moving this into full production but really cannot until I get this resolved.
    I have a case open with TAC and their comment was that the issue of authentications not displaying was fixed in 1.2.1 and not sure what may be happening. We went ahead and applied patch 5 just in case there was something else going on. That did not fix things and it now seems to be getting worse.
    I just wanted to see if anyone else had seen this and could possibly shed some light on a resolution.
    I am running a cluster containing the following. Primary admin on a VM - two policy Services servers both on VMs - secondary admin on retired ACS 2111 appliance. All three VMs are on the same physical server. Memory utilization on the admin server is just under 50% with the Policy servers both in the 30% range. I do have one policy server that is showing authentications in the 10-12ms latency but do not think that should affect anything. The ISE cluster is also tied into our 5508 wireless controller for support of the wireless networks. I have two SSIDs in production here at corporate and trying to figure out FlexConnect for the remote locations so we can centralize everything.
    Brent

    TAC recommendation was to install patch 5 which should include patch 4 plus other things. They took logs from my servers and asked to give them a day or so to look at the issue. Today is day three with no update.
    I am going to reboot all the servers in the cluster tonight. I do not have console access to the VMs so am hoping that I can reload from the CLI and accomplish the same thing rather than just reload the services.
    I tried a wired connection this morning and it popped into the authentications report but will have to test to make sure it repeats.
    What is mostly in the log is simply the reports of the supplicant stopped responding to ISE. I know, though, that I have at least 5 people that are connected via wireless. Here is a sample of what is in the log.
