ISE 1.3 MaaS360

Similar Messages

• ISE 1.3 and NAC

  I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
  They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
  Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
  Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support
  Thanks for any advice/comments/experiences
  Jim

  Hi Jim-
  Version 1.3 offers a built-in PKI and vastly improved guest services experience. The internal PKI is nice if the customer doesn't have an PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow" So you cannot use the ISE PKI to issue certs to domain computers.
  With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
  I hope this helps!
  Thank you for rating helpful posts!

• ISE 1.3 and Instant Access "Limited support"

  Hello
  The Cisco 1.3 compatability matrix http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.pdf indicates that "Limited support, some functionalities are not supported" applies to ISE 1.3 Profiling when using Cat 6848ia switches.
  Can anyone tell me which Profiling functionalities aren't supported when using ISE 1.3 Profiling and 6848ia switches?
  Thanks
  Andy

  Hi Jim-
  Version 1.3 offers a built-in PKI and vastly improved guest services experience. The internal PKI is nice if the customer doesn't have an PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow" So you cannot use the ISE PKI to issue certs to domain computers.
  With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
  I hope this helps!
  Thank you for rating helpful posts!

• Cisco ISE to block jailbroken or android specific versions

  We have Cisco ISE deployed with Advanced subscription license. Is it possible to block IOS jailbroken devices and android devices with older OS version (or rooted) from joining the wireless network.

  You cannot do that with ISE alone. You will need to purchase a supported MDM solution (Airwatch, MobileIron, Maas360, etc) and integrate that with ISE. The MDM can then be queried by ISE and check for things like rooted device, PIN, encryption, etc
  Thank you for rating helpful posts!

• Logical Profiles in ISE 1.2.1

  I´m having trouble understanding the Logical Profiles. 
  What I understand from the user guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#58510
  for those to lazy to read: 
  You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple condition for authorization, which can be included in the authorization rule. The attribute-value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which can be found in the EndPoints systems dictionary.
  so I thought that meant that I can group Different Profiles (Apple Iphone, Ipad, Ipod) together into a logical group e.g. "BYOD_Idevice" and use this logical profile in the Authorization. 
  But I can´t choose this freshly created Logical Group in the Authorization Condition. As for the fact, I can´t choose this logical group ANYWHERE. 
  Leaning back and thinking about it - it somehow makes sense. In the Authorization, you don´t pick Profiles, you choose Identity endpoints. So whats the point about the logical profiles? I was hoping to clean/lean up my authorization rules with them. But for what would I use them else? 
  Or is this a bug in ise 1.2.1? Not sure if I should call tac about this, or if I´m just not getting it :D
  Thanks alot for your help!  

  Nice username! :)
  So yes, you are correct, the logical profiles would allow you to group different type of dynamically profiled devices and then reference that profile in your authorization rules. However, you won't see those logical profiles under the "Identity Group Details" section. You will need to leave that field blank. Instead, you need to look in the "second" condition box: expression > Endpoint > LogicalProfile
  Hope this helps!
  Thank you for rating helpful posts!

• Can't install the software for the Brother MFC-9440CN because it is not currently available from the Software Update server....how do I get the driver then..it ised to work in my old mac..but cant print to it in my new unit

  Can't install the software for the Brother MFC-9440CN because it is not currently available from the Software Update server....how do I get the driver then..it ised to work in my old mac..but cant print to it in my new unit

  Download the Brother Mountain Lion drivers here.

• Caching credentials for webauth in ISE 1.2?

  We are providing internet access through a Guest portal. The portal is provided by the ISE through webauth and the user is created through the ISE Sponsor Portal.
  When an account is created and the enduser logs in to it, I would like for the ISE to cache the credentials for that user for a period of time; at least 1 or more days before it prompts them to log back in again. Right now, if a user disconnects for a short period and then goes to reconnet, it prompts for the username/password again.
  Where (and how) in the ISE do you configure that?
  Thank you.                  

  Thanks for the quick reply Charles. I am reading through the details of it now.
  It looks like DRW basically registers the MAC of a connecting device in an identity store and then allows that device to connect. Does it still match the MAC to a guest user so that we can set time profiles against it and does it expire like the guest accounts do?
  Any ETA on the release of ISE 1.3?

• Intermittent AD Authentication failures in ISE 1.2

            Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal?  Any ideas?
  Thanks
  Jef

  Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
  When you say Multicast to you AD...how did you check that? We do use multicast.

• Double lookup possible in ISE 1.2 ?

  I want to do MAB on a certain SSID and authenticate and register devices used in the SSID.
  I managed to do that. If not "RegisteredDevice" then redirect to a portal where users can login with AD account and register there devices.
  After registration, the device MAC is added to "RegisteredDevices" and the endpoint is profiled.
  The ISE database contains an endpoint profile and this profile contains the propertie "BYODRegistration" = yes and "PortalUser" = the AD account xxx@ADdomain.
  Now i want to link the state of the AD account to the database. When the user account is locked/expired/disabled, the device should be refused.
  I wonder if it is possible to do the following:
  MAB authentication occurs -> lookup MAC address in Registered Devices (=OK), lookup "Portal User" of device -> Query AD for this user, get property "UserAccountControl". Based on this property, i can determine if account is still active. If yes -> allow access. If not -> refuse access, even if device is in "RegisteredDevices".
  When i troubleshoot however, i notice that -when using MAB- ISE is trying the MAC address as username against AD and gets returned: "Unknown User", of course. Is there a way to use the linked "PortalUser" as username against AD instead of MAC address ?
  [NOTE: i am fully aware that the proper way of doing this is through Client Provisioning and Certificates with a second SSID using 802.1x to authenticate certificates, but for now, i want to prevent pushing anything to the clients.......]

  Too bad.
  I wish Cisco had implemented a property like this: RegisteredDevices:PortalUser:IdentityAccessRestricted
  (i am assuming PortalUser is an AD account here). Maybe a PER can help.....

• Max authz rules in ISE 1.2 ?

  Hi All,
  Is there any doco on what the current limit is on Auth Z rules in ISE 1.2
  I have read 1.1.x had a limit of 140 authz rules.
  I am also considering using policy sets if that increases the total authZ rules.
  Cheers

  Peter,
  Here are the numbers for both 1.1.x and 1.2.  Hope this helps.
  * ISE 1.1.x
  # ISE 1.2
  Authentication Policy Rules
  * 50
  # 400
  Conditions Per AuthC Policy Rule
  * 3
  # 8
  Authorization Policy Rules
  *140
  # 600
  Authorization Identity Groups
  * 20
  # 1000
  Conditions per AuthZ Policy Rule
  *6
  # 8
  Authorization Profiles
  * 30
  # 600
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Bug CSCup27305 in ISE 1.2.1.198 patch3

  Hi guys,
  I´m hitting bug CSCup27305 in version ISE 1.2.1.198 patch3 but cant find a fix version.
  Do you know what version can be applied, so DACL can start with permit IP Host 2.2.2.2 Host 1.1.1.1 = is NOT ok!
  Thanks a lot for your help.
  Erick Flamenco

  It is not resolved in any shipping version and will currently be in first release that ships post 1.3
  Note that this issue impacts DACL validator functionality in that does not detect the invalid DACL as it should but does not impact any end to end functionality and so may not get priortized for any earlier patch

• Authentication Combination in ISE 1.2

  Is it possible to have dual authentication using workstations auth certs and Windows domain credentials for authentication in ISE 1.2?                  

  Hi Kevin,
  This would be a client side configuration.
  What type of authentication is this?
  VPN? wired or wireless dot1x?
  **Share your knowledge. It’s a way to achieve immortality.
  --Dalai Lama**
  Please Rate if helpful.
  Regards
  Ed

• Logical Profiles in ISE 1.2

  I created a logical profiles group that is assigned with the Apple-ipad, Apple-iPhone and Apple-iDevice policies. Now ISE will not update the feed policies for the three devices. This is the message that I recieved from ISE when it does it Feed Polices update, I use the logical profiles group matching for authentication and authorization. Is there any way for me to update these feed polices? Thanks for the help!!
  Feed Version 1 policies downloaded.
  Total number of feed polices to apply are 3.
  Feed policies total 3 skipped.
  Feed policies warning message : Apple-Device has been changed by admin.
  Apple-Device:Apple-iDevice has been changed by admin.
  Apple-Device:Apple-iPad has been changed by admin.

  Hello Toua,
  Please Verify switch configuration for those network segments where endpoints are not being appropriately profiled to ensure that:
  •The required information to profile the endpoint is being sent to Cisco ISE for it to profile.
  •Probes are configured on the network Policy Service node entities.
  •Verify that packets are received at the Cisco ISE profiler module by running the tcpdump function at Operations > Troubleshoot > Diagnostic Tools > General Tools > Tcpdump.
  Note If you are observing this issue with endpoints on a WAN collected by HTTP, Netflow, and NMAP, ensure that the endpoint IP address has been updated with a RADIUS/DHCP Probe before other attributes are updated using the above probes
  For more information, please visit the following link:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#wp192504

• ISE 1.2 patch 4 not retrieving groups

  Since the update to ISE 1.2 patch 4 it isn't possible anymore to retrieve groups or attributes from the active directory. It keeps loading.
  Anyone else experiencing this issue?           
  Regards,
  Mathieu

  The issue you are referring to is documented in the following CDETS:
  CSCul84544: Retrieval of AD groups or attributes is failing
  This is not yet resolved. May be resolved in a future patch
  The workaround given in the CDETS is
  Fix the DNS server so that the reverse DNS lookup matches
  I believe there are other steps that can be taken to mitigate this but would need intervention from TAC

• ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

  We are running cisco ISE 1.2, we have new AD domain with forest trust relation between both the new and the old. authentication to with the new domain fails.
  Is there any requirements or configurations change needs to be done to make it success?

  Use the license that is currently on your ISE.  If your account has access to download the software, then you are good.  The license will not change during the upgrade.  If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus?Apex Licensing model. 
  If you are not yet on Patch 8, the you are using Base/Advanced and these will be converted during the upgrade.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton