ISE 1.3 posture discovery issue
Dear All :
I have an issue with my ISE 1.3: I can not find the option "posture discovery" in my authorization profile. The option should be found under
"Web Redirection (CWA, DRW, MDM, NSP, CPP)", where I should also find PD (posture discovery). Because of this I can not make my client download the NAC agent, so I am stuck
in the unknown state. In version 1.1 it was under the web authentication option by the same name, PD. Can anyone help please?
Create AnyConnect and Cisco NAC Agent Profiles
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010110.html
Similar Messages
-
ISE 1.2 Posture Update Issue
In ISE 1.2 below message is showing when we do a web posture update either manual or automatic.
"Remote address is not accessible. Please make sure update feed url, proxy address and proxy port are properly configured".
It was working fine for a long time and all of a sudden it stopped working,
and no changes have been made on the network side.
https://www.cisco.com/web/secure/pmbu/posture-update.xml is working in the browser.
A few customers have reported the same. Boxes are installed with the latest patch, version 7.
We can upload the updates through offline mode.
I have experienced the same issue. Both the posture update feed URLs
1. https://www.cisco.com/web/secure/pmbu/posture-update.xml
2. https://www.perfigo.com/ise/posture-update.xml
give the same error, when the ISE boxes try to do the updates. But these URLs are accessible from outside.
A TCP dump taken from a box shows a "Certificate unknown Alert" (when it tries to update) for the certificate received from the other end. Then the ISE box sends a (FIN,ACK) and terminates the session.
The relevant pcap file is attached -
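The "Certificate unknown Alert" seen in the TCP dump is the TLS alert the ISE node itself sends when it cannot validate the feed server's certificate against its own trusted-certificate store, so the thing to inspect is the trust store on the ISE side (and the chain the feed server presents), not the feed URL, which the browser on another machine trusts fine. As an added example, not code from the post or from Cisco, the following Python decodes TLS alert records from a raw byte stream so an analyst can confirm which side of a capture sent the alert and what it means; the byte strings are constructed for the example, not taken from the attached pcap.

```python
import struct

# TLS alert codes from RFC 5246 section 7.2; only the descriptions a
# trust-store problem is likely to produce are listed here.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
}
CONTENT_TYPE_ALERT = 21

# What each certificate alert tells a defender about the *sender's* view of the peer.
MEANING = {
    "certificate_unknown": "sender could not validate the peer certificate: "
                           "check the sender's trusted-CA store and the chain the peer serves",
    "unknown_ca": "the issuing CA is not in the sender's trust store",
    "certificate_expired": "the peer certificate is outside its validity period",
    "bad_certificate": "the peer certificate failed signature or format checks",
}


def parse_tls_records(stream):
    """Yield (content_type, (major, minor), payload) for each complete TLS record.

    A record is a 5-byte header (type, version, length) followed by `length`
    bytes of payload.  A truncated final record is dropped, not mis-parsed."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) < length:
            break
        yield ctype, (major, minor), payload
        offset += 5 + length


def decode_alerts(stream):
    """Return [(level, description), ...] for every alert record in the stream.

    An alert sent after ChangeCipherSpec is encrypted and longer than 2 bytes;
    it is reported as ("encrypted", "unknown") since only the endpoints' keys
    could decode it."""
    alerts = []
    for ctype, _version, payload in parse_tls_records(stream):
        if ctype != CONTENT_TYPE_ALERT:
            continue
        if len(payload) != 2:
            alerts.append(("encrypted", "unknown"))
            continue
        level, desc = payload[0], payload[1]
        alerts.append((ALERT_LEVELS.get(level, f"level-{level}"),
                       ALERT_DESCRIPTIONS.get(desc, f"description-{desc}")))
    return alerts


def explain(alerts):
    """Map decoded alerts to a one-line interpretation for the analyst."""
    return [MEANING.get(desc, f"{level} {desc}") for level, desc in alerts]


# Constructed sample stream: a TLS 1.0 handshake record (ServerHelloDone)
# followed by the fatal certificate_unknown alert (level 2, description 46)
# that the ISE node would send before closing the session.
ISE_TO_FEED = bytes.fromhex("16030100040e000000") + bytes.fromhex("1503010002022e")

if __name__ == "__main__":
    decoded = decode_alerts(ISE_TO_FEED)
    for (level, desc), why in zip(decoded, explain(decoded)):
        print(f"{level} {desc}: {why}")
```

Run it against the bytes of the alert record extracted from the capture (Wireshark: right-click the TLS record, "Export Packet Bytes"); because the alert is sent by the node that failed validation, a certificate_unknown alert travelling from the ISE box to the feed server points at the ISE trust store.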
Cisco ISE 1.2.1 deployment issue with AnyConnect and Profiling
Hi All,
We are running a Cisco ISE box on version 1.2.1 where I am facing the below issue during deployment. We have two ISE boxes, where one box acts as Primary Admin, Secondary MNT and Policy Service and the second box acts as Secondary Admin, Primary MNT and Policy Service.
1) Profiling of Endpoints - HP LaserJet printer 55XX series and scanner profiling are not happening in Cisco ISE 1.2.1, although I have enabled the below probes in ISE for profiling:
RADIUS Probe
SNMP Probe, SNMP Trap, HTTP Probe and DNS
2) AnyConnect issue - We are using the AnyConnect supplicant 3.0.11042 for wired and wireless user profiles on Windows 7 Enterprise 32-bit machines
- Yellow mark issue - Once authentication and posturing are completed we get a yellow mark on the network drive, but we are still able to connect to the network
- Network Map Drive issue - Once authentication and posturing are completed we get a red cross mark on the mapped network drive; if we double click on that drive then it becomes accessible and the red mark turns into green.
For that we have already allowed IP level access to all domains in the before-logon dACL (Machine authentication).
It would be really great if anyone can help me with the same.
Thanks & Regards
Pranav
Hi Pablo,
Please find below the solutions
Yellow mark issue - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This service is by default disabled on Windows XP and Windows 8.X operating systems. It is only enabled by default on Windows 7 and Windows Vista operating systems.
Network Map Drive issue - Create a logon script and deploy it using group policy. The script will check full network connectivity and then map the network drives.
Regards
Pranav -
ISE 1.2 Sponsor Portal issue
Hi
we have an ISE version 1.2 installation and are trying to customise the Sponsor Portal login page to show the Terms and Conditions for staff when accessing the page, by using the display pre-login banner under the sponsor portal theme settings.
We have added the text for both pre and post login banners and have selected the check boxes for both, but for some reason when saved the text does not display and the check boxes show as being unchecked when going back to the page. Is this a bug?? I have reset to factory defaults and retried but it is still not working.. any help would be appreciated
It may be a browser issue. Please check the supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals:
These Cisco ISE portals support the following operating system and browser combinations. These portals require that you have cookies enabled in your web browser.
Table 8 Supported Operating Systems and Browsers
Supported Operating System / Browser Versions
Google Android 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2
• Native browser
Apple iOS 6, 5.1, 5.0.1, 5.0
• Safari 5, 6
Apple Mac OS X 10.5, 10.6, 10.7, 10.8
• Mozilla Firefox 3.6, 4, 5, 9
• Safari 4, 5, 6
• Google Chrome 11
Microsoft Windows 8
• Microsoft IE 10
Microsoft Windows 7
• Microsoft IE 9
• Mozilla Firefox 3.6, 5, 9
• Google Chrome 11
Microsoft Windows Vista, Microsoft Windows XP
• Microsoft IE 6, 7, 8
• Mozilla Firefox 3.6, 9
• Google Chrome 5
Red Hat Enterprise Linux (RHEL) 5
• Mozilla Firefox 3.6, 4, 5, 9
• Google Chrome 11
Ubuntu
• Mozilla Firefox 3.6, 9 -
Cisco ISE 1.3 Active Directory issue
Hi Folks
I am having an issue with our Cisco ISE and would love some feedback or a solution. I have the ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD, retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration > Identity Management > External Sources' page and select our AD instance from the left hand side window, the screen locks up and refuses to load. Any advice?
hi
i also had this issue (and one of my colleagues also) when using Firefox (versions 34 and 35)
i managed to create the AD server using IE 10 for example, and afterwards it appears correctly with Firefox
it was before ise1.3 patch 1, but i have seen no corrected issue in the patch 1 release notes for this problem
guillaume -
ISE 1.3 MyDevices Portal issue: You are not owner of this device
Hello there,
I'm facing an issue with MyDevices portal.
The BYOD On-Boarding registration works pretty good, and the users get access to the network as they have to do.
However, when the user accesses the MyDevices portal, some registered devices (which already have access to the network) are shown as in "Pending" state. But I don't think that could be an issue, because the users can connect any time and get access to the network normally.
The problem is: when the user tries to edit or change the state of the device (mark as Lost, Stolen or Delete), they get the error message "You are not owner of this device; it belongs to someone else. Contact the help desk if you need assistance".
P.S.: the users are always facing this error message, regardless of whether the device is in pending or registered state.
Has someone faced a problem like this, or have an idea to help me solve it?
Thanks in advance.
Error message attached.
robertbrink1,
I've tried to reproduce the problem in my lab environment, however everything has worked perfectly. So I'm guessing this issue may be related to the ISE being implemented in a Distributed Deployment, because the real implementation I'm working on is a Distributed Deployment and the LAB I tested is Standalone.
So, for the next steps I'll replicate the tests on a Distributed deployment.
Thanks in advance,
Paulo -
Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?
In a distributed ISE deployment with regional intermediate CAs, I am getting failed authentication due to "EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain". Client devices have only one client certificate, issued from the regional intermediate CA. When a client device goes across the region, it can't authenticate and gets this "unknown CA" error. The admin node has the certificates of all intermediate CAs and the root CA.
One possible solution is to add the intermediate CA certificates to all regional Node groups, but apparently it is not possible on ISE policy nodes.
Have a look at the diagram below and let me know what you think (Client authentication failure at both location 1 and 3).
Thanks Jan for the reply. And the short answer is Yes ....
we have identified the issue and it has been resolved now. It was down to corruption of one of the certs on the primary admin.
It was only identified after going through the debug logs in prrt. Verification was done by exporting that particular cert and analyzing it. Don't know how it got corrupted, but it did.
In the CA cert section on the primary admin node, it was displaying correct values like issue date etc., but when it was exported for analysis, I couldn't open it.
So the moral of the story is that someone thought that they needed to put a status field against every cert on ISE, but it wasn't decided how to check its status - no offence. -
ISE Distributed System - AD join issue
Hi,
We have deployed 04 ISE nodes in the following scenario. (ISE ver 1.1.2.245)
1 ISE - Primary (A) Secondary (M)
2 ISE - Primary (M) Secondary (A)
3 ISE - Policy Service (PDP)
4 ISE - Policy Service (PDP)
When integrating with AD, we can only integrate the 1 ISE node. NTP, Timezone, DNS are working on all 04 boxes perfectly. We are getting the attached error while integrating AD with the other ISE nodes.
In the above scenario, which ISE nodes should have AD joined: only the PDPs, or should all 04 nodes be joined..?
Can someone please advise. Please see the attached screen prints for the deployment and the detailed error while joining to AD.
Thanks in advance.
Hi Neno,
Below are the debug logs for AD joining. I can see the below two issues, but don't know how to find the solution..
•1) (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
•2) SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state ProbePorts complete for hqv-dcs-02.xxx.gov.qa. Elapsed time 0.014737 secs
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.kerberos.keytab GetSaltFromKDC returns: xxx.GOV.QAAdmin-Asif
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.aduser getSalt update: user:[email protected] salt:xxx.GOV.QAAdmin-Asif
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Performing LDAP binding with GSSAPI mechanisms to server - hqp-dcs-01.xxx.gov.qa
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=Kerberos : SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm" (reference base/adbind.cpp:495 rc: -1765328228)
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST:reportFailure: hqp-dcs-01.xxx.gov.qa
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DIAG base.bind.ad connectToServiceInDomain: Failed to connect to hqp-dcs-01.xxx.gov.qa:389: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _ldap._tcp.xxxsite._sites.xxx.gov.qa
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Attempting to connect to a DC in site 'xxxsite'
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Connecting to hqv-dcs-02.xxx.gov.qa:389
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DIAG base.bind.ldap 10.0.11.52:389 fetch dn="" filter="(objectclass=*)" timeout=11
Mar 3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG lrpc.adobject new object:
Mar 3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Connected root=DC=xxx,DC=gov,DC=qa, domain=xxx.GOV.QA functionality=3
Mar 3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Address of hqv-dcs-02.xxx.gov.qa is 10.0.11.52
Mar 3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Performing LDAP binding with GSSAPI mechanisms to server - hqv-dcs-02.xxx.gov.qa
Mar 3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
Mar 3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
Mar 3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=Kerberos : SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm" (reference base/adbind.cpp:495 rc: -1765328228)
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST:reportFailure: hqv-dcs-02.xxx.gov.qa
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad connectToList: Failed to connect to hqv-dcs-02.xxx.gov.qa:389: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=LDAP : reconnect failed (reference base/adbind.cpp:785 rc: -11)
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Destroying binding to 'xxx.GOV.QA'
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting zonename to
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting schema to
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting zone to
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting domaincontroller to
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting site to
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting domain to
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting prew2k.host to
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting host to
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG cli.adjoin Unexpected LDAP Error Connect error
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG cli.adjoin due to unexpected configuration or network error.
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG cli.adjoin Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting host to
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting prew2k.host to
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: INFO cli.adjoin Join to domain 'xxx.gov.qa', zone 'null' failed.
Mar 3 09:54:23 xxx-TW-ISE-2 adinfo[27666]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:23 xxx-TW-ISE-2 adinfo[27666]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:23 xxx-TW-ISE-2 adinfo[27668]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:23 xxx-TW-ISE-2 adinfo[27668]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:33 xxx-TW-ISE-2 adinfo[28164]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:33 xxx-TW-ISE-2 adinfo[28164]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:44 xxx-TW-ISE-2 adinfo[28172]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:44 xxx-TW-ISE-2 adinfo[28172]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:54 xxx-TW-ISE-2 adinfo[28900]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:54:54 xxx-TW-ISE-2 adinfo[28900]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:55:05 xxx-TW-ISE-2 adinfo[28905]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:55:05 xxx-TW-ISE-2 adinfo[28905]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:55:16 xxx-TW-ISE-2 adinfo[28907]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:55:16 xxx-TW-ISE-2 adinfo[28907]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:55:27 xxx-TW-ISE-2 adinfo[28911]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:55:27 xxx-TW-ISE-2 adinfo[28911]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:55:38 xxx-TW-ISE-2 adinfo[28913]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:55:38 xxx-TW-ISE-2 adinfo[28913]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:55:49 xxx-TW-ISE-2 adinfo[28920]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:55:49 xxx-TW-ISE-2 adinfo[28920]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:56:00 xxx-TW-ISE-2 adinfo[28988]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:56:00 xxx-TW-ISE-2 adinfo[28988]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:56:11 xxx-TW-ISE-2 adinfo[29010]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2) -
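The debug output above is long but carries only a few distinct facts: the LDAP connection on port 389 to a DC succeeds ("Connected root=DC=xxx,DC=gov,DC=qa"), every GSSAPI bind then fails with "Cannot contact any KDC for requested realm", the SRV names the joiner looked up are visible, and the many "Cannot open file /var/centrifydc/kset.*" lines are missing cached-settings files rather than the cause. As an added example, not code from the poster or from Cisco, the following Python triages an adjoin log of this shape so the Kerberos finding is not lost in the repetition; the sample lines are a constructed subset modelled on the log above.

```python
import re

# Constructed subset of an adjoin debug log, modelled on the lines posted above.
SAMPLE_LOG = """\
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar 3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
Mar 3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Performing LDAP binding with GSSAPI mechanisms to server - hqp-dcs-01.xxx.gov.qa
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=Kerberos : SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm" (reference base/adbind.cpp:495 rc: -1765328228)
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST:reportFailure: hqp-dcs-01.xxx.gov.qa
Mar 3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _ldap._tcp.xxxsite._sites.xxx.gov.qa
Mar 3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Connected root=DC=xxx,DC=gov,DC=qa, domain=xxx.GOV.QA functionality=3
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=Kerberos : SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm" (reference base/adbind.cpp:495 rc: -1765328228)
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST:reportFailure: hqv-dcs-02.xxx.gov.qa
Mar 3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: INFO cli.adjoin Join to domain 'xxx.gov.qa', zone 'null' failed.
"""

# syslog-style prefix: timestamp host process[pid]: LEVEL module message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<level>\w+) (?P<module>\S+) (?P<msg>.*)$"
)


def parse_line(line):
    """Return the line's fields as a dict, or None if it is not an adjoin log line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage_adjoin(log_text):
    """Collapse an adjoin debug log into the handful of facts that matter."""
    summary = {
        "kdc_errors": 0,          # Kerberos "Cannot contact any KDC" failures
        "failed_dcs": [],         # DCs the joiner gave up on (NST:reportFailure)
        "srv_queries": [],        # DNS SRV names looked up for KDC/LDAP discovery
        "ldap_connected": False,  # an LDAP connection to a DC succeeded
        "join_failed": False,
        "missing_kset_files": 0,  # cached-settings files absent before a join
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if "Cannot contact any KDC" in msg:
            summary["kdc_errors"] += 1
        elif msg.startswith("NST:reportFailure:"):
            dc = msg.split(":", 2)[-1].strip()
            if dc not in summary["failed_dcs"]:
                summary["failed_dcs"].append(dc)
        elif rec["module"] == "dns.findsrv":
            name = msg.split(":")[-1].strip()
            if name not in summary["srv_queries"]:
                summary["srv_queries"].append(name)
        elif "kset." in msg and "No such file" in msg:
            summary["missing_kset_files"] += 1
        elif msg.startswith("Connected root="):
            summary["ldap_connected"] = True
        elif rec["module"] == "cli.adjoin" and "failed" in msg:
            summary["join_failed"] = True
    return summary


def diagnose(summary):
    """Turn the summary into findings, saying only what the log can show."""
    findings = []
    if summary["kdc_errors"] and summary["ldap_connected"]:
        findings.append("LDAP (TCP 389) to the DC works but Kerberos does not: "
                        "check TCP/UDP 88 from this node to the DCs and the "
                        "_kerberos._tcp SRV records for the site")
    if summary["failed_dcs"]:
        findings.append("DCs that failed the GSSAPI bind: " + ", ".join(summary["failed_dcs"]))
    if summary["missing_kset_files"] and not summary["kdc_errors"]:
        findings.append("only missing /var/centrifydc/kset.* files seen; these are "
                        "cached join settings and on their own are noise")
    return findings


if __name__ == "__main__":
    result = triage_adjoin(SAMPLE_LOG)
    print(result)
    for finding in diagnose(result):
        print("-", finding)
```

Feed it the full log from the node that fails and compare against the same command run on the node that joined successfully: if the failing node sees the same SRV answers but still cannot reach a KDC, the difference is on the path (port 88 filtered, or the node's own DNS/site placement), not in AD.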
ISE 1.3 Upgrade LDAP Issue
We recently upgraded to 1.3 and everything seems fine, except that we noticed that the Catalyst switches we use AD authentication through ISE for stopped dropping us automatically into enable mode. I did rejoin the device to AD as required post upgrade and have since unjoined and rejoined. When I run the test user option for the AD Identity store I get an error saying it's unable to fetch LDAP attributes, see attached. There is also a similar error in the syslog any time a user logs into the switch. I went back over the syslogs and these errors were not happening until the upgrade. I am assuming this somehow correlates to my issue. Has anyone else experienced this post upgrade? Thanks.
Are you using LDAP or native AD join?
There are some issues with LDAP and quotes in the group names, which is not supported. I have also had issues with 1.3 and commas in user names, so something like "Doe, John" is not possible as the name of a user in AD.
As for native AD, i have not had any issues with ISE 1.3 -
ISE and Windows CA cert issues during TLS
Hi All,
We are having some issues when doing EAP-TLS during onboarding. The setup is to have a single SSID network. Clients initially get connected via PEAP and after onboarding it is EAP-TLS. The environment is a 2 tier CA hierarchy having a root CA (offline) and an intermediate CA (this is the AD domain enterprise CA and SCEP server). The ISE cert was signed by the intermediate CA for HTTPS and EAP. I also imported the certificate chain from the intermediate CA into the ISE cert store (converted from .p7b to .der). It also has the SCEP RA certificate, and SCEP communication between ISE and the SCEP server looks OK.
The issue is during the onboarding process (tested with Windows XP): after the redirection to the guest portal, the Windows SPW wizard starts and prompts to confirm the user certificate. This keeps on prompting after 'ok' is clicked and does not proceed further. The 'view certificate' shows the following error: "The issuer of this certificate is not found". ISE shows the following errors in the authentication details (jpg attached). The Windows SPW logs show that it keeps on retrying authentication.
The issuer of the client cert, which is the intermediate CA cert, is already in the ISE certificate store. Therefore shouldn't the client get this issuer CA's details from ISE, and shouldn't ISE be able to authenticate the client during onboarding to start the TLS connection? Do we have to import separate certs for the root CA and intermediate CA into the ISE store instead of the chain?
Has anybody had this issue with ISE in a hierarchical CA environment?
Thanks in advance.
Review this link
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1044440 -
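Both this thread and the "Distributed ISE & Distributed PKI" thread above come down to the same check: the node validating a certificate walks from the presented leaf through its issuers until it reaches a self-signed CA it already trusts, and "unknown CA" (or "The issuer of this certificate is not found") means that walk stopped at an issuer name that no certificate in that node's store matches. As an added example, not ISE's or Windows' validation code, the following Python models that path-building step with a deliberately minimal certificate stand-in (subject and issuer names only; no signatures, validity dates or revocation) so you can see which node's store is missing which CA. The PKI, the node names and the per-node stores are constructed to mirror the regional-CA deployment described in the EAP-TLS post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate holding only what path building needs.
    Real validation also checks signatures, validity, key usage and revocation."""
    subject: str
    issuer: str
    is_ca: bool = False

    @property
    def self_signed(self):
        return self.subject == self.issuer


def build_chain(leaf, store, max_depth=8):
    """Build a path from `leaf` to a trust anchor using the CA certs in `store`.

    Returns (chain, missing_issuer).  missing_issuer is None when the chain ends
    in a self-signed CA that is itself in the store; otherwise it is the issuer
    DN that no store entry matches, which is the condition a RADIUS server
    reports as 'unknown CA in the client certificates chain'."""
    anchors = set(store)
    by_subject = {c.subject: c for c in store if c.is_ca}
    chain, current = [leaf], leaf
    for _ in range(max_depth):
        if current.self_signed:
            return chain, (None if current in anchors else current.subject)
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return chain, current.issuer
        chain.append(issuer)
        current = issuer
    return chain, current.issuer  # depth exceeded (cross-signing loop): unverifiable


def check_everywhere(client_cert, stores):
    """Run build_chain against each node's store; returns {node: missing_issuer}."""
    return {node: build_chain(client_cert, store)[1] for node, store in stores.items()}


# Constructed PKI modelled on the EAP-TLS post: one offline root, one issuing
# CA per region, and a client certificate issued by the region-1 CA.
ROOT = Cert("CN=Corp Root CA", "CN=Corp Root CA", is_ca=True)
REGION1_CA = Cert("CN=Region-1 Issuing CA", "CN=Corp Root CA", is_ca=True)
REGION3_CA = Cert("CN=Region-3 Issuing CA", "CN=Corp Root CA", is_ca=True)
CLIENT = Cert("CN=laptop-42.corp.example", "CN=Region-1 Issuing CA")

# Hypothetical per-node trust stores: only the node at location 1 holds the
# regional CA that issued CLIENT; the admin node holds every CA.
PSN_STORES = {
    "psn-location-1": {ROOT, REGION1_CA},
    "psn-location-3": {ROOT, REGION3_CA},
    "admin-node": {ROOT, REGION1_CA, REGION3_CA},
}

if __name__ == "__main__":
    for node, missing in check_everywhere(CLIENT, PSN_STORES).items():
        print(node, "OK" if missing is None else f"unknown CA: {missing}")
```

The same model explains the Windows-side prompt in this thread: the supplicant validating the server certificate walks the chain ISE presents during the handshake, so the intermediate must be served by (or already trusted on) the client as well as imported on ISE.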
Cisco ISE & 3750 Switch MAB configuration Issue
Hi,
I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication and, according to the MAC, ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server is up again I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why does that not happen??? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again.
Here is the test switch configuration:
interface FastEthernet0/22
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 11
authentication event server alive action reinitialize
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
snmp-server community ISE-Test RO
snmp-server community ISE-Test1 RW
snmp-server trap-source FastEthernet0/24
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
Thank you in advance! I hope that this issue might be interesting!
Martin
Can you confirm that you have the following syntax in your NAD:
aaa server radius dynamic-author
client 192.168.98.10 server-key AAA_Secret
Also, it would be nice to have the complete aaa/radius config. If easier, post your whole config here.
Last but not least, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1x -
ISE 1.1.1 Certificate Issue
I have an ISE deployment of two nodes. I generated a CSR, self signed it and bound it in the ISE. It was working fine. Now I wanted to change the certificate to a new authority. I took the same CSR and signed it with a different authority. But after uploading it to the ISE and deleting the old one, I'm still getting the same certificate when I do HTTPS. I deleted the old certificate from the secondary node also and rejoined it. I even restarted the ISE appliance but am still getting the old certificate from the primary node.
Is this a bug or do I need to change something? I have already selected the new certificate for HTTPS and EAP authentication.
Thanks,
Zohaib
@bikespace
I checked all the locations in the primary and secondary node but couldn't find the old one. After I deleted the old one, I did stop, start the ISE app but same problem.
@Neno
That's what I did at the start: I didn't delete the old one, just overrode it with the new one and stop/started the ISE app. It was still giving me the old cert, that's why I deleted it.
It seems like the old cert is stored somewhere on the disk, which is of course not accessible. My last option would be to backup and factory default both boxes, restore and generate new certificates, since the backup doesn't back up certs.
Thanks,
Zohaib -
Hi All,
We are planning to take the ISE SNS-3415-K9 appliance for 2500 wireless end points.
Can you please guide me how to take the license? Are Base licenses really required for wireless end points??
Your early response will be highly appreciated.
Regards,
Satish.
If you are purchasing a Wireless license then a Base license is not required; it would support the below services
Device onboarding/provisioning
AAA
Guest provisioning
Link encryption policies
Device profiling and feed service
Host posture
Cisco Security Group Access
Integrated vendor MDM support
Refer : http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.html -
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have the built-in Windows XP supplicant and a 2960 Cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as the External Identity Source. Also I applied an authorization profile with a DACL.
I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
I tried to reboot the switch and PC, but it didn't help. Only rebooting ISE helps. After the ISE reboot, authentication and authorization start to work properly for several hours.
I don't understand: is it a glitch, or did I misconfigure ISE, the switch or the supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1888913408
revocation-check none
rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
ip address 172.16.0.204 255.255.240.0
no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
deny icmp any host 172.16.0.1
permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
end
Yes. Tried that (several times), didn't work. 5 people in my office, all with version 6.0.1, couldn't access their Gmail accounts. Kept getting an error message that the username and password were invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain, and that did the trick. Think there is an issue with imap.gmail.com and iOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.
-
IP phone and PC VLAN security issue - ISE 1.0
Hello there.
We are about to implement IP phones on our current network, and during testing I have found 2 issues.
1- The IP phone connects to a protected port using ISE MAB authentication for the data network.
The voice VLAN is set up statically on the port. The PC VLAN is given by ISE profiling.
The issue is that once the PC connects to the VLAN it belongs to through the IP phone, it leaves that VLAN open on that port, which means that if I connect another PC it will get the original VLAN the port had opened up the connection with. This is a big security issue, as computers that should not be allowed on specific VLANs can access them this way.
2- Once the connection is up and running on the port for both the phone and the PC, there is re-authentication happening every minute to ISE. The authentication logs are getting so many messages for just one port. Once we go from 2 IP phones to 500, that is definitely going to generate a lot of unnecessary traffic.
Let me know your thoughts... thanks
Port config info....below
interface GigabitEthernet0/2
description Extra port by Camilos Desk
switchport mode access
switchport voice vlan 220
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust cos
snmp trap mac-notification change added
auto qos trust
spanning-tree portfast
end
On #1
You have to make sure that the
"authentication host-mode multi-domain" command is under each port.
This will allow one voice VLAN and only one PC VLAN at any given time. If you disconnect a PC and connect another PC MAC address to it, the phone will reinitialize to accept or reject the new MAC based on its profile.
On #2
I have not found a solution. But what I have found after deployment is that it has happened only on 2 VoIP phones, out of the 70 that we have as of now. So it might be related to ISE.
On the other hand, we are not using Cisco phones but Mitel. So this might be a whole issue on itself.
Hope this helps.
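The port-level settings behind both complaints (multi-auth host mode on a port that also carries a voice VLAN, as on Gi0/2 above, and "authentication open" paired with a pre-auth ACL that ends in "permit ip any any", as on Fa0/5 and Fa0/6 in the earlier thread) are easy to miss when reading a long running-config. The script below is an added example written for this page, not code from either post or from Cisco. It parses the interface and ACL stanzas out of pasted "show running-config" text (which, as in the posts above, usually loses its indentation) and flags those conditions, plus ports whose periodic reauthentication interval comes from the RADIUS Session-Timeout ("authentication timer reauthenticate server"), which is where a one-minute reauth cycle would be set on the ISE side. The embedded sample configuration is constructed to resemble the posted ones; the ACL-PREAUTH ACL and GigabitEthernet0/3 are invented to show a port that passes the checks.

```python
"""Audit Cisco IOS 802.1X/MAB port configuration for the issues discussed above.

Added example for this page, not code from the original posts.  It looks for:
  - a port with a voice VLAN that is not in multi-domain host mode
    (the VLAN leak the poster describes; the reply's fix is multi-domain)
  - 'authentication open' with no pre-auth ACL, or with a permit-any ACL
  - periodic reauth driven by the server-supplied Session-Timeout
"""
from dataclasses import dataclass, field

# Pasted configs often lose indentation, so an interface stanza is ended by the
# next top-level keyword rather than by a change in leading whitespace.
STANZA_STARTS = ("ip default-gateway", "ip http ", "ip radius ", "logging origin-id",
                 "logging source-interface", "logging host", "snmp-server ",
                 "radius server ", "radius-server ", "ntp server", "line ", "end", "!")


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        return any(l.startswith(prefix) for l in self.lines)

    def value(self, prefix: str):
        """Text following the first line that starts with prefix, or None."""
        for l in self.lines:
            if l.startswith(prefix):
                return l[len(prefix):].strip()
        return None


def parse_config(config: str):
    """Return ({interface name: Port}, {acl name: [entries]}) from running-config text."""
    ports, acls = {}, {}
    target = None  # list receiving the lines of the stanza being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            port = Port(line.split(None, 1)[1])
            ports[port.name] = port
            target = port.lines
        elif line.startswith("ip access-list "):
            acls[line.split()[-1]] = []
            target = acls[line.split()[-1]]
        elif line.startswith(STANZA_STARTS):
            target = None  # back at global config level
        elif target is not None:
            target.append(line)
    return ports, acls


def acl_is_permit_any(entries) -> bool:
    """True when the ACL contains 'permit ip any any', i.e. it restricts nothing pre-auth."""
    return any(e.startswith("permit ip any any") for e in entries)


def audit(config: str):
    """Return a list of (interface name, finding) tuples for 802.1X/MAB-enabled ports."""
    ports, acls = parse_config(config)
    findings = []
    for name, p in ports.items():
        if not p.has("authentication port-control auto"):
            continue  # port is not running 802.1X/MAB at all
        host_mode = p.value("authentication host-mode") or "single-host"  # IOS default
        if p.has("switchport voice vlan") and host_mode != "multi-domain":
            findings.append((name, f"voice VLAN port with host-mode {host_mode}; use multi-domain"))
        if p.has("authentication open"):
            acl = p.value("ip access-group")
            acl_name = acl.split()[0] if acl else None
            if acl_name is None:
                findings.append((name, "authentication open with no pre-auth ACL"))
            elif acl_is_permit_any(acls.get(acl_name, [])):
                findings.append((name, f"authentication open with permit-any pre-auth ACL {acl_name}"))
        if p.has("authentication periodic") and p.value("authentication timer reauthenticate") == "server":
            findings.append((name, "periodic reauth interval comes from RADIUS Session-Timeout"))
    return findings


# Constructed sample; resembles the posted configs but is not a copy of them.
SAMPLE_CONFIG = """
interface FastEthernet0/5
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
!
interface GigabitEthernet0/3
 switchport mode access
 switchport voice vlan 220
 ip access-group ACL-PREAUTH in
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/4
 switchport mode access
!
ip access-list extended ACL-ALLOW
 deny icmp any host 172.16.0.1
 permit ip any any
ip access-list extended ACL-PREAUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
end
"""

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG):
        print(f"{port}: {finding}")
```

Run it against a saved "show running-config" by reading the file into audit(). On the sample it reports two findings for FastEthernet0/5 (permit-any pre-auth ACL, server-driven reauth) and two for GigabitEthernet0/2 (voice VLAN without multi-domain, open authentication with no ACL), and nothing for GigabitEthernet0/3, which carries the multi-domain fix from the reply and a restrictive pre-auth ACL.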