ISE 1.3 posture discovery issue

Dear All:
I have an issue with my ISE 1.3. I cannot find the "posture discovery" option in my authorization profile. The option should be found under "Web Redirection (CWA, DRW, MDM, NSP, CPP)", where I should also find PD (posture discovery). Because of this I cannot make my client download the NAC agent, so I am stuck in the unknown state. In version 1.1 it was under the web authentication option with the same name, PD. Can anyone help, please?

Create AnyConnect and Cisco NAC Agent Profiles
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010110.html

Similar Messages

  • ISE 1.2 Posture Update Issue

    In ISE 1.2 the message below is shown when we do a web posture update, either manual or automatic:
    "Remote address is not accessible. Please make sure update feed url, proxy address and proxy port are properly configured".
    It was working fine for a long time and all of a sudden it stopped working,
    and no changes have been made on the network side.
    https://www.cisco.com/web/secure/pmbu/posture-update.xml is working in the browser.
    A few customers have reported the same. The boxes are installed with the latest patch, version 7.
    We can upload the updates through offline mode.

    I have experienced the same issue. Both the posture update feed URLs
    1. https://www.cisco.com/web/secure/pmbu/posture-update.xml
    2. https://www.perfigo.com/ise/posture-update.xml
    give the same error when the ISE boxes try to do the updates. But these URLs are accessible from outside.
    A TCP dump taken from a box shows a "Certificate unknown Alert" (when it tries to update) for the certificate received from the other end. Then the ISE box sends a (FIN,ACK) and terminates the session.
    The relevant pcap file is attached.
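To confirm what a capture like the one described above actually says, here is an added example (mine, not from the thread or from Cisco) that splits a raw TLS record stream into records and decodes any plaintext alert records in it. The input is a constructed byte string, not the attached pcap: a handshake record followed by a fatal alert with description 46, which RFC 5246 names certificate_unknown. One caveat worth keeping in mind when reading such a capture: the party that sends a certificate alert is the party that rejected the peer's certificate, so an alert sent by the ISE box means ISE did not accept the certificate the feed server (or an intercepting proxy) presented, which points at ISE's trusted-certificate store or the proxy path rather than at the feed URL itself.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT = 21

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246, section 7.2
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction_RESERVED", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}

# Alerts that mean "I did not accept the certificate you sent me".
CERTIFICATE_ALERTS = {"bad_certificate", "unsupported_certificate", "certificate_revoked",
                      "certificate_expired", "certificate_unknown", "unknown_ca"}


def parse_records(data: bytes):
    """Split a raw TLS byte stream into (content_type, version, payload) tuples.

    Every record starts with a 5-byte header: type (1), version (2), length (2).
    A record whose declared length runs past the end of the data is reported
    rather than silently dropped, since a truncated capture is easy to misread.
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError(f"{len(data) - offset} trailing byte(s) at offset {offset} are not a record header")
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError(f"record at offset {offset} declares {length} bytes, only {len(payload)} present")
        records.append((ctype, version, payload))
        offset += 5 + length
    return records


def decode_alert(payload: bytes):
    """Decode a plaintext alert body into (level_name, description_name).

    Alerts sent after ChangeCipherSpec are encrypted and cannot be decoded this
    way; an alert sent in reaction to the server's Certificate message is still
    in the clear, which is the case described in the thread.
    """
    if len(payload) != 2:
        raise ValueError(f"alert body must be 2 bytes, got {len(payload)}")
    level, description = payload[0], payload[1]
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(description, f"description_{description}"))


def find_alerts(data: bytes):
    """Return every alert in the stream as (level_name, description_name)."""
    return [decode_alert(payload) for ctype, _version, payload in parse_records(data) if ctype == ALERT]


def summarize(data: bytes, sender: str = "client") -> str:
    """One-line verdict for the first alert in the stream; `sender` names who sent it."""
    alerts = find_alerts(data)
    if not alerts:
        return "no alert record found"
    level, description = alerts[0]
    text = f"{sender} sent {level} {description}"
    if description in CERTIFICATE_ALERTS:
        text += f": the {sender} rejected the certificate it received from the peer"
    return text


# Constructed sample stream (not the attached pcap): a handshake record with a
# dummy 4-byte body, then a fatal (2) certificate_unknown (46 = 0x2e) alert.
SAMPLE_STREAM = bytes.fromhex(
    "16 0301 0004 01000000"   # handshake, record version TLS 1.0, 4-byte body
    "15 0303 0002 02 2e"      # alert, TLS 1.2, level=fatal, description=46
)

if __name__ == "__main__":
    for ctype, version, payload in parse_records(SAMPLE_STREAM):
        print(f"{CONTENT_TYPES.get(ctype, ctype):<20} version=0x{version:04x} len={len(payload)}")
    print(summarize(SAMPLE_STREAM, sender="ISE"))
```

Feed a real capture by extracting the TCP payload of the TLS stream (for example with `tshark -T fields -e tls.record` or by following the stream in Wireshark) into `parse_records`; the direction of the TCP segment carrying the alert tells you which side to pass as `sender`.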

  • Cisco ISE 1.2.1 deployment issue with AnyConnect and Profiling

    Hi All,
    We are running a Cisco ISE box on version 1.2.1 and I am facing the issue below during deployment. We have two ISE boxes: one box acts as Primary Admin, Secondary MnT and Policy Service, and the second box acts as Secondary Admin, Primary MnT and Policy Service.
    1) Profiling of endpoints - profiling of HP LaserJet 55XX series printers and scanners is not happening in Cisco ISE 1.2.1, although I have enabled the probes below in ISE for profiling:
    RADIUS probe
    SNMP probe
    SNMP trap
    HTTP probe and DNS
    2) AnyConnect issue - we are using the AnyConnect supplicant 3.0.11042 for the wired and wireless user profile on Windows 7 Enterprise 32-bit machines.
    - Yellow mark issue - once authentication and posturing are completed we get a yellow mark on the network drive, but we are still able to connect to the network.
    - Network map drive issue - once authentication and posturing are completed we get a red cross mark on the network map drive, and if we double-click on that drive it becomes accessible and the red mark turns green.
    For that we have already allowed IP-level access to all domain in the before-logon dACL (machine authentication).
    It would be really great if anyone can help me on this.
    Thanks & Regards
    Pranav

    Hi Pablo,
    Please find the solutions below.
    Yellow mark issue - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This service is disabled by default on the Windows XP and Windows 8.x operating systems. It is only enabled by default on the Windows 7 and Windows Vista operating systems.
    Network map drive issue - create a logon script and deploy it using Group Policy. The script will check for full network connectivity and then map the network drives.
    Regards
    Pranav

  • ISE 1.2 Sponsor Portal issue

    Hi
    We have an ISE version 1.2 installation and are trying to customise the Sponsor Portal login page to show the terms and conditions for staff when accessing the page, by using the "display pre-login banner" option under the sponsor portal theme settings.
    We have added the text for both the pre- and post-login banners and have selected the check boxes for both, but for some reason when saved the text does not display, and the check boxes show as unchecked when going back to the page. Is this a bug? I have reset to factory defaults and retried but it is still not working. Any help would be appreciated.

    It may be a browser issue. Please check the supported Operating Systems and Browsers for Sponsor, Guest, and My Devices Portals:
    These Cisco ISE portals support the following operating system and  browser combinations. These portals require that you have cookies  enabled in your web browser.
    Table 8     Supported Operating Systems and Browsers

    Supported Operating System                                                Browser Versions
    Google Android 4.0.4, 4.0.3, 4.0, 3.2.1, 3.2, 2.3.6, 2.3.3, 2.2.1, 2.2     Native browser
    Apple iOS 6, 5.1, 5.0.1, 5.0                                              Safari 5, 6
    Apple Mac OS X 10.5, 10.6, 10.7, 10.8                                     Mozilla Firefox 3.6, 4, 5, 9; Safari 4, 5, 6; Google Chrome 11
    Microsoft Windows 8                                                       Microsoft IE 10
    Microsoft Windows 7                                                       Microsoft IE 9; Mozilla Firefox 3.6, 5, 9; Google Chrome 11
    Microsoft Windows Vista, Microsoft Windows XP                             Microsoft IE 6, 7, 8; Mozilla Firefox 3.6, 9; Google Chrome 5
    Red Hat Enterprise Linux (RHEL) 5                                         Mozilla Firefox 3.6, 4, 5, 9; Google Chrome 11
    Ubuntu                                                                    Mozilla Firefox 3.6, 9

  • Cisco ISE 1.3 Active Directory issue

    Hi Folks
    I am having an issue with our Cisco ISE and would love some feedback or a solution. I have ISE configured to use our Active Directory setup and so far it appears to be functional: I could connect to AD, retrieve groups and use AD for authentication. The issue I am experiencing is that when I go to the Administration > Identity Management > External Sources page and select our AD instance in the left-hand window, the screen locks up and refuses to load. Any advice?

    hi
    I also had this issue (and so did one of my colleagues) when using Firefox (versions 34 and 35).
    I managed to create the AD server using IE 10, for example, and afterwards it appears correctly in Firefox.
    This was before ISE 1.3 patch 1, but I have seen no corrected issue for this problem in the patch 1 release notes.
    guillaume

  • ISE 1.3 MyDevices Portal issue: You are not owner of this device

    Hello there,
    I'm facing an issue with MyDevices portal. 
    The BYOD On-Boarding registration works pretty good, and the users get access to the network as they have to do.
    However, when the user accesses the MyDevices portal, some registered devices (which already have access to the network) are shown in the "Pending" state. But I don't think this is the issue, because the users can connect at any time and get access to the network normally.
    The problem is: when the user tries to edit or change the state of the device (mark as Lost, Stolen or Delete), they get the error message "You are not owner of this device; it belongs to someone else. Contact the help desk if you need assistance".
    P.S.: the users are always facing this error message, regardless of whether the device is in the pending or registered state.
    Does someone has faced a problem like this, or have an idea to help me solve it?
    Thanks in advance.
    Error message attached.

    robertbrink1,
    I've tried to reproduce the problem in my lab environment, however everything worked perfectly. So I'm wondering whether this issue is related to ISE being implemented in a distributed deployment, because the real implementation I'm working on is a distributed deployment and the lab I tested in is standalone.
    So, for the next steps I'll replicate the tests in a distributed deployment.
    Thanks in advance,
    Paulo

  • Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

    In a distributed ISE deployment with regional intermediate CAs, I am getting failed authentications due to "EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain". Client devices have only one client certificate, issued by the regional intermediate CA. When a client device goes across regions it can't authenticate and gets this "unknown CA" error. The admin node has the certificates of all intermediate CAs and the root CA.
    One possible solution is to add the intermediate CA certificates to all regional node groups, but apparently this is not possible on ISE policy nodes.
    Have a look at the diagram below and let me know what you think (client authentication fails at both location 1 and location 3).

    Thanks Jan for the reply. And the short answer is yes...
    We have identified the issue and it has been resolved now. It came down to one of the certs on the primary admin node being corrupted.
    It was only identified after going to the debug logs in prrt. Verification was done by exporting that particular cert and analysing it. Don't know how it got corrupted, but it did.
    In the CA cert section on the primary admin node it was displaying correct values like the issue date, etc., but when it was exported for analysis I couldn't open it.
    So the moral of the story is that someone thought they needed to put a status field against every cert on ISE, and it wasn't decided how to check its status - no offence.

  • ISE Distributed System - AD join issue

    Hi,
    We have deployed four ISE nodes in the following scenario (ISE version 1.1.2.245):
    1 ISE - Primary (A), Secondary (M)
    2 ISE - Primary (M), Secondary (A)
    3 ISE - Policy Service (PDP)
    4 ISE - Policy Service (PDP)
    When integrating with AD, we can only integrate the first ISE. NTP, timezone and DNS are working perfectly on all four boxes. We get the attached error while integrating AD with the other ISE nodes.
    In the above scenario, which ISE nodes should have AD joined: only the PDPs, or should all four nodes be joined?
    Can someone please advise. Please see the attached screenshots for the deployment and the detailed error while joining AD.
    Thanks in advance.

    Hi Neno,
    Below are the debug logs for the AD join. I can see the two issues below, but don't know how to find the solution.
    1) (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    2) SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state ProbePorts complete for hqv-dcs-02.xxx.gov.qa. Elapsed time 0.014737 secs
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.kerberos.keytab GetSaltFromKDC returns: xxx.GOV.QAAdmin-Asif
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.aduser getSalt update: user:[email protected] salt:xxx.GOV.QAAdmin-Asif
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Performing LDAP binding with GSSAPI mechanisms to server - hqp-dcs-01.xxx.gov.qa
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=Kerberos : SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm" (reference base/adbind.cpp:495 rc: -1765328228)
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST:reportFailure: hqp-dcs-01.xxx.gov.qa
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DIAG  base.bind.ad connectToServiceInDomain: Failed to connect to hqp-dcs-01.xxx.gov.qa:389: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _ldap._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Attempting to connect to a DC in site 'xxxsite'
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Connecting to hqv-dcs-02.xxx.gov.qa:389
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DIAG  base.bind.ldap 10.0.11.52:389 fetch dn="" filter="(objectclass=*)" timeout=11
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG lrpc.adobject new object:
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Connected root=DC=xxx,DC=gov,DC=qa, domain=xxx.GOV.QA functionality=3
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Address of hqv-dcs-02.xxx.gov.qa is 10.0.11.52
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Performing LDAP binding with GSSAPI mechanisms to server - hqv-dcs-02.xxx.gov.qa
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=Kerberos : SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm" (reference base/adbind.cpp:495 rc: -1765328228)
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST:reportFailure: hqv-dcs-02.xxx.gov.qa
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad connectToList: Failed to connect to hqv-dcs-02.xxx.gov.qa:389: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=LDAP : reconnect failed (reference base/adbind.cpp:785 rc: -11)
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Destroying binding to 'xxx.GOV.QA'
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting zonename to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting schema to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting zone to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting domaincontroller to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting site to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting domain to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting prew2k.host to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting host to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG cli.adjoin Unexpected LDAP Error Connect error
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG cli.adjoin  due to unexpected configuration or network error.
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG cli.adjoin Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting host to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting prew2k.host to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: INFO  cli.adjoin Join to domain 'xxx.gov.qa', zone 'null' failed.
    Mar  3 09:54:23 xxx-TW-ISE-2 adinfo[27666]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:23 xxx-TW-ISE-2 adinfo[27666]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:23 xxx-TW-ISE-2 adinfo[27668]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:23 xxx-TW-ISE-2 adinfo[27668]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:33 xxx-TW-ISE-2 adinfo[28164]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:33 xxx-TW-ISE-2 adinfo[28164]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:44 xxx-TW-ISE-2 adinfo[28172]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:44 xxx-TW-ISE-2 adinfo[28172]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:54 xxx-TW-ISE-2 adinfo[28900]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:54 xxx-TW-ISE-2 adinfo[28900]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:05 xxx-TW-ISE-2 adinfo[28905]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:05 xxx-TW-ISE-2 adinfo[28905]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:16 xxx-TW-ISE-2 adinfo[28907]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:16 xxx-TW-ISE-2 adinfo[28907]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:27 xxx-TW-ISE-2 adinfo[28911]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:27 xxx-TW-ISE-2 adinfo[28911]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:38 xxx-TW-ISE-2 adinfo[28913]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:38 xxx-TW-ISE-2 adinfo[28913]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:49 xxx-TW-ISE-2 adinfo[28920]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:49 xxx-TW-ISE-2 adinfo[28920]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:56:00 xxx-TW-ISE-2 adinfo[28988]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:56:00 xxx-TW-ISE-2 adinfo[28988]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:56:11 xxx-TW-ISE-2 adinfo[29010]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
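The log above is long and most of it is repetition, so here is an added example (mine, not from the thread, Cisco or Centrify) that triages an adjoin log by pulling out the lines that actually decide the outcome: the DNS SRV names queried, the DCs that answered on LDAP/389, the DCs whose GSSAPI bind failed with a Kerberos error, and the final join result. The sample lines are constructed, modelled on the post's log (hostnames kept as the poster anonymised them, service principal written in the usual service/host@REALM form). Two things the script makes visible that are easy to miss by eye: the `kset.*` "Cannot open file" lines are DEBUG-level and repeat on every lookup, and are not what the INFO failure line cites; and for hqv-dcs-02 the LDAP connection on 389 completed ("Connected root=...") before the bind failed, so the error text "Cannot contact any KDC for requested realm" (libkrb5's KRB5_KDC_UNREACH, the rc -1765328228 shown in the log) is about reaching a KDC on port 88, not about reaching the DC on 389.

```python
import re

# Regexes for the Centrify adjoin DEBUG/DIAG/INFO lines that matter for triage.
RE_SRV = re.compile(r"FindSrvFromDns\(\d+\): (\S+)")
RE_CONNECT = re.compile(r"base\.bind\.ad Connecting to ([\w.-]+):389")
RE_CONNECTED = re.compile(r"base\.bind\.ad Connected root=(\S+), domain=(\S+)")
RE_KRB_FAIL = re.compile(r'Failed to connect to ([\w.-]+):389: .*Kerberos error ": ([^"]+)"')
RE_KSET = re.compile(r"Cannot open file (/var/centrifydc/kset\.\S+):")
RE_JOIN_FAILED = re.compile(r"INFO\s+cli\.adjoin Join to domain '([^']+)'.*failed")


def triage(lines):
    """Summarise one adjoin run: SRV names queried, DCs that answered on LDAP/389,
    DCs whose GSSAPI (Kerberos) bind failed, missing kset files, and a verdict."""
    srv_lookups, ldap_connected = [], []
    kerberos_failures, kset_missing = {}, set()
    join_failed, last_target = None, None
    for line in lines:
        m = RE_SRV.search(line)
        if m:
            if m.group(1) not in srv_lookups:
                srv_lookups.append(m.group(1))
            continue
        m = RE_CONNECT.search(line)
        if m:
            last_target = m.group(1)        # the next "Connected root=" refers to this host
            continue
        if RE_CONNECTED.search(line) and last_target:
            ldap_connected.append(last_target)
            continue
        m = RE_KRB_FAIL.search(line)
        if m:
            kerberos_failures[m.group(1)] = m.group(2)
            continue
        m = RE_KSET.search(line)
        if m:
            kset_missing.add(m.group(1))
            continue
        m = RE_JOIN_FAILED.search(line)
        if m:
            join_failed = m.group(1)

    # A DC that completed the LDAP connection but failed the GSSAPI bind was
    # reachable on 389; the failure is in obtaining a ticket from a KDC.
    reached_but_no_kdc = [h for h in kerberos_failures if h in ldap_connected]
    if reached_but_no_kdc:
        verdict = ("LDAP on TCP/389 answered but the Kerberos bind failed on "
                   + ", ".join(reached_but_no_kdc)
                   + ": check reachability of the KDCs on port 88 and the _kerberos._tcp SRV answers for this site")
    elif kerberos_failures:
        verdict = "no DC completed an LDAP connection: check DNS SRV resolution and TCP/389 first"
    else:
        verdict = "no Kerberos bind failure in this log"
    return {
        "srv_lookups": srv_lookups,
        "ldap_connected": ldap_connected,
        "kerberos_failures": kerberos_failures,
        "kset_missing": sorted(kset_missing),
        "join_failed": join_failed,
        "verdict": verdict,
    }


# Constructed sample, modelled on the log in the post above.
SAMPLE_LOG = """\
Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Performing LDAP binding with GSSAPI mechanisms to server - hqp-dcs-01.xxx.gov.qa
Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DIAG  base.bind.ad connectToServiceInDomain: Failed to connect to hqp-dcs-01.xxx.gov.qa:389: SASL bind to ldap/hqp-dcs-01.xxx.gov.qa@XXX.GOV.QA - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _ldap._tcp.xxxsite._sites.xxx.gov.qa
Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Connecting to hqv-dcs-02.xxx.gov.qa:389
Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Connected root=DC=xxx,DC=gov,DC=qa, domain=xxx.GOV.QA functionality=3
Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad connectToList: Failed to connect to hqv-dcs-02.xxx.gov.qa:389: SASL bind to ldap/hqv-dcs-02.xxx.gov.qa@XXX.GOV.QA - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: INFO  cli.adjoin Join to domain 'xxx.gov.qa', zone 'null' failed.
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On a real node, run it over the adjoin section of the support bundle (`triage(open(path).readlines())`); the verdict only distinguishes "389 answered, 88 did not" from "nothing answered", which is the first fork in the decision tree before looking at firewall rules or SRV records between this node and the DCs.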

  • ISE 1.3 Upgrade LDAP Issue

    We recently upgraded to 1.3 and everything seems fine, except that we noticed that the Catalyst switches for which we use AD authentication through ISE stopped dropping us automatically into enable mode. I did rejoin the device to AD as required post-upgrade, and have since unjoined and rejoined. When I run the test user option for the AD identity store I get an error saying it is unable to fetch LDAP attributes, see attached. There is also a similar error in the syslog any time a user logs into a switch. I went back through the syslogs and these errors were not happening until the upgrade. I am assuming this somehow correlates with my issue. Has anyone else experienced this post-upgrade? Thanks.

    Are you using LDAP or native AD join ?
    There are some issues with LDAP and quotes in group names, which are not supported. I have also had issues with 1.3 and commas in user names, so something like "Doe, John" is not possible as the name of a user in AD.
    As for native AD, i have not had any issues with ISE 1.3
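Commas and quotes are metacharacters in distinguished names, and `*`, parentheses and backslashes are metacharacters in search filters, so whether a name like Doe, John works depends on every layer escaping it correctly (RFC 4514 for DNs, RFC 4515 for filters). The added example below (mine, not from the thread and not a description of how ISE does it) shows both escapings side by side; the attribute names and the base DN are assumptions. The filter escaping is also the defence against LDAP injection: an unescaped value such as `*)(objectClass=*` would otherwise rewrite the query.

```python
# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_DN_SPECIAL = frozenset('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                      # NUL has no printable form
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)                   # e.g. "Doe, John" -> "Doe\, John"
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                       # leading/trailing space would be trimmed
        elif ch == "#" and i == 0:
            out.append("\\#")                       # leading '#' would read as a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


# RFC 4515 section 3: filter metacharacters are replaced by \XX hex escapes.
# The backslash must be in the table so an attacker cannot smuggle in escapes.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn(cn: str, base_dn: str = "CN=Users,DC=example,DC=com") -> str:
    """Build the DN of a user object from its CN; base_dn is an assumption."""
    return f"CN={escape_dn_value(cn)},{base_dn}"


def user_filter(sam_account_name: str) -> str:
    """Filter matching one account. Note the comma needs no escaping here, but '*' does."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


if __name__ == "__main__":
    for name in ["Doe, John", 'Say "hi"', " lead", "trail ", "#hash"]:
        print(f"{name!r:14} -> DN value {escape_dn_value(name)!r}")
    print(user_dn("Doe, John"))
    print(user_filter("Doe, John"))
    print(user_filter("*)(objectClass=*"))     # injection attempt, neutralised
```

The two escapings are deliberately different: a DN is text in which `,` separates RDNs, so `,` is what gets a backslash; a filter is text in which `(`, `)` and `*` carry meaning, so those get hex escapes and `,` is left alone. Applying the wrong one (or neither) is what turns a legitimate name into either a lookup failure or an injection vector.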

  • Ise and windows CA cert issues during tls

    Hi All,
    We are having some issues when doing EAP-TLS during onboarding. The setup is a single-SSID network. Clients initially get connected via PEAP, and after onboarding it is EAP-TLS. The environment is a two-tier CA hierarchy with a root CA (offline) and an intermediate CA (this is the AD domain enterprise CA and SCEP server). The ISE cert was signed by the intermediate CA for HTTPS and EAP. I also imported the certificate chain from the intermediate CA into the ISE cert store (converted from .p7b to .der). It also has the SCEP RA certificate, and SCEP communication between ISE and the SCEP server looks OK.
    The issue is that during the onboarding process (tested with Windows XP), after the redirection to the guest portal, the Windows SPW wizard starts and prompts to confirm the user certificate. It keeps on prompting after 'OK' is clicked and does not proceed further. 'View certificate' shows the following error: "The issuer of this certificate is not found". ISE shows the following errors in the authentication details (JPG attached). The Windows SPW logs show that it keeps retrying authentication.
    The issuer of the client cert, which is the intermediate CA cert, is already in the ISE certificate store. Therefore shouldn't the client get this issuer CA's details from ISE, and shouldn't ISE be able to authenticate the client during onboarding to start the TLS connection? Do we have to import separate certs for the root CA and the intermediate CA into the ISE store instead of the chain?
    Has anybody had this issue with ISE in a hierarchical CA environment?
    Thanks in advance.

    Review this link
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1044440

  • Cisco ISE & 3750 Switch MAB configuration Issue

    Hi,
    I am writing in response to a MAB issue which I noticed a few days ago, and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication and, according to the MAC, ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration, the switch authorizes the new device into VLAN 11 (critical VLAN). That is fine! When the ISE server is up again I have a configuration which should reauthorize all ports assigned to the critical VLAN. But why does that not happen??? It looks as if the switch didn't notice that the RADIUS server (ISE) was up and working again.
    Here is the test switch configuration :
    interface FastEthernet0/22
     switchport access vlan 10
     switchport mode access
     authentication event fail action next-method
     authentication event server dead action authorize vlan 11
     authentication event server alive action reinitialize
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication violation restrict
     mab
     dot1x pae authenticator
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    snmp-server community ISE-Test RO
    snmp-server community ISE-Test1 RW
    snmp-server trap-source FastEthernet0/24
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.98.10 auth-port 1812 acct-port 1813 key cisco123
    radius-server vsa send accounting
    radius-server vsa send authentication
    Thank you in advanced! I hope that this issue might be intersting!
    Martin

    Can you confirm that you have the following syntax in your NAD:
    aaa server radius dynamic-author
    client 192.168.98.10 server-key AAA_Secret
    Also, it would be nice to have the complete AAA/RADIUS config. If possible, post your whole config here.
    Last but not least, you can try moving to 15.x code. I had issues in the past with 12.x code and 802.1X.

  • ISE 1.1.1 Certificate Issue

    I have an ISE deployment of two nodes. I generated a CSR, self-signed it and bound it in ISE. It was working fine. Now I wanted to change the certificate to one from a new authority. I took the same CSR and had it signed by a different authority. But after uploading it to ISE and deleting the old one, I'm still getting the same certificate when I connect over HTTPS. I deleted the old certificate from the secondary node as well and rejoined it. I even restarted the ISE appliance, but I'm still getting the old certificate from the primary node.
    Is this a bug or do i need to change something? I already seletected the new certificate for HTTPS and EAP authentications.
    Thanks,
    Zohaib

    @bikespace
    I checked all the locations on the primary and secondary nodes but couldn't find the old one. After I deleted the old one I stopped and started the ISE application, but the problem is the same.
    @Neno
    That's what I did at the start: I didn't delete the old one, I just overrode it with the new one and stopped/started the ISE application. It was still giving me the old cert, which is why I deleted it.
    It seems like the old cert is stored somewhere on disk which is of course not accessible. My last option would be to back up and factory-default both boxes, restore, and generate new certificates, since the backup doesn't back up certs.
    Thanks,
    Zohaib

  • ISE SNS-3415-K9 License Issue

     Hi All,
    We are planning to take ISE SNS-3415-K9 appliance for 2500 wireless end points.
    Can you please guide me on how to purchase the license? Are Base licenses really required for wireless endpoints?
    Your early response will be highly appreciated.
    Regards,
    Satish.

    If you are purchasing the Wireless license then the Base license is not required; it supports the services below:
    Device onboarding/provisioning
    AAA
    Guest provisioning
    Link encryption policies
    Device profiling and feed service
    Host posture
    Cisco Security Group Access
    Integrated vendor MDM support
    Refer : http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.html

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
    I created authentication and authorization rules with Active Directory as the external identity source. I also applied an authorization profile with a dACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the last account.
    I tried to reboot the switch and the PC, but it didn't help. Only rebooting ISE helps. After rebooting ISE, authentication and authorization start working properly for several hours.
    I don't understand whether it is a glitch or I misconfigured ISE, the switch or the supplicant.
    What  should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times) didn't work. 5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts. Kept getting error message that username and password invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that did the trick. Think there is an issue with imap.gmail.com and IOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.

  • IP phone and PC VLAN security issue - ISE 1.0

    Hello there.
    We are about to implement IP phones on our current network and during testing I have found 2 issues.
    1- The IP phone connects to a protected port using ISE MAB authentication for the data network.
    The voice VLAN is set up statically on the port. The PC VLAN is given by ISE profiling.
    The issue is that once the PC connects to the VLAN it belongs to through the IP phone, that VLAN is left open on the port, which means that if I connect another PC it will get the original VLAN the port opened up the connection with. This is a big security issue, as computers that should not be allowed on a specific VLAN can access it this way.
    2- Once the connection is up and running on the port for both the phone and the PC, there is re-authentication happening every minute to ISE. The authentication logs are getting so many messages for just one port. So once we convert from 2 IP phones to 500, that is definitely going to generate a lot of unnecessary traffic.
    Let me know your thoughts... thanks
    Port config info below:
    interface GigabitEthernet0/2
    description Extra port by Camilos Desk
    switchport mode access
    switchport voice vlan 220
    srr-queue bandwidth share 1 30 35 5
    priority-queue out
    authentication event fail action next-method
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    mls qos trust cos
    snmp trap mac-notification change added
    auto qos trust
    spanning-tree portfast
    end

    On # 1
    You have to make sure that the
    "authentication host-mode multi-domain" command is under each port.
    This will allow one voice VLAN and only one PC VLAN at any given time. If you disconnect a PC and connect another PC MAC address to it, the phone will reinitialize to accept or reject the new MAC based on its profile.
    On #2
    I have not found a solution. But what I have found after deployment is that it has happened only on 2 VoIP phones, out of the 70 that we have as of now. So it might be related to ISE.
    On the other hand we are not using Cisco phones but Mitel. So this might be a whole issue on itself.
    Hope this helps.
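The check behind the advice above (every port carrying a voice VLAN should run in multi-domain host mode) can be scripted against a pasted port configuration. The following is an added audit example, not code from the thread; it assumes a per-port snippet in the shape the poster quoted (interface blocks ending at the next "interface" line or "end") and the sample config is constructed.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the port configuration quoted in the post:
# Gi0/2 reproduces the reported state, Gi0/3 is the corrected port,
# Gi0/4 is a data-only port that needs no voice-specific treatment.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
interface GigabitEthernet0/3
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-domain
 authentication port-control auto
 mab
interface GigabitEthernet0/4
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 mab
end
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group each interface's sub-commands under its name (indentation-agnostic)."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line == "end":
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def check_voice_ports(config: str) -> Dict[str, str]:
    """Flag 802.1X/MAB ports that carry a voice VLAN but are not multi-domain.
    IOS defaults to single-host when no host-mode line is present (assumed here)."""
    findings: Dict[str, str] = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport voice vlan") for c in cmds):
            continue  # data-only port: the phone+PC pairing rule does not apply
        if not any(c.startswith("authentication port-control auto") for c in cmds):
            continue  # port not under access control at all
        mode = next((c.split()[-1] for c in cmds
                     if c.startswith("authentication host-mode")), "single-host")
        if mode != "multi-domain":
            findings[name] = f"voice port uses host-mode {mode}; expected multi-domain"
    return findings
```

Run it over a copied "show running-config interface" block to list the ports that still need the host-mode change.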
