ISE 1.4 Released

For those of you who may not have heard, Cisco has released ISE 1.4. The code was posted on 30 April 2015 and release notes are out today (4 May 2015).
A fair number of enhancements are included. The biggest one that stood out for me is automatic failover for the Administration persona.

Problem is fixed.
Please check the AnyConnect Secure Mobility Client 4.x download page now.

Similar Messages

  • ISE 1.2.1 support for Yosemite?

    Hello all, just curious. I see in the release notes for ISE 1.2.X that support for Mac OS 10.10 (Yosemite) was available via patch 12 on the ISE1.2.0 train of code. That said, I see nothing in the release notes stating any support for Yosemite for any of the patches for ISE1.2.1, the latest being patch 3 released 1 week after ISE 1.2.0 patch 12. Can anyone please advise if Yosemite is in fact supported on 1.2.1 with patch 3??
    Thank you very much in advance for your help
    Jeff

    Jeff,
    OS X 10.10 is supported in ISE 1.2 p11, 1.2.1 p2 and 1.3.
    Patch 12 for 1.2 and Patch 3 for 1.2.1 fix other issues for OS X 10.10, and I recommend updating to the latest patches for these fixes.
    Here is the entry in the Release Notes detailing the fix for 10.10 in 1.2 p 12:
    MacOsXAgent version 4.9.5.3 should be used and MacOsXSPWizard 1.0.0.30
    Note that the description for these files denotes ISE 1.2 Patch 11/12, ISE 1.3 release and above. ISE 1.2.1 is not mentioned, but follows the bug fix/release schedule for 1.2, with an adjustment.
    1.2 patch 10 = 1.2.1 patch 1
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE 1.2 Restore Issue

    ISE 1.2 (on vm) creates a backup file without error. I can use the file to restore a clean ISE installation (same release) without error. However, the ISE application server process is not running. "Reload" or "App Start" do not restart the ISE process. Including or not including the ade-os has no effect. I would appreciate any suggestions as to what might be preventing the ISE server process from running.

    Hi Marvin,
    Please make sure you also have the same version of patches on the clean ISE installation. I know from your statement you have same ISE 1.2 version but I would request you to check with the same version of patches on which the backup was taken.
    Still if you have the same version of patches and not able to bring back the App server up and running, please attach ADE.log and catalina.out file, I will quickly take a look and suggest the next steps.
    As per my knowledge and from your problem explanation, it is for sure you might be missing the patches.
    Thanks,
    Naresh

  • Cisco ISE Guest Portal - DNS Issue - External Zone

    Hello,
    I have a customer that has the following scenario:
    In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redirect URL from ISE (URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so, the PC can't resolve this via DNS name since there is no DNS in the External zone (for guests) or by using the ISP DNS servers addresses provided by the DHCP server, and, so, it can't access the Guest Portal at all;
    I know that in trying to manually code the IP address - this does not work (i.e. in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows:
    cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
    since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
    My question is: Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know if this feature will become available?
    Thank-you in advance for your replies.
    Robert C.

    Robert,
    Manual assignment has been made available in ISE 1.2 release.
    M.

  • Cisco ISE AD (Windows Server 2013) Authentication Problem

    Background:
    Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
    Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access with PAP/ASCII.
    Problem:
    Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
    Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
    xxdc01.xx.com (10.21.3.1)
    Pinged:0 Mins Ago
    State:down
    xxdc02.xx.com (10.21.3.2)
    Pinged:0 Mins Ago
    State:down
    xxdc01.xx.com
    Last Success:Thu Jan  1 10:00:00 1970
    Last Failure:Mon Mar 11 11:18:04 2013
    Successes:0
    Failures:11006
    xxdc02.xx.com
    Last Success:Mon Mar 11 09:43:31 2013
    Last Failure:Mon Mar 11 11:18:04 2013
    Successes:25
    Failures:11006
    Domain Controller: xxdc02.xx.com:389
        Domain Controller Type: Unknown DC Functional Level: 5
        Domain Name:            xx.COM
        IsGlobalCatalogReady:   TRUE
        DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
        ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
    Action Taken:
    1) Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
    2) Tested wireless authentication using EAP-FAST but same problem occurs.
    3) Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.
    12304  Extracted EAP-Response containing PEAP challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24430  Authenticating user against Active Directory
    24444  Active Directory operation has failed because of an unspecified error in the ISE
    4) Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
    5) Tested wireless on different laptops and mobile phones with same error
    6) Delete and add again AAA Client/Devices on both Cisco ISE and WLC
    7) Restarted ISE services
    8) Rejoin domain on Cisco ISE
    9) Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
    10) There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
    Other possibilities/action:
    1) Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
    2) Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
    Anyone out there experienced something similar or have any ideas on why this is happening?
    Thanks.
    Update:
    1) Built another Cisco ISE 1.1.3 server in another datacentre that uses the same domain but different domain controller. This domain controller is running Windows Server 2008. This works and authentication successful.
    2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
    This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.

    Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required or version?
    Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre
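
The thread above reports that the AD "detailed test" passed overall while the per-DC lines showed `State:down` and zero successes. The following is an added example, not part of the original posts and not Cisco code: a small parser that merges the per-DC blocks and lists those conditions. It assumes the output format is exactly as pasted in the post; the function names are hypothetical.

```python
import re
from datetime import datetime

# Per-DC section of the "detailed test" output, copied from the post above.
SAMPLE = """\
xxdc01.xx.com (10.21.3.1)
Pinged:0 Mins Ago
State:down
xxdc02.xx.com (10.21.3.2)
Pinged:0 Mins Ago
State:down
xxdc01.xx.com
Last Success:Thu Jan  1 10:00:00 1970
Last Failure:Mon Mar 11 11:18:04 2013
Successes:0
Failures:11006
xxdc02.xx.com
Last Success:Mon Mar 11 09:43:31 2013
Last Failure:Mon Mar 11 11:18:04 2013
Successes:25
Failures:11006
"""

# A host line is an FQDN, optionally followed by "(a.b.c.d)"; it has no colon.
HOST_RE = re.compile(r"^([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?:\s+\(([\d.]+)\))?$")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def _ts(value):
    # Collapse the padded day field ("Jan  1") before parsing.
    return datetime.strptime(" ".join(value.split()), TS_FMT)


def parse_dc_status(text):
    """Merge the 'State' and counter blocks into one record per DC."""
    dcs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = dcs.setdefault(m.group(1), {})
            if m.group(2):
                current["ip"] = m.group(2)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return dcs


def findings(dcs):
    """Return (dc, issue) pairs that an overall 'test successful' hides."""
    out = []
    for name, dc in sorted(dcs.items()):
        if dc.get("State", "").lower() == "down":
            out.append((name, "state-down"))
        if int(dc.get("Successes", 0)) == 0 and int(dc.get("Failures", 0)) > 0:
            out.append((name, "never-succeeded"))
        ls, lf = dc.get("Last Success"), dc.get("Last Failure")
        if ls and lf and _ts(lf) > _ts(ls):
            out.append((name, "failing-since-last-success"))
    return out


if __name__ == "__main__":
    for name, issue in findings(parse_dc_status(SAMPLE)):
        print(f"{name}: {issue}")
```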

  • Posture Assessment passed in Error using Cisco ISE

    Hi all,
    I would like some help trying to understand why a client that has not been connected to the network for just over a month was allowed full network access despite the AV definitions being over 28 days old.
    We have 2 mandatory posture requirements,
    1. Symantec Av MUST be installed
    2. the AV definitions MUST be LESS THAN 28 days out of date
    Currently, the machine I have is showing the AV defs as being 25th March 2013.
    When I produce the detailed posture report, it even shows me that the two mandatory requirements as described above were successfully met, meaning the endpoint is posture compliant. Clearly this is not the case though...!
    Is there anything else I can check on the ISE to help debug this?
    Mario              

    Hi,
    You might have two problems:
    1. In ISE you have a global setting regarding the unsupported NAC Agent clients (Android, etc) that specifies what is their default compliance status. If the default setting is "compliant" and you don't have a provisioning rule for that client or you simply don't have client provisioning rules, any machine that doesn't fit in the provisioning rule (ie ISE thinks that is not supported) will get a compliance status of compliant even though NAC Agent is installed and the rules are not satisfied.
    2. NAC Agent version problem?
    I've seen in logs that you're using NAC Agent 4.9.1.6 but the latest recommended version of NAC Agent to be used with (the latest) ISE is version 4.9.0.51.
    Version 4.9.1.6 is a NAC Appliance release and Cisco offers no guarantee that is 100% compatible with ISE.
    Check
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131
    Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE)
    Cisco supports different versions of the NAC Agent for integration with NAC Appliance and ISE. Current releases are developed to work in either environment, however, interoperability between deployments is not guaranteed. Therefore, there is no explicit interoperability support for a given NAC Agent version intended for one environment that will necessarily work in the other. If you require support for both NAC Appliance and ISE using a single NAC Agent, be sure to test NAC Agent in your specific environment to verify compatibility.
    Unless there is a specific defect or feature required for your NAC Appliance deployment, Cisco recommends deploying the most current agent certified for your ISE deployment. If an issue arises, Cisco recommends restricting the NAC Agent's use to its intended environment and contacting Cisco TAC for assistance. Cisco will be addressing this issue through the standard Cisco TAC support escalation process, but NAC Agent interoperability is not guaranteed.
    Cisco is working on an approach to address NAC Agent interoperability testing and support in an upcoming release.

  • OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue

    We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest is trying to browse the internet it will be redirected to guest portal for authentication. So only corporate guest with valid password can pass the portal authentication. This has been working fine for windows machine, android, and apple devices with earlier OS version (working on OSX 10.8.5). For clients that have been upgraded to OSX 10.10.1 or IOS 8 they can no longer load the CWA redirection page.
    Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release?
    thanks - ciscosx

  • ISE DHCP automatic renew doesn't work on the browser

    ISE v1.2
    I use wired and wireless (WLC 7.2)
    Normally when GUEST user connects he gets IP in the default VLAN, he is redirected and he enters his login and password
    Then the VLAN guest is pushed, his IP is renewed and he gets new IP in GUEST vlan
    But in my case I must perform ipconfig /release and ipconfig /renew manually by CLI on the computer
    It is not done automatically on the browser (mozilla 26.0 and internet explorer 11.0.9600), I have activated java and activex
    What is the issue, why DHCP renew ip is not done automatically?
    Please help

    Check the "Enable Agent IP refresh after VLAN change" parameter to refresh the Windows client IP address in both wired and wireless environments for MAB with posture.
    To ensure the Mac OS X client IP address is refreshed when the assigned VLAN changes, this parameter is required for Mac OS X client machines accessing the network via the native Mac OS X supplicant in both wired and wireless environments.
    Note: When you use the "Enable Agent IP refresh after VLAN change" option, Cisco ISE sends "DHCP release delay" and "DHCP renew delay" settings (as specified below) instead of using the "Network transition delay" setting used for Windows Agent profiles. If you do not use the "Enable Agent IP refresh after VLAN change" option, Cisco ISE sends "Network transition delay" timer settings to client machines, but Cisco ISE will not send both.

  • Delaying ISE Posture / Remediation

    Hi, we have a requirement where we would like to add a small delay for about 10 - 15 seconds to the time it takes for the NAC agent to attempt remediation of the client.
    Is this possible?
    What seems to happen at the moment is that an error appears on the NAC agent during remediation advising of a Networking issue during remediation. This is because we have a proxy server and you must have elevated privileges to download certain file types from the internet such as executables.
    To get round the limitation of the NAC agent not being able to be configured to use its own Web Proxy settings with a user account with more privileges, we use different locations in our AV product so that once the AV Product realises that the Laptop is connected to the wireless it changes the location to "wireless" and applies the correct web proxy settings so that AV updates can be downloaded.
    However, the NAC agent is trying to remediate quicker than the AV product can change the location and apply the new web proxy settings.
    Hope that makes sense.
    Mario                  

    Hello Mario,
    You can customize remediation timeout settings for your requirement. Please review the following:
    Remediation Timeout Customization
    Parameter | Default Value | Valid Range | Description or Behavior
    Remediation timer | 4 | 1-300 | Specifies the number of minutes the user has to remediate any failed posture assessment checks on the client machine before having to go through the entire login process over again.
    Network Transition Delay | 3 | 2-30 | Specifies the number of seconds the agent should wait for network transition (IP address change) before beginning the remediation timer countdown.
    Note: When you use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends "DHCP release delay" and "DHCP renew delay" settings (as specified below) instead of using the "Network transition delay" setting used for Windows agent profiles. If you do not use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends "Network transition delay" timer settings to client machines, but Cisco ISE will not send both.
    For more detail understanding on this, please visit the section Configure Client Provisioning Policies > Remediation Timeout Customization at the following location in ISE user guide - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1134841
    You may also want to review more options that you can customize in Configure Client Provisioning Policies section.
    Regards,
    Ashok

  • ISE version 1.2 patch 6 release notes

    Hi Everyone,
    I notice that Cisco has released patch 6 for ISE version 1.2 yesterday.
    I am trying to locate all the "resolved" issues for patch 6; however, when I look at the ISE release notes
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/release_notes/ise12_rn.html#wp407339
    It only shows resolved issues up to patch 5.
    Where can I find the list of "resolved" issues that comes with patch 6?
    Thanks in advance.

    Due to the high demand for patch 6, it was released prior to the release notes. The Release Notes will be updated within 24 hours.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE 1.1.4 Patch 5 - Release Notes

    Any word on the availability of the release notes for ISE 1.1.4 Patch 5? I have a production affecting bug that is supposed to be resolved in a future release and I'd like to know if it is resolved in Patch 5.
    Also, in what case would you release a patch and not update the release notes? This isn't a chicken vs egg argument, there is a patch therefore there should be release notes prior to the patch ever being released. It's a bit of an oversight IMO.

    Hi
    You can install patches on ISE servers in your deployment from the primary administration node. ISE patches are usually cumulative, however, any restrictions on the patch installation will be described in the README file that will be included with the patch. Cisco ISE allows you to perform patch installation and rollback from either the command-line interface (CLI) or GUI. When you install or roll back a patch from a standalone or primary administration node, ISE restarts the application. You might have to wait for a few minutes before you can log back in.
    For more information regarding installation and configuration please go through the following link:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf

  • ISE CWA DHCP renew/release

    Does a user need Admin rights on his Windows laptop for the Central WebAuth DHCP Renew / Release to work?
    Thanks.

    Thank you Tariq for your prompt reply.
    I don't understand how CoA fixes the problem of the workstation. CoA tells the switch to assign a new VLAN, but it's not CoA per se that tells the workstation to reset the IP address, since CoA is between ISE and the switch only. It must be ISE then that sends a DHCP release / renew command to the workstation. I presume that for a Guest user that is done in the browser by ActiveX. So maybe the problem is that the web browser is not accepting ActiveX coding? If you have any other information on the DHCP release / renew process with CWA, it would be appreciated.
    Thank you again for all the great posts you are contributing to this forum.
    Catherine

  • ISE profiler feed policies update changelog / release notes

    I often notice that updated feed policies are skipped because the policy was changed by an admin (me).
    In the past the cisco provided policies weren't detailed enough to use them for secure authentication policies, so I modified/added a lot of them.
    Is there any changelog/release notes of the automatically distributed feed policies updates?
    How can I find out the difference between the policies I created/modified and that ones that the cisco updater provides?
    How can I reset the modified entries to the cisco provided values? (in case that ciscos modifications seem to be better than mine)

  • Has Cisco announced a release date for ISE 1.2.1?

    We are anxiously awaiting it to fix bug CSCuj88888. Thanks.

    April has come and gone, and May is almost gone, still no 1.2.1. Also the bug toolkit page for this issue says it is still extant in version 1.3. https://tools.cisco.com/bugsearch/bug/cscuj88888
    Any idea when we will see a release that does not have this issue? Thanks.

  • Caching credentials for webauth in ISE 1.2?

    We are providing internet access through a Guest portal. The portal is provided by the ISE through webauth and the user is created through the ISE Sponsor Portal.
    When an account is created and the enduser logs in to it, I would like for the ISE to cache the credentials for that user for a period of time; at least 1 or more days before it prompts them to log back in again. Right now, if a user disconnects for a short period and then goes to reconnect, it prompts for the username/password again.
    Where (and how) in the ISE do you configure that?
    Thank you.                  

    Thanks for the quick reply Charles. I am reading through the details of it now.
    It looks like DRW basically registers the MAC of a connecting device in an identity store and then allows that device to connect. Does it still match the MAC to a guest user so that we can set time profiles against it and does it expire like the guest accounts do?
    Any ETA on the release of ISE 1.3?
