ISE 802.1x and Windows Logoff

Hi Guys,
I have an ISE that works fine using 802.1x, but we have a strange behavior when the client just logs off the Windows machine: after the client logs in again, the machine does not authenticate and gets stuck with the message "not possible to authenticate". Then I need to unplug the cable from the machine and plug it in again; after this everything works fine.
This happens only when logging off Windows.
Could someone help me with it?
thanks a lot

Hi Rik,
I am using this configuration.
interface GigabitEthernet3/33
 switchport access vlan 22
 switchport mode access
 switchport voice vlan 23
 ip access-group ACL-DEFAULT in
 logging event link-status
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 qos trust device cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
The clients are using the NAC Agent to perform posture.
If I unplug the cable and plug it in again, everything works fine, but if the client logs off and after a while logs in again, the NIC cannot be authenticated.
thanks a lot

Similar Messages

  • ISE 1.3 and Windows Posture Web Agent

    Hello,
    I am running ISE 1.3 and have an issue running the Posture Web Agent. The client authenticates and gets redirected to the client provisioning portal but gets the following message:
    Detecting if Web Agent is installed and running gets ticked and then it keeps rolling at scanning your device. Open Web Agent to check the current status of the system scan and update your system as instructed.
    See attached screen shot

    Is this issue specific to particular groups of clients/OS types? If using Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable “compatibility mode.”)

  • SCEP on ISE 1.2 and Windows 2003 Server

    Hi there
    Has anyone ever been able to get SCEP on ISE 1.2 working with Windows 2003 Server? I know Cisco recommends Windows 2008 Server onwards, but sometimes the server infrastructure is not yet there.
    Thanks in advance and best regards
    Dominic

    Hmm, good question that I would also like to know the answer to. All of my deployments have been either 2008 or 2012. I believe long time ago I got it working in my lab with 2003 but then my 2003 server blew up so when I re-created it I did it with 2008. However, I cannot confirm 100% and even if it was true it was not in a full production environment. So it would be nice if someone else can chime in here. 
    I did come across this though that would suggest that it is supported with some tweaks:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html
    Windows Server 2003, Microsoft SCEP (MSCEP) required a Resource Kit add-on to be installed on the same computer as the CA. In Windows Server 2008, MSCEP support has been renamed NDES and is part of the operating system. NDES may be installed on a different computer than the CA (http://technet.microsoft.com/en-us/library/cc753784%28WS.10%29.aspx).
    Thank you for rating helpful posts!

  • 802.1x and windows 2003 server

    We have an ACS 4.1 install with 5 ACS servers, 25 remote switches and over 800 XP users all doing certificate-based machine authentication that works perfectly fine. We are also using a guest VLAN in our sites to auth-fail a guest user onto the guest VLAN so they can get internet access. We had to reduce the dot1x timers so dot1x would fail (45 sec) before Windows DHCP fails (approx 55 sec). This has worked fine for the last year with all of our XP machines. We put a new 4510 into our main building last week for user access and we are running into an issue with developer boxes that are running 2003 server or 2003 x64. What happens is that when they reboot, the authentication process takes too long and they auth-fail and get put into the auth-fail VLAN. They then get authenticated 20 sec later and they are authenticated in the guest VLAN and remain stuck there until I bounce the port. I have a TAC case opened; just wanted to see if anyone else has seen this or could duplicate it. Very weird and specific to 2003 server and 2003 server x64 with Broadcom drivers. Thanks in advance.

    This is actually only on the reboot. One interesting thing is that some people have dynamic VLANs, and they auth-fail, get put into the guest VLAN, then authenticate, get put into the correct VLAN and are fine. Even unplugging/replugging doesn't seem to do it, which it really should as the authentication process should start over. Also in their infinite wisdom, security has disabled Windows profile caching so a user cannot log onto the box without domain connectivity, so they can't disable/re-enable. By reducing the dot1x timeout from 90 seconds to 45 to fix the Windows DHCP issue we probably caused this one. Again it seems specific to the newer Dell workstations with newer Broadcom drivers.

  • 802.1x and Windows Domain Controller with ACS

    Wow, I am having a tough time getting my ACS and the domain controller to work with 802.1x PEAP. Can somebody explain to me how to set up the domain controller (Active Directory) to get a PEAP cert? Some other questions: if I am using PEAP and 802.1x, how does my computer get a cert from the CA if the port is disabled by 802.1x? And how do I set up my domain controller to work with ACS to authenticate users? I have been beating myself to death to figure this out. Any help would be awesome. I am really stuck on trying to make this work.
    Thanks a ton in advance
    Justin

    I as a Cisco customer would like to see answers to our questions based on some real world experience or something you've noticed in a lab environment.
    Simply posting links is not very helpful. The reason most of us come to this site and post our questions is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our questions, instead of referring us to a link.
    Thank you,
    John...

  • 802.1x and Windows 98

    Does anybody know if there is a software 802.1x supplicant for Windows 98?
    (Yeah, almost incredible, but some companies are still using it!!!)
    Thanks in advance.
    Rafael Lanna

    Odyssey Access Client still has version 4.52 for Win 98 available.
    Check back versions:
    http://www.juniper.net/customers/support/products/aaa_802/oac_client_user.jsp
    M.
    Hope that helps rate if it does

  • ISE 1.2 EAP Chaining and Windows 8 - Auth failures

    Hi All,
    I've got a couple sites that appear to have issues with EAP chaining, ISE 1.2 and Anyconnect client on windows 8 enterprise.
    Basically the windows 8 machines authenticate intermittently and randomly but largely fail auth. 
    Often the client will work perfectly for a boot, even after a few reboots etc., and then might stop working. Other clients won't work at all no matter what settings you configure.
    Outer Method - EAP-FASTv2
    Inner Method - MSChapV2
    ISE 1.2 with Patch 1 (latest)
    Windows 8 Enterprise - with patch http://support.microsoft.com/kb/2743127
    Anyconnect Client  3.1.0466 (latest)
    Machine and User Auth Against AD.
    Cert checks disabled for testing.
    Clients using same configuration.xml file
    Symptom is Anyconnect prompts for username / password instead of using existing credentials.  Typing credentials doesn't work.
    Logs show failed "anonymous" authentications or client EAP timeouts.
    Cheers
    Peter.

    Hi Peter,
    It sounds like the Inner Method is not being negotiated properly, so it's only reading the Outer Method, which by default is set to show "Anonymous" in AnyConnect Profiles.
    Is it possible to upload a PDF version or copy paste the output of the failure from ISE's perspective?
    Kind Regards,
    Vlad

  • 802.11n with Bootcamp and Windows xp

    My 13 inch Macbook connects to my airport network at 802.11n 5GHz dual bandwidth using OSX but only 802.11g works when using bootcamp and windows. My 802.11n network shows-up on windows as an available network and I can type in my network password but it won't make the connection. Is 802.11n automatically active with bootcamp? I am able to connect at 802.11n speeds to my network using my work's Window laptop and a Linksys 802.11n usb card so I know it works.

    Boot Camp forum.
    https://discussions.apple.com/community/windows_software/boot_camp

  • [SOLVED] Wireless 802.1x PEAP Windows 7 and Windows 2012 NPS and CA

    Hello,
    We are in the process of migrating our RADIUS (Windows 2003 R2) and Certificate (Windows 2003 R2) servers to 2012 (R2). This went fine, no problems. After that we have changed our Wireless controller a Cisco 5508. We have changed our certificate from a 1024bits to a 2048bits certificate.
    We tested the other certificate functions and that went fine too.
    But we experience a problem with wireless 802.1x in combination with Windows 7 machines. We have Windows 8 and 8.1 machines that do not experience this problem and wireless 802.1x?
    We recreated the wireless policy but also no success.
    We have seen this problem before, with a customer who had a Windows 2008 R2 certificate server and Windows XP machines with wireless 802.1x. Exactly the same problem. After decommissioning the Windows 2008 R2 certificate server and changing it to a Windows 2003 R2 certificate server, there were no problems any more.
    It looks like older versions of Windows do not work with newer certificate servers?
    Do we miss something? Can someone confirm this.
    We already looked for these forum posts, but with no success
    http://social.technet.microsoft.com/Forums/windows/en-US/796d447f-518c-4ccb-81ff-921ee561d742/win2k8r2-peapnps-with-cisco-wireless-controller-problem?forum=winserverNIS
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/76644dcc-911d-451e-b7f1-39269db43ac7/nps-event-6273-reason-code-16
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/d543fe75-0cf9-49e7-bbfa-dd0df219cfe5/the-radius-request-did-not-match-any-configured-connection-request-policy-crp
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
      Security ID: domainname\NB80W7$
      Account Name: host/NB80W7.domainname.local
      Account Domain: domainname
      Fully Qualified Account Name: domainname\NB80W7$
    Client Machine:
      Security ID: NULL SID
      Account Name:
      Fully Qualified Account Name: -
      OS-Version:
      Called Station Identifier: 08-d0-9f-ec-96-60:domain
      Calling Station Identifier: a0-88-b4-35-2e-08
    NAS:
      NAS IPv4 Address: 192.168.2.6
      NAS IPv6 Address:
      NAS Identifier: WLC5500
      NAS Port-Type: Wireless - IEEE 802.11
      NAS Port: 1
    RADIUS Client:
      Client Friendly Name: WLC5500
      Client IP Address: 192.168.2.6
    Authentication Details:
      Connection Request Policy Name: WLC5500
      Network Policy Name:
      Authentication Provider: Windows
      Authentication Server: DC01.domainname.local
      Authentication Type: EAP
      EAP Type:
      Account Session Identifier:
      Logging Results: Accounting information was written to the local log file.
      Reason Code: 48
      Reason: The connection request did not match any configured network policy.

    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
      Security ID: domainname\Username
      Account Name: domainname\Username
      Account Domain: domainname
      Fully Qualified Account Name: domainname.local/ICT Specialisten/Username
    Client Machine:
      Security ID: NULL SID
      Account Name:
      Fully Qualified Account Name: -
      OS-Version:
      Called Station Identifier: 08-d0-9f-ec-96-60:domain
      Calling Station Identifier: a0-88-b4-35-2e-08
    NAS:
      NAS IPv4 Address: 192.168.2.6
      NAS IPv6 Address:
      NAS Identifier: WLC5500
      NAS Port-Type: Wireless - IEEE 802.11
      NAS Port: 1
    RADIUS Client:
      Client Friendly Name: WLC5500
      Client IP Address: 192.168.2.6
    Authentication Details:
      Connection Request Policy Name: WLC5500
      Network Policy Name: WLC5500
      Authentication Provider: Windows
      Authentication Server: DC01.domainname.local
      Authentication Type: PEAP
      EAP Type:
      Account Session Identifier:
      Logging Results: Accounting information was written to the local log file.
      Reason Code: 16
      Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
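
A triage sketch for NPS denial events like the two quoted in the post above, added here as an example and not part of the original thread: it parses the event text whether each value sits on its label's line or has wrapped onto the next line, then groups denials by Calling Station Identifier so machine and user failures from the same client can be compared side by side. The sample events, account names, policy name and MAC address are constructed; the field labels and the reason texts for codes 48 and 16 are the ones shown in the post.

```python
import re
from collections import defaultdict

EVENT_START = "Network Policy Server denied access to a user."
SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details"}
# Field labels as they appear in the event text quoted in the thread.
LABEL_RE = re.compile(
    r"^(Security ID|Account Name|Account Domain|Fully Qualified Account Name|"
    r"OS-Version|Called Station Identifier|Calling Station Identifier|"
    r"NAS IPv4 Address|NAS IPv6 Address|NAS Identifier|NAS Port-Type|NAS Port|"
    r"Client Friendly Name|Client IP Address|Connection Request Policy Name|"
    r"Network Policy Name|Authentication Provider|Authentication Server|"
    r"Authentication Type|EAP Type|Account Session Identifier|Logging Results|"
    r"Reason Code|Reason):\s*(.*)$"
)

# Constructed sample, not real log data. The first event keeps label and value
# on one line; the second has every value wrapped onto the following line.
SAMPLE = r"""
Network Policy Server denied access to a user.
User:
    Security ID:            EXAMPLE\PC01$
    Account Name:           host/PC01.example.local
Client Machine:
    Calling Station Identifier:     02-00-00-00-00-01
Authentication Details:
    Network Policy Name:
    Authentication Type:    EAP
    Reason Code:            48
    Reason:                 The connection request did not match any configured network policy.
Network Policy Server denied access to a user.
User:
Security ID:
EXAMPLE\alice
Account Name:
EXAMPLE\alice
Client Machine:
Calling Station Identifier:
02-00-00-00-00-01
Authentication Details:
Network Policy Name:
WLAN-POLICY
Authentication Type:
PEAP
Reason Code:
16
Reason:
Authentication failed due to a user credentials mismatch.
"""


def parse_events(text):
    """Return one dict per denial event, keyed as 'Section/Field'."""
    events, current, section, pending = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == EVENT_START:
            current, section, pending = {}, None, None
            events.append(current)
            continue
        if current is None:
            continue  # text before the first event
        if line.endswith(":") and line[:-1] in SECTIONS:
            section, pending = line[:-1], None
            continue
        match = LABEL_RE.match(line)
        if match:
            key = f"{section}/{match.group(1)}" if section else match.group(1)
            current[key] = match.group(2).strip()
            # An empty value may be genuinely empty or wrapped onto the next line.
            pending = key if not current[key] else None
            continue
        if pending:
            current[pending] = line  # wrapped value for the previous label
            pending = None
    return events


def triage(events):
    """Group denials by client MAC so machine and user attempts line up."""
    by_station = defaultdict(list)
    for ev in events:
        account = ev.get("User/Account Name", "")
        sid = ev.get("User/Security ID", "")
        code = ev.get("Authentication Details/Reason Code", "")
        station = ev.get("Client Machine/Calling Station Identifier") or "unknown"
        by_station[station].append({
            "account": account,
            # Computer accounts end in '$'; machine 802.1x identities use host/<fqdn>.
            "identity": "machine" if account.startswith("host/") or sid.endswith("$") else "user",
            "auth_type": ev.get("Authentication Details/Authentication Type", ""),
            "network_policy": ev.get("Authentication Details/Network Policy Name", ""),
            "reason_code": int(code) if code.isdigit() else None,
            "reason": ev.get("Authentication Details/Reason", ""),
        })
    return by_station


if __name__ == "__main__":
    for station, rows in triage(parse_events(SAMPLE)).items():
        print(station)
        for row in rows:
            print("  ", row)
```

An empty Network Policy Name next to reason code 48 and a populated one next to reason code 16 for the same station means the two attempts were rejected at different stages, which is the first thing to separate when reading such logs.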

    Hi,
    Please confirm the Win7 clients have renewed the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
    More information:
    Renew a Certificate
    http://technet.microsoft.com/en-us/library/cc730605.aspx
    NPS Server Certificate: Configure the Template and Autoenrollment
    http://msdn.microsoft.com/en-us/library/cc754198.aspx
    Hope this helps.

  • ISE 1.2 and multiple certificates

    Hello,
    Hopefully someone can answer this question.  We have ISE 1.2 setup and running, 802.1x and user and computer certificates.  All is working fine except some users have two user certificates, one from our server the other from our parent company.  When these users log in they get a bubble message saying "additional information is required to connect to the network", they click on this and they are asked to pick a certificate.  If they pick the one from us all works. 
    Question, is there a way either in Windows or ISE to use our certificate by default?  The PCs in question all have the cisco NAC agent, 4.9.43, and are either XP, Windows 7 or 8. 
    Thanks

    Thanks for the response but it's wrong. Cisco supports stacked ports in 1.2 for wired users. They carried over 1.1 documentation to 1.2 and never updated it. We have it in writing from Cisco TAC.

  • ISE 1.3 and NAC

    I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
    They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
    Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
    Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support
    Thanks for any advice/comments/experiences
    Jim

    Hi Jim-
    Version 1.3 offers a built-in PKI and vastly improved guest services experience. The internal PKI is nice if the customer doesn't have a PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow", so you cannot use the ISE PKI to issue certs to domain computers.
    With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE Single SSID BYOD - Windows Endpoint user experience

    We are implementing wireless BYOD using Cisco ISE 1.2 and WLC 7.4x. We are using PEAP / MS-CHAP v2 for wireless security. We are able to on-board iOS, Android, and MAC OS endpoints using single SSID, and Native supplicant provisioning seems to work fine with these endpoints. We are having issues with Windows clients. On Windows client, when the user selects the SSID, it is prompting for userid/password, but never gets a pop-up for server certificate. We are using a third party public wildcard certificate on ISE for HTTP/EAP authentication. On ISE, we are getting: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client.

    12511
    EAP
    Unexpectedly received TLS alert message; treating as a rejection by the client
    While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
    Warn

  • Cisco ISE 1.1 and IE9

    Is anyone else having problems with ISE admin/monitoring pages not working properly under IE9? I just completed an upgrade to ISE 1.1, and it seems more and more, when I try to manage the system with IE9, I will get the following error (host name changed to protect the innocent). I don't know if this is truly an IE9 issue, or the chrome plug-in we are forced to use. Works perfect under Firefox 11.0.
    This webpage is not available
    The webpage at https://iseserver.domain.com/mnt/pages/dashboard/dashboard.jsp?mnt_config_write=true&token=BEGIN_TOKENXspmm4x5AwFsV6NExIBAVA==END_TOKEN might be temporarily down or it may have moved permanently to a new web address.
    Error 103 (net::ERR_CONNECTION_ABORTED): Unknown error.

    Supported Administrative User Interface Browsers
    You can access the Cisco ISE administrative user interface using the following browsers:
    • Mozilla Firefox 3.6 (applicable for Windows, Mac OS X, and Linux-based operating systems)
    • Mozilla FireFox 9 (applicable for Windows, Mac OS X, and Linux-based operating systems)
    • Windows Internet Explorer 8
    • Windows Internet Explorer 9 (in Internet Explorer 8 compatibility mode)
    Cisco ISE GUI is not supported on Internet Explorer version 8 running in Internet Explorer 7 compatibility mode. For a collection of known issues regarding Windows Internet Explorer 8, see the "Known Issues" section of the Release Notes for the Cisco Identity Services Engine, Release 1.1.

  • ISE, Active directory and OUs

    Hello Everyone
    I have an ISE with an AD integration. I am trying to limit access for the wireless users; I only added one OU, "wireless users", but all the users can access the wireless network. I just want to allow access for the users in that OU, and block access for the other users not included in that OU.
    Another thing: I am not able to see the attributes from the directory. Is this an issue with the AD?
    Regards
    Israel

    Just to add some information, I added the AD in the external identity sources, and I can see the OUs in the groups; I chose the OU wireless.
    Then I created an authorization compound condition:
    Radius Service type: Frame
    Radius Nas Port: Wireless -802.1x
    and the network access equals domain/users/wireless.
    I applied this in my authorization policy.
    But it still does not work.

  • Cisco 3850 Switch and Windows 7 IP Conflicts

    Team,
    Last evening (Christmas eve) we setup a pair of Cisco 3850 with IP Base version 3.3.35SE (recommended) and 3.7.0E (very latest).
    We got these to replace a very old switch that had died. Attached to this network are windows 7 PC's with all the standard patches, service packs, etc.
    with standard port configs - no PC would work - and in fact on each screen we got the windows 7 IP Conflict pop up box.
    This seemed very odd to us, as we know these IP's are all static (no dhcp on this segment at all)
    we went with a very vanilla config on each port
    interface g1/0/1
    switchport host
    that is it - nothing special at all.
    Well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will affect the Windows 7 PC's IP-address-in-use detection in the port start-up phase!
    This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is going to not work when connected to the average network with Windows 7 PC's.
    We tried 3+ hours of prescribed work-arounds found when researching this issue -
    ip device tracking probe delay 10 (global config)
    ip device tracking max 0 (disabled, on interface)
    finally,
    nmsp attach suppress (interface, however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run). This affected many different NIC card vendors (laptops, desktops) and NIC card driver levels from old to very recent.
    Finally,
    we compared a 3850 in another location to this one - and we never got HIT by this problem before because that 3850 only has TRUNK ports and no Windows 7 hosts directly attached.
    Doing more research, I found out this can also affect VMware guests running Windows SERVER.
    this is now a huge issue as we have a scheduled deployment of 3850's throughout our network which is going to be put on hold.
    the work-around I came up with which is not great is -
    Make ALL the "access" ports connected to PC TRUNK ports and leave the NATIVE vlan (untagged) as the vlan you want the PC's to be in
    interface g1/0/1
    switchport mode trunk
    switchport trunk native vlan 1
    this is NOT an acceptable workaround as this presents security issues even with
    switchport trunk allowed vlan 1, etc. as the only allowed vlan.
    Note: this issue manifested itself and windows 7 PC's were UNABLE to use the network. if you do "ipconfig /all | more" you would see
    192.168.0.140(duplicate) and the interface would actually use 169.254.0.239(duplicate) so the duplicate message appeared twice in the output.
    1) With and without an SVI interface on each 3850 for the vlan where the windows 7 machines had a duplicate
    2) when we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is I forget now, but it took it)
    3) when we had aaa new-model configured - and not configured - thinking this was some artifact of having aaa turn on something like 802.1x port state
    4) when could confirm NO DHCP SNOOPING
    5) when we DID not use static IP's - and had the switch assign DHCP addresses - the Windows 7 PC's STILL had duplicates and didn't work for their "Just leased" IP's.
    6) when we could confirm ios-xe ip device tracking = disabled with show ip device tracking status, etc.
    This is a major problem for this 3850, and unless we get a definitive answer on why this is happening and how we can rectify it, we are going to have to return our 3850's and get HP Procurve's, something I would rather avoid doing. There is NO REASON I can imagine, other than older switches whose ports default to ROUTED ports (i.e. no ip switchport), where a switch should not at least function as a bare switch with essentially a default configuration out of the box.
    Any ideas? I'm working well now with the ports ALL in trunking mode with vlan 1 native, but this is not a scalable workaround we can live with as we have security risks of a port not blocking certain vlans from going out ports to pc's, etc. that attackers could send tags on at that point, etc.
    thanks,
    Joe Brunner
    #19366

    thanks for replying - i'm not onsite (its a standalone network) - but here is what it is -
    Answers in line -
    This all stems from a switch replacement correct?
    yes a 10 year old Allied Telesyn switch was replaced that had no config - like a hub, just used for connectivity.
    Are these 3850's in a stack?
    >yes, tested all aspects of the stack many times.
    Does it have a management ip address - If so, is it using the old switch ip address
    >old switch had no ip - i made a "management interface" on vlan 1 - BUT no ip on the built-in management interface on the switch.
    What are they connecting to? (a router/L3 switch/another switch - cisco-HP etc..)
    >various other devices - only 1 link back to a single 3750x stack. that switch is "hardened" so to speak to reveal or propagate very little by design.
    How are they connected (L3 interface/L2 trunk/access port)
    >all ports are left in trunk mode with vlan 1 as the active and untagged port. this was the workaround done to ever get the switch going. in "out of the box" or default mode as we initially wanted (no config) links to windows 7 PC's didn't work. links to linux or other devices non-windows did work!
    Are these switches performing inter-vlan routing or just acting as host switches?
    >dumb flat network, no routing.
    Is ip routing enabled?
    >not unless enabled on 3850 by default. I didn't type "ip routing"
    Do you have multiple vlans in your network and if so are they being propagated to these new switches?
    Your 7 pcs = are they just client pcs not servers?
    client PC's - no servers OS per se.
    can you confirm something like ICS isn't enabled (Internet connection sharing) on any of them?
    >yes not enabled.
    Are the just using one NIC each?
    > one machine is dual homed - but we know where its "second nic" goes - to another cisco network which is NOT connected back to this one. we traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us - like a blackbox. Strangest thing -
    default config out of the box - with ALL ports SHUTDOWN EXCEPT the single windows 7 facing port - the windows 7 machine STILL registered an IP CONFLICT when connected to the 3850 - even when it had NO SVI's!!! (i know mind numbing). if you disconnected the pc and connected it to an old cisco switch - it worked fine!!! wow.
    sh switch
    2 identical 3850's in working stack. power and network stacked. both at same version, etc - upgraded each time with "software install file flash:<long ios name>.bin"
    tested all power and general 3850 stacking. saw no issues.
    sh int trunk
    >all ports are now trunks (hence the workaround used to get it up).
    has 20 trunks to PC's and some single connected switches (far away on fiber) - all allow only vlan 1 - no other vlans were created - very very simple network. vlan 1 is native
    sh vlan brief
    >just vlan 1 - no vlans created, checked this many times - had vlan 100 at one point - made sure it was gone over a period of hours.
    sh vtp status
    not set up - left complete default; no vtp domain set - connected to all switches in transparent mode if a switch connection exists.
    sh cdp neighbours
    can't post (for god and country LOL) but there is one link back to our "core" so to speak - that switch is hardened not to allow any settings to slip over to new switches so hence no vtp, cdp is on to help troubleshooting.
    sh ip route
    just the L and C routes for the vlan 1 ip address 192.168.17.1/24
    no static routes
    no vlan interfaces other than int vlan 1
    no ip address on g0/0/0 -> the default 3850 management interface hard assigned to the 3850 VRF you cant remove.
    int g0/0/0
    ip vrf forwarding Switch_Mgmt
    i can get over there if you think of anything else key to show the group.
    thanks,
    Joe
