ISE and AD synchronization

Similar Messages

• How to Sync clock on WLC ISE and AD

  Hi there,
  I am stuck in NTP, deployed WLC CWA using ISE that is integrated with AD. I tried using AD as NTP source but no luck(universal fact that Cisco uses NTP where as Microsoft uses SNTP).
  The issue is, if time is not synced between WLC, ISE and AD; web redirection stopped working and no authentication takes place.
  I tried installting Meinbergglobal NTP software to distribute time to my Cisco devices. It does work with Cisco devices but it acts as master and do not sync its own time with AD.
  I am trying to figure out a way to sync Cisco with Microsoft, is there any way in this world to do so???
  Please help..
  Thanks in advance           

  You mean I should sync AD and all my cisco devices with global NTP server?
  Yes and no.  If you know your network well, doing this is a pain in the proverbial backside because you have to open firewall rules to everyone going out to the global NTP server.
  The smart thing to do is what George has described.  You select a few (between two to four) to go out to the internet to synchronize.  Normally I would nominate our core routers do this.  Next, all our distribution switches and core switches synchronize to our core routers.  All our servers, PCs, printers, WLC, switches  sychronize to our distro switches. 

• ISE and AD integration

  Hello All,
  Can anyone tell me what are all the prerequisites when integrating ISE with AD..?
  Thanks in advance.

  Hi Prasan,
  Before you connect your ISE server with the Active Directory domain, you must check the following:
  •Ensure that Cisco ISE hostnames are only 15 characters or less in length. Active Directory does not validate hostnames larger than 15 characters, which can cause a problem if you have multiple ISE hosts in your deployment whose hostnames are identical through the first 15 characters and only distinguished from one another by trailing digits or other identifiers.
  •Ensure that your ISE server and Active Directory are time synchronized. Time in the ISE is set according to the Network Time Protocol (NTP) server. It is recommended that you use the NTP to synchronize time between the ISE and Active Directory. For more information on NTP server settings, see the "System Time and NTP Server Settings" section.
  Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.1 for information on how to configure the NTP server settings from the CLI.
  •If there is a firewall between ISE and Active Directory, certain ports need to be opened to allow ISE to communicate with Active Directory. Ensure that the following default ports are open:
  otocol
  Port Number
  LDAP
  389 (UDP)
  SMB1
  445 (TCP)
  KDC2
  88 (TCP)
  Global Catalog
  3268 (TCP), 3269
  KPASS
  464 (TCP)
  NTP
  123 (UDP)
  LDAP
  389 (TCP)
  LDAPS3
  636 (TCP)
  1 SMB = Server Message Block
  2 KDC = Kerberos Key Distribution Center
  3 LDAPS = Lightweight Directory Access Protocol over TLS/SSL
  •The Active Directory username that you provide while  joining to an Active Directory domain should be predefined in Active  Directory and should have the permission to create and update for computer account objects and change password in the domain you are joining.
  •Ensure that your Microsoft Active Directory Server does not reside  behind a network address translator and does not have a Network Address  Translation (NAT) address.
  Supported document:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1059011
  Jatin Katyal
  - Do rate helpful posts -

• I have an account for apple but this is not acceptable for i cloud. It say it is correct ID and password but this is not icloud account. So my phone can not connect with my computer and not synchronization too

  I have an account for apple but this is not acceptable for i cloud. It say it is correct ID and password but this is not icloud account. So my phone can not connect with my computer and not synchronization too. Last a few months i have not use this phone. Just i start to use again. So most probably i gave my old mail address as a ID or password. So how can i clearing this subject. regards

  ErolSinan wrote:
  ... there is no button for update between the About and Usage buttons in the General. ...
  Correct. That is only a feature of iOS 5 or later...
  ErolSinan wrote:
  ... yes my phone is 3G.
  then it can only go as far as iOS 4.2.1

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• How do you know the date and time synchronization in the windows version?

  Where can I see the date and time synchronization?

  There's a toolbar button sitting in the Customize Palette. Move that button to a toolbar or into the Open Menu box; when you hover the cursor over that button a tooltip will appear with the day-of-week and the time of the last Sync event.

• ISE and WLC for posture remediation

  Please can anybody clarify a few things in relation to ISE and wireless posture.
  1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking?
  2) Can/Should a dACL/wACL be specified as a remediation ACL?
  3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?)
  4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
  5) Any other advice or pointers would be helpful too as no docs i have found so far, be it TrustSec2, CiscoLive or anything else, dont seem to help me understand WLC posture and remediation
  thanks
  Nick

  Nick,
  Answers are inline:
  1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an  ACL to redirect only some traffic to kickoff posture checking? This is for both (if ports 8905..are included) then this is for initial redirection, and remediation
  2) Can/Should a dACL/wACL be specified as a remediation ACL? Wireless does not support DACL, you will have to reference another ACL in the the authorization policy, the new versions have the Airespace ACL field, where you will have the ACL defined locally on the wlc.
  3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?) Yes you have to add two entries, for example for all traffic redirection to ise...source = any, destination=iseipadd, source port=any, destination port=any direction=any action=permit
  source=iseipaddr, destination ip = any, source port=any, destination port=any, direction=any action permit. Its not the easiest but I will attach a screenshot that will show you my example.
  4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)? ISE doesnt support DACLs so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery) after that the ACL field will come up, there you will "call" the posture ACL which is defined on your controller.
  5)  Any other advice or pointers would be helpful too as no docs i have  found so far, be it TrustSec2, CiscoLive or anything else, dont seem to  help me understand WLC posture and remediation Keep in mind that you have to have radius NAC and AAA override enabled under the advanced settings for COA to work.
  You have to turn on COA under the global settings in ISE (Administration > Profiling > Coa Type > Reauth)
  Then you have to build your policies so that when a user connects to the network they are redirected to the download the nac agent (this is where the Posture Discovery and redirect ACL work in tandem).
  Once the client download the nac agent and is compliant the report is forwarded to ISE where a COA event is triggered.
  Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant, you can set the ACLs for restricted access, use dynamic vlan assignment, or just send the access-accept.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• CoA issues between ISE and 3750x

  We are having an issue using the cisco ise 1.1.2 and a 3750x (Version 12.2(58)SE2)
  When the radius sends a reauthentication CoA message to the switch, the switch responds with a 'session contect not found' reply. I have upgraded the code to the latest levels on both the ise and switch and still have the same resultts.
  This reauthenticate is needed after the NAC profiler determines the pc is complient. I am receiving the complient message from the pc and switch, but becuase the switch never reauthentices the client after the CoA request, the client is never granted full access.
  I am not sure if the radius server is sending the wrong session id, or if the switch is looking at it wrong.
  Please Help...!!!!!
  -Debug --
  Log Buffer (10000 bytes):
  Feb 28 19:34:21.940 UTC: RADIUS: COA  received from id 38 10.122.1.82:40171, CoA Request, len 140
  Feb 28 19:34:21.940 UTC: COA: 10.122.1.82 request queued
  Feb 28 19:34:21.940 UTC: RADIUS:  authenticator 62 6B 15 C9 C7 A5 CA 88 - 4F B2 EE 4C A0 3D 9F 50
  Feb 28 19:34:21.948 UTC: RADIUS:  NAS-IP-Address      [4]   6   10.122.1.66
  Feb 28 19:34:21.948 UTC: RADIUS:  Event-Timestamp     [55]  6   1362080061
  Feb 28 19:34:21.948 UTC: RADIUS:  Message-Authenticato[80]  18
  Feb 28 19:34:21.948 UTC: RADIUS:   BC B3 BA 2A 11 BD 63 0B 22 7E 82 AA C2 A5 F7 C4              [ *c"~]
  Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  41
  Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
  Feb 28 19:34:21.948 UTC: RADIUS:  Vendor, Cisco       [26]  49
  Feb 28 19:34:21.948 UTC: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A7A014200000272048AF0F1"
  Feb 28 19:34:21.948 UTC: COA: Message Authenticator decode passed
  Feb 28 19:34:21.948 UTC:  ++++++ CoA Attribute List ++++++
  Feb 28 19:34:21.948 UTC: 07353140 0 00000001 nas-ip-address(585) 4 10.122.1.66
  Feb 28 19:34:21.948 UTC: 0735375C 0 00000001 Event-Timestamp(430) 4 1362080061(512FB13D)
  Feb 28 19:34:21.948 UTC: 0735376C 0 00000009 audit-session-id(794) 24 0A7A014200000272048AF0F1
  Feb 28 19:34:21.948 UTC: 0735377C 0 00000009 ssg-command-code(475) 1 32
  Feb 28 19:34:21.948 UTC:
  Feb 28 19:34:21.957 UTC: AUTH-EVENT: auth_mgr_ch_search_record - Search record in IDC db failed
  Feb 28 19:34:21.957 UTC: RADIUS/ENCODE(00000000):Orig. component type = Invalid
  Feb 28 19:34:21.957 UTC: RADIUS(00000000): sending
  Feb 28 19:34:21.957 UTC: RADIUS(00000000): Send CoA Nack Response to 10.122.1.82:40171 id 38, len 62
  Feb 28 19:34:21.957 UTC: RADIUS:  authenticator DF 18 2F 59 21 4F 84 E1 - 61 B8 43 B8 01 C5 58 B4
  Feb 28 19:34:21.957 UTC: RADIUS:  Reply-Message       [18]  18
  Feb 28 19:34:21.957 UTC: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
  Feb 28 19:34:21.957 UTC: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
  Feb 28 19:34:21.957 UTC: RADIUS:  Message-Authenticato[80]  18
  Feb 28 19:34:21.957 UTC: RADIUS:   30 C9 AE 52 80 2E A2 54 FF F3 4B C7 28 31 A9 61          [ 0R.TK(1a]
  ESWHQFL02-S#
  ESWHQFL02-S#
  -- Switch Config -
  aaa authentication login default group tacacs+ local-case
  aaa authentication login local_login local
  aaa authentication enable default group tacacs+ enable
  aaa authentication dot1x default group radius
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 5 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  aaa authorization network default group radius
  aaa authorization network auth-list group DOT1X
  aaa accounting dot1x default start-stop group radius
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 5 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting network default start-stop group tacacs+
  aaa server radius dynamic-author
  client 10.122.1.82 server-key 7 14141B180F0B
  client 10.122.1.80 server-key 7 045802150C2E
  aaa session-id common
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server host 10.122.1.82 auth-port 1812 acct-port 1813 key 7 13061E010803
  radius-server host 10.122.1.80 auth-port 1812 acct-port 1813 key 7 104D000A0618
  radius-server deadtime 5
  radius-server key 7 030752180500
  radius-server vsa send accounting
  radius-server vsa send authentication

  As per the cisco recommendation IOSv12.2(52)SE is suitable for Catalyst 3750-X which will support all  the features without any issues like  MAB,802.1X,CWA,LWA,COA,VLAN,DACL,SAG as mentioned in the link below:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html.
  I see you are using IOSv12.2(58)SE2,which is not recommended.So you can  downgrade to IOSv12.2(52)SE which will solve your issues.

• PDA and data synchronization -help required

  Hi,
  I have experince in developing web applications in jsp/servlets and php. I wish to develop a PDA supported java server
  application. I have downloaded netbeans for using as an IDE. It does have support for mobile emulators, but does not support
  PDA/Palm OS emulators.
  What about IBM websphere and eclipse for using as IDE? Will they support J2ME SDK? Please help me in devoloping my PDA
  application.
  why we use data synchronisation for laptop and PDA for web applications? Why is it not applied in normal PC?
  Thanking in advance,
  From,
  Vinod

  Vinod, you might want to look at the palm.com web site. There is quite alot of information available for developers.
  By reading your original query, I assume you are talking about thread safety and not synchronization, per se. Thread safety is very important in a web app as you surely know. If you don't and have been developing Servlets/JSPs then, hoo boy!

• Cisco ISE and SecurID Integration Questions

  I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
  We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
  We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
  The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
  My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
  I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It apears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no-longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
  Thanks!

  The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
  Have you already gone through the below listed link?
  http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
  Regards,
  Jatin Katyal
  - Do rate helpful posts -

• How to fix Import and folder-synchronize?

  Installed Lightroom 4.2 RC. Now Import and folder synchronize hang up. Uninstalled 42. RC with same result. Removed and then reinstalled 4.1 with same problem.
  Please advise.
  [email protected]
  Message was edited by: SD Rowdies

  They might not be compatible with the iPad's video capability. Are they Flash videos?

• Reference and Assignment Synchronization Report for FBL5N Transaction

  is ther any standard report for ...Reference and Assignment Synchronization Report for FBL5N Transaction.

  Hi,
  FBL5N is a standard TCode which is used to see Open, Cleared and All line items of customer as per company code.Line items means whatever transaction has been posted to the customer.
  These line items may be related to invoices raised against the customer, payments received from customer and advance receipt from customer.
  Hope you have understood
  Regards
  Tapan

• ISE and Guest Portal

  WLC - 7.2.110.0
  ISE - 1.1.1
  I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: https://1.2.3.4:8443/guestportal/Login.action
  At that screen, users can enter their Active Directory credentials and login. Although the authentcation shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description but the "Register" button is greyed out.
  I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to help me understand how access requests are processed?

  As you asked the documents related to ISE and Guest Portal. I am sending you two docs which will help you in this case. Please find the below documents:
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

• CWA with ISE and 5760

  Hi,
  we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
  I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
  aaa authentication login Webauth_ISE group ISE
  aaa authorization network cwa_macfilter group ISE
  aaa authorization network Webauth_ISE group ISE
  aaa accounting network ISE start-stop group ISE
  aaa server radius dynamic-author
  client 10.232.127.13 server-key 0 blabla
  auth-type any
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 31 send nas-port-detail mac-only
  wlan test4guests 18 test4guests
  aaa-override
  accounting-list ISE
  client vlan 1605
  no exclusionlist
  mac-filtering cwa_macfilter
  mobility anchor
  nac
  no security wpa
  no security wpa akm dot1x
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  security dot1x authentication-list Webauth_ISE
  no shutdown
  wc5# debug aaa coa
  Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
  Feb 27 12:19:08.444: RADIUS:  authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
  Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
  Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
  Feb 27 12:19:08.444: RADIUS:  Event-Timestamp     [55]  6   1393503547
  Feb 27 12:19:08.444: RADIUS:  Message-Authenticato[80]  18
  Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
  Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  41
  Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
  Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  43
  Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37  "subscriber:reauthenticate-type=last"
  Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  49
  Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
  Feb 27 12:19:08.444: COA: Message Authenticator decode passed
  Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
  Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
  Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
  Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
  Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
  Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
  Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
  Feb 27 12:19:08.444:
  Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
  Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
  Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
  Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
  Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
  Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
  Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
  Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
  Feb 27 12:19:08.444:
  wc5#

  Reason for this are two bugs which prevent this from working:
  https://tools.cisco.com/bugsearch/bug/CSCul83594
  https://tools.cisco.com/bugsearch/bug/CSCun38344
  This is embarrassing because this is a really common scenario. QA anyone?
  So, with ISE and 5760 CWA is not working at this time. 

• ISE and NAC Agent

  Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) enviroments. We are looking at migrating over to ISE for our wireless enviroment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC enviroment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this enviroment, we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically, is NOT listed in the NAC compatiblity matrix. So what version of NAC agent should we run in a mixed enviroment? I am hoping 4.9.1.5 is supported against ISE, and the matrix is simply not updated yet. Thank you in advance for your help.

  Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC applainces, we would still run that agent. Does that agent tun against ISE, and if not, what is Cisco's recommendation to bring ISE into the enviroment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE as our laptops will be wireless and wired at different times. Which Agent would be recommended?