ISE Central webauth and vWLC 7.4

Hi Everybody,
I am wondering if anyone has gotten this scenario to work: Cisco ISE Guest Portal via CWA redirect on an AP connected to a Virtual WLC running 7.4. As vWLC can only run FlexConnect, and no centrally switched VLANs are supported, how would this scenario be possible, if at all? The AP would have to do the redirect instead of the controller?

Yes, I agree with Tarik.
Also, do review the links below, which might be helpful:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_41_guest_services.pdf
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_40_webauthentication_dg.pdf

Similar Messages

  • ISE 1.3 and NAC

    I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
    They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
    Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
    Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support?
    Thanks for any advice/comments/experiences
    Jim

    Hi Jim-
    Version 1.3 offers a built-in PKI and vastly improved guest services experience. The internal PKI is nice if the customer doesn't have a PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow". So you cannot use the ISE PKI to issue certs to domain computers.
    With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE 1.2 and iPEP Certificate Requirements

    Hi,
    For 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:
    Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Posture certificate.
    [http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]
    Does the same thing apply for iPEP in ISE 1.2? The User Guide for ISE 1.2 and Hardware Installation Guide don't mention anything about EKU and specific certificate attributes.
    Any thoughts?
    Thank you,
    Octavian

    The EKU validation has been removed in version 1.2.
    "If you configure ISE for services such as Inline Policy Enforcement Point (iPEP), the template used in order to generate the ISE server identity certificate should contain both client and server authentication attributes if you use ISE Version 1.1.x or earlier. This allows the admin and inline nodes to mutually authenticate each other. The EKU validation for iPEP was removed in ISE Version 1.2, which makes this requirement less relevant."
    Source:
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml

  • Central Excise and WHT Settings  in CIN Version for 4.6C

    Hi SAP gurus,
    I need urgent support from your end regarding Central Excise and WHT Settings in CIN Version for 4.6C. I am new to CIN Version, and now I am deputed to the same.
    Can anybody give the configuration of the Central Excise and WHT Settings in CIN Version for 4.6C?
    Kindly revert back ASAP.
    thanks and regards,
    raghav

    Hi
    Go to transaction code J1iln; you get all the details on CIN, or you can go to Logistics General > Tax on Goods Movement in SPRO.
    Anand

  • I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self-registration

    I want to integrate an SMS gateway to Cisco ISE 1.2 and my question is:
    Are SMS notifications supported for Guest self-registration Services, or should it be done by the Sponsor?

    I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
    Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
    Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

    Does anyone know if Cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support SNMP version 3?
    ciscoISE/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    ciscoISE/admin(config)# snmp-server
    Ciscoacs/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    Ciscoacs/admin(config)# snmp-server

    No support for SNMP v3 on ISE v1.2 and 1.3 except for profiling.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
     http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

  • Dialog box says-"Bridge encountered a problem and is unable to read the cache. ... purge central cache" For one, I can't find the central cache and two, I've purged the cache in bridge. Shouldn't that help.

    Our Bridge has been acting very strange. It keeps giving a dialog box of "Bridge encountered a problem and is unable to read the cache. ... purge central cache" For one, I can't find the central cache and two, I've purged the cache in bridge. Shouldn't that help? There's just all kinds of weird stuff going on. I suppose it does have something to do with the central cache, so maybe someone can tell me where to find it.
    When I use the burn/dodge tool sometimes it drags and staggers and takes forever to complete whatever I'm burning/dodging. When I try to delete an image from the dock, it won't disappear but it won't display either.
    Any help would be appreciated.

    The Central Cache is the Bridge Cache.
    It's referred to as the Central Cache to differentiate it from the individual folder's cache or even the individual image cache.

  • ISE patch 1 and 2 for 1.1.4 problem with resetting-application

    Hi guys,
    For your info: ISE patch 1 and 2 have the same problem on 1.1.4. If you have patches installed and try to reset the application of ISE, the monitoring applets are all gone. It's loading an empty page. Solution: roll back any installed patches. Monitoring is back up again. Install the patches again and everything is fine. Took me one afternoon to figure this out.

    Hi Ravi,
    Do you know what is going wrong? I'm wondering if everything is working correctly and if patches are applied correctly.

  • ISE 1.3 and Windows Posture Web Agent

    Hello,
    I am running ISE 1.3 and have an issue running the Posture Web Agent. The client authenticates and gets redirected to the client provisioning portal but gets the following message:
    Detecting if Web Agent is installed and running gets ticked and then it keeps rolling at scanning your device. Open Web Agent to check the current status of the system scan and update your system as instructed.
    See attached screen shot

    Is this issue specific to particular groups of clients/OS type? If using Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download Cisco NAC agent, check and enable "compatibility mode.")

  • Cisco ISE 1.1 and IE9

    Is anyone else having problems with ISE admin/monitoring pages not working properly under IE9? I just completed an upgrade to ISE 1.1, and it seems more and more, when I try to manage the system with IE9, I will get the following error (host name changed to protect the innocent). I don't know if this is truly an IE9 issue, or the Chrome plug-in we are forced to use. Works perfect under Firefox 11.0.
    This webpage is not available
    The webpage at https://iseserver.domain.com/mnt/pages/dashboard/dashboard.jsp?mnt_config_write=true&token=BEGIN_TOKENXspmm4x5AwFsV6NExIBAVA==END_TOKEN might be temporarily down or it may have moved permanently to a new web address.
    Error 103 (net::ERR_CONNECTION_ABORTED): Unknown error.

    Supported Administrative User Interface Browsers
    You can access the Cisco ISE administrative user interface using the following browsers:
    • Mozilla Firefox 3.6 (applicable for Windows, Mac OS X, and Linux-based operating systems)
    • Mozilla Firefox 9 (applicable for Windows, Mac OS X, and Linux-based operating systems)
    • Windows Internet Explorer 8
    • Windows Internet Explorer 9 (in Internet Explorer 8 compatibility mode)
    Cisco ISE GUI is not supported on Internet Explorer version 8 running in Internet Explorer 7 compatibility mode. For a collection of known issues regarding Windows Internet Explorer 8, see the "Known Issues" section of the Release Notes for the Cisco Identity Services Engine, Release 1.1.

  • ISE Guest Portal and one more SSID using internal accounts

    Hi Guys,
    I have two SSIDs on the WLC: the first is related to the ISE Guest Portal and the second is related to employees, but I realize that the Guest user can access the employee SSID and employee accounts can access the Guest portal page.
    I guess this is happening because I cannot split these databases under "Internal Users" on Authentication Policy.
    How can I restrict the access even if I am using the internal database?
    Thanks a lot

    Using the Authorization policy is the right way. Match the corp ID store to the corp WLAN SSID ID in the AuthZ policy, for example (where Employee is your corp ID store and yyyy is the name of your corp SSID):

  • FlexConnect local/central switched and Access-Accept Packets

    For our branch offices' wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
    • Full network access, local switched.
    • Limited network access, central switched:
      ◦ To isolate traffic from the branch's LAN.
      ◦ To force traffic through a firewall at the central site.
        ▪ To ease access rules management.
      ◦ Internet access only by default.
        ▪ Internet access is located at the central site.
        ▪ We expect to manage some exceptions to the rule.
    We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
    However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
    Authentication Attributes Honored in Access-Accept Packets (Airespace)
    VAP ID
    This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
    Source:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76/b_cg76_chapter_0101000.html#reference_327F94A40AAE46E48153B265E521DDCF
    We then made an assumption that the following was possible:
    • Create a second SSID
      ◦ Broadcast not enabled
      ◦ Central Switched
    • Users would authenticate using the first SSID
    • In its access-accept packet, the RADIUS server would return an Airespace-WLAN-Id attribute with the value of the second SSID.
    • The WLC would then assign the second SSID to the users so they're central switched and forwarded through the firewall at the main site.
    So far, our tests showed no results.
    •  Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
    •  If not, what would you recommend?
    For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
    Thank you very much,

    Your WLAN is defined as centrally switched or locally switched; AAA override will not change that value. AAA attributes can change a user's VLAN, ACL and QoS. The other attributes are intended to be used for rules... example:
    Is the user part of this AD group and is this user on WLAN ID=1.
    You will not be able to go from centrally switched to locally switched and vice versa. I don't know how you would be able to achieve what you're trying to accomplish with one SSID, to be honest.
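
The question above notes that Airespace-WLAN-Id was visible in Wireshark but that the WLC gave no indication of what it did with it. As an added example (not part of the original posts), this Python parser takes a raw RADIUS Access-Accept payload and lists the Airespace vendor-specific attributes it carries, which is a quick way to confirm exactly what the NPS server returned. The vendor ID 14179 and the sub-attribute numbers are assumptions taken from the FreeRADIUS `dictionary.airespace` file; the sample packet is constructed.

```python
import struct

# Assumption: vendor ID and sub-attribute numbers as in FreeRADIUS dictionary.airespace.
AIRESPACE_VENDOR_ID = 14179
AIRESPACE_SUBATTRS = {
    1: ("Airespace-Wlan-Id", "int"),
    2: ("Airespace-QOS-Level", "int"),
    5: ("Airespace-Interface-Name", "str"),
    6: ("Airespace-ACL-Name", "str"),
}
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26

def parse_airespace_vsas(packet: bytes) -> dict:
    """Return the Airespace VSAs found in a raw RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos < length:
        # Each attribute is type(1) + length(1) + value; length covers all three.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != AIRESPACE_VENDOR_ID:
            continue  # another vendor's VSA
        sub = value[4:]
        while len(sub) >= 2:
            v_type, v_len = sub[0], sub[1]
            if v_len < 2 or v_len > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            data, sub = sub[2:v_len], sub[v_len:]
            name, kind = AIRESPACE_SUBATTRS.get(v_type, (f"Airespace-{v_type}", "raw"))
            if kind == "int" and len(data) == 4:
                found[name] = struct.unpack("!I", data)[0]
            elif kind == "str":
                found[name] = data.decode("ascii", "replace")
            else:
                found[name] = data.hex()
    return found

def _vsa(vendor: int, v_type: int, data: bytes) -> bytes:
    body = struct.pack("!IBB", vendor, v_type, len(data) + 2) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def build_sample_accept() -> bytes:
    # Constructed sample: WLAN-Id 2, an ACL name, and an unrelated vendor-9 VSA.
    attrs = (_vsa(AIRESPACE_VENDOR_ID, 1, struct.pack("!I", 2))
             + _vsa(AIRESPACE_VENDOR_ID, 6, b"GUEST-ACL") + _vsa(9, 1, b"x=y"))
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```
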

  • Difference Between central instance And application instance

    Hi everybody, can anyone tell me
    what is the difference between Central instance and Application instance,
    if I am using 4.7 EE with an Oracle database?

    Check these links
    http://oreilly.com/catalog/sapadm/chapter/ch01.html
    Basically these terms come up when you are working on live servers where all the users log in to do their daily work.
    We say that when we want to distribute the workload on servers we require a central instance and application servers.
    Normally it is not known to common users where they are logging into... but they can log in directly using the specific instance details of servers.
    Please see this also
    http://help.sap.com/saphelp_nw2004s/helpdata/en/c4/3a64e8505211d189550000e829fbbd/frameset.htm

  • Multiple position for one central person and one user

    Dear Gurus,
    I have a requirement to create multiple positions for an existing User, which already has CP Central Person and S Position.
    How do I create this new position and assign the same CP to all the new positions?
    Thanks and regards,
    Anil Rajpal

    Hi
    Yes you can definitely do this
    Create the new position and assign the CP to this position in transaction PPOME. You may find the position first there in PPOME, and then drag-drop the CP over the position to make the assignment. The system will ask for the percentage of responsibility, which you will have to enter.
    Regards
    Virender Singh

  • Why do we need to specify Role baseprovider and membership provider in Central Admin and security config files?

    Hi,
    Why do we need to specify role base provider and membership provider files in central admin and security config files?
    thanks,
    gaurav

    We use 3 settings in Forms based auth:
    1 Membership = This contains Users and groups information. (This table also has username and password)
    2 ConnectionString = Connection details to connect to the database are stored here (servername, databasename, username, password, port)
    3 Role = This table contains all the Roles (Admin, contributor, etc. of the data source)
