ISE dACL for FlexConnect AP

hello all,
I found a similar thread, but it didn't exactly answer my question:
https://supportforums.cisco.com/discussion/12114056/flex-connect-user-acl-aps-locally-switched
Should I configure a regular ACL, or Airespace ACL on ISE, to support FlexConnect mode AP's?
On the FlexConnect AP's (WLC), do I configure a regular ACL, or FlexConnect ACL?
The FlexConnect AP's are running a few SSID's, some are centrally switched, and some are locally switched.
Thanks,
Kevin

It depends which version of WLC; v7.4.110 has a bug (unfortunately, I don't remember the bug ID). You need to create a regular and a FlexConnect ACL using the same name. With a recent version (I'm using 7.6.130), you don't need the regular ACL, just a FlexConnect ACL. So, to answer your question, with FlexConnect you must use a FlexConnect ACL.
Good links:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001110.html
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

Similar Messages

  • ISE used for BYOD and Corporate

    Hello
    I have a customer currently using EAP-PEAP on both their corporate laptops and wireless phones on different SSIDs; the RADIUS servers are a pair of IAS servers. We have recently deployed ISE BYOD for them with a single BYOD SSID. Now they want to completely get rid of the IAS and move all RADIUS to ISE, but want to keep EAP-PEAP for laptops and phones.
    I am thinking about the authorization rules in the ISE. Now they have 3 types of access using EAP-PEAP: a user must at least belong to the Employee AD group, but he may or may not belong to the BYOD and/or PHONE groups as well. The authentication results should be something like:
    1. if Corporate Laptop  then Permit Access
    2. if BYOD then NSP
    3. if Phone then Permit Access
    I am just wondering what is the best way to classify the devices (to decide the following action) without relying on profiling. Surely they all come from different SSIDs, so I could check the WLAN ID to determine what action to follow, but that will need to make sure all the WLCs have the same WLAN ID for each SSID. Is there any better or neater way of doing this? What is the best practice for this kind of scenario?
    Thanks

    If we're talking purely SSIDs, you can match the name of SSID
    For example here, I'm matching a SSID of "mlatosie".
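The rule set from the question, keyed on the SSID name rather than the WLAN ID, as an added example that is not part of the thread. It assumes the AireOS default Called-Station-Id format `<ap-mac-with-dashes>:<ssid>` (the same suffix an ISE `Called-Station-ID ENDS_WITH` condition matches) and constructed SSID names (CORP, BYOD, VOICE) and AD group names; rules are evaluated first-match, as ISE does.

```python
"""Added example (not from the thread): first-match authorization rules keyed on the
SSID name carried in RADIUS Called-Station-Id, combined with AD group membership."""
from dataclasses import dataclass


def ssid_from_called_station_id(called_station_id):
    """Extract the SSID suffix from "<ap-mac>:<ssid>".

    Assumption: the WLC formats the AP MAC with dashes (AireOS default), so the
    first ':' separates MAC from SSID and the SSID itself may contain colons.
    """
    mac, sep, ssid = called_station_id.partition(":")
    if not sep or not ssid:
        raise ValueError(f"no SSID suffix in Called-Station-Id: {called_station_id!r}")
    return ssid


@dataclass(frozen=True)
class Request:
    called_station_id: str   # RADIUS Called-Station-Id as sent by the WLC
    ad_groups: frozenset     # AD groups the authenticated user belongs to


@dataclass(frozen=True)
class Rule:
    name: str
    ssid: str                # exact SSID name (SSIDs are case-sensitive)
    required_groups: frozenset
    result: str              # ISE authorization profile name


# Constructed rules mirroring the three outcomes in the post. Employee membership is
# required everywhere; BYOD and PHONE are additional groups for those SSIDs.
RULES = (
    Rule("Corporate Laptop", "CORP", frozenset({"Employee"}), "PermitAccess"),
    Rule("BYOD", "BYOD", frozenset({"Employee", "BYOD"}), "NSP"),
    Rule("Phone", "VOICE", frozenset({"Employee", "PHONE"}), "PermitAccess"),
)


def authorize(request, rules=RULES, default="DenyAccess"):
    """Return the authorization profile of the first rule whose SSID and groups match."""
    ssid = ssid_from_called_station_id(request.called_station_id)
    for rule in rules:
        if rule.ssid == ssid and rule.required_groups <= request.ad_groups:
            return rule.result
    return default


if __name__ == "__main__":
    # Constructed requests: one per SSID, plus an employee on the BYOD SSID without the BYOD group.
    samples = [
        Request("00-11-22-33-44-55:CORP", frozenset({"Employee"})),
        Request("00-11-22-33-44-55:BYOD", frozenset({"Employee", "BYOD"})),
        Request("00-11-22-33-44-55:VOICE", frozenset({"Employee", "PHONE"})),
        Request("00-11-22-33-44-55:BYOD", frozenset({"Employee"})),
    ]
    for s in samples:
        print(s.called_station_id, sorted(s.ad_groups), "->", authorize(s))
```

Because the match is on the SSID string, the rule holds across controllers regardless of which WLAN ID each one assigned to the SSID; a request whose Called-Station-Id carries no SSID suffix (a controller configured to send only the AP MAC) is rejected rather than silently falling to the default.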

  • ISE License for WLC

    Hello Experts
    I have ISE with an advanced license for 1500 users, and I have a WLC 2504, and I need to integrate the WLC with the ISE to get ISE features for the wireless users like posturing, remediation and authentication as well.
    My question: is the advanced license enough, or shall I install the Wireless License on the ISE to have the integration...
    Your feedback and inputs are appreciated....
    Reyad

    Here is some information regarding the different types of licenses -
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_license.html#wp1074395
    Essentially a wireless license is much like the base license if your deployment is 100 percent wireless, the wireless upgrade is the equivalent to the advanced license once again for only a wireless deployment.
    Base and Advanced covers all (wired, wireless, vpn..etc). there are no restrictions to the deployment model.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE Licensing for IP Phones nodes

    Hi Guys,
    I'm currently working on an ISE design for a network where they have IP Phones for each end user device:
     Switch <--> IP Phone <--> End User Device.
    My concern is the licensing part; I'm not really interested in authenticating or profiling IP Phone nodes. Rather I need only to provide full ISE services for end user devices behind IP Phones (Authentication, Authorization, Posturing....etc.). So I need to order a base and an advanced license that cover ONLY the number of end user devices without accounting for IP Phone units.
    Considering the above requirements, what is the best deployment scenario to consider when configuring the switch interface that connects to each IP Phone with single host port authentication (CDP bypass)? Would the IP phone consume from the license count?
    What if we considered doing MAB for IP Phone nodes and Dot1x for end users and considering MDA? Would it consume 2 units from the total license number of nodes in this case?
    What is the best practice for deploying and licensing ISE if I use Cisco or a third party IP Telephony solution and I don't want to authenticate/authorize/profile IP phones?
    Thanks,
    Muayad Jallad,

    If you are using Cisco IP phones you can get away with single-host mode on the port which in effect ignores the phone. If the phone is a third party device you will most likely need to use multi-domain authentication and actually use ISE to allow the phone on the network.
    In summary - Cisco phone means potentially no license; if Avaya or other third party, you will need to auth and use a license.

  • Besides CAPWAP, what other ports/protocols need to be allowed for FlexConnect

    Well, the title says it for itself.
    Besides CAPWAP, what other ports/protocols need to be allowed for FlexConnect?
    To clear things out, I am MOSTLY concerned with the communication between the FlexConnect AP and the WLC. Besides CAPWAP, what do I need to consider? I need this list since most of our clients have a firewall, and of course I need to allow certain protocols and/or ports on the firewall so that the AP and the WLC can see each other.
    Any one knows?
    As far as I know, I would allow:
    1. CAPWAP
    2. ICMP         -For reachability testing 
    on the firewall, to/fro the devices.
    Inputs would be helpful! ^_^
    Thanks in Advance.

    Thanks Scott,
    Verifies what I need, or rather what I request clients to allow on their firewall; since these are VPN connections, ICMP, telnet and SSH wouldn't hurt to be enabled xD
    A. CAPWAP
        PORTS:
        5246/UDP      -Control Channel
        5247/UDP      -Data Channel
    B. ICMP(Ping)                        -OPTIONAL/Reachability verification
    C. AP Remote Access          -OPTIONAL
        PORTS:
        22/TCP               -SSH
        23/TCP               -Telnet

  • ISE: support for IPv6 DACL's

    Hi,
    Does anyone know if/when ISE will be able to push out IPv6 dynamic acl's? I have not managed to find any information on this other than an old post here: https://supportforums.cisco.com/discussion/11795676/ise-support-ipv6-dynamic-acls
    Thanks,
    Phill Macey

    It's not supported as of the current ISE 1.3.
    I've heard it is planned for a future release but there's no announced or committed date as of yet.
    If you're working with a partner or Cisco account manager, be sure to officially request it if it's important to you. Customer requests help build the business case for prioritizing the features.

  • ISE: dACL to switch

    Hi,
    I am trying to figure out the syntax for dACL to a switch running 12.2(55)SE7.
    In the switch we have used the following static ACL:
    ip access-list extended TEST
    10 permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
    It is to limit so only some source IPs can access some destination IPs on those ports. Now we want to use it dynamically so that the ACL gets downloaded to the switch when a certain device connects to the port.
    I added it to ISE like this:
    permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
    But that doesn't work. However, when I change the source to any then it works:
    permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000
    By not working I mean that I see the dACL being downloaded, then the port state is Authz fail and after 1 min the device reauthenticates.
    Why does it work with source any?
    Regards,
    Philip

    Hello,
    check if the IOS version and hardware platform (switch) you're using is mentioned in the TrustSec document (page 6):
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
    The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.
    Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".
    There's also a very nice document for troubleshooting:
    "Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf
    If it doesn't work, can you post the output of the following commands after authorization:
    show authentication session interface
    sh ip access-lists interface
    show running-config interface
    show access-list
    sh ip access-lists
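A small dACL checker for the situation in this thread, as an added example (not code from the thread or from ISE). It encodes the reason the source-any form works: the switch rewrites the source of every dACL entry to the authenticated host's IP address (which is what it needs IP device tracking for), so a dACL entry is written without the `ip access-list` header, without sequence numbers, and with `any` as source. The ACL text below is the one quoted in the question; the function names and messages are the example's own.

```python
"""Added example (not from the thread): lint ISE downloadable ACL (dACL) text and
convert a static IOS extended ACL into dACL form before pushing it from ISE."""
import ipaddress
import re

# One IOS ACE, with or without a leading sequence number. Source and destination are
# "any", "host A.B.C.D" or "A.B.C.D wildcard"; the remainder (ports, flags) is kept as-is.
ACE_RE = re.compile(
    r"^(?P<seq>\d+\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?P<rest>.*)$"
)


def _check_endpoint(part):
    """Return an error string if an address/wildcard pair is not valid IPv4, else None."""
    toks = part.split()
    if toks[0] in ("any", "host"):
        toks = toks[1:]
    for tok in toks:
        try:
            ipaddress.IPv4Address(tok)
        except ValueError:
            return f"not an IPv4 dotted quad: {tok!r}"
    return None


def lint_dacl(text):
    """Return a list of problems that would stop a switch from applying the dACL."""
    problems = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        line = " ".join(raw.split())
        if not line or line.startswith(("!", "remark")):
            continue
        if line.startswith("ip access-list"):
            problems.append(f"line {lineno}: drop the 'ip access-list' header; a dACL holds ACEs only")
            continue
        m = ACE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: cannot parse ACE: {line!r}")
            continue
        if m.group("seq"):
            problems.append(f"line {lineno}: remove the sequence number; dACL ACEs are unnumbered")
        # The switch substitutes the authenticated host's IP (learned via IP device
        # tracking) for the source of each ACE, so only "any" is accepted as source.
        if m.group("src") != "any":
            problems.append(f"line {lineno}: source must be 'any', got {m.group('src')!r}")
        for part in (m.group("src"), m.group("dst")):
            err = _check_endpoint(part)
            if err:
                problems.append(f"line {lineno}: {err}")
    return problems


def static_acl_to_dacl(text):
    """Rewrite a static extended ACL as dACL lines: no header, no sequence numbers, source 'any'."""
    out = []
    for raw in text.strip().splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith(("ip access-list", "!", "remark")):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse ACE: {line!r}")
        out.append(f"{m.group('action')} {m.group('proto')} any {m.group('dst')}{m.group('rest')}")
    return out


# Input taken from the question: the static ACL on the switch and the first dACL attempt.
STATIC_ACL = """\
ip access-list extended TEST
10 permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
"""
FIRST_ATTEMPT = "permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000"

if __name__ == "__main__":
    for p in lint_dacl(FIRST_ATTEMPT):
        print("problem:", p)
    print("\n".join(static_acl_to_dacl(STATIC_ACL)))
```

Run against the question's first attempt, the linter reports the non-`any` source; the converter produces exactly the second form the poster found working. The per-host source restriction the static ACL expressed is not lost: it is enforced by which sessions ISE assigns the dACL to, since the switch binds each downloaded copy to that session's IP address.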

  • ISE DACL Enforcement

    On version ISE 1.2.0.899, is there a way to log the drops that the end user's dACL enforces?

  • WLC to ISE authentication for Guest

    Hi Experts,
    Hope if you could guide me with our setup for Guest users. Below is what we are doing
    a)     Guest connects to SSID
    b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
    c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
    The guest connects to the SSID and does get the WLC portal for authentication; when the username and password are entered, on Cisco ISE I see the error message
    'User Identity not found in any of Identity Store', though it is going through the correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4; please let me know if I am missing anything here.
    Appreciate your help

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • Best Practice for FlexConnect Wireless roaming in MediaNet environment?

    Hello!
    Current Cisco best practice recommendations for enterprise MediaNet design, specify that VLANs be local to a switch / switch stack (i.e., to limit the scope of spanning-tree). 
    In the wireless world, this causes problems if you want users while roaming to keep real-time applications up and running.  Every time they connect to a new AP on a different VLAN, then they will need to get a new IP address, which interrupts real-time apps. 
    So...best practice for LAN users causes real problems for wireless users.
    I thought I'd post here in case there's a best practice for implementing wireless roaming in a routed environment that we might have missed so far!
    We have a failover pair of FlexConnect 7510s, btw, configured for local switching for Internal users, and central switching with an anchor controller on the DMZ for Guest users.
    Thanks,
    Deb

    Thanks for your replies, Stephen and JSnyder.
    The situation here is that the original design engineer is no longer here, and the original design was not MediaNet-friendly, in that it had a very few /20 subnets bridged over entire large sites. 
    These several large sites (with a few hundred wireless users per site) are connected to an HQ location (where the 7510s in failover mode are installed) via 1G ethernet hand-offs (MPLS at the WAN provider). The 7510s are new, and are replacing older controllers at the HQ location.
    The internal employee wireless users use resources both local to their site, as well as centralized resources.  There are at least as many Guest wireless users per site as there are internal employee users, and the service to them consists of Internet traffic only.  (When moved to the 7510s, their traffic will continue to be centrally switched and carried to an anchor controller in the DMZ.) 
    (1) So, going local mode seems impractical due to the sheer number of users whose traffic bound for their local site would be traversing the WAN twice.  Too much bandwidth would be used.  So, that implies the need to use Flex / HREAP mode instead.
    (2) However, re-designing each site's IP environment for MediaNet would suggest to go routed to the closet.  However, this breaks seamless roaming for users....
    So, this conundrum is why I thought I'd post here, and see if there was some other cool / nifty solution I wasn't yet aware of. 
    The only other (possibly friendly to both needs) solution I'd thought of was to GRE tunnel a subnet from each closet to the collapsed Core / Disti switch at each site.  Unfortunately, GRE tunnels are not supported in the rev of IOS on the present equipment, and so it isn't possible to try this idea.
    Another "blue sky" idea I had (not for this customer, but possibly elsewhere in the future), is to use LAN switches such as 3850s that have WLC functionality built-in.  I haven't yet worked with the WLC s/w available on those, but I was thinking it looks like they could be put into a mobility group, and L3 user roaming between them might then work.  Do you happen to know if this might be a workable solution to the overall big-picture problem? 
    Thanks again for taking the time and trouble to reply!
    Deb

  • ISE license for TrustSec

    Hello,
    I want to know: does ISE with Plus-License support TrustSec features? On the TrustSec 5.0 document, it is mentioned that you must have ISE Advance-License for TrustSec support, but on the other hand on the ISE Licensing-datasheet it is written Plus-License (Provides context about endpoints for more detailed access policies), as per the table below:
    ISE License Package | Focus                                                                                     | Perpetual/Subscription (Terms Available) | Notes
    Base                | Secured access                                                                            | Perpetual                                |
    Plus                | Provides context about endpoints for more detailed access policies                        | Subscription (1, 3, or 5 years)          | Does not include Base services; Base licenses are required to install Plus licenses.
    Advanced            | Provides context and compliance details about endpoints for more detailed access policies | Subscription (1, 3, or 5 years)          | Does not include Base services; Base licenses are required to install Advanced licenses
    http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.html
    Please let me know, should I order the Advanced or Plus License? If Plus has this capability it will be good for me because of its license pricing.
    Thanks,

    At the beginning, there were only the Base and Advanced licenses. There you needed Advanced for nearly everything that goes beyond basic Authentication and Authorization. In newer versions (starting 1.2.1 and one of the newer 1.2.0 patch-levels), the Plus license was introduced, and many Advanced features were moved to Plus. As you will probably directly start with a newer version where the new licenses are used, you'll be fine with "Plus".

  • ISE Addon for Checkout or Checkins via TFS 2013

    Hi
    I am coordinating the development of some PowerShell scripts to work against our SharePoint Farm. Now, as there is more than just me developing these scripts, I think we need to start doing regular checkins and checkouts in our TFS 2013. Anyway,
    I naively thought there must be an addon I could add to ISE for this, since it seems such a common requirement. However, there doesn't seem to be much out there that is actively being used. Are there alternatives that are widely used, such as a series of PS functions
    anyone knows about?
    Daniel 
    Freelance consultant

    Hi Daniel,
    If you want to complete checkout in Powershell ISE automatically, please go through this article:
    Protect Your PowerShell Scripts with Version Control
    In addition, you can also refer to this script
    PowerShell ISE-specific profile script, which performs a few simple things:
    Checks if you have the TFS client installed (eg Team Explorer).
    Registers for ISE events on each open file and any files you open later.
    Upon editing of a file, if it is TFS-managed then checks it out.
    The end result is the same TFS workflow experience from within the PowerShell ISE as Visual Studio provides.
    Refer to:
    Automatic TFS Check Out for PowerShell ISE
    If there is anything else regarding this issue, please feel free to post back.
    If you have any feedback on our support, please click here.
    Best Regards,                              
    Anna Wang
    TechNet Community Support

  • ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

    Hi,
    We have integrated WLC 5508 with Cisco ISE 3315 (version 1.1.1) and are using the Guest Sponsor portal for wireless guest users.
    We have created an open SSID in the WLC and redirect to the web login portal in the WLC for guest users. We have enabled all respective nodes in the policy service for profiling and also configured SNMP in the WLC as well as in ISE.
    When a guest user is connected to the open SSID, it gets redirected to the web login page of the ISE portal, and when it logs in we are only able to see the username which the guest user logged in with, but not the end device in the monitoring log.
    Wireless end devices are not able to get profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile end guest wireless devices like Android, iPhone and laptops?
    Thanks
    Pranav

    Hi Tarikh,
    I only want to identify the end devices for wireless guest users. I have configured MAB authentication and configured an authorization policy where I mention identity group any, condition as WLC web authentication, and authorization profile only guest, mentioning plain access for the same.
    Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes and enabled SNMP on the WLC as well as in the network devices.
    What else do I need to configure to achieve just identifying the device, nothing but profiling, which should reflect in the authentication logs?
    Thanks
    Pranav

  • Cisco ISE protocols for ldap and Windows wireless client

    Only the protocols below are supported by ise in combination with ldap identity sources.
    EAP-GTC, PAP, EAP-TLS, PEAP-TLS.
    Mac OS devices seem to be able to use these but Windows users seem to be having problems. How should windows users connect with ise that only uses ldap?

    Mathieu,
    Take a look at the user guide for NAM -
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
    You will see the protocols support like GTC that should allow you not to have to deploy certs.
    Thanks.
    Tarik Admani
    *Please rate helpful posts*

  • ISE : Authentication for IKEv2

    Just to check if anyone might be able to assist me regarding an issue that I am trying to work out a solution for.
    My Requirements are: Multitenant deployment using ASR1K with IKEv2 vpn authenticated with ISE or ACS and user databases in most cases will be in Active Directory. And authentication has to be with User and Password.
    EAP-MD5: does not work with LDAP integration with Active Directory. It does, however, work in RADIUS proxy mode, but the security level of password storage in AD has to be degraded a lot by allowing AD to store reversible passwords.
    EAP-GTC: As far as I understand from everything I read, this might be the holy grail for U/P authentication for IKEv2. But in ISE and ACS EAP-GTC is only supported as an inner method in PEAP and EAP-FAST will this change in the near future ?
    And is there possibly something else that I am missing which might be a solution to this design criteria ?