ISE Endpoint clarification

Similar Messages

• ISE Endpoint losing IP after transition to Low-Impact-Mode

  I've recently moved an ISE implementation into the low-impact authentication phase, and the client's security cameras are having a rough go of it. In monitor mode, they were able to stay connected as they should but in low-impact mode they are losing their IP addresses as evidenced in the auth session output below:
  SWITCH-1#sh auth sess int g4/0/6            Interface:  GigabitEthernet4/0/6          MAC Address:  0040.8cc7.4822           IP Address:  10.92.6.3            User-Name:  00-40-8C-C7-48-22               Status:  Authz Success               Domain:  DATA       Oper host mode:  multi-domain     Oper control dir:  both        Authorized By:  Authentication Server          Vlan Policy:  N/A              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c      Session timeout:  3600s (local), Remaining: 338s       Timeout action:  Reauthenticate         Idle timeout:  N/A    Common Session ID:  0AFF320A000661C965742D42      Acct Session ID:  0x00067E9F               Handle:  0x72000982Runnable methods list:       Method   State       dot1x    Failed over       mab      Authc SuccessSWITCH-1#sh auth sess int g4/0/6            Interface:  GigabitEthernet4/0/6          MAC Address:  0040.8cc7.4822           IP Address:  169.254.45.196            User-Name:  00-40-8C-C7-48-22               Status:  Authz Success               Domain:  DATA       Oper host mode:  multi-domain     Oper control dir:  both        Authorized By:  Authentication Server          Vlan Policy:  N/A              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c      Session timeout:  3600s (local), Remaining: 338s       Timeout action:  Reauthenticate         Idle timeout:  N/A    Common Session ID:  0AFF320A000661C965742D42      Acct Session ID:  0x00067E9F               Handle:  0x72000982Runnable methods list:       Method   State       dot1x    Failed over       mab      Authc Success
  This is happening approx. every 10 seconds which curiously is the timer value of my dot1x tx-period. As well, the host never has its reauthentication timer restarted but I can see the following in ISE approx. every 10-15 seconds:
  Why is it going through Dynamic Authorization? Why am I losing my legitimate IP address every 10 seconds and getting an APIPA address in its place? The port configuration is as follows:
  interface GigabitEthernet4/0/6 description Security switchport access vlan 292 switchport mode access ip access-group ACL-DEFAULT in power inline auto max 15400 authentication event fail action next-method authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication periodic authentication violation restrict mab dot1x pae authenticator dot1x timeout tx-period 10 storm-control broadcast level 2.00 storm-control action shutdown spanning-tree portfast spanning-tree bpduguard enableend
  And my ACL-DEFAULT is...
  Extended IP access list ACL-DEFAULT    10 permit udp any eq bootpc any eq bootps    20 permit udp any any eq domain    30 permit icmp any any    40 permit udp any any eq tftp    50 deny ip any any log
  Upon switch log review, I'd noticed that the ACL-DEFAULT is blocking the cameras from certain igmp and tcp/554 (RTSP) communications. To see if it would help, even though I shouldn't have to, I placed ACE's into my ACL-DEFAULT to permit this traffic and would still drop my IP address every 10 seconds. I shouldn't have to do this because the "xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c" is a simple "permit ip any any" ACL which should allow all of the traffic to flow.
  Ideas?
  Kind Regards,
  Kevin

  As well, the dACL is properly replacing the first "any" with the endpoint's IP:
  SWITCH-1#show ip access-lists interface g4/0/6
       permit ip host 169.254.45.196 any
  SWITCH-1#show ip access-lists interface g4/0/6
       permit ip host 10.92.6.3 any
  Kind Regards,
  Kevin

• ISE Endpoint Identity Group assignment for 802.1x clients

  Hello
  I'm using ISE 1.3 to 802.1x authenticate AD PC's (machine and user with Anyconnect NAM) and to profile/mab IP Phones, printers, APs etc.
  Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
  AD PC's aren't profiled and are listed under Endpoints withthe Enpoint Profile of "unknown"
  To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
  My questions are:
  A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
  Authenticated 802.1x AD PC's have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PC's to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
  Thanks
  Andy

  Err, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (eg IP address/mask/gateway/DNS/etc).
  There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
  peter

• Cannot register ISE endpoint through External RESTful Interface

  The ISE External RESTful Service API says that the endpoint registration request should have an Accept header, but the example given uses a Content-Type header.  When I try to use an Accept header, I get a Resource media type exception titled "Wrong media type, check Content-Type request header".  Using the Content-Type request header results in a CRUD operation exception titled "Canot find endpoint with ID register".  It looks like the server thinks this is an update endpoint request.  The update endpoint API also has an Accept header in the description, but a Content-Type header in the example.  Detailed information follows
  Request: PUT
  URL = https://192.168.001.001:9060/ers/config/endpoint/register
  Content-Type header = application/vnd.com.cisco.ise.identity.endpoint.1.0+xml
  Content =
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ns3:endpoint
      xmlns:ns2="ers.ise.cisco.com"
      xmlns:ns3="identity.ers.ise.cisco.com" id="endpointID" description="description-465">
      <link type="application/xml" href="https://192.168.001.001:9060/ers/config/endpoint/endpointID" rel="self"/>
      <groupId><groupID</groupId>
      <identityStore></identityStore>
      <identityStoreId></identityStoreId>
      <mac>00:11:22:33:44:90</mac>
      <portalUser>user90</portalUser>
      <profileId>profileID-46</profileId>
      <staticGroupAssignment>true</staticGroupAssignment>
      <staticProfileAssignment>false</staticProfileAssignment>
  </ns3:endpoint>
  Response:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ns2:ersResponse
      xmlns:ns2="ers.ise.cisco.com" operation="PUT-update-endpoint">
      <link type="application/xml" href="https://192.168.001.001:9060/ers/config/endpoint/register" rel="related"/>
      <messages>
          <ns2:message type="ERROR" code="CRUD operation exception">
              <title>Canot find endpoint with ID register</title>
          </ns2:message>
      </messages>
  </ns2:ersResponse>
  Any help would be appreciated.

  This could be server side error type 500 I think

• Cannot deregister ISE endpoint from java app.

  The ISE ERS endpoint java demo downloaded from Cisco does not deregister the endpoint.  The output is:
  #  De register endpoint:                                      #
  #  This demo sends PUT request to deregister an existing      #
  #  endpoint mac:     aa:bb:11:22:33:44                        #
  #  The expected response would be status 201.                 #
   *** about to deregister endpoint id: e254f250-289a-11e4-8fe1-005056862eb7
  Request URI: /ers/config/endpoint
  REQUEST HEADERS:
          content-type: application/vnd.com.cisco.ise.identity.endpoint.1.0+xml; charset=utf-8
  RESPONSE HEADERS:
          Pragma: No-cache
          Cache-Control: no-cache
          Expires: Wed, 31 Dec 1969 19:00:00 EST
          Allow: POST,GET,DELETE,PUT,OPTIONS,HEAD
          Date: Wed, 20 Aug 2014 18:50:42 GMT
          Content-Type: text/xml
          Content-Length: 0
          Server:
  RESPONSE STATUS:
          HTTP/1.1 404 Not Found
  In the included ERSClient deregister method deregister is misspelled when creating the HttpPut object.  I corrected that but the endpoint still is not deregistered.
  Any help would be appreciated

  The way you get values into the parameters in your Request object is to either put them on the query string part of the URL or put them in POST data. It would be easiest for you to put them on the query string - so just modify the URL you are hitting to include your parameters on the query string (?param1=value1&param2=value2 ...)
  Good Luck
  Lee

• ISE CoA clarification

  Hi everyone--trying to make sense of ISE licensing and what a client of mine is wanting to accomplish. They want to be able to do dot1X and have the machine authenticate via AD before the user even tries to authenticate and if it's not a domain machine, then do a reject access. My question is that able to be accomplished via base licensing or is that considered posturing/profiling?
  Thanks all!
  SJ
  Sent from Cisco Technical Support iPad App

  Scott,
  Hi the requirement that you are requesting will work under the base feature set. You do not need advanced and coa is not required to make this work. You can build your authorization policies such that user authentications must pass a check for a previou successful machine authentication.
  Thanks,
  Tarik Admani
  Please remember to rate helpful posts!

• CSCum97337 - Ise Endpoint Profile is getting degraded based on poorer user agent

  I have searched but I can not find out how to do this 
  Where can I add user-agent strings to an exclusion list ? 
  regards
  Gudmundur

  Check permission of account and account is lockout.
  Also check below link
  http://technet.microsoft.com/en-us/library/hh212922.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical | Twitter:
  Mai Ali

• ISE upgrade 1.2: Self-provisioning portal not working

  Hi all,
  I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf
  Screenshot of page is attached:
  I've checked ise-console.log application log file and found two errors correponding to the first page:
  [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
  [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:-         at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)
  and the second (not working) one:
  [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException
  [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:-  at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)
  Looks like something is wrong with a certification file, but I cannot find what is. I've exported and re-installed current server certificates (as instructed by upgrade guide for 1.2) and nothing changed.
  Can somebody please help?
  Thanks,
  L

  Errors When Adding Devices to My Devices Portal
  Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
  If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
  If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
  For more information on self-provisioning.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html Errors When Adding Devices to My Devices Portal
  Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
  If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
  If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
  For more information on self-provisioning.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html

• ISE deny access to Android devices

  I have a customer who likes to deny access to any Android devices on its guest service. (The network has an anchor WLC, the authentication is set as LWA)
  First I tried setting a simple AuthZ rule indicating "if Device-OS equals Android, then Deny Access"
  Also tried setting a profiled group. Any device belonging to this Android devices group must be denied.
  It appears the results were not consistent enough. On my first tests, a Galaxy smartphone was not allowed to pass after the AUP, but after some tries the user got access.
  I think something may be missing in the config, as it appears the ISE is not recognizing the Device-OS. Any device is added to the profiled group.
  Some idea to troubleshoot and fix this requirement?
  Regards

  I did a quick test enabling DHCP profiling on WLAN in the WLC. I couldn't did extensive tests because the DHCP appears to not working, so I needed to back. I don't understand why enabling this option affects the DHCP functionality ...
  Unfortunately I can't do extensive tests on productive network, so I would need to be sure about which parameters to change.
  In lab (not the same environment to test) I have seen the ISE is able to identify a Galaxy smartphone as Samsung Device (by RADIUS probe), I guess by the OUI Endpoint, and some minutes later as Android (by DHCP probe) ... So, I wonder if it is possible to define a priority or preference over which probe apply first ...
  In the ISE Endpoint details I found this
  User-Agent      Mozilla/5.0 (Linux; U; Android 2.3.6; es-us; GT-I9070 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
  I guess here is where the ISE learns from the device is an Android, right?
  Regards ...

• Cisco ISE Enpoint Protection Services (EPS)

  Hi
  I've got a question of understanding to the Cisco ISE (Endpoint Protection Services).
  I am looking for an Integrity check for client systems. I have read of EPS.
  Is EPS for checking the Integrity of client systems or only to block client by her IP or Mac? I found some instructions for configuring EPS, but never a server is specified, which verifies the integrity (eg, Microsoft WSUS, Avira ...). Can someone explain the exact use of EPS?
  Thanks for any help.
  Marco

  What you are looking for is the posture-service which tests the clients for integrity/compliane based on your policy.
  And you are right, the EPS in ISE is more a tool to assist you to efficently block systems that you found to be malicious for example.
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Device ID already exists - ISE1.3 issue

  Hi ,
  Anyone can help guide me. How to solve this issue.
  My authorization rules allow ONLY Registered Device to access. During the testing I deleted a client's MAC from Endpoint Identity Group List > RegisteredDevices. Then I try to register the device again through My Devices portal. Error show "Device ID already exists".
  I try to find out from the document but it's not much help. The document is not clear. It said
  Errors When Adding Devices to My Devices Portal
  Employees cannot add a device, if another employee has previously added it such that the device already exists in the Cisco ISE endpoints database.
  If employees attempt to add a device that already exists in the Cisco ISE database:
      •    And it supports native supplicant provisioning, we recommend adding the device through the BYOD portal. This will overwrite any registration details that were created when it was initially added to the network.
      •    If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device first. If appropriate, you can remove the device from the endpoints database using the Admin portal, so that the new owner can successfully add the device using the My Devices portal.
  another source from cisco
  When I try to add a device, I get an error that says that the device already exists, but I do not see it listed as one of my devices. How can I add this device?
  That error means that someone has already added the device to the system. If it does not appear on your list, one of your coworkers has registered the device already.
  You have several options for resolving this situation:
      •    If you are attempting to add a device such as a printer, you will need to contact your help desk to locate the current owner and to resolve this issue for you.
      •    Regardless of the device type, you can contact your help desk so that they can verify who registered the device previously and delete it from the database so you can re-register it.
  Some source tell me to delete device from My Device portal that was registered. However, the device is not shown there.
  Any suggestions are welcome. Thank you.
  Nipat CCIE#29422

  This happens normally when you register one host against the zlm server, stop zmd, delete the deviceid and secret file, start zmd and register it again against the zlm server without deleting the existing device in the zlm web interface.
  What happens at this time is that the zlm client registers with the deviceid and the secret against the zlm server. In the web interface you see the hostname of it. If you open the details, you see the guid of the host which equals the deviceid.
  When the zlm client communicates with the zlm server it uses the deviceid and the secret to login and query the bundles, catalogs and policies assigned to it.
  So now when the zlm client is stopped, the files deleted, the zlm recreates them the next time it is started. After registering against the zlm server, it tries to login with the new deviceid and the new secret. There is already such a host entry, therefor it renames one and register with the new values again.
  Do you have maybe a cron job or something that deletes those files and restarts the zlm client ?
  Rainer

• WLC License HA or floating model

  Hello,
  I am getting ready to purchase a large number of controllers for sites around the world. Because of geographic/bandwidth reasons, it is not practical to do N+1 redundancy worldwide. I need to do N+1 (most sites will be 2 5508 controllers) redundancy in each major site. With that being said, I am going to be purchasing twice the number of AP licenses as I need solely for the purpose of HA...
  Does anyone know of any plans to run a "floating" license model where we could pool worldiwde licenses (think ISE endpoint licensing), OR a plan for an "HA/Secondary" controller. This would be a controller that serves no purpose but to backup another controller.
  Because of the # of APs that can be hosted on the 5508s I can not justify purchasing numerous controllers, just for additional HW redundancy.
  Any info would help, thanks!!

  These are spread out worldwide (AM,EU,APAC,China). The local site with the controller will be local, and wan sites in e region will be HREAP. For a variety of reasons including latency/bandwidth (even with MPLS), Internet, and not wanting to enable 60 countries on the controllers we have made the decision to keep the controllers in the same region.
  However, those reasons mean I am buying 2 of everything. I do not mind buying 2 pieces of hw, we are just having a hard time buying 2x licenses.
  We ran into this with Asa Ssl VPN licenses, and those share now. Same with ncs, ISE, the licenses are shared worldwide. MSE and wlc is the only thing still with licenses tied to hw with no ha option.
  Since I am getting ready to place such a large order was wondering if anyone has herd anything. I saw online rumors about licensing sharing in wlc 8...

• ISE 1.2.1 logs full of Identity/Endpoint ID of 00:00:00:00:00:03, authentication failed

  After an upgrade to 1.2.1, I now see a lot of auth failed entries with an Identity/Endpoint ID of 00:00:00:00:00:03.
  I dont see this MAC on the switch port of the NAS where ISE reports it.
  Anybody know what this is and how to stop it from happening?
  thanks

  Answers are:
  Its a HP ESXi server.  2x Win7 VM PC's run on this machine, each with a dedicated NIC.
  I haven't, will shut the VM's and shut the ports and see what happens.
  The auth session shows the MAC, but the switch MAC table doesn't
  SW1-C3750X#show authentication sessions int gi 1/0/19
  Interface MAC Address Method Domain Status Fg Session ID
  Gi1/0/19 000c.2931.54f6 dot1x DATA Auth 0A0A01FE000000870EDF8C3B
  Gi1/0/19 0000.0000.0003 N/A UNKNOWN Unauth 0A0A01FE000000B219576F86
  SW1-C3750X#show mac address-table int gi 1/0/19
  Mac Address Table
  Vlan Mac Address Type Ports
  100 000c.2931.54f6 STATIC Gi1/0/19
  Thanks for replying.

• ISE 1.2 disable endpoints with certain mac address

  Hi All,
  We have an AD to authenticate for wireless users. In AD, we have specified to block the user if the password is entered wrongly for more than 3 times. The problem is some of them are using other user ID and locking the accounts. I have gotten the MAC address of the user. Can anyone please advise how to block the request from this MAC from even reaching the AD.
  Thanks

  You have two options from ISE and one option from the WLC:
  The first option which is not very scalable is to modify your authentication policy to deny access to an specific MAC address(Radius:Calling station ID). But this is not very scalable as you can only specify one MAC address.
  Your second option is to enable the anomalous client suppression(under systems->settings->protocols->RADIUS). This will be your best option but it would require a bit of testing to identify what are the best values for your environment.
  From the controller you can enable the excessive 802.1x authentication failures. By default it won't even send the fourth authentication to ISE for a failing endpoint:

• Cisco ISE 1.2 and Symantec Endpoint Protection

  Hi Experts,
  Good Day!
  I'm just wondering if ISE 1.2 is able to detect an application/software in a laptop like the Symantec Endpoint Protection before giving the user an access to the network? Is it possible?
  I tried to searched over the internet however, I can't find any documentation about it.
  Thank you for your support.
  Cheers,
  Niks

  hello ,have you checked posturing service of ISE , with ISE posture service enabled you can check Antivirus Installation , Antivirus Version/ Antivirus Definition Date etc . Check the following link for different Posture Assessment Options  available
  http://www.cisco.com/en/US/partner/docs/security/ise/1.2/user_guide/ise_pos_pol.html#wp2276381