ISE identifying device

How can ISE identify a device? If I use two Apple devices of the same model and forge the MAC address, how can ISE identify them uniquely besides the MAC?

Hi Kamran,
There are numerous ways to enable a BYOD solution based on the unique business requirements of a specific organization. While some organizations may take a more open approach and rely on basic authentication, other organizations will prefer more secure ways to identify, authenticate, and authorize devices. A robust network infrastructure with the capabilities to manage and enforce these policies is critical to a successful BYOD deployment.
The following components and configuration steps are discussed to support different BYOD use cases:
Digital Certificates
Microsoft Active Directory authentication
Wireless Controllers (Unified and Converged Access)
Identity Services Engine
Access Layer Switches
API Integration with Mobile Device Managers
For more information, please go through the following link:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/p4usecasessummary.html

Similar Messages

  • ISE, WLC Device Profiling

    Hi, I hope someone can provide some advice/assistance. I am currently trialling ISE 1.1.1 on a VM with a Cisco 5500 WLC 7.2.110.0. I have configured this setup so clients authenticate to the WLC via 802.1x and use the ISE as an AAA server. I have set up this configuration so VLAN IDs can be pushed to clients based on their login credentials (from AD); this all works fine. I'd like to take this a step further and differentiate users and their devices based on their device type, iPhone, iPad etc. I have enabled DHCP profiling on the WLC. I only seem to be able to identify a device based on its DHCP hostname, should it contain iPhone etc. Is there another way I can get more information from the clients or their initial 802.1x communication? I want to use 802.1x as, given the nature of the users connecting, the VLAN push based on credentials is key to my possible deployment.
    My second query relates to VLAN pushing on a Flex Auth AP. I've got a remote site with some APs; it is over an L3 connection. I have my WAP at this site registered to the WLC. Across my sites I have standard VLAN numbers and IP address ranges: site 1 is x.1.a.x, x.1.b.x etc, site 2 is x.2.a.x, x.2.b.x etc. What I would ideally like to do is push VLANs to the Flex Auth WAPs so that users in site 2 get a site 2 IP address and can use local switching for printing and other local activities. Is this supported? I know it wasn't in H-REAP when I trialled ISE/WLC 4400 last year. I tried to configure this and it looks like users always get IP addresses from site 1.
    Thanks for any advice/assistance.
    Kenny.

    Kenny,
    For the first part of your question, there is no more information you can get outside of the DHCP hostname (which will get you the info you are looking for) and the MAC address (which only gets you to the Apple Device policy). If you do not want to perform any redirection, then your best bet is to use a SPAN session to mirror all the traffic over to the ISE node, so that the HTTP traffic can be used to profile the devices via the HTTP user agent string.
    As far as your 2nd question: the Flex Auth APs do not support CoA and aren't a "supported network access device" on Cisco's webpage.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
    However, the APs do support dynamic VLAN assignment. So once an endpoint connects to these APs you can set them on the VLAN once; however, if you are performing posturing and need CoA to place them in another rule once a decision has been made, then this is where the deployment will break.
    http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE - My Devices Device Count

    Hi, I hope someone can help. I've got an ISE 1.2.1 deployment that is integrated to AD. We have users authenticating via AD, they register and manage their devices in the My Devices Portal. I have limited the device count to 3 devices per user. I have an exception to this where I would like a single user to register between 10-20 devices. Is it possible to have this user configured for a different device count than every other user(the global setting)? I've had a look through my ISE and some configuration guides and cannot see if this is possible. 
    I can have this user configured either as a local user on ISE or on AD if that helps influence any configuration?
    Thanks for any help.
    Kenny

    In ISE 1.3 you have the guest types feature; for each guest type you can set the maximum number of devices that can be registered.

  • ISE Radius device administration authentication possible?

    Hi,
    does anybody know if RADIUS device administration authentication and authorization is possible with the current ISE release? I know that TACACS will be available in a future release.
    Regards
    Joerg

    Yes it's possible according to "Ask the experts" forum :
    https://supportforums.cisco.com/thread/2172532
    "If you use RADIUS for device administration, ISE can be utilized using authorization policy elements that return Cisco av-pairs.  But personally, I think ACS is currently superior to ISE for this task."
    Anyway, I'm about to test "device admin" and "network access" simultaneously in the same switch with Radius and ISE.
    Please rate if it helps

  • ISE Failover Device Licensing

    I am working on getting ISE licensing requirements put together for the upcoming budget. 
    I am confused on licensing for a failover appliance. Do we need to get another set of licenses for the failover appliance, or will the licenses for the primary device cover the failover?

    Hi,
    Prior to ISE Release 1.2, customers could only specify ISE licenses to be registered to a single ISE Administration Node (i.e., the Primary Administration Node). Now, ISE Release 1.2 delivers the capability to register ISE licenses to two Administration Nodes (i.e., Primary and Secondary Administration Nodes). The registration of an ISE license to the Primary Administration Node remains mandatory, but the option to register a Secondary Administrative Node is available.
    Reference link,
    http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/sales_tool_c96-729045.html

  • ISE Profiled devices not being used in authz policy.

    ISE is standalone.
    ver 1.2
    Eval license.
    I have a number of Cisco IP phones profiled by DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic not static).
    However when this is used in an Authorization Policy it never matches.
    Just a basic Policy:
    if Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ......no match.
    I can change Identity group to ANY and it works.
    Sure i must be misssing something but I've gone round and round with this.
    Tried deleting enpoints and allowing them to repopulate....failed.
    Tried changing endpoints to static with no luck.
    Noticed the "Cisco-IP-Phone" group is under the "Profiled" group so tried using that in the policy....no change.
    Whatever i've tried just ends with the Authz going to the "Default" policy.

    Thank you for providing the detailed information. The problem is not with profiling, as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screenshot #2, you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its Identity Store, and phones won't be stored there. Your authorization policies look OK, so I would suggest you try the following:
    1. Enable the top authentication rule called "MAB"
    2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols
    3. Ensure that "Internal Endpoints" is selected for the Identity Store
    4. Test again
    Thank you for rating helpful posts!

  • ISE 1.2: Employee with personal device registration

    Hi experts,
    I'm aware of this discussion https://supportforums.cisco.com/discussion/11962026/ise-12-device-registration-mab-only-no-client-provisioning#comment-9371166
    but looking for a detailed configuration to get following to work:
    Employees have access to the network with their corporate devices. No problem.
    Now employees need to be able to use their own mobile devices to get access. There is no definition of what devices are allowed.
    I guess letting employees register their private devices by MAC address on the MyDevices portal would be the most sufficient solution.
    Does anyone have a detailed configuration or link how to achieve that?
    Thanks,
    Frank

    Having BYOD access be based on mac address only is not really ideal and also not secure. A mac address can easily be spoofed and consequently your security policy can be bypassed. If you have a PKI environment you can take the EAP-TLS with SCEP approach:
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html
    If you don't have a PKI environment and don't want to mess with certificates you can still use a more secure method than MAC addresses. For instance, you can perform PEAP user authentication. You can create a "special" BYOD AD group and place the authorized users there. Then they can use their AD credentials to authenticate. In the authorization policy you can limit the access for those type of authentications via dACLs (switches) or named access lists (WLCs)
    Hope this helps!
    Thank you for rating helpful posts!

  • ISE 1.2 and MDM integration.

    What kind of device information can I collect by MDM integration with ISE?

    Hello,
    ISE Release 1.2 delivers integration between Identity Services Engine and MDM platforms, which can ensure that all mobile devices are compliant with security policy before they are allowed to access the network. This feature enables posture compliance assessment and network access control of mobile endpoints attempting to access the network. The solution also performs ongoing posture checks to ensure that devices remain compliant and that the correct network access level is maintained. The specific posture attributes collected by MDM partner platforms for compliance and access policy enforcement in the Identity Services Engine are:
    • Is the mobile device registered with MDM?
    • Does the mobile device have disk encryption enabled?
    • Does the device have PIN-Lock enabled?
    • Has the device been jail-broken/rooted?
    In terms of global compliance, posture compliance decisions may be made by the MDM platform instead of the Identity Services Engine. In this scenario, additional attributes such as blacklisted applications or presence of an enterprise data container may be checked. The MDM platform simply informs the Identity Services Engine if a device is in compliance, then the Identity Services Engine enforces the appropriate network access policy.
    This integration brings great value to MDM customers as it automates the device registration process. As MDM solutions are network-blind, they can't detect a new device when it connects to the wireless network, so the administrator needs to send a notification to the users who wish to enroll their devices. With ISE integration, device enrollment is done automatically when users connect their device to the Wi-Fi network.
    SNS appliances are now available with ISE 1.2 in SNS-3415-K9 and SNS-3495-K9 appliances.

  • ISE 1.2 Employee Portal

    Hi Guys,
    I'm a little bit new with this Cisco ISE and I'm wondering if you can help me.
    My setup is a WLAN 802.1x and I'm planning to deploy in the ISE just Device Registration WebAuth (only showing AUP) since the username and password authentication are checked via the WLAN settings of the computer.
    My questions are these: if I do that setup, when the employee logs out and in again, does that employee need to see the AUP again? Also, how does the ISE check that the device registration has been done successfully? Will the attribute Endpoint:BYODRegistration = YES take effect?
    Thank you very much in advance.

    If you selected "every login" in the multi-portal settings, then the user needs to accept the AUP with every login:
    And in Sponsor portal you will be able to see the device status

  • ISE is unable to retrieve groups and attributes

    Hello guys,
    I have Cisco ISE installed on ESXi in a lab. I was able to join the ISE server to my test Active Directory server, and under the OU=Computers, I can see my ISE hostname.
    However, when I go to Administrator > External Identity Sources > Active Directory > Groups > Add > Select Group from Directory:
    I have my domain entered in Domain box and an * for filter. When I clicked the "Retrieve Groups" button, I always received "Number of Groups Retrieved: 0 (Limit is 100)"
    It seems like ISE is unable to retrieve the groups that I have on my AD. I checked the status of my ISE server and it says that it is still connected to the domain. When I search for attributes, it keeps saying that the user is not found.
    I disabled my AD's firewall and am still getting the same results. I ran the detailed test connection, and it was a success and the port connections are all good. At this point, I am pretty much stuck.
    Any help would be greatly appreciated.
    Thanks

    I am sorry Jatin. I have another question.  I am working on Motorola RFS7000 WLC and Cisco ISE v1.1.1.
    I am not sure if I should create a new thread about the new issue I am having now.  I have successfully added my RFS controller and one AP7131 to ISE Network Devices. And I am able to login to these devices using my AD account. However, it is not allowing me to manage these devices.  I believe I am at exec mode. I SSH to my RFS and I can't even get to enable mode.

  • ISE 1.1.1 firewall rules distributed deployment

    My question is in reference to the following link:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
    Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened, e.g. Admin node TCP 22, 80, 443 for management from administrator hosts/ranges. In other instances it is difficult to work out, e.g. TCP 1521 Database listener and AQ: is this for ISE nodes only or for access devices as well?
    My question is whether there is a better document that details these requirements. Which rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device? One of the rules I am pretty confused about is the PSN CoA ports. Should the rule be WLC - PSN on 1700 and 3799, or is it the other way round, or unidirectional?
    I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.

    Try this for size.
    In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.
    You might be able to cut this list down, and you might have to add to it for any specific requirements.
    From PSN to AD (potentially all AD nodes):
    TCP 389, 3268, 445, 88, 464
    UDP 389, 3268
    From PSN to Monitoring nodes:
    TCP 443
    UDP 20514
    PSN to Admin Nodes (2Way):
    TCP 443, 1521
    ICMP echo and reply (heartbeat)
    WLC to PSN:
    TCP 443, 8443, 80, 8080
    UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67
    PSN to other PSNs (2 way)
    UDP 30514, 45588, 45990
    Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSNs, internal users just to internal PSNs)
    TCP 8443, 8905
    UDP 8905
    Admin/Sponsor to all ISE nodes:
    TCP 22, 80, 443, 8080, 8443
    UDP 161
    PSN access to DNS servers:
    TCP/UDP 53
    PSN access to NTP servers:
    UDP 123
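The port list above is useful as data: when a distributed deployment misbehaves behind a firewall, the first question is whether a dropped packet belongs to one of these flows and in which direction. The Python script below is an added example (not Cisco's tooling and not from the answer's author) that encodes the list as source role, destination role, protocol and destination ports, and then classifies constructed firewall deny-log lines against it. It follows the answer's statement that CoA originates at the PSN, so UDP 1700/3799 is encoded as PSN to WLC, with reply traffic assumed to be handled by a stateful firewall; the IP-to-role inventory and the deny-log format are constructed for the example.

```python
import re

# ISE 1.1.1 distributed-deployment flows transcribed from the answer above as
# (source role, destination role, protocol, destination ports). "ISE" means any
# ISE node. CoA (UDP 1700/3799) is encoded as PSN -> WLC per the answer's
# prose; return traffic is left to a stateful firewall (assumption).
FLOWS = [
    ("PSN", "AD", "tcp", {389, 3268, 445, 88, 464}),
    ("PSN", "AD", "udp", {389, 3268}),
    ("PSN", "MNT", "tcp", {443}),
    ("PSN", "MNT", "udp", {20514}),
    ("PSN", "PAN", "tcp", {443, 1521}),
    ("PAN", "PSN", "tcp", {443, 1521}),
    ("WLC", "PSN", "tcp", {443, 8443, 80, 8080}),
    ("WLC", "PSN", "udp", {1645, 1646, 1812, 1813, 161, 162, 9993, 67}),
    ("PSN", "WLC", "udp", {1700, 3799}),
    ("PSN", "PSN", "udp", {30514, 45588, 45990}),
    ("ENDPOINT", "PSN", "tcp", {8443, 8905}),
    ("ENDPOINT", "PSN", "udp", {8905}),
    ("ADMIN", "ISE", "tcp", {22, 80, 443, 8080, 8443}),
    ("ADMIN", "ISE", "udp", {161}),
    ("PSN", "DNS", "tcp", {53}),
    ("PSN", "DNS", "udp", {53}),
    ("PSN", "NTP", "udp", {123}),
]
ISE_ROLES = {"PAN", "MNT", "PSN"}

# Constructed lab inventory mapping addresses to roles (not from the page).
ROLES = {
    "10.0.1.10": "PAN", "10.0.1.11": "MNT", "10.0.1.20": "PSN", "10.0.1.21": "PSN",
    "10.0.2.5": "AD", "10.0.3.1": "WLC", "10.0.4.53": "DNS", "10.0.4.123": "NTP",
    "10.0.9.7": "ADMIN",
}

# Generic deny-log shape assumed for this example:
#   DENY <proto> <src>:<sport> -> <dst>:<dport>
DENY_RE = re.compile(
    r"DENY (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def is_expected_flow(src_role, dst_role, proto, dport):
    """True if the answer's list contains this flow in this direction."""
    for s, d, p, ports in FLOWS:
        if s == src_role and p == proto and dport in ports:
            if d == dst_role or (d == "ISE" and dst_role in ISE_ROLES):
                return True
    return False


def classify_deny(line):
    """Return (src_role, dst_role, verdict, 'proto/dport') for one deny line,
    where verdict is 'expected', 'unexpected' or 'unknown-host'."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    src_role, dst_role = ROLES.get(m["src"]), ROLES.get(m["dst"])
    key = f"{m['proto']}/{m['dport']}"
    if src_role is None or dst_role is None:
        return (src_role, dst_role, "unknown-host", key)
    ok = is_expected_flow(src_role, dst_role, m["proto"], int(m["dport"]))
    return (src_role, dst_role, "expected" if ok else "unexpected", key)


def missing_rules(lines):
    """Unique ISE flows from the list that the firewall is currently dropping,
    i.e. the rules that still need to be added."""
    hits = set()
    for line in lines:
        r = classify_deny(line)
        if r is not None and r[2] == "expected":
            hits.add((r[0], r[1], r[3]))
    return sorted(hits)


# Constructed deny-log lines for the demonstration.
SAMPLE_DENIES = [
    "DENY udp 10.0.1.20:41000 -> 10.0.3.1:1700",   # CoA from PSN to WLC: needed
    "DENY udp 10.0.1.20:41001 -> 10.0.3.1:1700",
    "DENY tcp 10.0.1.21:52010 -> 10.0.2.5:445",    # PSN to AD: needed
    "DENY udp 10.0.3.1:1700 -> 10.0.1.20:1700",    # WLC initiating CoA: not expected
    "DENY tcp 10.0.9.7:55000 -> 10.0.1.11:443",    # admin to monitoring node: needed
]

if __name__ == "__main__":
    for line in SAMPLE_DENIES:
        print(classify_deny(line))
    print("rules to add:", missing_rules(SAMPLE_DENIES))
```

The direction check is the point: a WLC-sourced packet to UDP 1700 is reported as unexpected, while the same port from a PSN is an expected CoA flow, which matches the answer's reasoning that the WLC has no need to send CoA to the PSN.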

  • Does Cisco ISE-3315-K9 with ISE version: Service Engine: 1.0.4.573 support command accounting like ACS

    Hi
    Can anybody update whether ISE-3315-K9 with ISE version: Service Engine: 1.0.4.573 supports command-level accounting?
    Basically, we have integrated Cisco switches with Cisco ISE for device authentication using RADIUS. We are able to get the authentication logs for the devices, but for any command changes or updates done on Cisco devices we are not able to get the command accounting.
    Has anybody succeeded with command-level accounting on Cisco ISE?
    Please update
    Cisco ISE doesn't have TACACS feature ...

    Command Accounting is a TACACS+ feature so not for ISE....yet.
    However, you can do the following to send commands to syslog without including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log; increase or decrease as you have memory. The notify syslog is what sends it via syslog.
    conf t
    archive
    log config
    logging enable
    logging size 200
    hidekeys
    notify syslog
    end
    wr mem
    Remember, syslog is clear text  :-)  log away from user traffic when possible.  Or use TLS based syslog when possible.
    I hope you find this answer useful, if it was satisfactory  for you, please mark the question as Answered.
    Please rate post you consider useful.
    -James

  • Meraki MDM and Cisco ISE

    Has anyone done an integration of Meraki Systems Manager enterprise MDM and Cisco ISE? There is absolutely no documentation on the subject except for the Meraki announcement that lists:
    Cisco Identity Services Engine (ISE) integration – allows Systems Manager to directly communicate with ISE for device enrollment and posture assessment

    Hidden in the Meraki blog is this configuration guide for Meraki SM and ISE.
    https://www.dropbox.com/s/4pd2acrni9w9rjr/Meraki%20Wirelessv5.pdf
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • IPod touch 4g not recognized in computer and itunes

    I

    See:
    iOS: Device not recognized in iTunes for Windows
    I would start with
    Removing and reinstalling iTunes, QuickTime, and other software components for Windows Vista or Windows 7
    or
    Removing and Reinstalling iTunes, QuickTime, and other software components for Windows XP
    Run this to help if it identifies the cause
    iTunes for Windows: Device Sync Tests
    Have you tried on another computer to help determine if you have a computer or iPod problem?

  • ISE 1.2 - Self-Provisioned devices still in pending registration status

    Hi everybody,
    I'm on ISE 1.2 patch 2, setting up a single-SSID self-provisioning BYOD flow which works as expected except for a couple of issues:
    the first PEAP authorization always fails (no server certificate confirmation appears on the device and no Endpoint Profile is assigned); the second one goes through as expected and the self-registration flow is started;
    at the end of the flow, TLS certs are installed and the device appears in the endpoint database under the user's account, but "Device Registration Status" stays "pending", and this makes it impossible to further authorize the RegisteredDevices identity group;
    a single mobile device gets a different "Endpoint Profile" result at each subsequent access. For example: Android smartphones are profiled as Android or HTC device or HP devices or Samsung randomly.
    I've tried to analyze log files but cannot extract a full dump of the profiling process that could help identify why all this happens.
    Can you please help?
    Regards,
    L

    Hi Kevin,
    I did not find an answer. In subsequent patches the self-registration flow seems to have changed somehow and now I have more devices in 'Registered' state, but still, most of the time, at the end of the process there is no guarantee that the devices will be in this state. I've moved to broader policies for authorization (i.e. if you have a valid certificate and log in from one of the accepted profiles, we'll let you in).
    Please let me know if you open a TAC case, what is the answer.
    Regards,
    L
