ISE Identity Report

Hi,
is there any way to generate a report in ISE, to see what devices the users using ?
I understand we can do it from search function, but this is a manual effort and can't be scheduled..
from search function we can search the username and it will show the endpoints that the user is using
From the report function,
I can only get this data for registered device but not for those devices that's just using 802.1x without supplicant provisioning flow
same thing for guests, since they're using web authentication..
does this mean that we can only generate report for personal devices that the staff are using but not the corporate devices itself?

I doubt that, as far as i can tell with ISE, when you are being authenticated either by mab or by a user/pass with ex PEAP, your identity is established as either, not both, and the identity is what gets compared to identity groups.

Similar Messages

  • ISE Identity Groups in AuthZ Policy

    So we all know we can leverage identity groups in authorization policy, can we leverage two of them ? I tried building a compound condition that uses an identity group (MAB) along with another identity group (User) and can not get the policy to hit..Thoughts?

    I doubt that, as far as i can tell with ISE, when you are being authenticated either by mab or by a user/pass with ex PEAP, your identity is established as either, not both, and the identity is what gets compared to identity groups.

  • ISE(identity services engine) Compatability with 4400 Controllers

    We have mixture of wireless controllers in our environment consisting of Cisco 4400 and 5500 series wireless controllers.  We are in the early stages of piloting Cisco's Identity Services Engine.  I am trying to get clarification if it is fully compatible with 4400 series controllers running on 7.0.116 code, or do you have to use 5500 series on 7.2?  Can someone please clarify this.  Thanks.

    HI,
    Here is the network compatibility guide for ISE - http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038
    There are some new features (i.e. device registration web authentication) that I find very useful when you want to incorporate device registration without redirecting users to a login page, this is not supported on the 4400s since they can't run Radius NAC in mac filtering mode (i.e. fixed in 7.2). I do feel that there is a bug in this document because I have seen CWA work on the 7.0 code.
    I hope this helps,
    Tarik Admani

  • Unable to generate self signed certificate on secondary ISE Identity Services Engine node

    certificate has expired,
    we can generate a new one on the primary node
    not on the secondary node that fails
    with
    "internal error - please ask your Administrator to review the error logs."
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    2015-01-15 10:27:09,270 ERROR 2015-01-15 10:27:09,270  [http-443-15][] cpm.admin.infra.action.LocalCertAddAction- Unable to import certificate : com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: com.cisco.cpm.nsf.api.exceptions.NSFEntityTypeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    2015-01-15 10:27:22,019 INFO  2015-01-15 10:27:22,019  [http-443-17][] cpm.admin.infra.action.TimeSettingsAction- retrieve server status: SEC(A), SEC(M)

    What version and patch level of ISE are you running?

  • ISE Identity Certificate.

    Hi there,
    Does anyone have any experience with Publicly signed ID certificates for ISE.
    We are going to be deploying Guest Services via CWA. When a user connects to the portal they get a certificate error as the current ID certificates are only signed by our internal CA and nobody but internal users will have that CA installed.
    I went to an external provider (Geotrust) and wanted to get a Public CA signed Certificate with the CN = guestportal.company.com and SAN fields of internalserver.company.local.lcl, Private IP of BOX and External IP of Box. I get this Error from Geotrust.
    Certificates that expire after November 1st, 2015 may not contain an internal server IP address or server name. Please modify SAN entry to continue.
    Researching further into this it seems that all Certificates being issued by Public CA’s need to abide by the following new rules.
    “What is an Internal Name?
    An internal name is a domain or IP address that is part of a private network. Common examples of internal names are:
        Any server name with a non-public domain name suffix. For example, www.contoso.local or server1.contoso.internal.
        NetBIOS names or short hostnames, anything without a public domain. For example, Web1, ExchCAS1, or Frodo.
        Any IPv4 address in the RFC 1918 range.
        Any IPv6 address in the RFC 4193 range.”
    Has anyone got around this? Or will the guests just have to put up with the Certificate error? Also I'll have to change the PSN's hostname to the CN which has implications for it joining our internal active directory so not keen on that.
    I've read that LDAP might be my only solution, which I am not really keen on; see below.
    https://supportforums.cisco.com/docs/DOC-37562

    I have run into the same situation with public CAs. I need two separate certs, a public https one and an internal EAP one, each on a different domain. Is this possible? If so, how do you generate the certs for two different domains? The public one is straightforward as it will have the correct domain configured on the ISE node. However, for the EAP cert, how will an internal PKI react to a CSR generated by a box on a different domain?
    Recently I had a conversation with the TAC engineer. And the outcome seemed positive. The outcome from that conversation was the following:
    - Https wild card certificate from Public issuer with example.org.au 
    - CLI change on ISE nodes to change their domain to org.au
    - The company DNS must be able to resolve the ISE FQDN node names with example.org.au. For example - ISE01.example.org.au. 
    - The EAP certificate can be issued from the legacy Corporate PKI with a domain of example.local
    However in a response to the same question the account team have said:
    In response to checking if ISE can deployed with multiple domain certificates such as for http management on example.org and EAP on example.internal.org
    The reason why this is not possible is because for installing a certificate in ISE you need to pass few conditions - 
    "Cisco ISE checks for a matching subject name as follows:
    1.Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node’s FQDN.
    2.If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.
    3.If no match is found, the certificate is rejected."
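    The two rule sets quoted above (the public-CA "internal name" restrictions and the three-step ISE subject-name check) can be turned into a pre-flight check run against a planned SAN list before a CSR is submitted. The block below is an added example, not code from the thread or from Cisco; `NON_PUBLIC_SUFFIXES` is an assumed short stand-in for a real Public Suffix List lookup, and the function names are hypothetical.

```python
import ipaddress
from typing import Dict, List

# Assumption: a small stand-in for the Public Suffix List. A production check
# would consult the real list to decide whether a suffix is publicly registrable.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".lcl", ".localdomain", ".lan", ".corp", ".home")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = ipaddress.ip_network("fc00::/7")


def is_internal_name(name: str) -> bool:
    """True if `name` is an 'internal name' that a public CA must refuse to certify."""
    name = name.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 4:
            return any(addr in net for net in RFC1918)
        return addr in RFC4193
    if "." not in name:  # NetBIOS or short hostname such as Web1 or ExchCAS1
        return True
    return name.endswith(NON_PUBLIC_SUFFIXES)


def public_ca_rejects(san_entries: List[str]) -> List[str]:
    """Return the requested SAN entries a public CA would reject as internal names."""
    return [n for n in san_entries if is_internal_name(n)]


def matches_fqdn(pattern: str, fqdn: str) -> bool:
    """Match one SAN/CN entry against a node FQDN. A wildcard covers exactly one
    label, and its domain part must equal the domain part of the node's FQDN."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        host, _, domain = fqdn.partition(".")
        return bool(host) and domain == pattern[2:]
    return pattern == fqdn


def ise_accepts(cert: Dict, node_fqdn: str) -> bool:
    """Apply the three-step ISE subject-name check quoted in the thread.
    `cert` is a constructed dict with optional 'san_dns' (list) and 'cn' keys."""
    dns_sans: List[str] = cert.get("san_dns", [])
    if dns_sans:
        # Step 1: a SAN with DNS names is authoritative; the CN is not consulted.
        return any(matches_fqdn(n, node_fqdn) for n in dns_sans)
    cn = cert.get("cn")
    # Step 2: no DNS names in the SAN, so fall back to the Subject CN.
    # Step 3: anything that reaches here without a match is rejected (False).
    return bool(cn) and matches_fqdn(cn, node_fqdn)


if __name__ == "__main__":
    # Constructed request mirroring the thread: public CN plus internal SANs.
    requested = ["guestportal.example.com", "ise01.example.local.lcl",
                 "10.1.2.3", "203.0.113.10"]
    print("public CA would reject:", public_ca_rejects(requested))
    wildcard = {"san_dns": ["*.example.org.au"], "cn": "*.example.org.au"}
    print(ise_accepts(wildcard, "ise01.example.org.au"))       # True
    print(ise_accepts(wildcard, "ise01.corp.example.org.au"))  # False: extra label
```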

  • ISE Identity Group Assignment

    I need to prevent a large set of devices from getting access to the Internet through the Wireless Guest Service. I had made some tests and know I can block a MAC address through the Authorization Policy (If Blacklist then DenyAccess).
    In order to blacklist a large set I would like to import the MAC list and include the Identity Group Assignment in the CSV. It appears it is not possible ... Is there an easy way to change the Identity Group Assignment instead of doing it one by one?
    Regards.
    Daniel Escalante.        

    Additional Information and Question:
    Currently my Authorization Policy has this:
    The result is that any user trying to access the Guest Service can see the Guest Portal, enter credentials and, if they are valid, the AUP is displayed; after that, if the device is in the Blacklist, service is denied and the Guest Portal is displayed again, but no message about the situation is shown to the user. I wonder if I can generate a message and even avoid the AUP if the device is in the blacklist.
    Any comment will be greatly appreciated.
    Regards.
    Daniel Escalante

  • Cisco ISE (Identity Services Engine) - SGA seed device?

    Hi,
    We are having LAB with Cisco ISE, certificates and DACL. Everything is working fine with version 1.1.1, but now we would like to use SGA-SGT functionality instead of ACL and we found that we need seed device for this and that the only device which supports this is Nexus 7000. Is that true? Is this the only way that we can use SGA-SGT? Are there any plans that any other device will be used for seed device?
    BR,  Marko

    The seed device is defined as the first device that communicates with ISE. This needs to be a Nexus.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
    Furthermore the Nexus needs an Advanced Services license installed in order to support Trustsec.
    I can't comment on any future plans.

  • ISE 1.2 Auth Avg Response Time

    Hi Guys,
    We have recently moved to ISE 1.2 (distributed deployment on UCS C220 blades) from ACS 5.x. We are seeing an average auth response time of ~150ms on each PSN node (4 in total) and wonder whether this is too slow.
    Is this normal, or should we have a much lower average response time for those RADIUS authentications? What are the typical values you guys have observed in those sorts of deployments?
    Any input would be much appreciated
    Rasika       

    Hi,
    Where did you get your information from? Is it from the ISE Authentication Report Summary? If so, which of the Average responses are you concerned about? Authentications By Day, Identity Group, Identity Store, Allowed Protocol etc.
    In my network average response based on protocol PEAP is 121ms. Authentication by day is 74ms. Then again my network may be smaller than yours. Also I have an appliance and not a Virtual Server. In my opinion, I don't think 150ms is that much to make the user notice. If authentication response gets close to 300ms, then you have an issue.
    If you have a very large network like a University Campus, then 150ms is OK.

  • Monitoring ISE node as syslog destination

    Hi Security Experts,
    We are setting up Cisco ISE (Identity Services Engine) in our network.
    I have the confusion if we need to configure monitoring node IP address as the syslog destination on the access switches. In what situations is this needed and in which situations is it not needed?
    PS: I rate useful posts.
    Thanks,
    Kashish

    Kashish,
    When you look at the user authentication report, ISE also builds related syslog messages that pertain to the user connection.
    This isn't mandatory but useful, since it does help correlate syslog messages to the user authentication session. Here is an example of it in action:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1050132
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Ise 1.2.0.899 CWA Windows AD based

    Hi, I'm running ISE 1.2.0.899 patch 6
    When I use an internal ISE user which is in the Identity Group "Onboard", the guest authentication, self registration and profiling are going just great (see picture). But when I use an AD-created user which on AD is in the same "Onboard" security group, it is authenticated but further than that I get the message "The system admin has either not configured or enabled a policy for your device". Furthermore I can see in the log that the AD user is authenticated with Identity Group "Any". I tried several things in the authorization, matching the memberOf / external group based on "Onboard" with or without the guest flow specified. If I manage to get the device registered in the Identity Endpoint and I try to match on an AD group, I see that it is working.
    So the bottom line of this question is: if the BYOD/CYOD device is not registered in the ISE (Identity Endpoint), which policy rule can I make so it will profile it as an Android and put it in as a registered device?
    Does anyone know how this can be configured?  Any help is appreciated.
    Thanks in advance,
    Kind regards, 
    Michel

    Hi Neno,
    I was misled by the d0t1x AuthN in my first statement: if a connection is made on d0t1x with PEAP (mschapv2), then the AuthN checks in the identity source sequence (first AD) if the user exists. This is the case, so this connection is allowed by AuthZ rule: BYOD_AD_D0t1x
    1. What do you have configured under: Administration > System > Settings > Profiling > CoA?
    currently it is configured for: "no COA"
    as the cisco documentation said:
    Exemptions for Issuing a Change of Authorization:
    An Endpoint Created through Guest Device Registration flow—When endpoints are created through device registration for the guests. Even though CoA is enabled globally in Cisco ISE, the profiling service does not issue a CoA so that the device registration flow is not affected. In particular, the PortBounce CoA global configuration breaks the flow of the connecting endpoint.

  • Problem with download link for a BLOB Column in a "Classic report"

    I am having a problem where I cannot make a download link for a BLOB column work in a "classic" (non-interactive) report. I went through the tutorial on this topic and it was a great help in working out the minor bugs, but I get a 404 error (apex_util.get_BLOB not found). For testing purposes I went ahead and created an identical report on the same page as an "Interactive report" and it works like a charm. Same query, same BLOB format mask, pulling data from the same table. So it really doesn't seem like an issue with the grants, since both reports should be executing as the same user.
    I know it sounds like the obvious answer is to just go with the interactive report and my problem is solved, but the rest of this site uses classic reports, I don't need the sort features of an interactive report, and the slightly different style of the report really stands out even if I turn off all the bells and whistles. I don't want to change the CSS to make them look identical; I just want a regular report to work.

    I eventually found another post: APEX_UTIL.GET_BLOB was not found on this server
    In this post there is the suggestion of putting "dbms_lob.getlength("var")" after the date field in your select. So I changed my query to have it at the end, and now my format mask (DOWNLOAD:table_name:ATTACHED_FILE:FILE_ID::FILE_MIME_TYPE:FILE_NAME:::attachment:Download) works like a charm, in a classic report.

  • ISE Guest Service fail depending on the browser

    One of my customers is complaining about having problems to access the guest services depending on the browser used:
    When the visitor has Internet Explorer 10 or 11, he said the content is blocked and even the guest portal is not displayed. When the visitor has Google Chrome (no specific version indicated), he said the portal is displayed but the content is blocked after entering user and password. With Firefox a certificate exception was added in advanced options.
    I think the issue can be something related to certificates or even the computer, but I'm not sure how I can identify the root cause.
    I wonder if something in the ISE is reported about the browser used to authenticate in the guest portal. I know the release notes indicate browser compatibilities, but in guest services I think there shouldn't be restrictions, because you don't know what device, OS, or browser will be used by guests.
    The ISE is running 1.1.2.145, no patches yet.
    I will appreciate any tip you can provide me.
    Regards.

    Hi ,
    The link below gives the detailed versions of the supported operating systems and their supported browsers for Sponsors and Guests.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
    Google Chrome, Mozilla and IE are supported, but there are some restrictions on the browser versions.
    For IE make sure you have enabled ActiveX controls and check if the compatibility mode is enabled.
    If the customer is making use of supported browsers and still experiencing the issue, then we need to check what options are enabled on the browsers and what is blocking the content download in the browser.

  • ISE 1.2 rejects RADIUS messages from vWLC

    Hello,
    I have an ISE appliance with the Wireless license. The Cisco vWLC is configured to send Radius traffic to the device, but is getting the error message:
    11054 Request from a non-wireless device was dropped due to installed Wireless license
    The vWLC is showing up under endpoints as a VMWARE workstation, and not a WLC, and so under the licensing requirements will not allow RADIUS to be received from anything other than a WLC. I tried hard-coding the policy to match a Cisco WLC with a condition of matching its MAC address, and even disabled the VMWARE profile policy, but the endpoint then only matches the "Unknown" policy. Any ideas?

    Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)
    Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:
    test aaa group radius
    new-code
    If this test command is successful, you should see the following attributes:
    Connect port
    Connect NAD IP address
    Connect Policy Service ISE node IP address
    Correct server key
    Recognized username or password
    Connectivity between the NAD and Policy Service ISE node
    You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. (For example, to test whether or not user credentials may be the source of the problem, enter a username and/or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.)
    Note: This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.

  • 1 workbook, 2 identical queries, 2 different currency types on one refresh

    Hello BEX Gurus
    I have to create a workbook with 2 identical queries (2 worksheets). One sheet should be with currency type A and the other sheet should be with currency type B. My input variables are on company code, period, year and currency type. How can I get on a single refresh both worksheets with the proper currency type data displayed ?  (1 sheet in CAD and the other one in USD for example).
    I tried unsetting the Workbook settings <Display same variable only once> so that I have a chance to input the parameters for every query and it works (as it shows me both data providers input variables) but this is not a good solution if I have 15 queries in another workbook ... i.e the user will not be happy inputting 15 parameter input popups...
    How is this achieved, considering that I am not a VB programmer, that we are on BI 7 and that I don't want to create new identical reports for the other currency type to report on ? If this involves VB coding, please be clear on how to implement this.
    Tx

    Joke
    When I drill across currency type, I get the <no applicable data found> message. There must be something I am doing wrong 
    1) I added currency type in the <Free Charact> tab
    2) I refresh the workbook
    3) I filter the CAD sheet with the filter for currency = CAD
    4) Then I right-click (rmc) and select the drill and I get the no data found message.
    Tx
    Yves

  • Maintaining formats(layouts) on Crystal report with different database

    I was just needing some help maintaining the layout of a report while using a different database. The databases are very similar; for example, a field for the database in use is line1xxxx, and what I wish to do is keep all the formatting and point it to the line2xxxx database, where line1 is the original database and line2 is the new database I wish to use. Both of these databases reside in the same folder; it's just that I need identical reports for both Line 1 and Line 2 and am trying to get away from duplicating all the work I did on the Line 1 report.
    Hopefully not too trivial for this forum.
    Thanks in advance.

    If you have the same tables in both databases, then open the report and go to the menu option Database --> Set Data Source Location, create a new connection in the bottom window, select the existing connection from the top window and the new one from the bottom, and click Update. Now the report points to the new database, so use the Save As option to save the report under some other name, so that you keep the old report with the old connection and the new one with the new connection.
    regards,
    Raghavendra.G
