ISE integration with WLC 7.0 code
Hi friends,
I just need to clear up my doubts about the features that are not supported in 7.0 code.
The features that are not supported in this integration are as follows:
No support for guest clients: posture for guest users is not supported.
H-REAP local switching is not supported.
No support for WLAN(s) without 802.1x support.
Client will go through posture during slow roam: when the client is associated using 802.1x (not WPA2 or CCKM) and then roams from one WLC to another, the WLC will send a new session ID, hence the client will again go through the posture validation process.
No support for guest tunneling mobility.
MAC auth bypass is not supported.
VLAN pooling is not supported.
No support for AP groups.
What are VLAN pooling, MAC auth bypass and guest tunneling mobility? Can you please explain?
And I need to know whether these features are supported; if yes, then in which code?
Especially CWA, VLAN pooling and AP groups?
Appreciate your reply!
Thanks
VLAN Pooling:
Integration of VLAN Pooling, or the VLAN Select feature, in the 7.0.116.0 release provides a solution to this restriction where the WLAN can be mapped to a single interface or multiple interfaces using an interface group. Wireless clients associating to this WLAN will receive an IP address from a pool of subnets identified by a MAC hashing algorithm, which is calculated based on the MAC address of the client and the number of interfaces in the interface group. In the instance that the interface selected from the interface group by the MAC hashing algorithm does not serve the IP address to the client for some reason (DHCP server unreachable, DHCP scope exhausted, etc.), that interface will be marked as dirty and a random interface is selected from the interface group.
Guest Tunneling:
Mobility, or roaming, is a wireless LAN client's ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible. For more detail you can see
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
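As an added illustration (not code from this post or from Cisco), the following Python models the interface-group selection just described: a MAC-based hash picks an interface, and when that interface cannot deliver an address it is marked dirty and a random clean interface is tried instead. The real WLC hash is not given in the post, so `mac_hash`, the `InterfaceGroup` class and the DHCP stand-in are constructed for this example; skipping dirty interfaces on the random fallback is also an assumption.

```python
"""Model of VLAN Select interface-group selection as described in the reply.
Constructed example: the hash, class and DHCP stand-in are not the WLC's code."""
import random


class InterfaceGroup:
    def __init__(self, interfaces, dhcp_ok, rng=None):
        # interfaces: interface names in the group; dhcp_ok: name -> bool,
        # True if that interface's DHCP scope can still hand out a lease.
        self.interfaces = list(interfaces)
        self.dhcp_ok = dict(dhcp_ok)
        self.dirty = set()              # interfaces marked dirty after a failure
        self.rng = rng or random.Random(0)  # seeded so runs are reproducible

    @staticmethod
    def mac_hash(mac, n):
        """Stand-in hash: sum of the MAC's octets modulo the interface count.
        The real algorithm is not published in the post; only the shape
        (depends on the MAC and on the number of interfaces) is modelled."""
        octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
        return sum(octets) % n

    def select(self, mac):
        """Return (interface, reason) for a client, or (None, 'exhausted')."""
        first = self.interfaces[self.mac_hash(mac, len(self.interfaces))]
        if first not in self.dirty and self.dhcp_ok.get(first, False):
            return first, "hash"           # normal case: hash result works
        self.dirty.add(first)              # DHCP failed (or already dirty)
        # Assumption: the random fallback only considers clean interfaces.
        candidates = [i for i in self.interfaces if i not in self.dirty]
        self.rng.shuffle(candidates)
        for iface in candidates:
            if self.dhcp_ok.get(iface, False):
                return iface, "random"
            self.dirty.add(iface)          # keep marking failures as dirty
        return None, "exhausted"


def demo():
    """Three clients against a group whose second interface has no leases.
    Returns the per-client selections and the dirty set afterwards."""
    group = InterfaceGroup(["vlan10", "vlan11", "vlan12"],
                           {"vlan10": True, "vlan11": False, "vlan12": True})
    macs = ("00:11:22:33:44:55", "00:11:22:33:44:56", "00:11:22:33:44:57")
    return [group.select(m) for m in macs], sorted(group.dirty)
```

The same MAC always hashes to the same interface while the group is unchanged, so a client keeps landing on the same subnet until that interface is marked dirty.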
Similar Messages
ISE integration with Prime Infrastructure,
Hi Team,
I would like to know what the advantages and disadvantages of the ISE integration with Prime Infrastructure are. Also, how will the LAN, Wi-Fi and identity management parts (guest access etc.) work together?
Cheers!!!
Minakshi
Prime Infrastructure manages the wired and the wireless clients in the network. When Cisco ISE is used as a RADIUS server to authenticate clients, Prime Infrastructure collects additional information about these clients from Cisco ISE and provides all client-relevant information to Prime Infrastructure to be visible in a single console.
When posture profiling is enforced in the network, Prime Infrastructure talks to Cisco ISE to get the posture data for the clients and displays it along with other client attributes. When Cisco ISE is used to profile the clients or an endpoint in the network, Prime Infrastructure collects the profiled data to determine what type of client it is, whether it is an iPhone, iPad, an Android device, or any other device.
Cisco ISE assists Prime Infrastructure in monitoring and troubleshooting client information, and displays all the relevant information for a client in a single console.
ISE integration with Mobile Device Management ( MDM ) help required
Dear Techies,
I am here to bring to your notice a different issue, with not many resources to support it even in PEC or Cisco documentation.
We are conducting a Proof of Concept (PoC) on Secure Bring Your Own Device (BYOD) using Cisco ISE and are going to test all the scenarios like wired, wireless and VPN user access.
Setup Brief :
=========
Our setup has an ISE VM acting as Admin, Monitor and Profiling device; we have a NAC 3315 physical appliance as Inline Posture device, a Wireless LAN Controller, an access point and Microsoft Active Directory as the identity source.
Having Plans to Integrate Mobile Device Management ( MDM ) and Citrix VDI setup also.
Activity Brief:
=========
As of now we have tested the wired scenario authentication and authorization for guest users and are going to carry out the profiling and posture.
Clarifications Required
================
Wired Scenario - Require some configuration / steps on how to carry out posture for the guest wired users, i.e. laptops.
Wireless Scenario
Can MDM be integrated with ISE?
How can MDM be integrated with Cisco ISE? Is there a configuration or guide to show this?
What is the demarcation between MDM and ISE (i.e. what is the role of ISE and MDM on mobile devices)?
If MDM is available, then where does the control of ISE end? Does MDM do the management or will ISE manage the devices?
Will MDM do client provisioning, or should ISE?
Does MDM send or update patches for mobile devices?
As of now these are the scenarios, kindly revert if any good documents to show this or share your expertise on the Integration Part.
Thanks for Reading...
Arun
I would like to avail of your valuable inputs to understand the client provisioning part for the mobile devices/laptops. I understand from your reply that MDM integration is not available in the current release ISE 1.1 - That is correct.
Kindly let me know your views or any documents on the following scenarios with the current release in mind
1. User with Mobile devices connecting to Wireless ( both Employee and Guest ) , How the Flow differs for the Employee and Guest. How the client provisioning is done ( i.e. Like Posturing or Compliance Check ).
The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs. guest user) combined with the user's endpoint (Windows, Mac OS X, or a mobile device); ISE then has a few decisions to make based on the authorization policies. For example, if a domain user coming from a Windows 7 machine joins the network, then they can either use the NAC agent or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance... and the list goes on. If the user fails a check then you can either assign an ACL for the user so they only have guest access, or you can place them into a remediation VLAN; the options are entirely up to the requirements and however the solution is implemented.
2. User with Laptop connecting to Wireless ( both Employee and Guest ). How the client provisioning is done ( i.e. Like Posturing or Compliance Check ).
Guests are usually redirected to the guest portal where they authenticate, and their user group falls within the Guest container that is on the ISE internal database; that is usually coupled with an authorization profile that grants them internet access. For the client provisioning, that is usually done based on the operating system, via profiling (DHCP, user agent string, netmap, etc.) and can be fine-tuned for all laptops or for a specific set of users based on their group membership.
3. What are advantages of having ISE also in place for Mobile devices, since most of the Mobile related tasks ( like Authentication, Authorization, Profiling and Posture ) are carried out by MDM. I am checking for the significant advantage of having ISE for Client network having only Mobile devices. Kindly clarify.
Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products, since they are all part of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (VPN, etc.) and ISE are pretty close in building their solutions so that you can get connected with any device anywhere (sorry for the sales pitch). The latest wireless code is improving and is going to have support similar to the IOS sensor for wired devices, where DHCP, CDP and other attributes can be sent in the RADIUS packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep), you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID, so that makes the budget work when it comes to deploying ISE if you aren't looking for enforcement on your wired devices.
4. Do you recommend 802.1X Authentication to use for the Employee and Contractor? The Guest user authentication as Open ?
For internal users and vendors the best option by far is dot1x; almost all operating systems are capable of performing dot1x, and the 1.1.1 MR now has a piece that can provision the supplicant for the users, by using SCEP to enroll certificates or configure PEAP settings.
There is a feature within the guest portal that allows you to statically assign guests into an endpoint group; that feature is called device registration web authentication. It seems like an open network but uses MAC filtering to assign these devices to an endpoint group without requiring users to enter any credentials. They are presented with an AUP page; once they accept, their MAC address is mapped to the endpoint group.
5. How can we ensure the Encryption of traffic from the Guest user to the NAD ( Network Access devices ) ?
This may be a wireless question, but I am sure the encryption is done using AES and using dot1x as the key management; here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2
You can also use the anyconnect client which can provide macsec which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html
6. We are also looking for VDI ( Citrix, VMware ) solution for the client ( both Employee and Guest ) , how ISE can play a role in securing the VDI environment.
For most thin clients you can perform dot1x authentication on the device itself, however that is something the manufacturer will have to support. This is a little gray for me.
7. Is that any integration required with Citrix or VMware. How the VDI can be offered based on the User role ( i.e. Employee, Contractor or Guest ), since Guest database is available only with ISE, how the checks are made from the VDI environment.
In ISE there is an identity sequence which can authenticate users in AD first; if the user is not found then it can look in the internal database.
Our solution demands MDM in the integrated solution. As of today ISE can't be integrated with MDM, so what kind of solution can we propose to have MDM and Cisco ISE? Do the clients that now enter the network need to have the MDM agent already installed, or is there any other way of pushing it to the client?
Today there is no integration between the devices, the last release time I heard was December for this feature. However it would be best to confirm with your Cisco Account rep on this issue.
Thanks,
Tarik Admani
*Please rate helpful posts*
Cisco ISE integration with third-party firewalls
Can Cisco ISE be integrated with a third-party firewall (such as Checkpoint), to provide authentication/authorization services to remote VPN user devices (based on device MAC address)?
The remote user would establish a VPN connection to a third-party firewall, based on a username/password authentication, but the user would only be allowed to send/receive traffic to the internal network if the MAC address of the device being used was authorized by Cisco ISE.
Thank you in advance.
Rui,
I do not think the VPN client sends the IP address in a called-station-id; that might be the public IP address that the client is initiating the request from. If you have an existing RADIUS server or can run a packet capture you should be able to verify that.
If the client does send the MAC address in the RADIUS packet then you can create a custom condition that can be used to check the MAC address along with the username to allow it access to the session. However, in VPN deployments there is no concept of profiling, since 802.1x deployments usually include the client's MAC address.
Thanks,
Tarik Admani
*Please rate helpful posts*
ISE integration with SMS gateway required license
Hello All,
We have a Cisco WLC with guest wireless access configured to use the local database. Management requires a new solution to send credentials to the user through SMS after the user signs up through the portal.
We decided to use Cisco ISE. My question is what the required license is to integrate ISE with the WLC and SMS gateway. Should we use the Base license, Advanced or the Wireless license?
Thanks,
Amr
Hi Charles,
why do you say "you would need Base and Plus Licenses at a minimum"?
Looking at the ISE licensing guide (table 2):
http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.pdf
it seems that Guest Portal services are already included in Base License (and all the AAA stuff too),
therefore enough for the "Wireless Guest Access with SMS authentication" needed by Amr.
Finally, the advantage of the 'Base' license is that it is perpetual... no annual fee to pay ;-)
Regards.
Gio
Win 2008 R2 radius integration with WLC 5508
Requires help in integrating Win 2008 R2 Radius server with WLC 5508
Step by Step instructions - NPS & Wireless LAN Controller
PEAP Authentication - http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
EAP-TLS
https://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-eap-tls-authentication
Hope that helps. Please let me know if you have any other questions in regards to setting up your NPS server.
Please rate that post if it answers your question or helps you to resolve the problem.
Cisco ISE integration with SMS passcode Device
HI Experts,
I have a scenario where the requirement is to integrate the ISE device with an SMS passcode device which will trigger the OTP to the mobile devices.
Currently I have my authentication configured to work with AD.
When my VPN users connect, they authenticate against AD and the users get access.
Now, as per the new requirement, once the user is authenticated against AD, the user should be prompted for the OTP password sent to the user via the SMS passcode device.
Has anyone worked on a similar requirement? Please help me to resolve the issue.
Thanks in advance
Angus
Hi all,
I have been working for exactly a month on this topic with no success.
I need to integrate the VASCO OTP solution. But VASCO does not support any external authentication backend for virtual/SMS tokens. Only passcode or local authentication.
I need to implement an external authentication against LDAP somewhere...
Gunnar, does Cisco clearly say it is not able to participate in such a setup?
So, my need would be to be able to insert into the flow an authentication in ISE against the LDAP.
The flow is:
WebApplication sends login+password (LDAP) to ISE
ISE checks the credentials and, if OK, forwards the request to VASCO
VASCO does not check the password but generates the OTP and sends it via SMS
VASCO replies with an Access-Challenge
ISE forwards the challenge to the Web Application
WebApplication sends login+OTP response to ISE
ISE forwards it to VASCO
VASCO checks the OTP and replies to ISE with an Accept
ISE forwards it to the Web Application
User is logged in...
All the flow is working if the user enters a passcode.
I would like to implement an identity source sequence where the user is checked against all the entries, not just the first match.
First LDAP, then VASCO...
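The two-leg flow listed above, modelled as an added example (not ISE, VASCO or any project code): an `IseProxy` that checks the LDAP password first and only then proxies to an `OtpServer` stand-in, which answers with an Access-Challenge carrying a State and accepts the second request only if the OTP bound to that State matches. All class and attribute names are constructed; the dict messages only imitate RADIUS attribute names, and the OTP server deliberately never sees the LDAP password.

```python
"""Two-leg login: LDAP password check in ISE, then an OTP challenge from an
SMS/OTP server. Constructed model for this thread; class names, the OTP
generator and the dict-based messages are assumptions, not ISE/VASCO APIs."""
import hmac
import secrets

LDAP_USERS = {"alice": "ldap-secret"}  # constructed LDAP identity store


class OtpServer:
    """Stand-in for the OTP server: never sees the LDAP password, issues one
    code per challenge State and accepts it once."""

    def __init__(self):
        self.pending = {}   # State -> (username, otp)
        self.sent_sms = []  # (username, otp) "delivered" by SMS

    def access_request(self, req):
        state = req.get("State")
        if state is None:  # first leg: generate and deliver the OTP
            otp = f"{secrets.randbelow(10 ** 6):06d}"
            state = secrets.token_hex(8)
            self.pending[state] = (req["User-Name"], otp)
            self.sent_sms.append((req["User-Name"], otp))
            return {"Code": "Access-Challenge", "State": state,
                    "Reply-Message": "Enter the code sent by SMS"}
        user, otp = self.pending.pop(state, (None, None))  # single use
        if user == req["User-Name"] and otp is not None and \
                hmac.compare_digest(otp, req.get("User-Password", "")):
            return {"Code": "Access-Accept"}
        return {"Code": "Access-Reject"}


class IseProxy:
    """ISE as RADIUS proxy: LDAP check on the first leg, pass-through of the
    State-bound second leg; the OTP server is not contacted on LDAP failure."""

    def __init__(self, otp_server):
        self.otp = otp_server
        self.challenged = set()  # States we forwarded and still expect back

    def access_request(self, req):
        state = req.get("State")
        if state is None:
            if LDAP_USERS.get(req["User-Name"]) != req.get("User-Password"):
                return {"Code": "Access-Reject"}
            resp = self.otp.access_request({"User-Name": req["User-Name"]})
            if resp["Code"] == "Access-Challenge":
                self.challenged.add(resp["State"])
            return resp
        if state not in self.challenged:
            return {"Code": "Access-Reject"}  # not a challenge we issued
        self.challenged.discard(state)
        return self.otp.access_request(req)


def login(ise, username, ldap_password, otp_lookup):
    """Web application side: run both legs and return the final RADIUS code.
    otp_lookup(username) returns the code the user read from the SMS."""
    first = ise.access_request({"User-Name": username,
                                "User-Password": ldap_password})
    if first["Code"] != "Access-Challenge":
        return first["Code"]
    second = ise.access_request({"User-Name": username,
                                 "User-Password": otp_lookup(username),
                                 "State": first["State"]})
    return second["Code"]


def demo():
    """Three logins: wrong LDAP password, correct OTP, wrong OTP."""
    srv = OtpServer()
    ise = IseProxy(srv)
    right = lambda u: srv.sent_sms[-1][1]
    wrong = lambda u: "000000" if srv.sent_sms[-1][1] != "000000" else "111111"
    return {"wrong_ldap": login(ise, "alice", "nope", right),
            "good": login(ise, "alice", "ldap-secret", right),
            "wrong_otp": login(ise, "alice", "ldap-secret", wrong),
            "sms_count": len(srv.sent_sms)}
```

A wrong LDAP password is rejected before any SMS is sent, which is the ordering the poster wants from the identity source sequence.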
ISE integration with Oracle LDAP
Does ISE integrate with Oracle OID LDAP (Version 11G)? If yes, which version?
ISE supports any LDAPv3-compliant server.
ISE integration with XenMobile
We are trying to leverage XenMobile with ISE; we have it added and it tests successfully. Devices have already been enrolled into MDM, and we want to query the MDM to determine if the device is registered, jailbroken, etc., to determine access. In testing, the reports show that a known device in MDM is "un-registered" and all the other fields are unknown. From ISE I can see that the endpoint ID is an identifier within the XenMobile Device Manager. I am not part of the group that does the configuration of the MDM, so I have limited access to it. I can log in to the portal and check the device in question, but I don't see any fields that reflect the exact definitions that are in ISE.
As I stated the "Test" comes back successful.
Thanks,
Joe
2015-01-12 08:29:40,225 INFO [Thread-42][] cisco.cpm.mdm.api.MdmBaseApi -::0a1f06840002becc54b3da2b:::- GETMDM Server URL: https://xdm.XXXX.com:443/zdm/ciscoise/devices/0/macaddress/48437C7ACFA0/all
2015-01-12 08:29:41,034 INFO [Thread-42][] cisco.cpm.mdm.api.MdmBaseApi -::0a1f06840002becc54b3da2b:::- MDM Server Response Code: 500
2015-01-12 08:29:41,035 WARN [Thread-42][] cisco.cpm.mdm.api.MdmBaseApi -::0a1f06840002becc54b3da2b:::- Failled to connect to MDM Server 500 : Internal Server Error
2015-01-12 08:29:41,040 WARN [MdmEventHandler-25-thread-2][] cisco.cpm.mdm.util.MDMUtil -::0a1f06840002aab854b008ad:::- Couldn't find the endpoint information for mac address 48:43:7c:7a:cf:a0
Looks like ISE isn't getting a response from the MDM server; is it possible to check the MDM API to verify it is up and running?
Thanks,
Joe
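A small triage script, added here and not part of the post, that parses the log lines quoted above (embedded as sample input exactly as posted, host already redacted by the poster), correlates each MDM request with its HTTP status by the session id, and then ties the later "Couldn't find the endpoint information" warning to a failed lookup of the same MAC, so the "un-registered" result can be attributed to the 500 from the MDM API rather than to the device. Regex and function names are assumptions based only on the visible line layout, not on an ISE log schema.

```python
"""Triage of the ISE MDM log lines above. Regexes and function names are
constructed from the visible line layout only (not an ISE log schema)."""
import re

# Sample input: the four lines from the post (host already redacted there).
SAMPLE_LOG = """\
2015-01-12 08:29:40,225 INFO [Thread-42][] cisco.cpm.mdm.api.MdmBaseApi -::0a1f06840002becc54b3da2b:::- GETMDM Server URL: https://xdm.XXXX.com:443/zdm/ciscoise/devices/0/macaddress/48437C7ACFA0/all
2015-01-12 08:29:41,034 INFO [Thread-42][] cisco.cpm.mdm.api.MdmBaseApi -::0a1f06840002becc54b3da2b:::- MDM Server Response Code: 500
2015-01-12 08:29:41,035 WARN [Thread-42][] cisco.cpm.mdm.api.MdmBaseApi -::0a1f06840002becc54b3da2b:::- Failled to connect to MDM Server 500 : Internal Server Error
2015-01-12 08:29:41,040 WARN [MdmEventHandler-25-thread-2][] cisco.cpm.mdm.util.MDMUtil -::0a1f06840002aab854b008ad:::- Couldn't find the endpoint information for mac address 48:43:7c:7a:cf:a0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<thread>[^\]]*)\]\[\] (?P<logger>\S+) "
    r"-::(?P<session>[0-9a-f]+):::- (?P<msg>.*)$")
URL_RE = re.compile(r"MDM Server URL: (?P<url>https?://(?P<host>[^/]+)\S*)")
MAC_IN_URL_RE = re.compile(r"/macaddress/(?P<mac>[0-9A-Fa-f]{12})/")
CODE_RE = re.compile(r"MDM Server Response Code: (?P<code>\d{3})")
MISSING_RE = re.compile(
    r"endpoint information for mac address (?P<mac>[0-9a-f:]{17})", re.I)


def norm_mac(mac):
    """Lower-case colon form so the URL MAC and the warning MAC compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_lines(text):
    """Yield one dict per line that matches the ISE log layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(text):
    """Correlate each MDM lookup (by session id) with its HTTP status, then
    explain 'endpoint not found' warnings by a failed lookup of the same MAC."""
    lookups = {}     # session id -> {"host", "mac", "code"}
    unresolved = []  # MACs ISE reported without endpoint information
    for rec in parse_lines(text):
        msg = rec["msg"]
        if (m := URL_RE.search(msg)):
            in_url = MAC_IN_URL_RE.search(m["url"])
            lookups[rec["session"]] = {
                "host": m["host"],
                "mac": norm_mac(in_url["mac"]) if in_url else None,
                "code": None}
        elif (m := CODE_RE.search(msg)) and rec["session"] in lookups:
            lookups[rec["session"]]["code"] = int(m["code"])
        elif (m := MISSING_RE.search(msg)):
            unresolved.append(norm_mac(m["mac"]))
    failed = {l["mac"]: l["code"] for l in lookups.values()
              if l["code"] is not None and l["code"] >= 500}
    return {"lookups": lookups,
            "unresolved": unresolved,
            "explained_by_server_error": [mac for mac in unresolved if mac in failed],
            "failing_hosts": sorted({l["host"] for l in lookups.values()
                                     if l["code"] is not None and l["code"] >= 500})}
```

Run over a longer log window, `failing_hosts` and the per-session codes show whether the MDM API is down outright or only failing for particular lookups.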
ISE Compatibility with WLC 5760
The ISE compatibility Matrix (June 5, 2013), does have a row for WLC 5760 in its tables.
The WLC 5760 Release Notes say it is compatible with ISE without specifying which features.
Why is the WLC 5760 missing from the ISE Compatibility Matrix, and how can I get specific ISE feature support (i.e. CoA, DACL)?
Thanks.
Hello Marvin,
ISE 1.2 is on the road map and it will be available by July 17, 2013, and that will support WLC 5760 and all the features which you are looking for.
Cisco ISE integration with AD fails
Cisco ISE Ver: 1.1.2.145
Windows : Win 2003 Server
I am attempting to integrate ISE with AD, but ISE won't join AD and joining attempts fail, though I am able to add the same domain as an external LDAP identity store.
1. The user used to join the domain has admin permission on AD.
2. ISE resolves the domain correctly.
3. There is a firewall in between ISE (192.168.100.10) and AD (172.16.100.1), but all the traffic is permitted.
4. No NATing is taking place; the firewall is forwarding all traffic between ISE and AD.
Can't really understand why AD connection fails
From ISE Interface - Detailed Test Connection
Adinfo (CentrifyDC 4.5.0-357)
Host Diagnostics
Uname: Linux Iseadn 2.6.18-274.17.1.el5PAE #1 SMP Wed Jan 4 22:49:48 EST 2012 I686
OS: Linux
Version: 2.6.18-274.17.1.el5PAE
Number Of CPUs: 1
IP Diagnostics
Local Host Name: Iseadn
Local IP Address: 192.168.100.10
FQDN Host Name:iseadn.gnet.cp
Domain Diagnostics
Domain: Gnet.cp
Subnet Site: Default-first-site-name
DNS Query For: _ldap._tcp.gnet.cp
Found SRV Records:
Gnet.cp:389
Testing Active Directory Connectivity:
Domain Controller: Gnet.cp
Ldap: 389/tcp - Good
Ldap: 389/udp - Good
Smb: 445/tcp - Good
Kdc: 88/tcp - Good
Kpasswd: 464/tcp - Good
Ntp: 123/udp - Good
Domain Controller: Gnet.cp:389
Domain Controller Type: Windows 2003
Domain Name: GNET.CP
IsGlobalCatalogReady: TRUE
DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
ForestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
DomainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Forest Name: GNET.CP
DNS Query For: _gc._tcp.GNET.CP
Testing Active Directory Connectivity:
Forest Name: GNET.CP
Kerberos Error: Rc=-1765328377 SASL Bind To Ldap/[email protected] - GSSAPI Mechanism With Kerberos Error : Server Not Found In Kerberos Database
Computer Account Diagnostics
Not Joined To Any Domain
System Diagnostic
Not Joined To Any Domain
Centrify DirectControl Status
Not Joined To Any Domain
Licensed Features: Enabled
SELinux Status: Disabled
From AD-agent log
Hi Jallaluddin,
I work for Centrify Support and saw your posting. Here is our analysis on checking the adlogs.txt.zip:
"Server not found in Kerberos database" (reference base/adbind.cpp:495 rc: -1765328377)
That error is likely coming from the KDC - meaning there is some problem with server side SPNs
We need the following:
1) A network trace.
2) adcheck output.
3) adinfo --support output
4) Run dcdiag or netdiag on the server side.
Also we partner with Cisco, so would it be possible to work with your partners? I am pretty sure they have seen this before with DC issues etc. Can you please work with them and see? TIA
Best Regards
Raghu Srinivasan
Any doc on implementing inband wireless with NAC?
Let's say 2 SSIDs: 1 staff SSID that has 30 networks based on 30 locations and 1 guest network for all locations. The controller is trunked to the switch. How do you force the traffic to go to the CAS?
Thanks in advance!
In-Band Virtual Gateway is the recommended configuration. What you have in the link is In-Band Real IP. You can use either one... with Real IP you will need static routes. In In-Band Virtual Gateway, the NAC will bridge the traffic from the untrusted to the trusted side.
Basically the SSID is mapped to a VLAN like 50 and that is passed onto a dot1q trunk to the switch. VLAN 50 is not routed and the only other port on VLAN 50 is the untrusted port on the CAS. The CAS then bridges that to... let's say VLAN 51, which is routed on the network.
Every time I have to deploy one of these, it still confuses me somewhat... So I hope this doesn't confuse you.
What is the lowest ISE version supported with WLC 7.3.112.0
Dears,
Kindly, I want to know what the lowest version of ISE supported with WLC 7.3.112.0 or WLC 7.3.101.0 is.
Please, I need your feedback.
Regards,
The lowest version of ISE supported with WLC 7.3 is ISE 1.2 as per the document:
(Rows: platform | supported WLC releases | feature-support columns in the order of the linked matrix; the column headings were not reproduced in the post.)
Wireless LAN Controller (WLC) 2500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Wireless LAN Controller (WLC) 5500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Wireless LAN Controller (WLC) 7500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9, Yes, Yes, Yes, Yes, Yes, Yes, No, Yes
Wireless LAN Controller (WLC) 8500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9, Yes, Yes, Yes, Yes, Yes, Yes, No, Yes
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
ISE 1.1 won't support WLC 7.3:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/compatibility/ise_sdt.html
Wireless LAN Controller (WLC) 2100, 4400 | 7.0.116.0 | No6, Yes, No, Yes, Yes, Yes, Yes, No, No
Wireless LAN Controller (WLC) 2500, 5500 | 7.2.103.0 | No6, Yes, Yes, Yes, Yes, Yes, Yes, Yes, No
WLC 7500 Series | 7.2.103.0 (basic RADIUS auth supported in 7.0.116.0) | Yes6, Yes, No, Yes (local only), No, Yes, No, No, No
Cisco ISE Integrate with Airwatch
Dears,
I need a configuration guide or video on how to integrate Cisco ISE with AirWatch. Please provide me this information.
Thanks
If you have a CCO ID, you may be able to see it here:
ISE integration with AirWatch MDM
If you cannot, you should be able to ask your Cisco AM for this.
Please rate helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
Cisco WLC ISE integration issue
Dear all,
We have a WLC 5508 and ISE integration; our wireless clients can connect to the Guest or Corporate SSID.
When connecting to the Corporate SSID, they can obtain an IP address and successfully associate. To use internal services (email, corporate services, etc.) the user needs to download the AirWatch agent and so on, but initially he can use ONLY the internet connection. So the issue is that the client randomly reassociates; the client downtime is less than a second. For example, an Android phone shows that it periodically disconnects and reassociates again to the SSID. I don't know if it is a bug or some timers need to be configured; any ideas?
There is no problem with the non-802.1x SSID.
Is the problem in the ISE timers?