ISE NICs

Do ISE 3355 and 3315 support EtherChannel configuration?
And I see that they have four Gigabit Ethernet NICs, but two of the NICs need add-on cards? Does that mean that only two (out of the available four NICs) are ready to be used without installing any additional card?
Thanks,
Kashish

Kashish,
The ISE NICs do not support EtherChannel currently. I do not know if there is planned support for this down the road; traditionally Cisco hasn't released any support for NIC configurations on the ACS or NAC.
Thanks,
Tarik Admani

Similar Messages

  • ISE 1.2 does not do HTTP profiling ???

    Hi, guys.
    Has anyone successfully enabled ISE 1.2 Patch 1 to do profiling using HTTP on a monitor session/SPAN port ???
    I have tried the following:
    - DMZ switch, which holds a vlan where (only) the central proxy server resides
    - ESX 5.1 host, one nic connected to the DMZ switch
    - configured a virtual switch/network on this host, which uses the nic connected to the DMZ switch (enabled promiscuous mode on the vswitch and network)
    - ISE 1.2 Patch 1 installed on the ESX host, two interfaces (Gig 0 and 1), Gig 1 connected to the vswitch and virtual network
    - configured virtual ISE to do http profiling on Gig 1
    Here are some shows:
    #sh moni
    Session 1
    Type                   : Local Session
    Source VLANs           :
        Both               : xx
    Destination Ports      : Gi2/0/48
        Encapsulation      : Native
              Ingress      : Disabled
    #sh run int gig2/0/48
    interface GigabitEthernet2/0/48
    description *** ISE Proxy SPAN Port
    switchport access vlan xx
    The span destination port shows lots of outgoing packets:
    #sh int gig2/0/48
    GigabitEthernet2/0/48 is up, line protocol is down (monitoring)
      Hardware is Gigabit Ethernet, address is 588d.0941.7130 (bia 588d.0941.7130)
      Description: *** ISE-Riker Proxy SPAN Port
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 10/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output 00:22:36, output hang never
      Last clearing of "show interface" counters 03:03:20
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14352300
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 42962000 bits/sec, 13051 packets/sec
         33 packets input, 2436 bytes, 0 no buffer
         Received 33 broadcasts (18 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 18 multicast, 0 pause input
         0 input packets with dribble condition detected
        223104868 packets output, 98731284385 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    But the interface on ISE hardly shows any incoming packets:
    # sh int gig 1
    GigabitEthernet 1
              Link encap:Ethernet  HWaddr 00:50:56:8D:4A:C1
              inet6 addr: fe80::250:56ff:fe8d:4ac1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3810 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:347928 (339.7 KiB)  TX bytes:936 (936.0 b)
              Interrupt:67 Base address:0x20a4
    I have tested whether the vmware virtual network makes the packets disappear; therefore I have connected a windows virtual machine to the same network as ISE.
    Running Wireshark on this windows machine shows me LOOOOOTS of http packets on this virtual network, seems like the ISE nic just doesn't see them ......
    Any ideas ???
    Rgs
    Frank

    1. it is vm, right?    
    Yepp !!
    can you get netstat -i?
    Executed where ?? On the esx host ?? On the ise vm ??
    What do you expect to see ??
    2. Did you configure an ip for the span receive interface?
    No, why should this be necessary ?? (switchport, wireshark, etc. don't need an ip to capture
    packets on a promiscuous interface, even ISE 1.1.4 didn't need one on the http profiling interface .....)
    Configuration guide doesn't say so anyway ......
    if not, you must configure one to make it work.
    looks like you don't have one,,, pls configure one...
    Ok, ok ..., configured an ip address, checked the profiling attributes ...
    Result: did not make any difference ..... (tadaaaahhhhh !!!)
    tcpdump: WARNING: eth1: no IPv4 address assigned
    Right, but tcpdump shows dozens of live packets as they arrive live on ise, they are just not reflected in the "sh int gig 1" counters
    and furthermore not picked up by the application, that is why I would suspect a nic driver malfunction on the underlying linux os ......
    3. on vswitch make sure the port is in promiscuous mode.
    As I already mentioned before in this thread, it is.
    If the vmware virtual network in between ise and the non-virtual network would swallow the packets, why would "tech dumptcp 1" show anything at all ??
    (see screenshots above)
    Rgs
    Frank

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest users at the moment. I've got 2 points I would like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and would ideally like to have just one additional ip helper to add to our switch SVI config. Also, it appears that WLCs can only be configured for 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN into scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
    You can configure Radius and Profiling to be enabled on other interfaces
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2
    If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    –Option 12—HostName of the client
    –Option 60—The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
    On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one from a couple of years ago (there are more recent ones available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!
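    To make the controller-side parsing described above concrete, here is an added example (not Cisco's code, not part of the original thread) that pulls option 12 and option 60 out of a raw DHCP message, which is the data the WLC hands to ISE in the interim accounting update. The sample DHCPREQUEST, the MAC address and the helper names are constructed for the example.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that precedes the option TLVs
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 12, 53, 60, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp_message(client_mac: str, options: list) -> bytes:
    """Build a minimal BOOTP/DHCP client message (op=1) carrying the given
    (code, value_bytes) options. Used here only to construct sample input."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                         0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast bit set)
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,  # ci/yi/si/giaddr
                         chaddr, b"\x00" * 64, b"\x00" * 128)               # chaddr, sname, file
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {code: raw_value} for the TLV options after the magic cookie.
    Handles PAD and END and refuses truncated TLVs instead of reading past them."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value          # last occurrence wins
        i += 2 + length
    return opts


def profiling_attributes(packet: bytes) -> dict:
    """Extract what the controller forwards for profiling: the client MAC plus
    option 12 (host name) and option 60 (vendor class identifier).
    Missing options come back as None; strings are decoded leniently because
    vendor class values are not guaranteed to be clean ASCII."""
    if packet[1] != 1 or packet[2] != 6:      # only Ethernet hardware addresses handled
        raise ValueError("unsupported htype/hlen")
    mac = ":".join("%02x" % b for b in packet[28:34])   # chaddr starts at offset 28
    opts = parse_dhcp_options(packet)

    def text(code):
        val = opts.get(code)
        if val is None:
            return None
        return val.decode("ascii", errors="replace").rstrip("\x00")

    mtype = opts.get(OPT_MSG_TYPE)
    return {
        "client_mac": mac,
        "message_type": MSG_TYPES.get(mtype[0]) if mtype else None,
        "host_name": text(OPT_HOSTNAME),
        "vendor_class": text(OPT_VENDOR_CLASS),
    }


# Constructed sample: a DHCPREQUEST carrying both options the controller looks for.
SAMPLE_REQUEST = build_dhcp_message("00:11:22:33:44:55", [
    (OPT_MSG_TYPE, b"\x03"),
    (OPT_HOSTNAME, b"eng-laptop-07"),
    (OPT_VENDOR_CLASS, b"MSFT 5.0"),
])

if __name__ == "__main__":
    print(profiling_attributes(SAMPLE_REQUEST))
```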

  • ISE 1.2 SNS-3415 NIC Bonding / Teaming

    Hello,
    I have installed the SNS-3415 with ISE 1.2 and I'm trying to set up redundancy (Team) NIC modes for the authentication requests and not for management purposes.
    The tests showed that when one interface was unplugged everything was lost and nobody from our internal users was able to authenticate by the ISE node.
    In contrast, when I unplugged the "second interface" (probably the inactive one) nothing happened, which shows that it is a useless interface.
    My purpose is to connect it to my twin core switches and have a full high availability deployment.
    - I have searched enough on the web but I didn't find any clear and precise document saying how this could be achieved.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_hw_ins_ucs.html#wp1185589
    Themis

    ISE 1.2 does not support NIC teaming.  Especially on appliances.  There is a workaround for VM using the ESXi host to team the NICs so that it is transparent to the VM.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE redundant NICs

    Hello All,
    does somebody know or point me how to configure redundant NICs on ISE Appliance SNS-3495-K9?
    Only redundant mode for CIMC can be configured, but not for the rest. I want to use EtherChannel or active-standby bonding, to have the appliance connected to switches for more redundancy.
    I haven't found anything like this in documentation and I cannot believe that Cisco will not support this feature on their appliances.
    Thanks!
    Karel

    Hello,
    the only document I found regarding the NIC redundancy is as follows:-
    Step During boot up, press F8 when prompted to open the BIOS CIMC Configuration Utility. The following screen appears.
    Step Set the NIC mode to your choice for which ports to use to access the CIMC for server management (see Figure 1-3 on page 1-3 for identification of the ports):
    –Dedicated—The 1-Gb Ethernet management port is used to access the CIMC. You must select NIC redundancy None and select IP settings.
    –Shared LOM (default)—The two 1-Gb Ethernet ports are used to access the CIMC. This is the factory default setting, along with Active-active NIC redundancy and DHCP enabled.
    –Cisco Card—The ports on an installed Cisco UCS P81E VIC are used to access the CIMC. You must select a NIC redundancy and IP setting.
    Note The Cisco Card NIC mode is currently supported only with a Cisco UCS P81E VIC (N2XX-ACPCI01) that is installed in PCIe slot 1. Refer to the following section in the Cisco UCS C220 Server Installation and Service Guide: Special Considerations for Cisco UCS Virtual Interface Cards.
    Step Use this utility to change the NIC redundancy to your preference. This server has three possible NIC redundancy settings:
    –None—The Ethernet ports operate independently and do not fail over if there is a problem.
    –Active-standby—If an active Ethernet port fails, traffic fails over to a standby port.
    –Active-active—All Ethernet ports are utilized simultaneously.
    For further details please follow the link below:-
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html

  • Expanding the NIC on a Cisco 3315 NAC/ISE appliance

    Hi All,
    Is it possible to add another NIC to the Cisco 3315 NAC appliance? It ships with four Ethernet interfaces, but I would like to add at least 1 extra interface, i.e. a PCI card, if possible.
    thanks
    LD

    Other interfaces can be used for the various probes, like SPAN, DHCP, etc.  Also for inline posture, you can see there are multiple interfaces needed when using high availability.
    References:
    ISE Config Guide - Configuring Probes (note the various probes that have an interface option)
    http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html#wp1555646
    Cisco Identity Services Engine User Guide, Release 1.1.1, Setting up Inline Posture
    Figure 10-4 Inline Posture Routed Mode High Availability Example
    http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/user_guide/ise_ipep_deploy.html#wp1140749
    Jatin Katyal
    - Do rate helpful posts -

  • NIC config on ISE 3395

    Hi,
    I've read that the 3400-series is running Shared LOM in active/active. Does that mean that it will load balance the traffic between the two NICs?
    Does the 3300-series have the same feature?
    Regards,
    Philip

    You cannot load balance the Radius traffic on different ISE interfaces. At least not yet. I know it has been suggested in the past so perhaps Cisco will implement it in a future release.
    With that being said, the additional interfaces can be used for:
    - Dedicated connection for the "guest" network
    - Dedicated interface for different profiling probes
    - Dedicated interfaces for span based connections
    Hope this helps
    Thank you for rating helpful posts!

  • Logical Profiles in ISE 1.2.1

    I'm having trouble understanding the Logical Profiles.
    What I understand from the user guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#58510
    for those too lazy to read:
    You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple condition for authorization, which can be included in the authorization rule. The attribute-value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which can be found in the EndPoints systems dictionary.
    so I thought that meant that I can group Different Profiles (Apple Iphone, Ipad, Ipod) together into a logical group e.g. "BYOD_Idevice" and use this logical profile in the Authorization. 
    But I can't choose this freshly created Logical Group in the Authorization Condition. As a matter of fact, I can't choose this logical group ANYWHERE.
    Leaning back and thinking about it - it somehow makes sense. In the Authorization, you don't pick Profiles, you choose Identity endpoints. So what's the point of the logical profiles? I was hoping to clean/lean up my authorization rules with them. But what else would I use them for?
    Or is this a bug in ise 1.2.1? Not sure if I should call tac about this, or if I'm just not getting it :D
    Thanks a lot for your help!

    Nice username! :)
    So yes, you are correct, the logical profiles would allow you to group different type of dynamically profiled devices and then reference that profile in your authorization rules. However, you won't see those logical profiles under the "Identity Group Details" section. You will need to leave that field blank. Instead, you need to look in the "second" condition box: expression > Endpoint > LogicalProfile
    Hope this helps!
    Thank you for rating helpful posts!

  • ISE 1.2 Anomalous Client Detection

    Hi Community!
    ISE 1.2 with patch 8,9.
    On MAB authentication with redirection I have clients that are suppressed by the RADIUS setting mentioned in the title. I have seen this post where suppression can be disabled, the thing is that it's not working at all.
    Testing, I have done this:
    1. Set the fields in Administration > System > Settings > Protocols > RADIUS to default values.
    2. Retired MAC address from Endpoints in Administration > Identity Management > Identities > Endpoints.
    3. Tried to connect with same device until 5434 Endpoint conducted several authentication attempts from same scenario error appears.
    4. In the first test the attribute "IsEndpointInRejectMode" was set to true, added the MAC in Disable Suppression > Result NOT ALLOWED
    5. In the second test the attribute "IsEndpointInRejectMode" was set to false,  added the MAC in Disable Suppression > Result NOT ALLOWED
    So none of these tests have been working at all.
    Am I expecting something that cannot be achieved?
    Why did it work before? Client states that after enabling dot1x it stopped working (We all know this is completely unrelated, unless bug)
    Any thoughts?

    Clients are being blocked even though suppression is disabled. The suppression is disabled via Collection Filters. One case I've seen is that if the MAC is not in the database (manually added) and suppression is enabled via collection filters, the endpoint no longer triggers the IsEndpointInRejectMode flag, so for me that means suppression is working.
    Yes, retiring is deleting the endpoint from the database and for this particular client I have "disabled" profiling(I mean no RADIUS, DHCP or any checkboxes in deployment tab) .
    I have not checked client exclusion in WLC but that would be a nice place to look next time.
    It's difficult for me to post the screens at the moment, but basically is the same as when the 5434 error shows. One with the flag set to true (IsEndpointInRejectMode) and the other set to false.
    For me it's something about timing and the way the client sees that this worked immediately before.  

  • Disk size in ise

    Hi
    I have a strange problem after installing licenses in ISE; the following information is in a "show tech":
    This info is for 1.3 clean install + license.
    % WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
    % RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 0 GB
    It is the same in the Eval version but in this server there is a 2500 license
    The same is observed in both ISE 1.2.1 and 1.3 (running a POC on ISE)
    When trying to upgrade ISE 1.2.1 > 1.3 the following output
    Getting bundle to local machine...
     md5: ad7d87d383661bce671804a9e125e42b
     sha256: 2a7ebe5196e3d956ac42ec2e5acdf3815a3e0f80db954b58e2c68843bb3c42fd
    % Please confirm above crypto hash matches what is posted on Cisco download site.
    % Continue? Y/N [Y] ? Y
    Unbundling Application Package...
    Initiating Application Upgrade...
    % Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
    -Checking VM for minimum hardware requirements
    % Error: At least 100GB sized hard disk required for upgrade.
    the disk is
    Hard Disk Count(*): 1
    Disk 0: Device Name: /dev/sda
    Disk 0: Capacity: 644.20 GB
    Disk 0: Geometry: 255 heads 63 sectors/track 78325 cylinders
    Thanks 
    Erik Loeth

    Attached is the output from VMware, this is made with the OVA
    ISE-1.3.0.876-virtual-SNS3495-2.ova
    The disk output from show inventory
    NAME: "ISE-VM-K9          chassis", DESCR: "ISE-VM-K9          chassis"
    PID: ISE-VM-K9         , VID: V01 , SN: XXXXXXXXXXXXXXX
    Total RAM Memory: 16467264 kB
    CPU Core Count: 4
    CPU 0: Model Info: Intel(R) Xeon(R) CPU E7- 4870  @ 2.40GHz
    CPU 1: Model Info: Intel(R) Xeon(R) CPU E7- 4870  @ 2.40GHz
    CPU 2: Model Info: Intel(R) Xeon(R) CPU E7- 4870  @ 2.40GHz
    CPU 3: Model Info: Intel(R) Xeon(R) CPU E7- 4870  @ 2.40GHz
    Hard Disk Count(*): 1
    Disk 0: Device Name: /dev/sda
    Disk 0: Capacity: 644.20 GB
    Disk 0: Geometry: 255 heads 63 sectors/track 78325 cylinders
    NIC Count: 1
    NIC 0: Device Name: eth0
    NIC 0: HW Address: XXXXXXXXXXXXXXXXXX
    NIC 0: Driver Descr: Intel(R) PRO/1000 Network Driver
    (*) Hard Disk Count may be Logical.
    Regards
    Erik Loeth

  • ISE 1.2 Error Messages

    Hi forum,
    We have an ISE deployment that we are lab testing.
    This is running v1.2.0.899 with Patch 2 installed.
    We have an authC policy configured for domain-joined computers for 802.1x and domain credentials:
         Condition: Wired_802.1X
         Allow Protocols: PEAP_CHAPv2
         Use: AD
    This works, and authenticates both the machine (pre-login) and user (post-login).
    However, I am seeing some errors in the Auth logs before the 5200 Authentication succeeded message.
    These messages are not shown in the Cisco ISE Log Messages spreadsheet!
        5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session.
        5405 RADIUS Request dropped
        5440 Endpoint abandoned EAP session and started new
    Has anybody else experienced this or can explain why I am seeing this behaviour?
    All helpful responses rated!
    Thanks Ash.

    This is an external defect but duplicate of
    CSCui21439    message texts do not reflect 1.2 added/modified value
    I'm going to paste the description/content here from the defect.
    Environment:
    Build: 1.2.0.891
    install from iso and configured from scratch.
    Deployment:
    Node1: pri(A), Pri(M),PDP
    Node2: Sec(A)
    Node3: Sec(M)
    Node4: PDP
    Node5: PDP
    Node4 and Node5 were placed in node group.
    Procedure:
    1. configured multiple nics on node4 and node5 with ip address and host alias.
    2. Configured policy sets to serve requests coming for eth0 and eth1.
    3. tried round-trips ( BYOD flows ) with both eth0 and eth1.
    Observation:
    1. Under live authentications page, admin could see events which are having below failure reasons without event details ( i.e. event column is blank )
    "5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session."
    "5440 Endpoint abandoned EAP session and started new"
    2. But under Operations -- > Reports -- > Auth service status --- > Radius errors report, event details do appear
    so the problem is that in reports the admin is able to see event details for the above failure reasons but not in the live authentications page.
    so, there is no functional impact as the admin can see event details from the reports section.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE 1.2.1 logs full of Identity/Endpoint ID of 00:00:00:00:00:03, authentication failed

    After an upgrade to 1.2.1, I now see a lot of auth failed entries with an Identity/Endpoint ID of 00:00:00:00:00:03.
    I don't see this MAC on the switch port of the NAS where ISE reports it.
    Anybody know what this is and how to stop it from happening?
    thanks

    Answers are:
    It's an HP ESXi server. 2x Win7 VM PCs run on this machine, each with a dedicated NIC.
    I haven't, will shut the VM's and shut the ports and see what happens.
    The auth session shows the MAC, but the switch MAC table doesn't
    SW1-C3750X#show authentication sessions int gi 1/0/19
    Interface MAC Address Method Domain Status Fg Session ID
    Gi1/0/19 000c.2931.54f6 dot1x DATA Auth 0A0A01FE000000870EDF8C3B
    Gi1/0/19 0000.0000.0003 N/A UNKNOWN Unauth 0A0A01FE000000B219576F86
    SW1-C3750X#show mac address-table int gi 1/0/19
    Mac Address Table
    Vlan Mac Address Type Ports
    100 000c.2931.54f6 STATIC Gi1/0/19
    Thanks for replying.

  • ISE url-redirect CWA to Gig1

    Hello,
    say I want to have five ISE 1.3 nodes behind a load balancer; I want only G0 behind the LB, and G1 interfaces will be dedicated for certain things. Specifically I want to use the G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through the LB on G0 of some specific PSN, and that PSN will url-redirect the user to the CWA URL.
    How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check the result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to process the policy is unpredictable.
    So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
    But then, why does it let me choose multiple interfaces, what happens if I select all of them?
    Am I missing another spot in ISE admin where I can control this?
    Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
    Thanks!

    Take a look at the following document:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
    Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
    • Cisco ISE management is restricted to Gigabit Ethernet 0.
    • RADIUS listens on all network interface cards (NICs).
    • All NICs can be configured with IP addresses.
    So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with. 
    I hope this helps!
    Thank you for rating helpful posts!

  • Cisco ISE 1.2 MDM Integration Question

    I have a working Cisco ISE 1.2.1 install which I've performed the integration to our MobileIron server. The "integration test" reports that the integration is good, but whenever ISE verifies MDM compliance, registration, etc.. with MobileIron when a mobile device connects it always reports that all statuses are good even if they aren't.
    My test phone is out of compliance on Mobileiron because of an unapproved app, but when the phone connects ISE believes the MDM compliance status is good. I'm not sure if it isn't really checking with MDM or if the Mobileiron server is reporting erroneous results.
    I also saw in a video that the phone has to be registered with MobileIron through ISE. Is this correct? I don't plan to on-board devices with MobileIron through ISE; it will be done directly through MobileIron (not connected to the Wifi network).
    I only want ISE to check the compliance status of the device against MobileIron and quarantine if it isn't compliant or MDM registered.
    Any help would be appreciated

    Saurav and others,
    Unfortunately, on-boarding sets some attribute fields on the endpoints that will then allow them to participate in a policy. It is nice that we all have MDM integration working but we almost need another class of on-boarding for corporate devices that are already in the MDM of choice (where we prefer to manage them!) 
    There is a little-documented feature in ISE.
    It appears to me that;
    the on-boarding turns on the following states for the endpoint;
    BYODRegistration
    No   ( No becomes Yes)
    DeviceRegistrationStatus
    NotRegistered   (becomes Registered)
    ( The device is actually registered in MobileIron - this means did ISE register with MI. )
    No MI attributes will work without this magic. TAC engineers I have dealt with don't seem to understand this feature.
     This is definitely an enhancement that is needed.   

  • ISE 1.2/1.2.1 license consumption issues

    Hi all, I know this topic is somewhat done to death but I want to know whether anyone else is experiencing this issue. In summary my ISE deployment (right this minute) has 17 Active sessions with 17 base and 17 plus licenses consumed. My issue with this is that of the 17 active sessions only 8 of these sessions are utilising a plus feature ie the registration status in the authorisation policy. In short at all times the plus license consumption always matches the base license consumption.
    I have continually had this issue with all ISE deployments whereby the license consumption does not reflect Cisco documentation and my configurations. Without giving screenshots I can say with certainty that the only plus feature being used is the BYOD onboarding and subsequent registration status in the authz policy. The rest of my policies are straightforward CWA guest and EAP-TLS machine cert authorisations with no profiling information used in the policy. I have gone so far as to turn off profiling and remove BYOD policies with the same results.
    The following document clearly states what should and shouldn't consume a license:
    http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.pdf
    Any input would be appreciated.

    The bug is listed as fixed, but I don't see which software it is fixed in. I must admit I've seen this problem for months, probably over a year now. It was already the case on 1.1.4 at least. I have some customers using 1300 of 500 advanced licenses.
    It would be nice if it functioned exactly as the documentation always said. It would give you a warm feeling that things will keep working when the advanced license expires entirely (I'm sure we'll find out soon).
    At one point I was told it was under discussion whether to fix the problem, or to fix the documentation to fit the problem, but last I heard it would be fixed at some point in the future. Every time we get a call regarding new software (1.2.1, 1.3) I make sure I ask them that the trust based licensing continues. We're OK as long as trust based licensing continues, but it's scruffy and hard to explain to customers why it shows 3 times as many advanced users as they already have. And then on occasions you see their eyes light up when they realise they can run 3000 advanced and Cisco will be none the wiser, or alternatively that they could have got away with a 100 user license and you've just cost them a 5000 user license that nobody can tell if they are using or not.
