ISE on UCS Platform with UC

We are looking to deploy ISE supporting 5000 devices and would like to use the Cisco UCS platform to host this. Looking at the spec required a C22 M3 would be sufficient; however we would also like to host some UC applications on the same server if resources allow.
Therefore we would like to deploy ISE on a C220 M3 server and connect the associated NIC to a DMZ. We would then like to deploy UC applications such as CUCM and CUPS on the same UCS server with a NIC attached to the internal network.
Can anyone foresee any issues with this configuration?
Also, while the UC application would require a UC Foundation License (R-VMW-UC-FND5-K9), would this also meet the requirements for ISE?

Steward,
Just so you are aware, Cisco ISE is an ATP solution that can only be purchased through approved VARs. There is an HLD process that the VAR must submit on your behalf before the purchase is approved.
You mentioned connecting one NIC to the DMZ, which is used for the ISE appliance. Is profiling part of your deployment? If so, then you may have issues with activating those probes. Also, if you are using 802.1x, then you will need to allow access for ISE to reach your domain controllers, which could be spread across your network.
Keep these few items in mind before moving forward with any hardware purchase.
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • ISE reauthentication in wireless with posture

    Hi,
    There is an issue with the wireless reauthentication in our environment. The posture feature has been used and everyone installed the Cisco NAC agent. I found that if someone disconnects from the wireless SSID, then reconnects to the wireless SSID by authenticating the identity and being compliant, they can't be transferred to the right SSID again. Can anyone help resolve this problem?

    Please follow this link to configure your settings
    https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configuring-posture-services-with-the-Cisco-Identity-Services/ta-p/221702
    Also check this for troubleshooting:
    https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/ISE-Posture-Agent-Profile-Parameter-Details-NACAgentCFG-xml/ta-p/239024

  • UCS integration with vSphere - invalid URI error

    Hi,
    I am struggling to integrate UCS Manager with vSphere vCenter.
    The vCenter extension is being exported from UCSM without any errors, but when trying to install the plugin via vCenter Plug-in Manager I am getting this error:
    "Invalid URI: The URI is empty"
    I've found this on the web, but this doesn't bring me any closer to resolving the problem:
    http://terenceluk.blogspot.com/2010/11/error-message-when-clicking-on-download.html
    Any hints?
    Regards,
    Radek

    Hi Radek,
    So as long as the file is registered in the plugins within vCenter, and they show up in the list of plugins, then that is all you need to do. You do NOT need to click the "Download and Install" button as it will not work, as you have experienced. This is because it is an XML document used to enable and validate communication between UCS/Nexus 1000v and your vCenter server. There is no actual application that is executed and needs to be installed.
    Hope that helps to clarify
    Thanks,
    Michael

  • The Fibre Channel Platform Registration Service could not register the platform with fabric

    Hyper-V Cluster. HP StorageWorks 82E 8 Gb PCI-e Dual Port FC HBA.
    Every 15 minutes, the event log registers a warning.
    EventID: 2 Source:2
    The Fibre Channel Platform Registration Service could not register the platform with fabric 10:00:00:05:1e:7f:74:7b.
    I have tested the service, and it's started. The cluster storage validation report shows no failures.
    Can someone suggest any ideas?
    Thanks.

    Hi,
    What’s the OS version of your cluster node?
    The Microsoft Fibre Channel Platform Registration Service registers the platform with all available Fibre Channel fabrics and maintains the registrations. A fabric is a network topology where devices are connected to each other through one or more high-efficiency data paths. This service is used in support of storage area networks.
    This service is installed by default on Windows Server 2008, and the service startup type is Manual.
    You may try hotfix in KB 978790, and check the result.
    For more information please refer to following MS articles:
    The File Share Witness resource is in a failed state even though the File Share Witness directory is available, and quorum cannot be maintained in a Windows Server 2008 failover cluster
    http://support.microsoft.com/kb/978790
    cluster resources unresponsive
    http://social.technet.microsoft.com/Forums/hu/winserverClustering/thread/886a9cb3-7723-4b64-8c15-602dadf5ced9
    Hope this helps!
    Lawrence
    TechNet Community Support

  • How can I develop co-browsing on Windows platform with java language?

    How can I develop co-browsing on Windows platform with java language?
    The function to be realized
    Now I want to develop a co-browsing system with the Java language on the Windows platform. That is to say, I will develop
    an application that runs on the client to track the present browser. When the URL address of your present browser is changed (for example
    when you click a link or submit a form), the application will capture the new URL address and send it to the other
    client that has made a co-browsing connection with you. The browser on the other client side will catch the new URL and refresh
    the page to show the page.
    The questions I have come across and want to ask you
    (1) How to watch a system process with Java on the Windows platform? Because I want to get the process information of
    the present browser, and then get the URL address of the present browser.
    (2) Develop an application to watch the URL address of the present browser continuously. If the URL address is changed,
    then send the new URL address to the client on the other side and let his browser show the new page using the new URL.

    Paulc, A proxy server is not the right thing.
    What our man here is looking for is a solution for two
    users to kind of surf the net "in tandem" - when one
    user navigates to a different web page, so does the
    other user,
    These are typically used in call center applications
    where the advisor guides a caller through, say,
    filling in an insurance form or pointing him to the
    right product specification pages.
    Xing, why are you using Java for this ? You need
    something that has better windows integration. If you
    look on MSDN.microsoft.com and search for "explorer
    bar" you will find solutions to the questions that you
    raised.
    There are also commercial products on the market that
    already do this kind of stuff. There is one from
    www.genesyslabs.com which is considered to be the best
    of breed.
    It is difficult or almost impossible to do this in
    Java for a commercial application.
    If you are developing this as an academic exercise,
    give it a try. Post your email address here, and I
    will contact and help you out if you like.

    My e-mail is below. I want to contact you and need all of your help.
    [email protected]

  • UCS C220 with raid v6 problem(not support any CUCM versions)

    Please help me with the problem below.
    After installing UCS C220 with RAID 6, I tried to make a new v-machine for CUCM but it gives me the message below:
    The hardware you are using is not supported for this product. Installation will now halt.

    Are you using the CUCM OVA?
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Cisco UCS-C200M2 with Unified Communication Products

    Hi,
    Does anybody know which Unified Communication products we can install on the Cisco UCS solution with EXS VMware ESXi 4.0 Standard Edition?
    If there are any other products, please let me know that also.
    Thanks in Advance.
    Regards,
    Sunish

    Yes, the DocWiki covers this on the Supported Applications page. It is worth mentioning that there are specific hardware component requirements of the C200M2 for VTG support.
    Please rate useful responses.

  • UCS C24M3 with UCS-RAID9270CV-8I battery missing ???

    Hello,
    We bought 5 UCS C24M3 standalone servers for one of our customers with RAID controller UCS-RAID9270CV-8I, but the Supercap (battery) seems to be missing, so only write through cache policy is possible (instead of write back cache policy) ==> result: poor performance on VMware VMFS...
    How should I contact Cisco about this problem (I think it was forgotten during the factory assembly of the servers)?
    Thank you for your feedback.
    Best Regards,
    Boris
    MegaRAID9270 CV with 8 internal SAS/SATA ports with Supercap

    Hi Boris, 
    Could you please unicast me your contact information along with the Sales Order Number? I had the platform product manager reach out to me about this already and I can put you in contact with her. 
    My contact e-mail is: jeffoste at cisco dot com
    Jeff

  • ISE 1.2 CWA with Multiple PSNs - SessionID Replication / Session Expired

    Hi all.
    I have two (2) Policy Services Nodes (PSNs) in an ISE 1.2 deployment running patch 1. We are using Wireless MAB and CWA on 5760 Wireless LAN Controllers running v3.3.3.
    We are hitting an issue wherein a client first passes MAB and then gets redirected to a CWA custom portal. The client then receives a Session Expired message. This seems to be related to the fact that CWA is technically a 2-stage authentication (MAB by the WLC and then CWA by the client). Specifically, it seems to happen when the WLC makes its MAB RADIUS access-request to PSN-1 and then the client comes in to PSN-2 to complete the CWA. This issue does not happen when only one PSN is in use and all authentication traffic (both MAB RADIUS and CWA) is directed at a single PSN.
    Clients resolve the FQDN in the redirect URL using public DNS and a public DNS zone file (call it cwa-portal.example.com). cwa-portal.example.com has two A records for the two PSN nodes. DNS is responding to queries using DNS round-robin.
    I have the PSNs configured in a Node Group for session information replication between PSNs, but this doesn't seem to make a difference in behavior.
    So I ask:
    What is the recommended architecture for CWA when using more than one PSN? It seems that you would need to keep the two authentication flows pinned together so that they both hit the same PSN when using more than one PSN in a deployment. A load balancer balancing on the SessionID string comes to mind (both the RADIUS MAB request and the CWA URL contain this unique per-client SessionID), but that seems terribly overbuilt for a seemingly simple problem. On the other hand, it also seems like using a Node Group setup should easily be able to replicate client SessionIDs to all nodes in the deployment so that this isn't an issue. I.e., if the WLC authenticates MAB on PSN-1, then PSN-1 should tell the Node Group about it such that when the client CWA's on PSN-2, PSN-2 doesn't respond with a Session Expired message.
    Is there any Cisco documentation that talks about this?
    Possibly related:
    https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
    Justin

    Tim,
    Thanks for your reply and confirming my suspicion. Hopefully a future version of ISE will provide automated SessionID synchronization among PSNs so that front-end finagling in a multi-PSN environment won't be necessary.
    For anyone else with this issue who for whatever reason can't implement a load balancer(s), I built an automated EEM applet running on a "watchdog" switch (3750 running 12.2(55)SEE9) using IPSLA tracking that senses when PSN1 is down and then:
    - modifies an ASA to change its client-facing NAT statement for PSN1 to PSN2
    - modifies the primary and HA wireless LAN controllers to change their MAB RADIUS aaa server group to use PSN2
    - reverts the ASA and WLCs to using PSN1 when PSN1 is detected up and running again
    The applet ensures the SessionID authentications stay "glued" together so that both WLCs and the client hit the same PSN for both stages of authentication. It's failover only, not a load balancing solution, but it meets our current project's need for an automated HA environment.
    PM me if you want the code. I have a little too much going on ATM to sanitize and post it. :)
    Justin
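
A small model of the two-stage MAB-then-CWA flow discussed in this thread, added here as an illustration and not code from either poster or from Cisco. It compares DNS round-robin, SessionID-keyed selection and the failover-only approach, assuming each PSN knows only the sessions it authenticated itself (the behaviour reported above); the `PSN` class, function names and SessionID strings are hypothetical.

```python
import hashlib
from itertools import cycle

class PSN:
    """Toy Policy Services Node that only knows sessions it authenticated itself."""
    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def mab(self, session_id):
        # Stage 1: the WLC's MAB RADIUS Access-Request creates the session here.
        self.sessions.add(session_id)

    def cwa(self, session_id):
        # Stage 2: the client's browser presents the same SessionID to the portal.
        return "portal-ok" if session_id in self.sessions else "session-expired"

def new_psns():
    return [PSN("PSN-1"), PSN("PSN-2")]

def pick_by_session(psns, session_id):
    # Deterministic choice keyed on the SessionID, as a load balancer could do.
    digest = hashlib.sha256(session_id.encode()).digest()
    return psns[int.from_bytes(digest[:4], "big") % len(psns)]

def run_round_robin(session_ids):
    # RADIUS always goes to PSN-1; the portal FQDN alternates between A records.
    psns = new_psns()
    dns = cycle(psns)
    results = []
    for sid in session_ids:
        psns[0].mab(sid)
        results.append(next(dns).cwa(sid))
    return results

def run_sticky(session_ids):
    # Both stages are steered by the same SessionID hash.
    psns = new_psns()
    results = []
    for sid in session_ids:
        pick_by_session(psns, sid).mab(sid)
        results.append(pick_by_session(psns, sid).cwa(sid))
    return results

def run_failover(session_ids, psn1_up):
    # Active/standby: WLC and client-facing NAT both point at one PSN at a time.
    psns = new_psns()
    active = psns[0] if psn1_up else psns[1]
    results = []
    for sid in session_ids:
        active.mab(sid)
        results.append(active.cwa(sid))
    return results

# Constructed SessionID strings, not taken from a real deployment.
SAMPLE = ["0a0a0a0100000001aa", "0a0a0a0100000002bb",
          "0a0a0a0100000003cc", "0a0a0a0100000004dd"]

if __name__ == "__main__":
    print("round-robin:", run_round_robin(SAMPLE))
    print("sticky:     ", run_sticky(SAMPLE))
    print("failover:   ", run_failover(SAMPLE, psn1_up=False))
```
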

  • How to use MS DirectAccess to connect ECC platform with 2 instances

    We have an ECC Platform (6.0 Ehp4) with 2 instances. We connect to this platform through SAP GUI (7.30 SP7).
    Currently we supply remote access service via an SSL gateway. We want to implement the Microsoft DirectAccess component to provide this service.
    Our 2-instance platform is made from a Microsoft cluster.
    When we configure the SAPGui with instances, the DirectAccess works very well. When we use two instances with a logical there is an error name: the connection is established, the system load distribution of SAP means a node and receives a message "address xx.yy.zz.uu don 't reache "
    Does anyone have a similar configuration?
    Has someone found a solution to work with DirectAccess in SAProuter?
    Thank you for your answers. Thierry

    Hi Thierry,
    Did you find a solution to connect to an SAP logon group?
    Regards,
    Diane Szmurlo

  • ISE 1.2 issue with CWA (Error : Your session has expired)

    Hi,
    We have an ISE deployment with two administration nodes and two service policy nodes running 1.2.1.198, with CWA for wireless guest users (Cisco WLC). Suddenly, many guest users faced an issue where the login page is redirected but after inserting user/password it gave "Your session has expired. Sign on again"
    Authentication logs on ISE show:
    Event  5418 Guest Authentication Failed
    Failure Reason  86017 Session Missing
    Resolution  Please contact your Administrator
    Root cause  SessionID is missing. Please contact your System Administrator
    We suspected the bug CSCul10677, but it is fixed in 1.2.1.198. We reloaded the two service policy nodes and that resolved the issue temporarily, but it showed back after a couple of hours. The issue appeared with some users, not all, and with no specific devices or operating systems.
    Any ideas?
    Regards,
    Mohammad

    Please refer to the link: https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
    Workaround:
    Terminate session from admin UI and type in the original URL to redirect to guest portal with a new session-id.
    Disconnect SSID, wait for a few minutes, reconnect and enter the original URL to redirect to guest portal with the new session-id.

  • Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

    Hi,
    I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
    My authentication and authorization rules relating that case are as on following screenshots:
    So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
    Looking in ISE's Authentication section I can see following:
    Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
    So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting a failure. So what could be the cause of such things, and how can I successfully log in to the PI GUI authenticating via ISE using AD credentials?

    Hi,
    -- Please Go to Administration > Logging > set the Message level to TRACE > Click save
    -- Then try to add the ISE.
    -- Once it fails, collect the logs from Administration > Logging > 
    check the "ncs-0-0.log"  & search the file for "ERROR" & paste the results here. This will give us exact reason.
    - Ashok
    Please rate the post or mark as correct answer as it will help others looking for similar information

  • Cisco ISE 1.2.x with Posture Configuration - Windows Patches

    Hi, does anybody have any experience in integrating Cisco ISE Posture with Microsoft SCCM?
    With WSUS this works fine, but with SCCM I don't have any idea how to proceed. Does anybody know what is included in the predefined rules pr_WSUSRule and pr_WSUSCheck? I can't find any information in the ISE Console or Cisco documentation.
    Thanks.

    Once the agent performs the posture checks containing the Windows hotfix checks, if the administrator configured the Launch Program Posture Remediation, the agent will launch the script file which will initiate the Windows hotfix updates via the SCCM client configuration manager pre-installed/pre-configured on the box.

  • ISE 1.2 Profiling with iPAD Mini and Chromebooks

    Has anyone run into issues with profiling devices properly with iPAD mini and Chromebooks? Recent testing with a customer shows that ISE was not able to identify the devices properly. We have a case opened with Cisco; they came out with a patch for Chromebook last week but it is still broken, and we are continuing to pursue it with TAC. Just wondering what others have come across.

    Hi Tarik,
    Thanks for the reply. I am testing this for Mike. We have setup ISE 1.2 ( running latest patch 4) for wireless BYOD
    Issue: Chrome Book Device Registration - Not Supported
    Issue: Chrome Book Profile - Unknown
    Probes Enabled - DHCP / RADIUS / HTTP / SNMP

  • ISE 1.1.2 with Bluecoat ProxySG

    Hi,
    As I understand it, Cisco ISE performs the function of a RADIUS server. So, if I use Bluecoat ProxySG as a RADIUS client, the authentication should work as it should, right?
    I have tried this with FreeRADIUS and Bluecoat ProxySG and it's working fine.
    Has anyone tried this integration between ISE and Bluecoat?
    Sent from Cisco Technical Support Android App

    Hi,
    I am experiencing the same issue described above, with a similar network layout:
         BlueCoat1---N2K---2*N5K(vPC)---2*C6880(VSS)---Inter Datacenter Links---2*C6880(VSS)---2*N5K(vPC)---N2K---BlueCoat2
    I have configured an IGMP querier in the BlueCoat VLANs on both 2*N5K(vPC), even if on one 2*N5K(vPC) should be enough. 
    For each VLAN I've used the same free IP-Address on all 4 N5K:
         Is that correct?
    I am asking because the Cisco documentation says that only the one with the "lowest IP-Address (?)" will be active:
         How should the IGMP-Querier-election work in my case?
    Any help will be really appreciated.
    Many thanks
