ISE Policies

Similar Messages

• VLAN for WLC interface (ISE Policies Based on SSID)

  I have ISE 1.1 and WLC 2504
  I used this link http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bed902.shtml
  But I am confuse on the WLC configuration
  If I have only one ESSID for corporate user(and many DATA vlan because each AD group is assosiated to one specific  VLAN)
  I have already created Management interface associated with management Vlan
  Wich interface interface should I associate on the corparate WAN ( WLAN  -->General --->Interface/interface group)  ?
  Should I create another interface ? wich Vlan ID should I associate to this interface
  or should I use Management  interface
  Please advise

  check the following links , they are very helpful:
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bc8129.shtml
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
  Please make sure to rate correct answers

• [Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB

  Hi everyone,
  After reading some documentation about using MAB in a trunk port with the 3850 I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB in a trunk port the mac address of the AP it´s no visible in the "show mac address interface" and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
  Let me show you what I have,
  interface GigabitEthernet1/0/3
   description AP
   switchport trunk native vlan 999
   switchport mode trunk
   trust device cisco-phone
   authentication event fail action next-method
   authentication host-mode multi-host
   authentication order mab dot1x
   authentication priority dot1x mab
   authentication port-control auto
   mab
   snmp trap mac-notification change added
   snmp trap mac-notification change removed
   dot1x pae authenticator
   dot1x max-req 4
   auto qos voip cisco-phone
   service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
   service-policy output AutoQos-4.0-Output-Policy
  ############################################# switch model - 3850 ##################################################
  SW1#sh mac address-table interface GigabitEthernet1/0/3
            Mac Address Table
  Vlan    Mac Address       Type        Ports
  SW1#sh dot1x interface Gi1/0/3
  Dot1x Info for GigabitEthernet1/0/3
  PAE                       = AUTHENTICATOR
  QuietPeriod               = 60
  ServerTimeout             = 0
  SuppTimeout               = 30
  ReAuthMax                 = 2
  MaxReq                    = 4
  TxPeriod                  = 30
  Switch Ports Model              SW Version        SW Image              Mode
  *    1 56    WS-C3850-48P       03.03.03SE        cat3k_caa-universalk9 INSTALL
  ############################################# Different switch model - 2960 ##################################################
  interface GigabitEthernet1/0/1
   description AP
   switchport trunk native vlan 999
   switchport mode trunk
   srr-queue bandwidth share 1 30 35 5
   priority-queue out
   authentication event fail action next-method
   authentication host-mode multi-host
   authentication order mab dot1x
   authentication priority dot1x mab
   authentication port-control auto
   mab
   snmp trap mac-notification change added
   snmp trap mac-notification change removed
   mls qos trust device cisco-phone
   mls qos trust cos
   dot1x pae authenticator
   dot1x max-req 4
   auto qos voip cisco-phone
   service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
   SW1#$cation sessions interface GigabitEthernet1/0/1
              Interface:  GigabitEthernet1/0/1
            MAC Address:  xxxx.xxxx.4a38
             IP Address:  172.18.1.170
              User-Name:  xx-xx-xx-xx-4A-38
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-host
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A18129D000060E39DAE8A8A
        Acct Session ID:  0x0000725D
                 Handle:  0x0F00028C
  Runnable methods list:
         Method   State
         mab      Authc Success
         Switch Ports Model              SW Version            SW Image                                                                                             
       1 28    WS-C2960X-24PS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M      
   SW2#sh dot1x interface Gi1/0/1
  Dot1x Info for GigabitEthernet1/0/1
  PAE                       = AUTHENTICATOR
  QuietPeriod               = 60
  ServerTimeout             = 0
  SuppTimeout               = 30
  ReAuthMax                 = 2
  MaxReq                    = 4
  TxPeriod                  = 30
  Am I doing something wrong?
  BR,

  I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :) 
  Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it. 
  Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it. 
  Thank you for rating helpful posts!

• ISE - Guest - permanent access for specific device

  Hello,
  In brief: I'm using ISE 1.2, 5508 wlc and few 3702-I APs - brodcasting 2 SSIDs: Internal and Guest (Internet olny). Guest SSID forces user to provide username and password through guest portal.
  Is there any way to configure some policy on ISE to allow specified mobile device(s) (filtering by IMEI or MAC address) access to Internet via Guest network without necessity of provide username and password? An exception that is avoiding guestportal and/or permanent remember that particular device.

  Hey kkoziarski,
  It sounds like you are looking for the functionality of that known as Web Passthrough.  Where the device can just view some TOC and possibly be presented with a Guest AUP.  This is something that is doable with a Standalone WLC, as I am sure you know.
  Funny thing is that I was coming here to post something along the same lines.  I've spent the past week researching and trying some configs on both ISE 1.2 and ISE 1.3.  It appears that the final answer is no.  This wouldn't be performing any authentication and neither would it be applying any permissions to the device/user, which at that point - it wouldn't be utilizing any of the functionality of ISE.
  What I have found is that there are 2 methods that can offer a similar experience, but will not be a true Webb Passthrough, and it will not be easily configurable.
  1.  Creating a customized HTML page for the WebAuth AUP, that would then have the username and password embedded in the code, and more than likely need to be linked to the Submit button or something of that nature.
  2.  Utilizing ISE policies on a per-WLAN basis and including specific attributes, which would then have to communicate with the above custom HTML page.
  Any other users out there, please feel free to correct me if I am wrong!  I wonder if they will ever come out with a feature as such :/

• ISE and SIEM integration

  Hi,
  One of the major concerns regarding security solutions is the way they interact. ISE specifically, is compatible with most of the SIEMs available today, as stated by Cisco (http://www.cisco.com/en/US/prod/vpndevc/ecosystem.html).
  In my particular case, I want to integrate ISE with ArcSight.
  For ArcSight to correctly parse the syslog messages that ISE sends, you have to install/configure an ISE smartconnector.
  What I'm missing though is how does ArcSight instructs ISE to take specific actions on users/devices that are involved in a network attack.
  Please check: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/at_a_glance_c45-728401.pdf
  SIEM/TD partners may utilize ISE as a conduit for taking mitigation actions within the Cisco network infrastructure. SIEM/TD platforms can instruct ISE to undertake quarantine or access-block actions on users and/or device based on ISE policies that have been defined for such actions.
  Thanks!
  Octavian

  There is no such docs available till now for ArcSight integration with ISE. I also found only these two links:
  http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-728401.pdf
  http://www.cisco.com/c/dam/en/us/solutions/enterprise-networks/context-aware-mobility-solution/profile_arcsight_c07-538803.pdf

• ISE and AAA configuration

  Hi Guys,
  I am using ISE only one server as primary and as cisco says it has functionality of (ACS+ NAC). I  want to enable AAA services on the  ISE box rightnow.
  I used the ACS earlier and want to configure the same functions on it.
  Authentication of devices from ISE when remote login to router/switches/firewalls.
  Authorization of commands form ISE based on user login
  Accounting of command and login and logout details of user.
  I have very basic knowledge in ISE but i used ACS througly.
  Please Help  in the above issue.
  Thanks in Advance
  Regards

  Can you give any link where is shows TACACS is not supported.
  You find that amongst others in the Q&A:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
  Can you tell where need to enable these settings for AAA services.
  That's a quite complex thing ... Best you start with the ISE policies:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html
  Then look at the ACS migration-tool:
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/migration_guide/ise104_mig_book.html
  But don't expect that the tool will migrate your ACS-policies in a usefull way ... There is much handwork involved to end with a good ISE-policy.

• ISE and self register

  Hello,
  Can ISE differentiate and see on which wireless AP a user(MAC) connects ?
  Goal: i want to allow guest self registration, but not from any Access Point. We have a presentation room where presentation for third parties are given regularly. This room is covered with two high-density capable APs. I only want to allow guest in this room to generate their own guest accounts for 1 day from these APs, not every user on every Access Point.
  (and i want to avoid creating a dedicated different SSID for this)
  regards,
  Geert

  This document describes how to configure authorization policies  in Cisco Identity Services Engine (ISE) to distinguish between  different service set identifiers (SSIDs). It is very common for an  organization to have multiple SSIDs in their wireless network for  various purposes. One of the most common purposes is to have a corporate  SSID for employees and a guest SSID for visitors to the organization.  Please check below link for certificates configurations.
  http://www.cisco.com/image/gif/paws/115734/ise-policies-ssid-00.pdf

• ISE posture based upon switch user is connected to

  OK, I am a new ISE user and definitely an early beginner on creating ISE policies. I have successfully created a policy that can determine if you are using a corporate asset or not and using 802.1x authentication grant you access to corporate resources or not. This policy also assigns the VLAN the user is placed into. Seems to work quite well so far at least as a baby step in policy creation.
  Our building has different VLANS based upon floors and the like and I would like the policy(s) take this into consideration when assigning the VLAN. Is there a way to include which switch the postureing process is flowing through to assist in assigning the VLAN? I am thinking I would have separate policies based upon the switch / stack but not sure how to include that in the logic. I figured it would be similar to my policy where I check corporate assets and that you are wireless and that you have a valid AD account but have been unable to figure out the endpoint part. I have created network groups for my network devices but am stumped after that. Is there something else I should or could be doing instead? Do I need a completely different train of thought?    
  Brent

  Hello Brent, using "Network Device Groups" can definitely make this possible for you. For instance, you can create a "Location" based group hierarchy that looks like something like this:
  All Locations > HQ > Floor-1
  All Locations > HQ > Floor-2
  All Locations > DR > Floor-1
  etc
  Then you can reference that group in your authorization policy by using something like this
  If "Conditions > Device > Location" = All Locations > HQ > Floor-1
  then
  Permissions = "HQ_Floor-1-Posture"
  If "Conditions > Device > Location" = All Locations > HQ > Floor-2
  then
  Permissions = "HQ_Floor-2-Posture"
  I hope this helps and addresses your issue. 
  Thank you for rating helpful posts!

• ISE MAB authentication license usage

  Hello all. If I need ISE to authenticate wireless user MAC addresses (MAC Address bypass) in order to facilitate central web authentication - does every concurrent device MAC address that accesses my guest wireless SSID and gets forwarded to ISE for authentication use up a license?
  I have many users with smart phones and tablets that have the guest wireless SSID profile already saved and automatically connect to the guest SSID when in range. Most of these users do not go on to log in via central web authentication, but their MAC addresses get forwarded to ISE for authentication. Does ISE use up a license per MAC address?
  Thanks,

  Hello-
  Please take a look at the following link:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html
  So, in your situation, a license will be consumed even though the user never authenticates. This is because a license is consumed as soon as a session hits a rule in your AAA ISE policies. However, you can from the document that as soon as the session times out the endpoint would free the license. If for some reason an "accounting-stop" message is not received then after 5 days of inactivity the system will automatically free the license. 
  Hope this helps!
  Thank you for rating helpful posts!

• Cisco ISE - Expired certificates cannot be deleted.

  We just renewed our public cert, which I installed on my ISE nodes.  I have attempted to delete the expired cert, but get various errors and cannot delete them.  I did not see any related bug.   Ideas?
  Errors on the PSNs
  I am not sure how I change the portal configuration?...
  Error on the PANs

  So you cannot disable EAP...You can decide to not use it in your ISE policies but the protocol is always there and it needs a certificate coupled to that function.
  For the guest portal: You can delete all of the guest portal that you don't use and thus removing the need for that function.
  To make things easier, you can just generate a self-signed cert and assign all of services that you are not using to it.
  Thank you for rating helpful posts!

• ISE: PEAP-TLS

  Hi,
  I want to setup ISE for certificate authentication of the device + AD credentials (PEAP+TLS) as far as I understood it.
  I can't find any good example of how to setup ISE policies for this scenario.
  Client will use Microsoft CA and he will deploy certificates on the domain computers before they can join wireless, so I don't need self enrollment and hopefully no any kind of supplicant (just windows native one).
  If you can point me to some design or configuration guide, I would be thankful.
  Best regards,
  Michael

  Refer to the following links this  might be  of help
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1146236
  https://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf

• FlexConnect & ISE ACLs - AAA Overide/RADIUS NAC

  Hi Chaps,
  I have 3 ACLs configured on a WLC for CWA, Corp and Guest users. On local mode APs, theses are called up using the Airespace fields in the ISE policies dependant on what rule is hit.
  ACL-WEBAUTH-REDIRECT
  ACL-PERMIT-CORP-TRAFFIC
  ACL-PERMIT-GUEST-TRAFFIC
  Will FlexConnect APs call up the ACLs in the same way as a local mode as the WLAN will be AAA Override/RADIUS NAC or will FC ACLs be required.
  Cheers,
  N

  I believe you need to create Flex ACLs on the fWLC.  These Flex ACLs can be called the same as regular ACLs so in ISE you wouldnt have to change the auth profile.

• Domain user authentication for 3650 Wireless Access point

  Dear All,
  I have got new proposal inorder to configure the wireless access points by managing with the 3650 wireless controller. 
   We wanted to block the Wifi Access to mobile users.
  Only domain users need to be authenticate to the corporate wireless access.
  We have 3650 switch as a wireless controller and ISE in place. Kindly guide me the achieve the same. Attached the setup diagram.
  If possible share the sample configuration and it would be helpful. 

  Please refer
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115734-ise-policies-ssid-00.html

• ISE Authorization Policies

  Hi All
  Has anyone successfully used a Guest Role in an ISE authorization policy?
  I'm using 2 different Guest Roles that get assigned by the Sponsor on the account creation page.
  I want to differentiate between the 2 roles in my authorization policies to ensure separation between the 2 types of user.
  I've had a suggestion to use an Option field on the sponsor's account creation page - this will work but it would be more secure if the Guest Role could be used.
  ISE version is 1.2.198.0
  Regards
  Roger

  Exactly.
  If I create a sponsored account I can use the credentials to authenticate to either SSID.
  Similarly if I create a self-registered account I can use the credentials to authenticate to either SSID.
  The correct policy set is selected each time based on the SSID.
  It seems to me as if the guest roles effectively do nothing and that all users get assigned to a single group. Of course, as an administrator you simply can't ever see the accounts and where the user has been assigned to. Any attempts to differentiate based on the group simply fail.
  It looks like the assignment of a guest role for self-registration is actually a global setting that is applied to all portals and therefore over-rides the guest role assigned within the sponsor group settings. See the attached image.

• Client Exclusion Policies on WLC not working with ISE as RADIUS Server

  Hi,
  for our Guest WLAN (Security Setting for this SSID:Layer2: MAC filtering, Layer3:none) we use ISE as RADIUS Server. On WLC I enabled client exclusion polices and checked all options (Excessive 802.11 Auth. Failures etc..).. But even if a client fails 20times at authentication, it is not excluded on the wlc. It works with other SSIDs, where security settings are set to 802.1x.
  Am I missing any settings here or do you have some tipps on how to troubleshoot this?
  Thanks very much!

  Hi Renata,
  If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means its easy for any device to connect.
  If your Guest WLAN has the following:
  SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once recieveing that portal they can guess away at valid username/password.
  I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals  with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
  You can try and dull the noise a few ways.
  Option 1. create and ISE log filter on those alerts so they don't cluter the console.
  Option 2. Stop broadcasting the SSID.  This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
  Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, doesn't have change as it's purpose is not security.  You will have to include this information on their credential communication.
  Option 4 - both 2 and 3
  The most effective option would be 3.
  Good Luck!