ISE - posture fails
Hello,
I have a problem at the posture checking phase. The NAC agent fails to check for posture compliance and remediation never takes place. The client browser is being redirected to the following URL: https://ise.xxxx.yy:8443/guestportal/gateway?sessionId=AC16FA49000000778BF9058D&action=cpp, and then to https://ise.xxxx.yy:8443/auth/provisioning/evaluate (shown below)
Obviously there is a problem on ISE box, missing something. What could be the cause of the problem?
Best regards,
Kreso
Hi Mohammed,
As the TAC engineer and developer said, the problem is in the CA root certificate, which was imported in DER format.
Try exporting the root CA certificate (not the one issued to the ISE node by the CA, but the one that is in the Certificate Store), convert it from PKCS#7/DER to X.509/PEM format, delete the old CA root cert and import the one you just got as a result of the conversion.
You will need some Linux/UNIX box with OpenSSL tools installed. Suppose you exported the original cert to file named cert1.pem, when you try to read it using the following command, you get an error:
# openssl x509 -in cert1.pem -inform DER -text
unable to load certificate
followed by some ASN.1 error messages. To convert it, use the following command:
openssl pkcs7 -inform der -in cert1.pem -print_certs > cert2.pem
Now you can read cert data using the command:
openssl x509 -inform pem -in cert2.pem -noout -text
The file cert2.pem is the one that should be imported as a root CA certificate into the Certificate Store on ISE.
HTH,
Kreso
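As an added example, not from the original thread, the following script reproduces the failure Kreso describes and generalises the fix: it detects whether an exported CA file is X.509 PEM, X.509 DER, PKCS#7 PEM or PKCS#7 DER, converts whichever it is to X.509 PEM, and compares SHA-256 fingerprints so you can confirm the converted file is the same certificate before importing it. It assumes only a POSIX shell and the openssl command line tool; the throwaway CA, its subject name, and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original thread): reproduce the symptom from
# the thread and normalise a CA certificate, however it was exported, into
# X.509 PEM. The CA, its subject and the file names are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixture: a throwaway self-signed root CA exported three ways.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  # bare X.509 certificate in DER
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
  # PKCS#7 certificate bundle in DER, what a Windows CA export often produces
  openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -outform DER -out "$WORK/ca.p7b"
}

# detect_format FILE: print the container format, or "unknown".
# PEM variants are recognised by their armour header; binary ones by asking
# openssl to parse them as each candidate structure in turn.
detect_format() {
  f=$1
  if grep -aq -- '-----BEGIN CERTIFICATE-----' "$f"; then echo x509-pem
  elif grep -aq -- '-----BEGIN PKCS7-----' "$f"; then echo pkcs7-pem
  elif openssl x509 -in "$f" -inform DER -noout 2>/dev/null; then echo x509-der
  elif openssl pkcs7 -in "$f" -inform DER -noout 2>/dev/null; then echo pkcs7-der
  else echo unknown
  fi
}

# to_x509_pem IN OUT: write the certificate(s) in IN to OUT as X.509 PEM,
# the form the ISE Certificate Store accepts for a root CA.
to_x509_pem() {
  case "$(detect_format "$1")" in
    x509-pem)  openssl x509 -in "$1" -inform PEM -out "$2" ;;
    x509-der)  openssl x509 -in "$1" -inform DER -out "$2" ;;
    pkcs7-pem) openssl pkcs7 -in "$1" -inform PEM -print_certs -out "$2" ;;
    pkcs7-der) openssl pkcs7 -in "$1" -inform DER -print_certs -out "$2" ;;
    *) echo "unrecognised certificate container: $1" >&2; return 1 ;;
  esac
}

# sha256_fp FILE: SHA-256 fingerprint of the first certificate in a PEM file,
# used to prove the conversion did not swap or corrupt the certificate.
sha256_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_fixtures
for f in ca.pem ca.der ca.p7b; do
  printf '%-7s %s\n' "$f:" "$(detect_format "$WORK/$f")"
done

# The symptom from the thread: reading the PKCS#7 bundle as a bare DER cert fails.
if ! openssl x509 -in "$WORK/ca.p7b" -inform DER -noout 2>/dev/null; then
  echo "ca.p7b: 'openssl x509 -inform DER' cannot load it, as in the thread"
fi

to_x509_pem "$WORK/ca.p7b" "$WORK/ca-converted.pem"
echo "converted fingerprint: $(sha256_fp "$WORK/ca-converted.pem")"
echo "original  fingerprint: $(sha256_fp "$WORK/ca.pem")"
```

The fingerprint comparison is worth keeping when doing this for real: the Certificate Store import accepts any well-formed certificate, so checking the converted file's fingerprint against what the issuing CA reports is what guards against importing an intermediate or the wrong root by mistake.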
Similar Messages
-
Cisco ISE - Posturing of a Linux Endpoint - Is it possible?
We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
What I knew prior to researching this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
Any thoughts? Thanks in advance.
Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
Thank you for rating helpful posts! -
Cisco ISE authentication failed because client reject certificate
Hi Experts,
I am a newbie in ISE and having problem in my first step in authentication. Please help.
I am trying to deploy a standalone Cisco ISE 1.1.2 with a WLC using 802.1x authentication. The user authentication is configured to be checked against ISE's internal user database for early deployment. But when the user tries to authenticate, they fail with this error message in ISE:
Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
I've generated a certificate for ISE using a Windows Server CA and replaced ISE's self-signed certificate with the new certificate, but authentication still fails with the same error message. Must I generate a certificate for the WLC also? Please help me in solving this problem.
Regards,
Ratna
Certificate-Based User Authentication via Supplicant Failing
Symptoms or Issue
User authentication is failing on the client machine, and the user is receiving a "RADIUS Access-Reject" form of message.
Conditions
This issue occurs with authentication protocols that require certificate validation.
Possible Authentications report failure reasons:
• "Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
• "Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate"
Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:
• 12305 Prepared EAP-Request with another PEAP challenge
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is reusing an existing session
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is re-using an existing session
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12815 Extracted TLS Alert message
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.
Possible Causes
The supplicant or client machine is not accepting the certificate from Cisco ISE.
The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
Resolution
The client machine must accept the Cisco ISE certificate to enable authentication. -
Hi,
While reading about ISE posture, I got to know that ISE searches the "User Agent" attribute for the string "NAC Agent" to confirm that the NAC agent is present on a particular machine. This information is passed to ISE when the user opens a web browser, i.e. the user gets redirected.
If the NAC agent is not present on the machine, then the NAC agent gets downloaded and posture assessment starts.
While testing this on ISE, I noticed that
if the NAC agent is already present on the machine, posture assessment starts directly, even without opening a web browser.
Now my question is, how does ISE come to know that the NAC agent is already present on the machine without opening a web browser?
Regards,
Aditya
I second Richard on the fact that it can't be done. However, I was going through this and wanted to share in case it helps.
Default Posture Status
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1919363
Jatin Katyal
- Do rate helpful posts - -
ISE posture requirement to check if endpoint's USB port is disabled
Hi,
I wonder if it is possible to set a disabled USB port on the endpoints as a requirement in ISE Posture?
Appreciate your input.
Mike
If your question pertains to the capability of the ISE disabling the USB port on a PC, then the answer is no.
Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.
You would have to create a New Posture Condition and Remediations.
The condition that I will use in this example is a Registry Key.
If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, the USB is enabled. A value of 4 is disabled.
So set a Posture Condition:
Click Policy > Policy Elements > Conditions
Choose Posture from the left menu:
Then choose Registry Condition from the left menu.
Click +Add to add a new Posture Condition:
Then you have to create Remediation Actions. Click the Results button at the top of the left Menu:
Choose Remediation Actions and choose the Remediation you want to use. I chose Link Remediation.
+Add to add a new Link Remediation:
Then choose Requirements from the left menu and create a new Remediation Result:
Of course, you can choose different remediations as necessary for your environment.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
Cisco ISE: Dot1x failing and MAB succeeded (Intermittent) /or Posture Delay
Hi,
We are running Cisco ISE 1.1.3 configured for Dot1x and MAB authentication. PCs are getting access through MAB while Dot1x is failing again and again. But sometimes the same PC gets authenticated via Dot1x. Connectivity is intermittent. Also, sometimes it is stuck longer in Posture.
We have three different switches at the moment with the latest IOS version.
1) WS-C4507R-E = 15.1(2)SG,
2) WS-C3560-48PS = 12.2(55)SE7
3) WS-C3750X-24P = 15.0(2)SE1
Could anyone pitch an idea? Or advise about the latest IOS for the switches.
Let me know, if you need more information.
Thanks,
Regards,
Mubahser
It seems your PCs are failing dot1x and also failing MAB authentication; the switch by default will start the process again and will again fail dot1x and MAB authentication, and so on.
It will be helpful to see the logs from both the switch and the RADIUS servers (I take it this is ACS or ISE). Also the configuration of the RADIUS server. -
Primary administration ISE nodes failed
Hi All,
I'm going to implement 3 ISE nodes in a distributed deployment: 1 ISE will be configured as the Administration & Monitoring node, and the others as dedicated Policy Service nodes.
My questions are :
1. If the Administration & Monitoring node fails, can authentication, authorization and posture still run well on the client?
2. Can we promote the dedicated Policy Service Node as the new Administration & Monitoring node? If so, what is the procedure for promoting it? Is it as simple as promoting the secondary node (in case we have primary and secondary nodes), or is there other effort, such as having to restore the database, etc.?
Thanks?
Regards,
Rian
Hi,
When the primary administration node fails, the PSNs will still continue to function and enforce policies.
Since you have a single administration node, if that node has to be rebuilt, all other nodes will also have to be reset to factory and then re-registered once the primary node is ready again.
In that case you can open a TAC case to have them assist in pulling your database from one of the PSN nodes.
As always this is my observations and what I would do if I was in the situation, we can wait for a cisco engineer to respond or you can post this question in a tac case to make sure there isn't an upcoming feature which addresses this scenario.
Sent from Cisco Technical Support Android App -
Cisco ISE posture requirements whats the ordering of requirements?
Hi Everyone,
I am in the middle of deploying the anyconnect posture module (ac 4.0), with ISE 1.3. I have a problem, with the order of which the posture requirements get checked, it does not seem to order the requirements alphabetically, and can't figure out how to make it check for certain things, before other things. An example :
I have Symantec SEP 12.1 AV in this environment, and i have the following checks :
- AV_installed : is the av agent installed ?, if not start installation from a network share
- AV_started : is the av agent started ?, if not try to start the service
- AV_uptodate : is the av definitions up to date?, if not start the update function in the av client
Now this is the order it needs to be checked in, as it would fail if I tried to check whether the AV is running before I check whether it's actually installed, but I can't get posture to do that. Going on the names of the rules, these should alphabetically be run in the order I have, but they are not.
Any ideas? The documentation for posture is lacking, to be polite; I have not been able to find anything describing this process.
Abhishek,
This is possible, please use this link for reference:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
Your AV vendor will have to be supported based on the release notes:
http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
Thanks,
Tarik Admani
*Please rate helpful posts* -
Delaying ISE Posture / Remediation
Hi, we have a requirement where we would like to add a small delay for about 10 - 15 seconds to the time it takes for the NAC agent to attempt remediation of the client.
Is this possible?
What seems to happen at the moment is that an error appears on the NAC agent during remediation advising of a networking issue during remediation. This is because we have a proxy server and you must have elevated privileges to download certain file types from the internet, such as executables.
To get round the limitation of the NAC agent not being able to be configured to use its own web proxy settings with a user account with more privileges, we use different locations in our AV product so that once the AV product realises that the laptop is connected to the wireless it changes the location to "wireless" and applies the correct web proxy settings so that AV updates can be downloaded.
However, the NAC agent is trying to remediate quicker than the AV product can change the location and apply the new web proxy settings.
Hope that makes sense.
Mario
Hello Mario,
You can customize remediation timeout settings for your requirement. Please review the following:
Remediation Timeout Customization
Remediation timer (default 4, valid range 1-300): Specifies the number of minutes the user has to remediate any failed posture assessment checks on the client machine before having to go through the entire login process over again.
Network Transition Delay (default 3, valid range 2-30): Specifies the number of seconds the agent should wait for network transition (IP address change) before beginning the remediation timer countdown.
Note: When you use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends "DHCP release delay" and "DHCP renew delay" settings (as specified below) instead of using the "Network transition delay" setting used for Windows agent profiles. If you do not use the "Enable agent IP refresh after VLAN change" option, Cisco ISE sends "Network transition delay" timer settings to client machines, but Cisco ISE will not send both.
For more detail understanding on this, please visit the section Configure Client Provisioning Policies > Remediation Timeout Customization at the following location in ISE user guide - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1134841
You may also want to review more options that you can customize in Configure Client Provisioning Policies section.
Regards,
Ashok -
ISE Posture Condition for Windows Service Pack and Remediation
Hi,
We have ISE ver 1.1.1 and are currently on a PoC. I have the following points to be clarified for Posture and Remediation.
1) How to configure a condition to check the Windows Service Pack (maybe more than one Windows flavor, such as XP, Win 7 and Win 8) and how to remediate in case the client is not complying with the Windows requirement.
2) I configured an AV condition and it looks like it's working fine; however, I still couldn't find where to configure how to remediate in case the client does not have the proper version and AV definition on his PC.
3) We have an Authorization profile configured with the dACL "Posture Remediation" where we allow the AV server update URL, and also a matching ACL configured on the switch, "Posture Redirect". I want to know the exact purpose of these two ACLs.
4) Where can we see the non-compliance logs and find out the reason for non-compliance?
I'd appreciate it if someone could give us a proper document to achieve the above tasks or send me any working scenario configuration steps.
Thanks in advance.
1. Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or a Microsoft-managed WSUS server, with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where a NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.
You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or locally administered WSUS server for compliance.
The Windows Server Update Services (WSUS) remediations list page displays all the WSUS remediations along with their names, descriptions, and modes of remediation.
Check the following links for configuration:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
2. For AV/AS Remediation configuration check this link: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420 -
ISE posture redirect not working
ISE v1.1.0.665, 3395 h/w.
Single Admin/Monitor/Policy node.
WS-C3560-48TS 12.2(55)SE5 C3560-IPBASEK9-M
For Client Provisioning I created an authorisation policy as follows:
download acl "ACL-POSTURE-REMEDIATION"
apply url redirect "ACL-POSTURE-REDIRECT".
"Debug radius" shows all this is downloaded to the switch but:
- Redirect does not work.
- dACL is not applied if the URL redirect is also configured.
Wireshark on the client shows no redirect.
Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.
I've also attached screen shots of these policies and wireshark.
Grant,
It looks like you are changing the VLAN after your client gets an IP address; it seems like the client gets an IP address of
192.168.16.164 and you are changing the VLAN over to 516. I wanted to know whether there isn't an IP-to-VLAN mismatch before you move forward. If 516 is the quarantine VLAN you may want to start all clients on that VLAN and use dynamic VLAN assignment through change of authorization once a client becomes compliant. The reason is that you can use the web portal, or the NAC agent, to change the IP address once the VLAN is changed.
Thanks,
Tarik Admani -
ISE Posture Remediation issue with AV client installation
Problem: If the user starts the AV client installation on the PC via AV link remediation, after some time (while the AV client installation is not completed yet) the Trend Micro Update window pops up, but automatic AV or AS definition remediation does not start and the Cisco NAC agent shows the message that the AV definition is not up to date.
Also sometimes the NAC agent gives the message that automatic remediation failed or requires user intervention to press OK so NAC can complete the remediation process.
I am facing these issues when users don't have an antivirus client on the PC and are performing the client installation.
We have the following posture policies,
1 AV installation check: if AV is not installed on the PC, then perform link remediation and let the user download the antivirus client from the provided link.
2 AV definition & AS definition version check (I put both remediation requirements in one policy): if the AV or AS definition version is found to be old, then perform automatic remediation.
3. WSUS check
4 SP check
Actually I want the user to first install the AV client via link remediation; once installation is complete, then move to AV & AS def remediation if required (because on first AV client installation it automatically downloads all updates from the AV server); otherwise the def remediation policy should wait for the AV client installation to complete.
Can anybody please let me know how remediation works internally? E.g. if "AV inst" remediation starts, does the NAC agent wait for its completion and not start other remediation processes, e.g. AS & AV def?
Second question: what is the remediation process sequence?
Third question: is there any way we can configure a timer in the remediation process, e.g. 5 min for AV inst, then 3 min for AV & AS def remediation, and then go to the other posture remediations?
Please check the below guide for Posture Configuration:
http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080c15540.shtml -
ISE authentication fail during windows re-logon
Background:
Deployed a Cisco ISE 1.1.2 that is used to authenticate and posture validate wired users attached to Cisco IP Phones. The backend database is Microsoft AD.
Problem:
The first time, both users and IP Phones pass the authentication and posture validation steps successfully. When the user logs off from Windows, the log off is done without any problem, and I can see it on the switch.
The problem takes place when the user tries to log on again. The ISE does not match the configured authentication rules as the first time, and puts the user directly into the default "DenyAccess" policy (rule).
Has anyone out there experienced something similar or have any ideas on why this is happening?
Thanks.
Hi
Possible Causes
• This could be either a MAB or 802.1X authentication issue.
• The authorization profile could be missing the Cisco av-pair="device-traffic-class=voice" attribute. As a result, the switch does not recognize the traffic on the voice VLAN.
• The administrator did not add the endpoint as a static identity, or did not allow an unregistered endpoint to pass. Create a policy rule to "Continue/Continue/Continue" upon failure.
Resolution
• Verify that the Authorization Policy is framed properly for groups and conditions, and check to see whether the IP phone is profiled as an "IP phone" or as a "Cisco-device."
• Verify the switch port configuration for multidomain and voice VLAN configuration.
• Add the continue/continue/continue to allow the endpoint to pass:
Choose Policy > Policy Elements > Results > Authentication > Allowed
Protocols to create a Protocol Policy. MAC authentications use PAP/ASCII and EAP-MD5 protocols. Enable the following MAB Protocols settings:
– Process Host Lookup
– PAP/ASCII
– Detect PAP as Host Lookup
– EAP-MD5
– Detect EAP-MD5 as Host Lookup
• From the main menu, choose Policy > Authentication.
• Change the authentication method from Simple to Rule-Based
• Use the action icon to create new Authentication Method entries for MAB:
– Name: MAB
– Condition: IF MAB RADIUS:Service-Type == Call Check
– Protocols: allow protocols MAB_Protocols and use
– Identity Source: Internal
– Hosts: Continue/Continue/Continue -
Hi,
I have a setup with ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
Error is enclosed & here is the port configuration.
Port Configuration.
interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30
Please help.
The error message means that the Active Directory server rejected the authentication attempt
because for some reason the user account got locked. I guess you should ask your AD team to check in the AD
event logs why the user account got locked.
Under Event Viewer, you can find it out.
Regards
Minakshi (Do rate the helpful posts) -
In ISE, does anyone know if the count for the Maximum Login Failures for Guest accounts (found under the Settings>Guest>Portal Policy page) is a per session setting or cumulative for the lifetime of the account? Does the count ever get reset and is there a way to view current failed login count?
Our use case is that we have guest accounts that get handed out to multiple guests (say for a hosted conference or a special event). We've had a couple of these types of accounts get suspended because of hitting max failed logins. We've increased the setting, but would like to understand the settings further, as some of the guest accounts need to exist over a significant period of time.
It is per session; once successfully logged in, the counter is reset.