ISE Posture to guest clients

Hi guys,
I'd like to know if it is possible to apply posture to guest clients using the Web Agent after they have logged into the portal.
Thanks

Of course it is possible. For detailed information please review the following guide:
Configuring Client Posture Policies
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html
You can also create posture-specific authorization policies for all wired, wireless, and guest deployments by specifying the Session:PostureStatus attribute in the authorization policies. This attribute has three values, unknown, compliant, and noncompliant, which you can use in the authorization policies.
Regards,
Ashok

Similar Messages

  • Cisco ISE posture assessment and client provisioning

    Hello,
    I have Cisco ISE and a Cisco IOS device. I have configured RADIUS between these devices.
    I have also configured RADIUS between Cisco ISE and Cisco ASA. Now I want to know how to do posture assessment for these devices (Cisco ISE and Cisco ASA, or Cisco ISE and Cisco IOS). Please give me the whole set of steps to do posture assessment for a Cisco IOS device in Cisco ISE.
    Also, please provide me with logs related to posture assessment and client provisioning.
    Thanks in advance.

    You may go through the link listed below to download the PDF:
    Posture assessment with ISE.
    http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Dynamic Authorization Failed - Posture with Guest Portal - ISE - WLC

    Hello everybody,
    I'm implementing a NAC solution based on Cisco ISE. Unfortunately, I'm facing a problem related to the CoA (Change of Authorization).
    The guest can authenticate successfully via portal and then he is redirected to the page of client provisioning.
    When he is compliant with the policy he gets access without any problem and this means that CoA works perfectly. The issue occurs when he has to remediate (download the file from ISE and install it). In this case, we need a change of authorization profile.
    The authentication logs show that the posture status changed from non-compliant to compliant, but the user doesn't obtain access.
    Here are details :
    Authentication Details
    Source Timestamp: 2015-04-30 18:43:13.179
    Received Timestamp: 2015-04-30 18:43:13.18
    Policy Server: ISE-CISCO
    Event: 5417 Dynamic Authorization failed
    Failure Reason: 11213 No response received from Network Access Device after sending a Dynamic Authorization request
    Resolution: Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
    Root cause: No response received from Network Access Device after sending a Dynamic Authorization request
    Username:
    User Type:
    Endpoint Id: E0:9D:31:07:**:**
    Endpoint Profile:
    IP Address:
    Identity Store:
    Identity Group:
    Audit Session Id: ca0019ac00000003ae674255
    Authentication Method:
    Authentication Protocol:
    Service Type:
    Network Device: WLC-1
    Device Type:
    Location:
    NAS IP Address: 172.25.0.202
    NAS Port Id:
    NAS Port Type:
    Authorization Profile:
    Posture Status: Compliant
    Security Group:
    Response Time: 15002
    Other Attributes
    ConfigVersionId: 4
    RadiusPacketType: CoARequest
    Event-Timestamp: 1430415778
    AcsSessionID: 50149c2f-08fb-4f9d-b1b5-f655e71d039f
    StepLatency: 3=15001
    Device IP Address: 172.25.0.202
    CiscoAVPair: subscriber:command=reauthenticate
    audit-session-id: ca0019ac00000003ae674255
    Session Events
    2015-04-30 18:43:13.18 - Dynamic Authorization failed
    2015-04-30 18:41:44.159 - Dynamic Authorization failed
    2015-04-30 18:35:42.64 - Guest Authentication Passed
    2015-04-30 18:34:39.214 - RADIUS Accounting start request

    You can use LWA for this. The WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required, as the portal provides features such as device registration and self-provisioning.
    Refer to the following link for a configuration example:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
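The 5417/11213 event in the post above is ISE sending a RADIUS CoA-Request (RFC 5176) to the WLC and hearing nothing back for 15 seconds. The quickest way to separate "the WLC never got it" from "the WLC got it and dropped it" is to reproduce the exchange from the ISE side and watch what comes back. The Python below is an added example, not code from the thread or from Cisco: it builds the same CoA-Request the log shows (Cisco-AVPair `subscriber:command=reauthenticate` plus `audit-session-id`), verifies both authenticators the way a NAD does, models the NAD's CoA-ACK/CoA-NAK reply, and can send one probe to UDP/3799. The NAS IP and audit-session-id are copied from the log; the shared secret is a placeholder. Two caveats: an AireOS WLC only honours CoA from a RADIUS server it has configured with CoA support and a matching shared secret, so a probe from any other host reproduces the timeout rather than diagnosing it; and the Message-Authenticator ordering (Request Authenticator zeroed while computing the HMAC, then the MD5 Request Authenticator over the finished packet) is the RFC 5176 procedure as FreeRADIUS implements it. The same packet shape is what the ASA 9.2.1 VPN posture flow described further down relies on.

```python
"""RFC 5176 CoA-Request builder, verifier and probe (added example, not from the original thread).
Builds the packet ISE sent in the 5417 event above and classifies the NAD's answer."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC, ATTR_MESSAGE_AUTHENTICATOR = 26, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
HEADER_LEN = 20          # code(1) identifier(1) length(2) authenticator(16)
COA_PORT = 3799          # RFC 5176 dynamic authorization port


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute (RFC 2865 section 5.26) carrying one Cisco-AVPair string."""
    value = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR_ID) + vsa


def build_coa_request(secret: bytes, audit_session_id: str, identifier: Optional[int] = None) -> bytes:
    """CoA-Request that asks the NAD to reauthenticate one audit session.

    Message-Authenticator (attr 80) = HMAC-MD5 over the packet with the Request
    Authenticator and the attribute value both zeroed; afterwards the Request
    Authenticator = MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    as in RFC 5176 section 2.3.
    """
    if identifier is None:
        identifier = os.urandom(1)[0]
    attrs = (cisco_avpair("subscriber:command=reauthenticate")
             + cisco_avpair("audit-session-id=" + audit_session_id))
    ma_header = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18)
    header = struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(attrs) + 18)
    mac = hmac.new(secret, header + bytes(16) + attrs + ma_header + bytes(16), hashlib.md5).digest()
    attrs += ma_header + mac
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Recompute both authenticators of a CoA-Request, as the NAD does before acting on it."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    req_auth, attrs = packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest() != req_auth:
        return False
    pos = 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return False                         # malformed TLV
        if a_type == ATTR_MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            expected = hmac.new(secret, packet[:4] + bytes(16) + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, attrs[pos + 2:pos + 18])
        pos += a_len
    return False                                 # no Message-Authenticator present


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """NAD side: CoA-ACK/CoA-NAK whose Response Authenticator = MD5(header + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest() + attrs


def classify_reply(reply: Optional[bytes], request: bytes, secret: bytes) -> str:
    """Map what came back (or did not) to the outcome an operator cares about."""
    if reply is None:
        return "timeout"                         # the 11213 symptom: the NAD never answered
    if len(reply) < HEADER_LEN or reply[1] != request[1]:
        return "unexpected"
    expected = hashlib.md5(reply[:4] + request[4:HEADER_LEN] + reply[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:HEADER_LEN]):
        return "bad-authenticator"               # shared secret mismatch or a forged reply
    return {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}.get(reply[0], "code-%d" % reply[0])


def probe_nad(nad_ip: str, secret: bytes, audit_session_id: str, timeout: float = 5.0) -> str:
    """Send one CoA-Request to the NAD and report how it responded."""
    request = build_coa_request(secret, audit_session_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nad_ip, COA_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_reply(reply, request, secret)


if __name__ == "__main__":
    # NAS IP and audit-session-id are taken from the log above; the shared secret is a placeholder.
    print(probe_nad("172.25.0.202", b"placeholder-secret", "ca0019ac00000003ae674255"))
```

A `timeout` from a host the WLC trusts as its RADIUS server points at reachability or at CoA not being enabled for that server entry on the WLC; a `bad-authenticator` or `CoA-NAK` means the request arrived and the problem is the shared secret or the session attributes, which is a different ticket.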

  • Guest client often disconnected

    Hello, all!
    I have an issue: one guest client is disconnecting often.
    WLC 5508. Open Guest WLAN with redirect to ISE. 50-60 clients work constantly and with no problems.
    One of them disconnects every 5 minutes. Help me please.
    Here are the logs from client debugging:
    *apfReceiveTask: Jan 29 11:57:50.721: 6c:88:14:f5:38:18 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfReceiveTask: Jan 29 11:57:50.721: 6c:88:14:f5:38:18 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [b4:14:89:d1:d5:c0]
    *pemReceiveTask: Jan 29 11:57:50.721: 6c:88:14:f5:38:18 0.0.0.0 Removed NPU entry.
    *apfReceiveTask: Jan 29 11:57:50.721: 6c:88:14:f5:38:18 Deleting mobile on AP b4:14:89:d1:d5:c0(0)
    *apfMsConnTask_5: Jan 29 11:57:51.011: 6c:88:14:f5:38:18 Adding mobile on LWAPP AP b4:14:89:d1:d5:c0(0)
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Association received from mobile on BSSID b4:14:89:d1:d5:c3
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Max Client Trap Threshold: 0  cur: 12
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 override for default ap group, marking intgrp NULL
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Re-applying interface policy for client
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 In processSsidIE:4796 setting Central switched to TRUE
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 In processSsidIE:4799 apVapId = 4 and Split Acl Id = 65535
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Applying site-specific Local Bridging override for station 6c:88:14:f5:38:18 - vapId 4, site 'MeetingRooms', interface 'guests-internet'
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Applying Local Bridging Interface Policy for station 6c:88:14:f5:38:18 - vlan 480, interface id 21, interface 'guests-internet'
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 override from ap group, removing intf group from mscb
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Applying site-specific override for station 6c:88:14:f5:38:18 - vapId 4, site 'MeetingRooms', interface 'guests-internet'
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 480
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 Re-applying interface policy for client
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_5: Jan 29 11:57:51.012: 6c:88:14:f5:38:18 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 STA - rates (6): 24 36 176 72 96 108 0 0 0 0 0 0 0 0 0 0
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 Central switch is TRUE
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP b4:14:89:d1:d5:c0 vapId 4 apVapId 4 flex-acl-name:
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 apfMsAssoStateInc
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 6c:88:14:f5:38:18 on AP b4:14:89:d1:d5:c0 from Idle to Associated
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 apfPemAddUser2:session timeout forstation 6c:88:14:f5:38:18 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 Sending Assoc Response to station on BSSID b4:14:89:d1:d5:c3 (status 0) ApVapId 4 Slot 0
    *apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 6c:88:14:f5:38:18 on AP b4:14:89:d1:d5:c0 from Associated to Associated
    *apfReceiveTask: Jan 29 11:57:51.014: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *apfReceiveTask: Jan 29 11:57:51.014: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5773, Adding TMP rule
    *apfReceiveTask: Jan 29 11:57:51.014: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP b4:14:89:d1:d5:c0, slot 0, interface = 1, QOS = 0
      IPv4 ACL ID = 255, IPv
    *apfReceiveTask: Jan 29 11:57:51.014: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 480, Local Bridging intf id = 21
    *apfReceiveTask: Jan 29 11:57:51.014: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Jan 29 11:57:51.014: 6c:88:14:f5:38:18 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: Jan 29 11:57:51.014: 6c:88:14:f5:38:18 Sent an XID frame
    *IPv6_Msg_Task: Jan 29 11:57:51.014: 6c:88:14:f5:38:18 Pushing IPv6 Vlan Intf ID 21: fe80:0000:0000:0000:45a0:6c41:35d9:f6a3 , and MAC: 6C:88:14:F5:38:18 , Binding to Data Plane. SUCCESS !! dhcpv6bitmap 0
    *IPv6_Msg_Task: Jan 29 11:57:51.015: 6c:88:14:f5:38:18 Link Local address fe80::45a0:6c41:35d9:f6a3 updated to mscb. Not Advancing pem state.Current state: mscb in apfMsMmInitial mobility state and client state APF_MS_STATE_A
    *apfMsConnTask_5: Jan 29 11:57:51.721: 6c:88:14:f5:38:18 Association received from mobile on BSSID b4:14:89:d1:d5:c3
    *apfMsConnTask_5: Jan 29 11:57:51.721: 6c:88:14:f5:38:18 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_5: Jan 29 11:57:51.721: 6c:88:14:f5:38:18 Max Client Trap Threshold: 0  cur: 13
    *apfMsConnTask_5: Jan 29 11:57:51.721: 6c:88:14:f5:38:18 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_5: Jan 29 11:57:51.721: 6c:88:14:f5:38:18 override for default ap group, marking intgrp NULL
    *apfMsConnTask_5: Jan 29 11:57:51.721: 6c:88:14:f5:38:18 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 480
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 Re-applying interface policy for client
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 In processSsidIE:4796 setting Central switched to TRUE
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 In processSsidIE:4799 apVapId = 4 and Split Acl Id = 65535
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 Applying site-specific Local Bridging override for station 6c:88:14:f5:38:18 - vapId 4, site 'MeetingRooms', interface 'guests-internet'
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 Applying Local Bridging Interface Policy for station 6c:88:14:f5:38:18 - vlan 480, interface id 21, interface 'guests-internet'
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 override from ap group, removing intf group from mscb
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 Applying site-specific override for station 6c:88:14:f5:38:18 - vapId 4, site 'MeetingRooms', interface 'guests-internet'
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 480
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 Re-applying interface policy for client
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 STA - rates (6): 24 36 176 72 96 108 0 0 0 0 0 0 0 0 0 0
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 apfMs1xStateDec
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_5: Jan 29 11:57:51.722: 6c:88:14:f5:38:18 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *pemReceiveTask: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 Removed NPU entry.
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 Central switch is TRUE
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP b4:14:89:d1:d5:c0 vapId 4 apVapId 4 flex-acl-name:
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) pemApfAddMobileStation2 3451, Adding TMP rule
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP b4:14:89:d1:d5:c0, slot 0, interface = 1, QOS = 0
      IPv4 ACL ID = 255, IPv
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 480, Local Bridging intf id = 21
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) pemApfAddMobileStation2 3639, Adding TMP rule
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP b4:14:89:d1:d5:c0, slot 0, interface = 1, QOS = 0
      IPv4 ACL ID = 255,
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 480, Local Bridging intf id = 21
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 6c:88:14:f5:38:18 on AP b4:14:89:d1:d5:c0 from Associated to Associated
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 apfPemAddUser2:session timeout forstation 6c:88:14:f5:38:18 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
    *apfMsConnTask_5: Jan 29 11:57:51.723: 6c:88:14:f5:38:18 Sending Assoc Response to station on BSSID b4:14:89:d1:d5:c3 (status 0) ApVapId 4 Slot 0
    *apfMsConnTask_5: Jan 29 11:57:51.724: 6c:88:14:f5:38:18 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 6c:88:14:f5:38:18 on AP b4:14:89:d1:d5:c0 from Associated to Associated
    *pemReceiveTask: Jan 29 11:57:51.724: 6c:88:14:f5:38:18 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: Jan 29 11:57:51.724: 6c:88:14:f5:38:18 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *apfOrphanSocketTask: Jan 29 11:57:56.416: 6c:88:14:f5:38:18 Orphan Packet from STA - IP 10.10.48.26
    *apfOrphanSocketTask: Jan 29 11:57:56.417: 6c:88:14:f5:38:18 Invalid MSCB state, regType=2, Dhcp required!
    *apfOrphanSocketTask: Jan 29 11:57:56.417: 6c:88:14:f5:38:18 IPv4 Addr: 10:10:48:26
    *DHCP Socket Task: Jan 29 11:58:04.793: 6c:88:14:f5:38:18 DHCP received op BOOTREQUEST (1) (len 308,vlan 501, port 1, encap 0xec03)
    *DHCP Socket Task: Jan 29 11:58:04.793: 6c:88:14:f5:38:18 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 29 11:58:07.793: 6c:88:14:f5:38:18 DHCP received op BOOTREQUEST (1) (len 308,vlan 501, port 1, encap 0xec03)
    *DHCP Socket Task: Jan 29 11:58:07.793: 6c:88:14:f5:38:18 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *SNMPTask: Jan 29 11:58:51.194: 6c:88:14:f5:38:18 Central Switch = TRUE
    *SNMPTask: Jan 29 11:58:51.194: 6c:88:14:f5:38:18 Central Switch = TRUE
    *SNMPTask: Jan 29 11:58:51.198: 6c:88:14:f5:38:18 Central Switch = TRUE
    *SNMPTask: Jan 29 11:58:51.199: 6c:88:14:f5:38:18 Central Switch = TRUE
    *DHCP Socket Task: Jan 29 11:59:17.382: 6c:88:14:f5:38:18 DHCP received op BOOTREQUEST (1) (len 308,vlan 501, port 1, encap 0xec03)
    *DHCP Socket Task: Jan 29 11:59:17.382: 6c:88:14:f5:38:18 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 29 11:59:21.385: 6c:88:14:f5:38:18 DHCP received op BOOTREQUEST (1) (len 308,vlan 501, port 1, encap 0xec03)
    *DHCP Socket Task: Jan 29 11:59:21.385: 6c:88:14:f5:38:18 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *apfReceiveTask: Jan 29 11:59:51.725: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP Discover 0, DHCP Request 0 from client
    *apfReceiveTask: Jan 29 11:59:51.725: 6c:88:14:f5:38:18 Interface Group was NULL.Number of DHCP Discovery 0 from client
    *apfReceiveTask: Jan 29 11:59:51.725: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    *apfReceiveTask: Jan 29 11:59:51.725: 6c:88:14:f5:38:18 Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
    *osapiBsnTimer: Jan 29 12:00:01.725: 6c:88:14:f5:38:18 apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
    *apfReceiveTask: Jan 29 12:00:01.725: 6c:88:14:f5:38:18 apfMsExpireMobileStation (apf_ms.c:6655) Changing state for mobile 6c:88:14:f5:38:18 on AP b4:14:89:d1:d5:c0 from Associated to Disassociated
    *apfReceiveTask: Jan 29 12:00:01.725: 6c:88:14:f5:38:18 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
    *osapiBsnTimer: Jan 29 12:00:11.725: 6c:88:14:f5:38:18 apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
    *apfReceiveTask: Jan 29 12:00:11.726: 6c:88:14:f5:38:18 Sent Deauthenticate to mobile on BSSID b4:14:89:d1:d5:c0 slot 0(caller apf_ms.c:6749)
    *apfReceiveTask: Jan 29 12:00:11.726: 6c:88:14:f5:38:18 Setting active key cache index 8 ---> 8
    *apfReceiveTask: Jan 29 12:00:11.726: 6c:88:14:f5:38:18 Deleting the PMK cache when de-authenticating the client.
    *apfReceiveTask: Jan 29 12:00:11.726: 6c:88:14:f5:38:18 Global PMK Cache deletion failed.
    *apfReceiveTask: Jan 29 12:00:11.726: 6c:88:14:f5:38:18 apfMsAssoStateDec
    *apfReceiveTask: Jan 29 12:00:11.726: 6c:88:14:f5:38:18 apfMsExpireMobileStation (apf_ms.c:6787) Changing state for mobile 6c:88:14:f5:38:18 on AP b4:14:89:d1:d5:c0 from Disassociated to Idle
    Then the client goes to authenticate again and these logs repeat.

    I like it when I get debugs :).
    *apfReceiveTask: Jan 29 11:59:51.725: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    Your issue is that the client is not doing DHCP. Is the "DHCP Addr. Assignment Required" checkbox enabled on the WLAN Advanced tab?
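The answer above was found by reading the `debug client` output by eye and spotting the `DHCP Policy timeout` line. As an added example (not part of the thread), the Python below does that triage for one client MAC: it follows the PEM state transitions, counts the DHCP packets the controller attributed to the client and the VLAN they arrived on, records any orphan (non-DHCP) traffic from an address the WLC has not learned, and ties the `DHCP Policy timeout` to the `Sent Deauthenticate` that follows it. The sample lines embedded in it are constructed to mirror the posted debug (same MAC, same timestamps, trimmed to the decisive lines). The two details it surfaces side by side are in the original capture too: the controller counts zero DHCP Discover/Request for the client even though two BOOTREQUESTs were logged, and those BOOTREQUESTs carry vlan 501 while the client's policy put it in VLAN 480.

```python
"""Triage of a Cisco AireOS WLC `debug client <mac>` capture (added example, not from the thread).
Summarises the PEM state machine, DHCP activity and the policy timeout for one client MAC."""
import re
from collections import Counter
from typing import Dict, List

# One debug line: *task: Mon DD HH:MM:SS.mmm: <client mac> <message>
LINE = re.compile(r"^\*[^:]+:\s+\w{3}\s+\d+\s+[\d:.]+:\s+([0-9a-fA-F:]{17})\s+(.*)$")
STATE = re.compile(r"Change state to (\w+) \(\d+\) last state (\w+) \(\d+\)")
DHCP_OP = re.compile(r"DHCP received op (\w+) \(\d+\) \(len \d+,\s*vlan (\d+)")
POLICY_VLAN = re.compile(r"Local Bridging Vlan = (\d+)")
POLICY_TIMEOUT = re.compile(r"DHCP Policy timeout\. Number of DHCP Discover (\d+), DHCP Request (\d+)")
ORPHAN = re.compile(r"Orphan Packet from STA - IP (\d+\.\d+\.\d+\.\d+)")

# Constructed sample modelled on the debug posted above (same MAC, trimmed to the decisive lines).
SAMPLE = """\
*apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfMsConnTask_5: Jan 29 11:57:51.013: 6c:88:14:f5:38:18 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Jan 29 11:57:51.014: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 480, Local Bridging intf id = 21
*apfOrphanSocketTask: Jan 29 11:57:56.416: 6c:88:14:f5:38:18 Orphan Packet from STA - IP 10.10.48.26
*apfOrphanSocketTask: Jan 29 11:57:56.417: 6c:88:14:f5:38:18 Invalid MSCB state, regType=2, Dhcp required!
*DHCP Socket Task: Jan 29 11:58:04.793: 6c:88:14:f5:38:18 DHCP received op BOOTREQUEST (1) (len 308,vlan 501, port 1, encap 0xec03)
*DHCP Socket Task: Jan 29 11:58:07.793: 6c:88:14:f5:38:18 DHCP received op BOOTREQUEST (1) (len 308,vlan 501, port 1, encap 0xec03)
*apfReceiveTask: Jan 29 11:59:51.725: 6c:88:14:f5:38:18 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP Discover 0, DHCP Request 0 from client
*apfReceiveTask: Jan 29 12:00:11.726: 6c:88:14:f5:38:18 Sent Deauthenticate to mobile on BSSID b4:14:89:d1:d5:c0 slot 0(caller apf_ms.c:6749)
"""


def triage(debug_text: str, mac: str) -> Dict:
    """Walk the debug for one MAC and return the facts plus the findings they support."""
    mac = mac.lower()
    states: List[str] = []
    dhcp_ops: Counter = Counter()
    dhcp_vlans, policy_vlans, orphan_ips = set(), set(), set()
    timeout = None
    deauth = False
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1).lower() != mac:
            continue                              # other clients' lines are ignored
        msg = m.group(2)
        if (s := STATE.search(msg)):
            states.append(s.group(1))
        elif (d := DHCP_OP.search(msg)):
            dhcp_ops[d.group(1)] += 1
            dhcp_vlans.add(int(d.group(2)))
        elif (p := POLICY_VLAN.search(msg)):
            policy_vlans.add(int(p.group(1)))
        elif (o := ORPHAN.search(msg)):
            orphan_ips.add(o.group(1))
        elif (t := POLICY_TIMEOUT.search(msg)):
            timeout = {"discover": int(t.group(1)), "request": int(t.group(2))}
        elif "Sent Deauthenticate to mobile" in msg:
            deauth = True

    findings = []
    if timeout is not None and "RUN" not in states:
        findings.append("client never left DHCP_REQD; WLC counted %d Discover / %d Request before the "
                        "DHCP Required policy expired" % (timeout["discover"], timeout["request"]))
    if orphan_ips:
        findings.append("client sent non-DHCP traffic from %s while still in DHCP_REQD "
                        "(static or cached address)" % ", ".join(sorted(orphan_ips)))
    if dhcp_vlans and policy_vlans and not (dhcp_vlans & policy_vlans):
        findings.append("DHCP seen on VLAN %s but the client's policy VLAN is %s"
                        % (sorted(dhcp_vlans), sorted(policy_vlans)))
    if deauth and timeout is not None:
        findings.append("Deauthenticate followed the policy timeout (expected with DHCP Required enabled)")
    return {
        "states": states,
        "last_state": states[-1] if states else None,
        "dhcp_ops": dict(dhcp_ops),
        "dhcp_vlans": sorted(dhcp_vlans),
        "policy_vlans": sorted(policy_vlans),
        "orphan_ips": sorted(orphan_ips),
        "policy_timeout": timeout,
        "deauth": deauth,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE, "6c:88:14:f5:38:18")["findings"]:
        print("-", line)
```

Run it against the full capture (`triage(open("debug.txt").read(), mac)`) rather than the sample; a healthy client shows `RUN` in `states` and an empty `findings` list, and a client that really is not doing DHCP shows exactly the first and last findings.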

  • Cisco ISE posture check for VPN

    Hello community,
    First of all, thank you for taking the time to read my post. I have a deployment which requires posture checks on VPN machines from Cisco ISE. I know that logically, once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the AnyConnect agent, but how about VPN machines? The VPN will be terminated via a VPN concentrator which then connects to an ASA5555X which is deployed as an IPS only. Are there any clues to this?
    Thank you!

    Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.
    The results of the posture validation are then sent to the ISE. If the machine is deemed compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
    http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

  • ISE 1.2 Guest Portal Profiling Certainty Factor does not Increase

    Hi, I have configured the ISE 1.2 Guest Portal and checked profiling to see which device logs in, but I found that the endpoint profile does not match after the user successfully authenticates.
    The profiling configuration and endpoint detail are in the attachment below.

    Hi salodh
    As you can see in the attached files, all profiling is configured correctly and the condition should match according to User-Agent Contains Android (profile3.png), and the Certainty Factor must increase (profile2.png) in this case, but the Total Certainty Factor is still 0 in the endpoint profile (profile1.png).

  • WLC to ISE authentication for Guest

    Hi Experts,
    I hope you could guide me with our setup for guest users. Below is what we are doing:
    a) Guest connects to SSID
    b) WLC is being used to redirect guest HTTP to the WLC internal portal
    c) WLC forwards guest authentication details to Cisco ISE [ISE and WLC RADIUS]
    The guest connects to the SSID and does get the WLC portal for authentication; when the username and password are entered, on Cisco ISE I see the error message
    'User Identity not found in any of Identity Store', though it is going through the correct store and the guest name is certainly configured on Cisco ISE. The ISE version is 1.2 and the WLC is 7.4; please let me know if I am missing anything here.
    Appreciate your help

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow the guide below for step-by-step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

    We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
    They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
    From what I knew prior to researching this request, the NAC agent is only compatible with endpoints running Windows or Mac OS X.
    Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these types of checks possible with Cisco ISE posture assessment on a Linux endpoint?
    One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
    I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
    Any thoughts? Thanks in advance.

    Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
    Thank you for rating helpful posts!

  • ISE 1.3 Guest API - using custom fields for guest creation?

    I am currently working with the new ISE 1.3 guest API. I have most everything working; I can create guests fine, with the basic information entered into the guest account like first name, last name, company, email, phone and so on. Now I need some more fields to enter other information for that guest, and I have created 5 extra custom fields called option1-option5 and enabled them for the "Known Guests" page on my sponsor portal. I cannot, however, figure out how they should be addressed in the XML input sent in the API request... anyone tried this?
    Regards
    Jan

    Hi Johan,
    Sure, I can lead you on the way. The stuff I am doing is part of a complete system I build and sell, which integrates with ISE to give customers the ability to create guest accounts using a number of different social media (Facebook, Google and so on) to self-provision accounts for guest access (and many other things :-)
    I mainly use PHP for this, and for simplicity you can use a curl command line executed by any scripting you prefer, or use any curl library you might have available to you.
    So, you need an ISE sponsor account that has the "API usage flag" allowed in the sponsor group it is a member of. Then you need to know a few things about the ISE setup that need to be sent with your request to ISE, to allow the creation of a guest account.
    If you need some code examples, send me a PM and we can figure something out.
    API Reference :
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/api_ref_guide/api_ref_book/ise_api_ref_guest.html

  • Cisco ISE or NAC Guest with web security (IronPort) integration

    All,
    We have a scenario where guests will be authenticated against the ISE or NAC Guest Server, and the customer will place an IronPort to provide web security. However, we cannot find references on whether IronPort can or cannot integrate with the Guest Server, so that guests are not requested to authenticate twice, once by the Guest Server and once by the proxy. The idea is to keep it transparent for the guests with a single authentication.
    Has anyone there implemented such scenario?
    Thank you!

    I see. So, let's say we disable proxy authentication for the guest segment; can I still provide content filtering for the segment, even though there is no proxy authentication? I assume the customer will lose the reporting and tracking granularity, but the scenario will work without proxy authentication. This may be some sort of "man in the middle" only, but with content filtering. Does it make sense?
    Thank you!

  • Maximum number of wired guest clients ??

    Does anybody know what the maximum number of simultaneous wired guest clients is on a 5508? And on a 2112 controller?
    Do wired clients count as wireless clients?
    What about anchoring limitations, what is the effect of wired guest clients on the anchor controller?

    2100 series WLCs do not support Wired Guest Access; 5500 WLCs support it, and I guess the 5508 WLC can support a maximum of 150 simultaneous logins.
    Let me know if this answered your question, and please don't forget to rate the useful posts!!
    Regards
    Surendra

  • ISE Posture Assessment

    Hi,
    While reading about ISE posture, I got to know that ISE searches the "User Agent" attribute for the string "NAC Agent" to confirm that the NAC agent is present on a particular machine. This information is passed to ISE when the user opens a web browser, i.e. the user gets redirected.
    If the NAC agent is not present on the machine, then the NAC agent will get downloaded and then posture assessment starts.
    While testing this on ISE, I noticed that
    if the NAC agent is already present on the machine, then posture assessment starts directly, even without opening a web browser.
    Now my question is, how does ISE come to know that the NAC agent is already present on the machine without opening a web browser?
    Regards,
    Aditya

    I second Richard on the fact that it can't be done. However, I was going through this and wanted to share in case it helps.
    Default Posture Status
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1919363
    Jatin Katyal
    - Do rate helpful posts -

  • ISE posture requirement to check if endpoint's USB port is disabled

    Hi,
I wonder if it is possible to set a disabled USB port on the endpoints as a requirement in ISE Posture?
    Appreciate your input.
    Mike

If your question pertains to the capability of ISE disabling the USB port on a PC, then the answer is no.
Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.
    You would have to create a New Posture Condition and Remediations.
    The condition that I will use in this example is a Registry Key.
    If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, the USB is enabled.  A value of 4 is disabled.
    So set a Posture Condition:
    Click Policy > Policy Elements > Conditions
    Choose Posture from the left menu:
    Then choose Registry Condition from the left menu.
    Click +Add to add a new Posture Condition:
    Then you have to create Remediation Actions.  Click the Results button at the top of the left Menu:
    Choose Remediation Actions and choose the Remediation you want to use.  I chose Link Remediation.
    +Add to add a new Link Remediation:
    Then choose Requirements from the left menu and create a new Remediation Result:
    Of course, you can choose different remediations as necessary for your environment.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
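The registry condition in the answer above can be exercised on the endpoint before it is built into ISE. The following is an added illustration, not Cisco or ISE code: it evaluates the UsbStor Start value the way the posture condition does (4 = disabled, compliant; 3 = demand start, which is the Windows default and means the USB mass-storage driver is enabled), reads the live value with the standard `winreg` module when run on Windows, and offers a local remediation that sets Start to 4 (needs administrative rights). The function names and the "missing value is non-compliant" rule are choices made for this example. Keep in mind that this key governs only the USB mass-storage class driver (USBSTOR), not other USB device classes.

```python
"""Endpoint-side evaluation of the UsbStor posture condition.

Added example, not ISE/NAC Agent code. On non-Windows hosts the registry
helpers return None / raise, so only the evaluation logic runs there.
"""
import sys

USBSTOR_KEY = r"SYSTEM\CurrentControlSet\Services\UsbStor"
COMPLIANT_START = 4  # service disabled, as in the posture condition above

# Standard Windows service Start values (SERVICE_*_START types).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def evaluate_usbstor(start_value):
    """Return (compliant, reason) for a Start value read from the registry.

    A missing value (None) is treated as non-compliant here, because the
    condition cannot confirm that the mass-storage driver is disabled.
    """
    if start_value is None:
        return False, "UsbStor\\Start not found; driver state unknown"
    if isinstance(start_value, bool) or start_value not in START_TYPES:
        return False, f"unexpected Start value {start_value!r}"
    if start_value == COMPLIANT_START:
        return True, "USB mass storage driver disabled (Start=4)"
    return False, (f"USB mass storage driver enabled "
                   f"(Start={start_value}, {START_TYPES[start_value]})")


def read_usbstor_start():
    """Read HKLM\\...\\UsbStor\\Start. None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_KEY) as key:
            value, kind = winreg.QueryValueEx(key, "Start")
    except OSError:
        return None
    return value if kind == winreg.REG_DWORD else None


def remediate_usbstor():
    """Local remediation: set Start=4. Needs Windows and admin rights."""
    if sys.platform != "win32":
        raise RuntimeError("registry remediation only applies to Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "Start", 0, winreg.REG_DWORD, COMPLIANT_START)
    return read_usbstor_start() == COMPLIANT_START


if __name__ == "__main__":
    ok, why = evaluate_usbstor(read_usbstor_start())
    print("compliant" if ok else "non-compliant", "-", why)
```

Running it on a domain PC before rolling out the posture requirement tells you how many machines will land in the remediation flow, and whether a group policy that already sets Start=4 is actually applied where you think it is.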

  • Total throughput and client limitations per guest anchor controller; 7,000 guest clients

    When I read the specs of a Cisco 5508WLC I read the following : 
    Cisco 5508 Wireless LAN Controller (WLC) – 8 Gbps and 7,000 guest clients
What happens when client 7001 tries to connect? Is this hardcoded like the max 500 APs limit? Or is this just a guideline?

7000 is the number of entries it can handle in its client database, so you cannot have more than 7000 clients on a single 5508.
    HTH
    Rasika
**** Pls rate all useful responses ****

  • ISE, BYOD: guest clients provisioning

    Hello!
The question is about provisioning different types of Wi-Fi clients through the ISE Guest portal.
    ISE 1.1.4, WLC 7.4.100 (Guest WLAN uses MAB)
    Suppose, there are two groups of wireless clients:
1) guest user, whose credentials are created through the ISE Sponsor Portal
    2) domain user, who has credentials in ActiveDirectory
    The aim is to provision domain user, and not provision guest user.
When a client connects to the Guest SSID and opens the browser, it is redirected to the ISE Guest portal.
When the client uses a domain user, it is provisioned, and when it uses guest credentials it is not provisioned.
How does ISE understand that the domain user must be provisioned and the guest user must not be provisioned if the Web portal is configured to provision everyone?
    (Web Portal -> Settings -> Enable Self-Provisioning flow)

The answer is that typically you either know that MAC address or you have something installed (NAC agent?) and fulfill some requirements.
Alternatively, you can perform CWA first (and...)
    Then if user is part of guest users -> allow internet only access
    If user is part of AD -> send him to do registration.
    Authorization policy allows you to use "identity group" as part of condition.
    If device registered -> allow full access. (just an idea).
    M.
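The branching M. sketches (CWA first, then internet-only for guests, registration for AD users, full access for registered devices) depends on rule order, because an ISE authorization policy is evaluated top-down and the first matching rule wins. The following is an added model of that evaluation, not ISE configuration or API code: the rule names, session fields, identity-group labels and result profiles are made up for the example. It walks a domain user through the three stages and then shows what happens when the "registered device" rule is placed below the "AD user, go register" rule.

```python
"""Top-down, first-match authorization model for the guest/BYOD flow above.

Added example, not ISE configuration. Rule and profile names are invented.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Session:
    mac: str
    username: str = ""                        # set once CWA has succeeded
    identity_groups: frozenset = frozenset()  # e.g. {"GuestUsers"} or {"AD:Domain Users"}
    device_registered: bool = False           # endpoint is in the registered-devices group
    web_authenticated: bool = False           # CWA completed


Rule = Tuple[str, Callable[[Session], bool], str]


def is_guest(s: Session) -> bool:
    return "GuestUsers" in s.identity_groups


def is_domain_user(s: Session) -> bool:
    return any(g.startswith("AD:") for g in s.identity_groups)


# Order matters: the first rule whose condition holds decides the result.
POLICY: List[Rule] = [
    ("Wireless_MAB_CWA",     lambda s: not s.web_authenticated,                     "CWA-Redirect"),
    ("Registered_Device",    lambda s: s.web_authenticated and s.device_registered, "PermitAccess"),
    ("Domain_User_Register", lambda s: s.web_authenticated and is_domain_user(s),   "NSP-Redirect"),
    ("Guest_Internet_Only",  lambda s: s.web_authenticated and is_guest(s),         "Internet-Only"),
]
DEFAULT_PROFILE = "DenyAccess"


def authorize(session: Session, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (matched rule name, authorization profile)."""
    for name, condition, profile in policy:
        if condition(session):
            return name, profile
    return "Default", DEFAULT_PROFILE


def walk_domain_user() -> List[str]:
    """Profiles a domain user receives: before CWA, after CWA, after registration."""
    s = Session(mac="00:11:22:33:44:55")            # constructed sample endpoint
    stages = [authorize(s)[1]]
    s.web_authenticated = True
    s.username = "alice"
    s.identity_groups = frozenset({"AD:Domain Users"})
    stages.append(authorize(s)[1])
    s.device_registered = True
    stages.append(authorize(s)[1])
    return stages


def walk_guest_user() -> str:
    """A sponsor-created guest never gets sent to device registration."""
    s = Session(mac="66:77:88:99:aa:bb", username="visitor01",
                identity_groups=frozenset({"GuestUsers"}), web_authenticated=True)
    return authorize(s)[1]


def misordered_policy_result() -> str:
    """Swap the two middle rules: a registered domain user is sent back to
    registration forever, because the AD rule now matches first."""
    swapped = [POLICY[0], POLICY[2], POLICY[1], POLICY[3]]
    s = Session(mac="00:11:22:33:44:55", username="alice",
                identity_groups=frozenset({"AD:Domain Users"}),
                device_registered=True, web_authenticated=True)
    return authorize(s, swapped)[1]


if __name__ == "__main__":
    print("domain user:", walk_domain_user())
    print("guest user:", walk_guest_user())
    print("misordered:", misordered_policy_result())
```

The misordered case is the one to look for when users report a registration loop: the condition on the "register" rule needs to exclude already-registered endpoints, or the "registered" rule must sit above it.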
