ISE Probe attribute overlap

I'm curious what the logic is in ISE 1.3 when more than one probe reports different information for an endpoint. Say an endpoint with a MAC address gets identified, and next it gets two different IP addresses for the same MAC, from the DHCP probe and maybe from the SNMP CDP cache probe. Which one will it prefer? It appears that maybe it takes the last probe update received, regardless of the probe; is that correct?

Profiling attributes are constantly collected and stored in the ISE database. One attribute is not preferred over another. Instead, it is the profiling rules that decide how a device is profiled. More specifically, profiling rules with a higher Certainty Factor are preferred over the others. For instance, a device is profiled as a "Cisco Phone" with a CF=10. Later on, more attributes are collected, and now ISE has enough information to match a Profiling Rule for Cisco-IP-Phone-7945 with CF=30. As a result, the device will be profiled as a Cisco-IP-Phone-7945.
I hope this helps!
Thank you for rating helpful posts!
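The Certainty Factor logic described in the answer above, as an added worked model (not ISE's code or the poster's). The policy names, the +10/+20/CF 30 values and the "OCSPD" User-Agent are taken from the threads on this page; the cdpCachePlatform condition, the MAC address and the probe event sequences are constructed assumptions.

```python
"""Added illustration (not ISE code): probe attributes merge into one endpoint
record; policies are scored by Certainty Factor (CF) and the highest CF wins."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, str]

@dataclass
class Endpoint:
    mac: str
    attrs: Attrs = field(default_factory=dict)
    profile: str = "Unknown"
    cf: int = 0

    def collect(self, probe: str, reported: Attrs) -> None:
        """Store what a probe reported. No probe is preferred over another;
        each attribute simply keeps the value reported most recently."""
        self.attrs.update(reported)
        self.attrs["EndPointSource"] = probe

@dataclass
class Policy:
    name: str
    parent: Optional[str]   # parent in the profiler hierarchy, None for a root
    min_cf: int             # minimum total CF needed to match this policy
    conditions: List[Tuple[Callable[[Attrs], bool], int]]  # (check, CF)

    def own_cf(self, attrs: Attrs) -> int:
        return sum(cf for check, cf in self.conditions if check(attrs))

def contains(attr: str, text: str) -> Callable[[Attrs], bool]:
    return lambda a: text.lower() in a.get(attr, "").lower()

def build_policies() -> List[Policy]:
    """Constructed policies using the CF values quoted on this page (OUI +10,
    User-Agent/hostname +20); the cdpCachePlatform condition is an assumption."""
    return [
        Policy("Apple-Device", None, 10, [(contains("OUI", "Apple"), 10)]),
        Policy("Apple-iPhone", "Apple-Device", 30,
               [(contains("User-Agent", "iPhone"), 20),
                (contains("host-name", "iPhone"), 20)]),
        Policy("Cisco-Device", None, 10, [(contains("OUI", "Cisco"), 10)]),
        Policy("Cisco-IP-Phone-7945", "Cisco-Device", 30,
               [(contains("cdpCachePlatform", "7945"), 20)]),
    ]

def evaluate(policies: List[Policy], attrs: Attrs) -> Dict[str, int]:
    """Total CF of every policy that reaches its minimum. A child policy is
    only considered once its parent matched, and it inherits the parent's CF."""
    totals: Dict[str, int] = {}

    def walk(policy: Policy, inherited: int) -> None:
        total = inherited + policy.own_cf(attrs)
        if total < policy.min_cf:
            return
        totals[policy.name] = total
        for child in policies:
            if child.parent == policy.name:
                walk(child, total)

    for root in policies:
        if root.parent is None:
            walk(root, 0)
    return totals

def reprofile(ep: Endpoint, policies: List[Policy]) -> Tuple[str, int]:
    """Re-evaluate after new attributes arrive. The policy changes only for a
    strictly higher CF, so a later, less useful User-Agent cannot undo a match."""
    totals = evaluate(policies, ep.attrs)
    if totals:
        best, best_cf = max(totals.items(), key=lambda kv: kv[1])
        if best_cf > ep.cf:
            ep.profile, ep.cf = best, best_cf
    return ep.profile, ep.cf

def replay(events: List[Tuple[str, Attrs]]) -> List[Tuple[str, int]]:
    """Feed probe events to one endpoint and record (profile, CF) after each."""
    ep, policies = Endpoint("00:11:22:33:44:55"), build_policies()  # MAC made up
    history = []
    for probe, reported in events:
        ep.collect(probe, reported)
        history.append(reprofile(ep, policies))
    return history

# Constructed event sequences. The OCSPD User-Agent is the one quoted on this
# page; it overwrites the browser User-Agent but cannot lower the profile.
IPHONE_EVENTS = [
    ("RADIUS Probe", {"OUI": "Apple, Inc."}),
    ("HTTP Probe", {"User-Agent": "OCSPD\\1.0.2"}),
    ("HTTP Probe", {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X)"}),
    ("HTTP Probe", {"User-Agent": "OCSPD\\1.0.2"}),
]
PHONE_EVENTS = [
    ("RADIUS Probe", {"OUI": "Cisco Systems, Inc"}),
    ("SNMP Query Probe", {"cdpCachePlatform": "Cisco IP Phone 7945"}),
]

if __name__ == "__main__":
    print(replay(IPHONE_EVENTS))  # Apple-Device 10, 10, then Apple-iPhone 30, 30
    print(replay(PHONE_EVENTS))   # Cisco-Device 10, then Cisco-IP-Phone-7945 30
```

The fourth iPhone event shows the point made in the ISE 1.2 profiling thread below: an overwritten User-Agent does not re-profile the endpoint unless a rule with a higher CF is hit.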

Similar Messages

  • ISE Guest webauth error

    Using central web auth 802.1x on a 3560 to ISE. I get to the web portal fine and was able to log in with the guest account and change the password. Now, every time I log in and get redirected to the portal, I get "Your session has expired. Please login again". The error in ISE shows up as Guest authentication failed: 86017: Session cache entry missing.
    From the ISE log
    Other Attributes:
    ConfigVersionId=56,PortalName=DefaultGuestPortal,CPMSessionID=0A0A084E0000001B4CCB2B1B
    From the switch show authentication sessions
    ISE-test#sh authentication sessions int fa0/1
                Interface:  FastEthernet0/1
              MAC Address:  5c26.0a38.a800
               IP Address:  172.31.255.15
                User-Name:  5C-26-0A-38-A8-00
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://oranetise01.naismc.com:8443/guestportal/gateway?sessionId=0A0A084E0000001B4CCB2B1B&action=cwa
          Session timeout:  3600s (local), Remaining: 1324s
           Timeout action:  Reauthenticate
             Idle timeout:  900s (local), Remaining: 418s
        Common Session ID:  0A0A084E0000001B4CCB2B1B
          Acct Session ID:  0x000001C8
                   Handle:  0xC400001C
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
                Interface:  FastEthernet0/1
              MAC Address:  0004.f21c.66a9
               IP Address:  10.20.0.177
                User-Name:  00-04-F2-1C-66-A9
                   Status:  Authz Success
                   Domain:  VOICE
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
          Session timeout:  3600s (local), Remaining: 1253s
           Timeout action:  Reauthenticate
             Idle timeout:  N/A
        Common Session ID:  0A0A084E000000161ED6CBD9
          Acct Session ID:  0x000000F2
                   Handle:  0x19000017
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    The session ID from the browser of the PC seems to match the above session IDs.  I'm at a loss.

    And now it works and I didn't change anything.  How is the session ID generated and for how long does it last? Maybe it finally timed out and generated a new one.  The PC stayed connected to the port the entire time and was not rebooted either.
    From ISE
    Other Attributes:
    ConfigVersionId=56,EndPointMACAddress=5C-26-0A-38-A8-00,PortalName=DefaultGuestPortal,CPMSessionID=0A0A084E0000001B4CCB2B1B
    sh authentication sessions int fa0/1
                Interface:  FastEthernet0/1
              MAC Address:  5c26.0a38.a800
               IP Address:  172.31.255.15
                User-Name: 
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  46
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
          Session timeout:  3600s (local), Remaining: 3357s
           Timeout action:  Reauthenticate
             Idle timeout:  900s (local), Remaining: 657s
        Common Session ID:  0A0A084E0000001B4CCB2B1B
          Acct Session ID:  0x000001C8
                   Handle:  0xC400001C
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
                Interface:  FastEthernet0/1
              MAC Address:  0004.f21c.66a9
               IP Address:  10.20.0.177
                User-Name:  00-04-F2-1C-66-A9
                   Status:  Authz Success
                   Domain:  VOICE
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
          Session timeout:  3600s (local), Remaining: 1644s
           Timeout action:  Reauthenticate
             Idle timeout:  N/A
        Common Session ID:  0A0A084E000000161ED6CBD9
          Acct Session ID:  0x000000F2
                   Handle:  0x19000017
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run

  • ISE 1.2 Profiling - User Agent attribute incorrect

    Hi all,
    Just troubleshooting some profiling issues and have found that multiple devices are profiling incorrectly, e.g. Mac OS X profiling as Apple-Device. Basically the issue is that the user-agent string profiled by ISE is incorrect, meaning that only the OUI is matched. During the BYOD onboarding process, non-Internet-Browser applications and services (games and OCSP daemons etc.) are presenting their specific user-agent strings, e.g. "OCSPD\1.0.2", to ISE, resulting in incorrect profiling.
    Does anybody have any suggestions on how to resolve this issue, as it is resulting in about 50% of devices being profiled at the "top level", i.e. Apple-Device or Windows Workstation (anything based on User-Agent)? Can anyone explain whether the profiler works on the basis of the first agent received or the last agent received, and why it doesn't hold onto a list of presented agents to make a decision? In my mind this is a pretty big issue in that some of the more popular device profiling policies are based on a user-agent string, thus potentially preventing you from defining tight Authz policies, e.g. iPad only etc.

    "Unless you have suppression configured, ISE will continue to collect profiling data and will re-profile a device as long as a rule with higher certainty factor is hit. However, if the certainty factor is the same the device will remain at its originally profiled group."
    The suppression feature will not affect the re-profiling of a device. The suppression only affects the logging on the MnT node. Since profiling is a PSN function, the suppression has no effect on the outcome of a profiling event.
    You are correct in that a rule with a higher certainty factor "wins" and this is the profile that is chosen. Again, an understanding of how profiles work is not the issue here.
    For example, say only the RADIUS and HTTP probes are being utilized for an endpoint. There are two endpoints: one is an iPad and the other an iPhone. The endpoint attributes that are known about the device are the MAC OUI and the user agent.
    Based on the default profiling rules there are two things that need to be identified for either an iPhone or an iPad. The first common item is that the MAC OUI is identified as Apple. This increases the certainty factor by 10. The second is either the HTTP User-Agent containing iPad/iPhone or the DHCP hostname containing iPad/iPhone. Both of those conditions would increase the certainty factor by 20, for a total of 30. Since DHCP is not being used in this example, we can remove that as a possibility and say that for an iPhone to be profiled as an iPhone it must both have a MAC OUI of Apple and the user agent must contain iPhone. The same goes for iPad, but with iPad in the user agent.
    Like smcbridebpc stated, every application that uses HTTP will have a user-agent string. The profiler rules assume that the user agent being used contains either the word iPhone or iPad to distinguish these types of devices. If an application on the device sends a user-agent string such as "OCSPD\1.0.2", which is obviously the OCSP daemon, this user-agent string is "stuck" on the endpoint and no other usable user agents can be used to profile the device. Therefore a race condition exists, and depending on which application wins, the profiler will be accurate or not.
    The only two solutions that I can think of would be to have a user-agent filter that would allow you to manually filter out user agents like "OCSPD\1.0.2" (or the ISE developers could filter known unusable user agents out on the backend), OR every time a new user agent is presented to the profiler for a device, the user agent is joined to a list of user agents.
    If the user agent was overwritten every time a new user agent was presented, then it would cause the device to be reclassified every time the different applications presented user agents, which would not be good.
    It does look like a bug may have been filed and marked as fixed in a pending release, but the bug notes do not list enough information to identify if this is the same issue that we are seeing.
    https://tools.cisco.com/bugsearch/bug/CSCuj45373

  • RADIUS Probe on WLC for ISE

    I am doing a Proof-of-Concept for wireless, and I'm getting the infamous "Unknown" endpoint for a device that should be getting profiled as a Windows-Workstation based on the info that I received from the Identity-Endpoints section. My question is whether it is possible to pull out the information from the attribute list of the endpoint (such as tcp port 135) to use as a profile?
    Here are the attributes:
    Endpoint
    * MAC Address 
    * Policy Assignment      
    Static Assignment        
    * Identity Group Assignment      
    Static Group Assignment           
    Attribute List
    135-tcp msrpc
    139-tcp netbios-ssn
    3389-tcp            ms-term-serv
    445-tcp microsoft-ds
    ADDomain         truncated
    AcsSessionID    ise-poc/133205055/184
    Airespace-Wlan-Id          10
    AuthState          Authenticated
    AuthenticationIdentityStore         AD1
    AuthenticationMethod     MSCHAPV2
    AuthorizationPolicyMatchedRule truncated
    CPMSessionID  0a64001d00000005502568b6
    Called-Station-ID            64-d9-89-43-09-70:NACTEST1
    Calling-Station-ID           18-3d-a2-92-0a-ec
    DestinationIPAddress    
    DestinationPort  1812
    Device IP Address         
    Device Type       Device Type#All Device Types#WLCs
    DeviceRegistrationStatus            notRegistered
    EapAuthentication          EAP-MSCHAPv2
    EapTunnel         PEAP
    EndPointMACAddress    18-3D-A2-92-0A-EC
    EndPointMatchedProfile Unknown
    EndPointPolicy  Unknown
    EndPointProfilerServer    ise-poc
    EndPointSource RADIUS Probe
    ExternalGroups  ad.tdfadfa.org/departments/is/groups/sms-remote\,truncated
    FQDN   lc20-isnetwrk03.ad.xxxxxx.orgg.
    Framed-IP-Address       
    IdentityAccessRestricted            false
    IdentityGroup     Unknown
    IdentityPolicyMatchedRule          Default
    LastNmapScanTime       2012-Aug-10 16:30:41 CDT
    Location            Location#All Locations#
    MACAddress     18:3D:A2:92:0A:EC
    MatchedPolicy   Unknown
    MessageCode   5200
    Model Name      Unknown
    NAS-IP-Address            truncated
    NAS-Identifier    truncated
    NAS-Port          13
    NAS-Port-Type  Wireless - IEEE 802.11
    NetworkDeviceGroups    Device Type#All Device Types#WLCs, Location#All Locations#truncated
    NetworkDeviceName      WLC09
    NmapScanCount            2
    OUI       Intel Corporate
    PolicyVersion    4
    PostureAssessmentStatus         NotApplicable
    RequestLatency 54
    Response          {User-Name=foo\\webb; State=ReauthSession:0a64001d00000005502568b6; Class=CACS:0a64001d00000005502568b6:-poc/133205055/184; Termination-Action=RADIUS-Request; MS-MPPE-Send-Key=9c:b0:32:f4:ec:35:91:8a:6a:fc:87:05:ba:6a:4a:3c:fd:7e:3a:bb:ff:dc:c6:cd:36:ed:14:63:3b:88:34:18; MS-MPPE-Recv-Key=16:62:80:7d:6f:1e:09:5f:24:ed:f5:5e:c5:af:7d:fb:ef:95:c4:12:f8:55:f8:52:da:dd:b0:7b:9f:69:04:ce; }
    SelectedAccessService  Default Network Access
    SelectedAuthenticationIdentityStores       AD1, Internal Users, Internal Endpoints
    SelectedAuthorizationProfiles      PermitAccess
    Service-Type      Framed
    Software Version            Unknown
    StaticAssignment          false
    StaticGroupAssignment  false
    Total Certainty Factor     0
    attribute-52        00:00:00:00
    attribute-53        00:00:00:00
    cisco-av-pair      audit-session-id=0a64001d00000005502568b6
    ip          truncated
    operating-system           Microsoft Windows XP SP2 or SP3

    James,
    That is possible, but do you have the DHCP probe enabled, and have you thought about setting up an ip helper statement or assigning the ISE node as one of the DHCP servers on the WLC?
    There is a built-in check such that if the DHCP class identifier contains MSFT, it will profile the endpoint as a Windows workstation.
    However, if this is not the case, then you can create the following condition under Policy Elements > Conditions > Profiling > New Profiler Condition: use the Create (Advanced...) option, then select NMAP > 135-tcp, then set the operator EQUALS to msrpc.
    Then go under the Microsoft-Workstation policy and select the option to create a matching identity group (it's much easier rather than using the hierarchy option) and set the certainty factor to 30. Then add this new condition and set its certainty to 30 also.
    Hope that helps,
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.2 IETF Attribute 88 Framed-Pool not available

    Using ISE 1.2 and setting up a new Radius Server Sequence, I am unable to use IETF Radius attribute 88 (Framed-Pool) as it is not displayed in the Radius IETF Dictionary.
    Is there a reason for this? Most other IETF attributes are available; I am curious as to why this one is missing.
    Thanks

    Can you please provide me the output of "show version" from ISE CLI.
    Regards,
    Jatin Katyal
    ** Do rate helpful posts**

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer, and there is no requirement for wireless or guest users at the moment. I've got 2 points I would like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MnTs and PSNs from this subnet. All device admin, clustering, config replication, etc. will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface, which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and would ideally like to have just one additional ip helper to add to our switch SVI config. Also, it appears that WLCs can only be configured for 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN into scope. We use ACE load balancers within our DC and, from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed, so you should be good there.
    You can configure RADIUS and Profiling to be enabled on other interfaces.
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network.
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2:
    If you are using a Cisco WLC and running code 7.4 or newer, you don't need to mess with the IP helper configurations.
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    - Option 12: HostName of the client
    - Option 60: The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which in turn transmits it to ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC.
    On the other hand, you can also use Anycast for profiling. You can check out some of the Cisco Live sessions for more info on that. Here is one from a couple of years ago (there are more recent ones available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!

  • How to add attribute to ISE 1.2

    The authentication details page shows under "Other Attributes" an attribute called SelectedAuthenticationIdentityStores
    Is there a way I can create rules based on this attribute? I can't find it anywhere in the policy conditions options.
    Thanks in advance!

    I need to create an authorization condition that includes an external identity source. That does not appear to be an option so I want to add the SelectedAuthenticationIdentityStores attribute so I can create authorization conditions based on which identity store is used.
    This would be very simple if ISE would let you choose an external identity source in your second screenshot, but unfortunately it only allows you to select internal identity groups.
    Unless I'm missing something? Thank you for the help.
    EDIT:
    I actually need to create an authorization policy based on the "Identity Store" attribute, see picture. Is there a way to add this to the dictionary?

  • Cisco 2960-X & ISE accounting- username Radius attribute missing

    Hi,
    I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
    - Username (vendor1) is configured in the ISE local database, under group (VENDOR)
    - Authentication protocol: wired MAB
    - Authentication method: webauth using the guest portal; the user is a vendor, so no dot1x is configured on his NIC.
    The problem is that the switch is not sending the username as part of the RADIUS attributes. In the authentication log, the username is shown as the MAC address of the user machine; therefore, I cannot configure my authorization condition using InternalUser:Name EQUALS vendor1,
    while if I configure the condition using the identity group condition IdentityGroup:Name EQUALS VENDOR, it works.
    The same configuration is working on a 3750 switch with no issue.
    Here is my Switch config:
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa authorization auth-proxy default group radius 
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 5
    username admin password 
    username radius-test password 
    aaa server radius dynamic-author
     client 172.16.2.20 server-key 7 04490A0206345F450C00
     client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
    radius server ISE-RADIUS-1
     address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 111B18011E0718070133
    radius server ISE-RADIUS-2
     address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 0214055F02131C2A4957
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    Any help!!!

    Thanks for your reply. I know what MAB is; if you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending RADIUS attribute type 1 to ISE; thus, in the ISE authentication log the MAC address of the client machine is shown as the username, not the actual username (vendor1).
    As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960X only.

  • ISE Not Identifying AD Group Attributes when using Multiple ISE Servers

    So we have multiple ISE servers with differing personas. I was having an issue with our new ISE setup not identifying AD group attributes when using them in authorization rules.
    We have 2 x 3395 appliances running Admin and Monitoring/Troubleshooting personas and 2 x 3395 appliances running as Policy Server personas. We are running v1.1.1.268 with the latest two patches.
    I was unable to pull Active Directory group attributes into any of my authorization rules. After resyncing all the boxes with the Primary Administration box I was able to do this. There are no bug listings for this occurrence, nor do we have Smartnet to call support for other reasons. I thought this might be useful to someone who is having the same issue and is unable to figure it out with TAC.
    -CC

    Absolutely. All units said in-sync after setting their personas.
    Here is our layout:
    ISE-ADM-01  Admin-Primary, Monitoring-Secondary
    ISE-ADM-02  Admin-Secondary, Monitoring-Primary
    ISE-PDP-01  Policy Only
    ISE-PDP-02  Policy Only
    I synced one at a time starting with ADM-02. After completing the other two boxes. Active Directory Attribs were pulled down when using them in the Ext Group within my Authz rules.
    -CC

  • ISE External RADIUS proxy remove attributes

    Hi all,
    I set up external RADIUS for authenticating external users on ISE 1.2. I need to remove all attributes received from the external RADIUS, but I cannot find how to do it.
    I checked the option
    On Access-Accept, continue to Authorization Policy
    in the RADIUS server sequence Advanced Attribute settings,
    and in the authorization policy I set up the proper attributes, but I found the attributes from the external RADIUS server are in the Access-Accept response too.
    This is RADIUS debug from the switch:
    Apr 10 09:35:51 CEST: RADIUS: User-Name [1] 17 "xxxxxxxxxxxxx"
    Apr 10 09:35:51 CEST: RADIUS: Session-Timeout [27] 6 3600
    Apr 10 09:35:51 CEST: RADIUS: Termination-Action [29] 6 1
    Apr 10 09:35:51 CEST: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
    Apr 10 09:35:51 CEST: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
    Apr 10 09:35:51 CEST: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
    Apr 10 09:35:51 CEST: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
    Apr 10 09:35:51 CEST: RADIUS: EAP-Message [79] 6
    Apr 10 09:35:51 CEST: RADIUS: 03 08 00 04
    Apr 10 09:35:51 CEST: RADIUS: Message-Authenticato[80] 18
    Apr 10 09:35:51 CEST: RADIUS: BA 8C BC 8D 69 23 2B 7D 8A 70 20 D4 DE 96 0B E2 [ i#+}p ]
    Apr 10 09:35:51 CEST: RADIUS: Tunnel-Private-Group[81] 4 "17"
    Apr 10 09:35:51 CEST: RADIUS: Tunnel-Private-Group[81] 7 01:"v230"
    Apr 10 09:35:51 CEST: RADIUS: Vendor, Cisco [26] 22
    Apr 10 09:35:51 CEST: RADIUS: Cisco AVpair [1] 16 ""ssid=eduroam""
    Apr 10 09:35:51 CEST: RADIUS: Vendor, Cisco [26] 37
    Apr 10 09:35:51 CEST: RADIUS: Cisco AVpair [1] 31 "termination-action-modifier=1"
    Apr 10 09:35:51 CEST: RADIUS: Vendor, Microsoft [26] 58
    Apr 10 09:35:51 CEST: RADIUS: MS-MPPE-Send-Key [16] 52 *
    Apr 10 09:35:51 CEST: RADIUS: Vendor, Microsoft [26] 58
    Apr 10 09:35:51 CEST: RADIUS: MS-MPPE-Recv-Key [17] 52 *
    As you can see, a lot of attributes are in the response twice. I need only "v230" set as the VLAN ID.
    I looked for a way of removing the attributes, but the "Modify attribute" settings (either "in the request" or "before access-accept") offer only a subset of RADIUS attributes. I need to remove attribute 81, Tunnel-Private-Group-ID, but it is not offered there.
    Can somebody advise me how to (ideally) remove all attributes from the external RADIUS, or at least remove a set of attributes, at minimum attribute 81?
    Thank you for any help.

    Thank you,
    I duplicated the Dot1x Authentication Rule, and changed allowed protocols to "RADIUS Server Sequence : MySequence"
    In the RADIUS Server Sequence under the advanced tab I have it set to "Continue to Authorization Policy".
    Which Authorization rule would match?
    Network Access:RADIUS Server Sequence EQUAL MySequence
    OR
    Network Access:UseCase EQUALS Proxy
    OR
    None of the above?
    Thanks

  • CSCui57775 - ISE 1.2 Cannot use some of the Radius Dictionary attributes

    ISE 1.2 as it's currently shipping does not allow the use of the Radius->IETF dictionary for test attributes.
    One of the things this broke was the ability to sort wireless locations by VLAN and SSID, in other words the ability to determine which AP group a session came from. We set up some tests in our POC to use the SSID from Called-Station-ID and the VLAN tag from Tunnel-Private-Group-ID to determine the AP group. We haven't found a good replacement, even with TAC looking for one.
    Does anyone have a way of determining the AP group besides building tables of access points?

    Hi,
    Forgot to write in this thread: I did a reboot of both ISE servers and after that it works as it should.
    Not the best solution, but it worked.
    Might be something with the AD connection that hung, I don't really know. But I have seen weird errors between ISE and AD before.
    Thanks

  • Machine Attribute Check in ISE. CAN IT BE DONE?

    Hello,
    I'm trying to build a BYOD policy in ISE 1.2. I would like ISE to get machine attributes as part of the authorization policy. Can this be done? I'm not talking about machine authentication. I need something that could be checked at any time.
    Thanks for any help!

    Machine Access Restriction for Active Directory User  Authorization
    Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
    Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
    When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications matching the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
    • If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
    • If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.
    Please check the below link.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wpxref41479

  • ISE is unable to retrieve groups and attributes

    Hello guys,
    I have Cisco ISE installed on ESXi in a lab. I was able to join the ISE server to my test Active Directory server, and under the OU=Computers, I can see my ISE hostname.
    However, when I go to Administration > External Identity Sources > Active Directory > Groups > Add > Select Group from Directory:
    I have my domain entered in the Domain box and an * for the filter. When I click the "Retrieve Groups" button, I always receive "Number of Groups Retrieved: 0 (Limit is 100)".
    It seems like ISE is unable to retrieve the groups that I have on my AD. I checked the status of my ISE server and it says that it is still connected to the domain. When I search for attributes, it keeps saying that the user is not found.
    I disabled my AD's firewall and I'm still getting the same results. I ran the detailed test connection, and it was a success and the port connections are all good. At this point, I am pretty much stuck.
    Any help would be greatly appreciated.
    Thanks

    I am sorry Jatin. I have another question.  I am working on Motorola RFS7000 WLC and Cisco ISE v1.1.1.
    I am not sure if I should create a new thread about the new issue I am having now.  I have successfully added my RFS controller and one AP7131 to ISE Network Devices. And I am able to login to these devices using my AD account. However, it is not allowing me to manage these devices.  I believe I am at exec mode. I SSH to my RFS and I can't even get to enable mode.

  • Problem with getting LDAP attributes on ISE when EAPChaining is enabled

    Hi All,
    Does anybody have an idea how to set up LDAP attribute retrieval with EAP Chaining enabled?
    My scenario is:
    - a user with AnyConnect (EAP-FAST) connects to the WLAN and sends their credentials
    - ISE authenticates the username and password against Active Directory
    - ISE should check whether the same userid has, in an LDAP directory (not AD, a different store), a special attribute which controls access to our WLAN
    - If the attribute is found, then the authorization profile is matched.
    This works when I disable EAP Chaining under Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols ...
    In the logs I've found that the user was not found in LDAP, but the user exists.
    Maybe the workaround could be if just the user from EAP Chaining is used and not also the hostname; then it could match. But I cannot find any similar parameter which returns only the user.
    Does anybody have an idea how to solve this?
    Thanks!
    K.

    Hi,
    This seems like a corner case, because EAP-FAST with LDAP is not supported. LDAP as a protocol doesn't support hash-based authentication, hence the reason ISE is failing to hit the LDAP database.
    Referencing ACS material since ISE docs are not complete:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html
    Sent from Cisco Technical Support Android App

  • ISE 1.1.1. and additional LDAP attribute retrieval

    Hello All,
    I'm authenticating users against Active Directory and want to also check additional attributes from LDAP. In ACS 5.3 it was possible to set this up via an External Identity Sequence, but in ISE I don't see this possibility. I can set a sequence only for authentication, but not for additional attribute retrieval.
    When I set a condition in a policy that an LDAP attribute must match some value, the attribute is not retrieved and authorization ends on the default Deny Access.
    Can anyone help me how this can be set on ISE?
    Thanks!
    Regards
    Karel Navratil

    Yes, that's what I've tried, as I wrote in my first post, but ISE does not retrieve the attribute from LDAP.
    Here are some screenshots:
    authorization rule:
    ldap attribute in external identity source:
    and the logs:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12100  Prepared EAP-Request proposing EAP-FAST with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12102  Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12810  Prepared TLS ServerDone message
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12812  Extracted TLS ClientKeyExchange message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12149  EAP-FAST built authenticated tunnel for purpose of PAC provisioning
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12209  Starting EAP chaining
    12218  Selected identity type 'User'
    12125  EAP-FAST inner method started
    11521  Prepared EAP-Request/Identity for inner EAP method
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12212  Identity type provided by client is equal to requested
    11522  Extracted EAP-Response/Identity for inner EAP method
    11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Endpoints
    22043  Current Identity Store does not support the authentication method; Skipping it
    24210  Looking up User in Internal Users IDStore - test,host/test-pc
    24216  The user is not found in the internal users identity store
    24430  Authenticating user against Active Directory
    24402  User authentication against Active Directory succeeded
    22037  Authentication Passed
    11824  EAP-MSCHAP authentication attempt passed
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814  Inner EAP-MSCHAP authentication succeeded
    11519  Prepared EAP-Success for inner EAP method
    12128  EAP-FAST inner method finished successfully
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12126  EAP-FAST cryptobinding verification passed
    12200  Approved EAP-FAST client Tunnel PAC request
    12219  Selected identity type 'Machine'
    12125  EAP-FAST inner method started
    11521  Prepared EAP-Request/Identity for inner EAP method
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12212  Identity type provided by client is equal to requested
    11522  Extracted EAP-Response/Identity for inner EAP method
    11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    11055  User name change detected for the session. Attributes for the session will be removed from the cache
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Endpoints
    22043  Current Identity Store does not support the authentication method; Skipping it
    24210  Looking up User in Internal Users IDStore - test,host/test-pc
    24216  The user is not found in the internal users identity store
    24431  Authenticating machine against Active Directory
    24470  Machine authentication against Active Directory is successful
    22037  Authentication Passed
    11824  EAP-MSCHAP authentication attempt passed
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814  Inner EAP-MSCHAP authentication succeeded
    11519  Prepared EAP-Success for inner EAP method
    12128  EAP-FAST inner method finished successfully
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    12126  EAP-FAST cryptobinding verification passed
    12201  Approved EAP-FAST client Machine PAC request
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - DenyAccess
    15039  Rejected per authorization profile
    12855  PAC was not sent due to authorization failure
    12105  Prepared EAP-Request with another EAP-FAST challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    11105  Request received from a device that is configured with KeyWrap in ISE.
    12104  Extracted EAP-Response containing EAP-FAST challenge-response
    11514  Unexpectedly received empty TLS message; treating as a rejection by the client
    12512  Treat the unexpected TLS acknowledge message as a rejection from the client
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    So there is no indication that ISE tries to retrieve anything from LDAP.
    Regards
    Karel
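A small helper, added here as an example and not part of the post or of ISE itself, that reduces a pasted ISE step log like the one above to the facts worth checking when a rule unexpectedly falls to DenyAccess: which identity types and stores were used, whether step 11055 flushed the session attributes, and the final profile and result. The embedded log is a constructed subset of the lines quoted in the post.

```python
import re

# Constructed excerpt of the step log quoted in the post above (step codes as on the page).
SAMPLE_LOG = """\
11001  Received RADIUS Access-Request
12209  Starting EAP chaining
12218  Selected identity type 'User'
24210  Looking up User in Internal Users IDStore - test,host/test-pc
24430  Authenticating user against Active Directory
24402  User authentication against Active Directory succeeded
12219  Selected identity type 'Machine'
11055  User name change detected for the session. Attributes for the session will be removed from the cache
24431  Authenticating machine against Active Directory
24470  Machine authentication against Active Directory is successful
15016  Selected Authorization Profile - DenyAccess
11003  Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.+?)\s*$")
KNOWN_STORES = ("Internal Users", "Active Directory", "LDAP")


def parse_steps(text):
    """Return [(code, message)] for every line carrying a 5-digit ISE step code."""
    return [(m.group(1), m.group(2)) for m in map(STEP_RE.match, text.splitlines()) if m]


def summarize(text):
    """Reduce a step log to the facts to check when authorization falls to DenyAccess."""
    steps = parse_steps(text)
    joined = "\n".join(msg for _, msg in steps)
    stores = [s for s in KNOWN_STORES if s in joined]
    results = re.findall(r"Returned RADIUS (Access-\w+)", joined)
    profile = re.search(r"Selected Authorization Profile - (\S+)", joined)
    return {
        "identity_types": re.findall(r"Selected identity type '([^']+)'", joined),
        "stores_consulted": stores,
        "ldap_consulted": "LDAP" in stores,
        # Step 11055 reports that the Machine identity replaced the User identity
        # and the cached session attributes were dropped before authorization.
        "cache_flushed_on_identity_change": any(c == "11055" for c, _ in steps),
        "authz_profile": profile.group(1) if profile else None,
        "result": results[-1] if results else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Paste the full step list from Operations > Authentications into SAMPLE_LOG (or read it from a file) to get the same summary for a live session.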
