ISE Profiling Deployment

We are starting an ISE deployment to segregate mobile devices (iPhones and iPads, initially) from corporate notebooks. We have a single SSID and two separate VLANs, one for mobile devices and another for corporate notebooks, assigned by ISE. We successfully set up profiling in a lab environment with a few devices, but when we put it in production we had problems with devices not being profiled correctly. Since devices are not profiled, their access is denied. Since devices are denied, they cannot be profiled, because ISE doesn't see any traffic (DHCP, HTTP) from the clients.
What strategy are you using to deploy ISE profiling? Must I have ISE listen to our network for some time before segregating access?

Hi
I've had the same problem with first-time users being denied; that's due to ISE not being able to profile before it denies.
I think they should come up with something that will profile devices and then continue the authentication process.
Someone mentioned doing a re-auth for a couple of seconds (see the attached pic of how the authorization rule looks). That could save you from people being denied the first time, but if your device never gets profiled then it will just spin there all the time re-authenticating.
What you could also do is set up an unrouted VLAN where all the unknown devices stay until profiled.
I've talked to Cisco and they recommended the same thing, so I guess that's it for now.
What we have done before deploying ISE, and it worked pretty well, is forward all DHCP traffic to ISE before deploying ISE at that particular site. DHCP forwarding ran for a few days, so I already had their devices in my database, and when I deployed it, it worked pretty neatly.
By forwarding all DHCP requests I mean:
We have Active Directory and DHCP servers centrally located, so in the router config I added a helper address pointing to the ISE IP address, and that's it.
Now WLC 7.3 has DHCP profiling and HTTP profiling options.
HTTP profiling sends the first HTTPS packets to ISE, capturing the User-Agent string. That helps if you browse with Safari, but if you use any other application that uses HTTP traffic it will end up totally wrong.
For example, you connect with your iPhone to Wi-Fi and open up Viber; ISE will capture viber_blabla_smth as the user agent and will not profile accurately.
Hope it helps
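The reply above relies on ISE's DHCP probe seeing the clients' DHCP traffic (via an ip helper-address pointing at ISE) before enforcement starts. What the probe actually extracts is a handful of RFC 2132 options from each DHCPDISCOVER/REQUEST. The following is an added example, not code from the thread or from Cisco: it builds a constructed DHCPDISCOVER (the MACs, hostnames and option lists are made up), parses the fixed header and option TLVs, and returns the client MAC, host-name (option 12), vendor class (option 60) and parameter request list (option 55). The attribute names in the returned dict are chosen to mirror how ISE labels these in the endpoint view; that naming is an assumption, the parsing itself is standard. A truncated option is rejected outright rather than partially decoded, since a fingerprint built on a half-read option is worse than none.

```python
import struct

# RFC 2131: 236-byte fixed header, then the magic cookie, then RFC 2132 TLV options.
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_HOST_NAME = 12
OPT_MESSAGE_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS = 60


def build_discover(mac, hostname=None, vendor_class=None, param_list=()):
    """Construct a DHCPDISCOVER for testing. Constructed sample input, not a capture."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s",
                        1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                        0x3903F326, 0, 0x8000,   # xid, secs, flags (broadcast bit set)
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)  # ciaddr yiaddr siaddr giaddr
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    sname, bootfile = b"\0" * 64, b"\0" * 128
    options = bytes([OPT_MESSAGE_TYPE, 1, 1])    # message type 1 = DHCPDISCOVER
    if hostname:
        options += bytes([OPT_HOST_NAME, len(hostname)]) + hostname.encode()
    if vendor_class:
        options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
    if param_list:
        options += bytes([OPT_PARAM_REQUEST_LIST, len(param_list)]) + bytes(param_list)
    options += bytes([OPT_END])
    return fixed + chaddr + sname + bootfile + DHCP_MAGIC_COOKIE + options


def parse_dhcp(pkt):
    """Return (client MAC, {option code: raw value}).
    Raises ValueError on a malformed or truncated packet instead of guessing."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    mac = ":".join("%02x" % b for b in pkt[28:28 + hlen])
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return mac, options


def dhcp_fingerprint(pkt):
    """The attributes the DHCP probe keys on. Key names mirror ISE's endpoint
    attribute labels (an assumption about naming, not about the parsing)."""
    mac, options = parse_dhcp(pkt)
    return {
        "MACAddress": mac,
        "host-name": options.get(OPT_HOST_NAME, b"").decode("utf-8", "replace"),
        "dhcp-class-identifier": options.get(OPT_VENDOR_CLASS, b"").decode("utf-8", "replace"),
        "dhcp-parameter-request-list": ",".join(str(b) for b in options.get(OPT_PARAM_REQUEST_LIST, b"")),
    }


def is_well_formed(pkt):
    try:
        parse_dhcp(pkt)
        return True
    except ValueError:
        return False


# Constructed sample packets: a phone sending only a hostname and parameter list,
# and a Windows notebook that also sends a vendor class. MACs and names are made up.
SAMPLE_IPHONE = build_discover("00:11:22:33:44:55", hostname="Johns-iPhone",
                               param_list=(1, 121, 3, 6, 15, 119, 252))
SAMPLE_NOTEBOOK = build_discover("00:11:22:33:44:66", hostname="CORP-NB-0123",
                                 vendor_class="MSFT 5.0",
                                 param_list=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252))

if __name__ == "__main__":
    for pkt in (SAMPLE_IPHONE, SAMPLE_NOTEBOOK):
        print(dhcp_fingerprint(pkt))
    print("truncated packet accepted:", is_well_formed(SAMPLE_IPHONE[:-4]))
```

The parameter request list is the interesting field: two clients with the same hostname convention but different option-55 orderings are usually different operating systems, which is why the probe records it alongside the hostname rather than relying on the hostname alone.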

Similar Messages

  • Need suggestions for an ISE distributed deployment model in two different data centers, along with a public certificate for HTTPS

    Hi Experts,
    I am a bit confused about the ISE distributed deployment model.
    I have two data centers, one is the DC and the other one is a DR. I have a requirement for guest access service implementation using CWA, and to get a public certificate for HTTPS to avoid certificate errors on client devices:
    how do I deploy the ISE personas for HA in these two data centers?
    After reading the Cisco doc, I understood that we can have two PANs (primary in DC and secondary in DR), likewise for MnT (Monitoring will be the same as PAN); however, I can have 5 PSNs running in the secondary, i.e. in the DR ISE. I have confusion about HA for PSN, since if we have all PSNs in the secondary, it would not work for HA if it fails.
    Can anybody suggest the best deployment solution for this scenario?
    Another doubt, about the public certificate:
    Public Certificate: The ISE domain must be a registered domain name, or part of a registered domain name, on the Internet. For that I need the domain name being used by the customer.
    Please correct me if I am wrong in my understanding of the certificate:
    since guests will be outside users, we cannot use a certificate from an internal CA; we need to get the certificate from a service provider and install it on both ISE servers.
    Can anybody explain the procedure to obtain the public certificate for HTTPS from a service provider? And how do I install it on both ISE servers?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
    Last but not least, you could also place PSNs behind a load balancer; that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different data centers.
    Certificates: Yes, you would want to get a public certificate to serve the guest portal. Getting a public/well-known certificate would ensure that most devices out there trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy and Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA, but any outsiders (guests, contractors, etc.) that do not trust and do not know your internal CA would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue, and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE Profiler Feed Service Update

    Hey,
    I have tried a couple of times so far to update the ISE profiler feed service, and it always says "it has been successfully updated" after 2 seconds; however, the last update feed shows 2013-05 (see attached). I'm running ISE 1.2 with all patches installed (1,2,3,4,5,6,7). Does anyone have any idea about this issue? I'd really like to update the OUI database for the new devices, and it seems this is the only automatic way!
    Thanks,
    Ali

    Cisco updates the OUI list as new entries become available, but if you are facing an issue regarding a specific OUI, do mention it, or you can custom-define that device for profiling (as a short-term solution).
    Also confirm this information.

  • ISE profiling on Apple-Device, Apple-iPhone and Apple-iPad

    hi,
    I have a question on ISE profiling, especially on Apple devices.
    My testing environment: when I use an iPhone to connect, by default the result profiles me as Apple-Device.
    But when I try to get it more specific, and I mark the identity store as Apple-iPhone in the authorization rule, it fails somehow. It seems it cannot go deeper to analyze that it's an iPhone, instead of Apple-Device.
    The default Apple-iPhone profiler condition checks the hostname and user agent. So when I try to use the Safari browser to get online, it somehow won't bounce me into the Apple-iPhone profile.
    Question:
    01. What should I do so that the profiler can analyze directly that it is an Apple-iPhone, or is there anything that needs configuring, say in the authorization rule?
    Thanks
    Noel

    Are you getting redirected to the web portal in ISE? That is the most common way ISE can get the user agent of the browser in order to profile the device as Apple-iPhone. Give that a try and then see if the user agent is learned; you should get a message to refresh your browser momentarily. Then CoA should trigger and the wireless controller should get the new authorization profile that you configured for your Apple-iPhone endpoints.
    Thanks
    tarik Admani

  • ISE HA Deployment prerequisite issue.

    I encountered this HA node deployment issue. Actually, I finished this feature in an environment with a CA and DNS. However, can I finish ISE's HA deployment without a CA and DNS?
    When I was adding the second ISE node to the first one, I filled the blank with the second ISE's server IP address, and the system notification indicated "Unable to authenticate xxx. Please check server and CA certificate configuration and try again."
    After that notification, I deployed the CA and DNS server. I also signed the certificate and installed the root CA on both ISE nodes; the DNS records were also done. After that, I filled the blank with the second ISE's FQDN and administration account. It could be done successfully.
    So if my environment doesn't have a CA and DNS, does that mean I can't finish ISE's HA function?
    Any help or suggestion will be appreciated!

    Hi,
    You cannot do an ISE HA deployment without a CA and DNS.
    DNS :  When you upgrade a complete Cisco ISE deployment, Domain Name System (DNS) server resolution is mandatory; otherwise the upgrade will fail.
    CA :  During the split deployment upgrade, before you register the nodes to the new primary Administration node, you must do the following:
    -If you use self-signed certificate, you must import the self-signed certificate of all nodes to your new primary Administration node.
    -If you use different CA certificates for the nodes, you must import all the CA certificates into the new primary Administration node.
    -If you use the same CA certificate for the nodes, you must import that CA certificate into the new primary Administration node.

  • A config profile deployed on my devices without my permission.

    I believe a config profile was deployed on my devices without my permission to access my information. These are consumer-only products (iPads and iPhones). Is this legal, and what can I do to remove them? The profile does not show in Settings. I see info via the diagnostics and usage data. I tried wiping all devices but that does not remove it. Please help.

    What profile?  Where are you seeing this?  What's it called?  Is your phone enrolled in an MDM server???  If you don't see anything in Settings -> General -> Profiles, then none are installed.

  • Ise distributed deployment upgrade

    My customer has an ISE deployment with 4 nodes: Admin/Monitor primary and secondary plus 2 Policy Service nodes. The Admin nodes are VMs, the Policy nodes are 3315 appliances.
    The system was installed almost three years ago with version 1.1.0 ... It appears the system never had issues, so it was never patched or upgraded. Why fix something that is working fine?
    Today there was an issue because the certificates expired, so in the review to get the system up and running again, the update issue was brought into the conversation. We would like to upgrade to the latest supported version. So I am looking for some tips and ideas to take care of when planning the upgrade.
    I have some doubts:
    Can the 3315 appliance support release 1.3 without issues?
    I know the upgrade procedure is basically installing a .tar file, but I'm not clear how the process in a distributed deployment should go. I have run upgrades on standalone systems, but never in a distributed deployment. So, do I need to upgrade the Primary Admin only and the other nodes would upgrade automatically?
    Would I need to upgrade 1.1 to 1.2 first and then 1.2 to 1.3?
    I understand release 1.1 was 32-bit, and versions 1.2 and 1.3 are 64-bit, so I guess the process would take a long time (perhaps a couple of hours), so a maintenance window would need 3 or 4 hours until the full system becomes stable.
    Can you give me some advice and suggestions to avoid major issues?
    Regards.
    Daniel Escalante.

    Can you give me some advice and suggestions to avoid major issues?
    Documents related to the upgrade were given by Venkatesh; refer to those. Along with that, additional information:
    Can the 3315 appliance support release 1.3 without issues?
    Cisco ISE-3315-K9 (small): supports ISE 1.3
    - 1x Xeon 2.66-GHz quad-core processor
    - 4 GB RAM
    - 2 x 250 GB SATA HDD
    - 4x 1 GB NIC
    I know the upgrade procedure is basically installing a .tar file, but I'm not clear how the process in a distributed deployment should be. I had run upgrades in standalone systems, but never in a distributed deployment. So, I need to upgrade the Primary Admin only and the other nodes would upgrade automatically?
    When upgrading to Cisco ISE, Release 1.2, first upgrade the secondary Administration node to Release 1.2. You do not have to manually deregister the node before an upgrade. Use the application upgrade command to upgrade nodes to Release 1.2. The upgrade process deregisters the node automatically and moves it to the new deployment. If you manually deregister the node before an upgrade, ensure that you have the license file for the Primary Administration node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example), contact the Cisco Technical Assistance Center for assistance.
    I would need to upgrade 1.1 to 1.2 first and then 1.2 to 1.3? I understand release 1.1 was 32-bit, and versions 1.2 and 1.3 are 64-bit, so I guess the process would take a long time (perhaps a couple of hours), so a maintenance window would need 3 or 4 hours until the full system becomes stable.
    If you are on a version earlier than Cisco ISE, Release 1.2, you must first upgrade to 1.2 and then to 1.3.
    You can upgrade to Cisco ISE, Release 1.2, from any of the following releases:
    Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)
    Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)
    Cisco ISE, Release 1.1.2, with the latest patch applied
    Cisco ISE, Release 1.1.3, with the latest patch applied
    Cisco ISE, Release 1.1.4, with the latest patch applied
    Upgrade to ISE 1.2:
    Type of Deployment                               Node Persona                                 Time Taken for Upgrade
    Standalone (2000 endpoints)                      Administration, Policy Service, Monitoring   1 hour 20 minutes
    Distributed (25,000 users, 250,000 endpoints)    Secondary Administration                     2 hours
                                                     Monitoring                                   1.5 hours
    After upgrading to ISE 1.2, upgrade to ISE 1.3:
    Type of Deployment                               Node Persona                                 Time Taken for Upgrade
    Standalone (2000 endpoints)                      Administration, Policy Service, Monitoring   1 hour 20 minutes
    Distributed (25,000 users, 250,000 endpoints)    Secondary Administration                     2 hours
                                                     Monitoring                                   1.5 hours
    Factors That Affect Upgrade Time:
    - Number of endpoints in your network
    - Number of users and guest users in your network
    - Profiling service, if enabled

  • Cisco ISE profiling - Split Corporate/Guest access

    Hello all,
    I am currently deploying Cisco ISE for my wireless network and I would like to split my WLAN into two different "authorization profiles": Guest and Corporate.
    For the moment, I use my Active Directory to authenticate users and profiling to authorize devices by hostname. I would like to classify by domain name with the DHCP probe, but I can't, because there is always a DHCP response message with the domain name given by the DHCP server. Do you have a solution to separate devices by domain name or by other attributes?
    Thanks in advance for your answer!

    Thanks for your answer salodh,
    I've already done two authorization profiles (Guest and Corporate) based on rules using Active Directory and profiling conditions, but I would like more profiling conditions (not only hostname) to clearly split corporate and guest devices.

  • ISE Profiled devices not being used in authz policy.

    ISE is standalone.
    ver 1.2
    Eval license.
    I have a number of Cisco IP phones profiled by the DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic, not static).
    However, when this is used in an Authorization Policy it never matches.
    Just a basic policy:
    if Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ...... no match.
    I can change the identity group to ANY and it works.
    Surely I must be missing something, but I've gone round and round with this.
    Tried deleting endpoints and allowing them to repopulate .... failed.
    Tried changing endpoints to static, with no luck.
    Noticed the "Cisco-IP-Phone" group is under the "Profiled" group, so tried using that in the policy .... no change.
    Whatever I've tried just ends with the authz going to the "Default" policy.

    Thank you for providing the detailed information. The problem is not with profiling, as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screenshot #2, you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its identity store, and phones won't be stored there. Your authorization policies look OK, so I would suggest you try the following:
    1. Enable the top authentication rule called "MAB"
    2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols
    3. Ensure that "Internal Endpoints" is selected for the Identity Store
    4. Test again
    Thank you for rating helpful posts!

  • Using ASA as an Anyconnect profile deployment tool

    I have a requirement to use an ASR router as an IKEv2 headend for AnyConnect clients. For ease of deployment, I want to use the ASA firewall to enable users (multiple OSes: Win/Mac/Linux) to download their respective AnyConnect clients as well as the profile needed to connect to the ASR. Note that the ASA is only used for AC and AC profile downloads; it takes no part in any VPN termination. Users will just point their browser to the ASA firewall web page and download both the AC client and the profile, then they will launch AC and connect to the ASR router.
    My question is, can this be done? 
    Thank you!

    Yes, I want to deploy the software independent of any ASA VPN connection. From the Admin guide:
    When deployed from the ASA, remote users make an initial SSL connection to the ASA. In their browser, they enter the IP address or DNS name of an ASA configured to accept clientless SSL VPN connections. The ASA presents a login screen in the browser window, and if the user satisfies the login and authentication, downloads the client that matches their computer's operating system. After downloading, the client installs and configures itself and establishes an IPsec (IKEv2) or SSL connection to the ASA.
    On the last sentence, I need the client to establish an IPSEC connection to the ASR, not the ASA.  Just wanted to confirm that this can be done. 
    Thank you

  • IOS Device-Sensor and ISE profiling not working

    Hello,
    I configured IOS device-sensor on one 2960CG-8-TCL switch. IOS is 15.2(2)E.
    Switchconfig:
    device-sensor filter-list dhcp list dhcp-list
     option name host-name
    device-sensor filter-spec dhcp include list dhcp-list
    device-sensor accounting
    device-sensor notify all-changes
    The switch does DHCP snooping, and "show device-sensor cache all" shows the DHCP name:
    Device: b2b5.2fff.sa43 on port GigabitEthernet0/1
    Proto Type:Name                       Len Value
    DHCP    12:host-name                   17 0C 0F 11 31 22 41 50 43 33 31 32 30 30 30 37 38
                                              38
    The RADIUS probe on ISE is activated, and tcpdump shows the accounting packets from the switch (see attachment).
    I configured a profiling rule to check for the DHCP hostname with "contains". This rule does not work, however. The device is getting profiled by MAC OUI via the RADIUS probe, but the DHCP profile is not working.
    Is this supposed to work?

    That is interesting. I haven't worked with the "Device Sensor" much, so I am running out of ideas. I really thought the certainty level was going to fix your issue, as I have had issues similar to yours in the past where the certainty level of my custom rule was the same as a default one, so my custom rule was never hit. I thought this was the case with you, since your device was hitting the parent policy of "HP-Device" but not moving any further. With that being said, I would still recommend keeping your custom conditions at higher certainty levels to avoid such situations.
    A couple more things:
    1. What profiling probes do you have enabled?
    2. Have you tried retrieving the DHCP hostname via another sensor/method. For example, via the DHCP probe and ip-helper?
    3. Do you have the following commands entered on your switch:
    access-session template monitor
    no macro auto monitor
    device-sensor accounting
    device-sensor notify all-changes
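    The certainty point made in this reply (a custom rule at the same certainty as a built-in one never winning), together with the User-Agent caveat from the first answer on the page (an app such as Viber sending a user agent that never says "iPhone"), as an added example that is not code from the thread or from Cisco. It is a deliberately simplified model of certainty-based profiling: each policy has a minimum certainty, matching conditions add certainty, child policies are only evaluated once the parent matched, and the deepest match with the highest certainty wins. The policy names Apple-Device, Apple-iPhone, Apple-iPad and HP-Device come from the threads; HP-Printer, Floor3-Printer, the OUI table, the MACs and the User-Agent strings are constructed for the example. The tie rule (earlier-listed policy keeps the endpoint) is this model's assumption, not a statement about how ISE breaks ties.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Condition:
    attribute: str    # endpoint attribute, e.g. "OUI", "host-name", "User-Agent"
    op: str           # "CONTAINS" or "EQUALS"
    value: str
    certainty: int    # certainty factor added when the condition matches


@dataclass(frozen=True)
class Policy:
    name: str
    parent: Optional[str]        # a child is only evaluated once its parent matched
    min_certainty: int           # minimum certainty factor for the policy to match
    conditions: Tuple[Condition, ...]


# Stub OUI lookup standing in for the vendor file ISE ships. The prefix-to-vendor
# pairs are constructed for this example, not copied from the IEEE registry.
OUI_TABLE = {"F0:D1:A9": "Apple, Inc.", "00:1B:78": "Hewlett Packard"}


def normalise(attrs):
    """Derive the OUI attribute from the MAC, as the RADIUS/MAC probe would."""
    attrs = dict(attrs)
    mac = attrs.get("MACAddress", "").upper().replace("-", ":")
    attrs["OUI"] = OUI_TABLE.get(mac[:8], "")
    return attrs


def condition_matches(cond, attrs):
    actual = attrs.get(cond.attribute, "").lower()
    if cond.op == "CONTAINS":
        return cond.value.lower() in actual
    if cond.op == "EQUALS":
        return cond.value.lower() == actual
    raise ValueError("unknown operator " + cond.op)


def policy_certainty(policy, attrs):
    return sum(c.certainty for c in policy.conditions if condition_matches(c, attrs))


def profile_endpoint(attrs, policies):
    """Return (profile name, certainty). Policies must be listed parents first.
    Deepest matched policy wins; at equal depth the higher certainty wins; on a
    full tie the earlier-listed policy keeps the endpoint (model assumption)."""
    attrs = normalise(attrs)
    depth, best = {}, ("Unknown", 0, -1)     # best = (name, certainty, depth)
    for p in policies:
        if p.parent is None:
            d = 0
        elif p.parent in depth:
            d = depth[p.parent] + 1
        else:
            continue                          # parent did not match, skip the child
        score = policy_certainty(p, attrs)
        if score < p.min_certainty:
            continue
        depth[p.name] = d
        if (d, score) > (best[2], best[1]):
            best = (p.name, score, d)
    return best[0], best[1]


def raise_certainty(policies, policy_name, certainty):
    """Copy of the policy list with every condition of one policy set to a new certainty."""
    return [replace(p, conditions=tuple(replace(c, certainty=certainty) for c in p.conditions))
            if p.name == policy_name else p for p in policies]


# Constructed policy set (parents listed before children).
POLICIES = [
    Policy("Apple-Device", None, 10, (Condition("OUI", "CONTAINS", "Apple", 10),)),
    Policy("Apple-iPhone", "Apple-Device", 20, (Condition("User-Agent", "CONTAINS", "iPhone", 20),
                                              Condition("host-name", "CONTAINS", "iPhone", 20))),
    Policy("Apple-iPad", "Apple-Device", 20, (Condition("User-Agent", "CONTAINS", "iPad", 20),
                                            Condition("host-name", "CONTAINS", "iPad", 20))),
    Policy("HP-Device", None, 10, (Condition("OUI", "CONTAINS", "Hewlett", 10),)),
    Policy("HP-Printer", "HP-Device", 20, (Condition("host-name", "CONTAINS", "HP", 20),)),
    Policy("Floor3-Printer", "HP-Device", 20, (Condition("host-name", "CONTAINS", "HPC3", 20),)),
]

# Constructed endpoint evidence; the User-Agent strings are illustrative, not captures.
IPHONE_SAFARI = {"MACAddress": "F0:D1:A9:11:22:33",
                 "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) Safari/9537.53"}
IPHONE_VIBER = {"MACAddress": "F0:D1:A9:11:22:34",
                "User-Agent": "Viber/3.9 CFNetwork/672.1 Darwin/14.0"}   # app traffic, never says iPhone
IPHONE_DHCP_ONLY = {"MACAddress": "F0:D1:A9:11:22:35", "host-name": "Johns-iPhone"}
HP_PRINTER = {"MACAddress": "00:1B:78:AA:BB:CC", "host-name": "HPC3120007"}

if __name__ == "__main__":
    for label, ep in [("safari", IPHONE_SAFARI), ("viber", IPHONE_VIBER),
                      ("dhcp only", IPHONE_DHCP_ONLY), ("printer", HP_PRINTER)]:
        print(label, profile_endpoint(ep, POLICIES))
    print("printer, custom rule at 30:",
          profile_endpoint(HP_PRINTER, raise_certainty(POLICIES, "Floor3-Printer", 30)))
```

    Run as a script, the Viber case stays at Apple-Device while the Safari and DHCP-hostname cases reach Apple-iPhone, which is why collecting the DHCP hostname (helper address or device sensor) matters even when HTTP profiling is on. The printer case stays at the built-in HP-Printer until the custom Floor3-Printer rule is given a higher certainty than its sibling.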

  • ISE Guest deployment

    Hi 
    I'm setting up ISE (1.3) in a distributed deployment with a primary and secondary node.
    Both nodes are running the admin and PSN roles.
    The 2 nodes are up and running and synchronised, and now I want to set up a CWA guest solution.
    So my question is:
    In case I need to fail over to the secondary node, how do we need to do the DNS registration of the portal URL?
    Do I have to have a unique URL for each ISE, or do I need to set up DNS pointing to both of the IP addresses that are set up on the interface of the ISE that is used for the guest portal?
    And also a separate public cert on each ISE pointing to the CN?
    Hope my question was understandable :)

    Redundancy for the sponsor portal falls into two categories: with load balancers and without load balancers. In both two-node environments and environments with more than two nodes, the design is the same.
    With network load balancers you simply create a VIP for port 8443 and use the PSNs as member servers. Then simply point the DNS hostname that is configured in the sponsor portal to the VIP.
    The other options are DNS-based. You can simply have two A records for sponsor.example.com and DNS will naturally round-robin between the records. The last option is to use a DNS load balancer to accomplish the same task as the round robin, but with more control over which record is used when.
    As for the cert, the recommendation when using load balancers is to have a shared cert on all of your PSNs. The cert should contain both the FQDN of the sponsor portal and the hostnames of all of your PSNs if you are planning on using the same cert for EAP and not just HTTPS.
    Here is the documentation on how to use F5 Big IP load-balancers 
    http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf

  • ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

    Hi,
    We have integrated a WLC 5508 with Cisco ISE 3315 running 1.1.1, and are using the Guest Sponsor portal for wireless guest users.
    We have created an open SSID on the WLC and redirect to the web login portal on the WLC for guest users. We have enabled all the respective probes in the Policy Service node for profiling, and also configured SNMP on the WLC as well as on ISE.
    When a guest user connects to the open SSID, it gets redirected to the web login page of the ISE portal, and when they log in we are only able to see the username the guest user logged in with, but not the end device, in the monitoring log.
    Wireless end devices are not getting profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile guest wireless end devices like Android, iPhone and laptops?
    Thanks
    Pranav

    Hi Tarikh,
    I only want to identify the end devices for wireless guest users. I have configured MAB authentication and configured an authorization policy with identity group Any, condition WLC web authentication, and an authorization profile for guests only, with plain access for the same.
    Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes, and enabled SNMP on the WLC as well as on the network devices.
    What else do I need to configure to achieve just identifying the device, i.e. profiling, which should be reflected in the authentication logs?
    Thanks
    Pranav

  • ISE Profiling options for VPN clients

    I'm trying to mull over what profiling options are available for VPN users.  I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access.  The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements.  I don't see an easy way to distinguish these device types that cannot use the NAC agent from the O/Ses that can.  Since the mac address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria.  So the net effect is these devices are stuck in the "unknown" posture state and have very limited access.  Any way around this catch-22?  Incidentally DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their mac address.

    Chris, I ran into the same issue. NetFlow doesn't work, and I used packet captures to see if anything was worthwhile. The only option I see is filing an enhancement request to see if the ASA can send the device platform over to ISE via RADIUS (much like the device sensor feature on IOS).
    I also tried to use a SPAN session, and the catch with that is that the ASA doesn't assign the Calling-Station-Id attribute to the tunnel IP, but to the public IP the user is connecting from. So ISE doesn't apply the user agent attributes to the current session.
    I was able to find a way around this by modifying the messaging via a root patch to have the users click a link instead of retrying their request when they hit the CPP portal as a mobile device.
    Sent from Cisco Technical Support Android App

  • ISE Distributed Deployment

    Hi All,
    Deploying multiple PSNs in a distributed deployment, do all the PSNs have to be in the same domain? I have 8 set up in one domain, and would like to run a few more through firewalls and using a different DNS domain.
    Also interested to see how AD integration works with this. I'd still expect to join the nodes to the common AD domain. Would they be able to join an AD domain which isn't linked with their FQDN?
    I'm hoping that by running the other policy nodes on an external domain, I can use a standard CSR for the external public certs.
    All comments, suggestions, spoilers welcomed! The question is out to Cisco, but I know the value of these forums too.

    Hi,
    You will have to join all ISE nodes to the same AD domain, since the policy for user enforcement (for any external conditions) is configured at the Primary Admin node and replicated down to the PSNs. However, if you choose to configure a different DNS domain for one PSN and then join it to the common AD domain, the only issue I see with this is the sAMAccountName being sent in the username and not the UPN.
    If a user requests authentication with johndoe and your AD domain is abc.com but your dns domain is def.com, then ISE will try to authenticate [email protected] (from my experience), there have been some improvements where ISE should be able to note that this is an authentication request and should suffix the request with [email protected] but I am not 100 percent sure.
    If you have a cisco account rep (with your deployment size I am absolute sure you do) have them ping the BU on this issue and see what the official response is.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
