ISE Trust sec Question.

Hi Team,
  Can someone give me a real time example or explain to me in simple language "What is Trust SEC"?
Minakshi

Example of TrustSec use:
Cisco TrustSec capabilities are embedded in Cisco® switches, wireless LAN (WLAN) controllers, routers, and firewalls. With TrustSec, when a user's traffic enters the network, it is classified according to characteristics such as user authentication, analysis of the device being used and its network location. Based on these criteria, a user's endpoint is classified as a member of a particular security group; for example, it could be added to a group called Retail-Manager. Cisco switches and routers then propagate the security group information to policy-enforcement devices.
Most Cisco switches and routers can transport this security group information with the user's traffic. This information is included by embedding a 16-bit Security Group Tag (SGT) value in each frame associated with the user device. The SGT can be transported over LAN, WAN and data center networks so that it is available for inspection and policy enforcement wherever appropriate.
To traverse networks or network devices that do not understand or support SGT propagation, a control-plane protocol, the SGT Exchange Protocol (SXP), allows Cisco TrustSec SGT information to be transported over any IP network to enforcement points.
Policy enforcement can be performed by Cisco firewalls, routers, or switches. The enforcement device reads the source SGT (denoting the Retail-Manager role, for example). It then evaluates the Retail-Manager's privileges to access the destination resource, which would also have an assigned SGT, such as PCI-Compliant Server or HR Database. It then determines whether the traffic should be allowed or denied.
If the enforcement device is a switch, it will apply security group ACLs (SG-ACLs). These are policies automatically downloaded from the Cisco Identity Services Engine (ISE) or the Cisco Secure Access Control Server (ACS). SG-ACLs have the benefit of being processed at wire rate on many switch platforms. Because they are downloaded from ISE, they do not need to be provisioned to switches, as traditional Access Control Lists need to be.
If the enforcement device is a Cisco firewall, it will perform stateful firewall processing using the source and destination SGTs. The Cisco Adaptive Security Appliance (ASA) Software can also make additional inspection decisions based on the source and destination SGT values. For example, it can selectively pass traffic through additional intrusion prevention analysis or direct traffic to Cisco Cloud Web Security services based upon SGT values.
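The classification, propagation and enforcement steps described in the answer above, as a simplified Python model added here (not Cisco code and not part of the original post). The tag numbers, IP addresses, classification rule, the Data-Center group and the default-deny action are constructed for illustration; the other group names come from the answer.

```python
import ipaddress

SGT_UNKNOWN = 0  # TrustSec reserves tag 0 for traffic with no known group

# Constructed tag numbering (assumption); only the names appear in the answer.
SGT = {
    "Retail-Manager": 10,
    "Guest": 20,
    "Data-Center": 90,
    "PCI-Compliant-Server": 100,
    "HR-Database": 110,
}


def check_sgt(tag):
    """An SGT is a 16-bit value, so anything outside 0..65535 is invalid."""
    if not 0 <= tag <= 0xFFFF:
        raise ValueError(f"SGT {tag} does not fit in 16 bits")
    return tag


def classify(authenticated, ad_group, device_type, location):
    """Hypothetical ingress rule combining the three criteria the answer
    names: user authentication, device analysis and network location."""
    if (authenticated and ad_group == "retail-managers"
            and device_type == "corporate-laptop" and location == "store"):
        return "Retail-Manager"
    return "Guest"


class BindingTable:
    """IP-to-SGT bindings as an enforcement point would learn them over SXP
    when the tag cannot travel inline with the frame."""

    def __init__(self):
        self._bindings = {}

    def learn(self, prefix, tag):
        self._bindings[ipaddress.ip_network(prefix)] = check_sgt(tag)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [net for net in self._bindings if addr in net]
        if not matches:
            return SGT_UNKNOWN
        # The most specific binding wins (host entry over subnet entry).
        best = max(matches, key=lambda net: net.prefixlen)
        return self._bindings[best]


# Egress policy matrix keyed by (source SGT, destination SGT).
POLICY = {
    (SGT["Retail-Manager"], SGT["PCI-Compliant-Server"]): "permit",
    (SGT["Retail-Manager"], SGT["HR-Database"]): "deny",
    (SGT["Retail-Manager"], SGT["Data-Center"]): "permit",
}
DEFAULT_ACTION = "deny"  # assumption: unmatched cells are denied


def enforce(table, src_ip, dst_ip):
    """Resolve both tags, then read the matrix cell for that pair."""
    src = table.lookup(src_ip)
    dst = table.lookup(dst_ip)
    return src, dst, POLICY.get((src, dst), DEFAULT_ACTION)


def build_demo_table():
    """Constructed bindings: one classified user, a guest subnet, servers."""
    table = BindingTable()
    group = classify(True, "retail-managers", "corporate-laptop", "store")
    table.learn("10.1.10.25/32", SGT[group])
    table.learn("10.1.20.0/24", SGT["Guest"])
    table.learn("10.9.0.0/24", SGT["Data-Center"])
    table.learn("10.9.0.10/32", SGT["PCI-Compliant-Server"])
    table.learn("10.9.0.20/32", SGT["HR-Database"])
    return table


if __name__ == "__main__":
    demo = build_demo_table()
    for src, dst in [("10.1.10.25", "10.9.0.10"),
                     ("10.1.10.25", "10.9.0.20"),
                     ("10.1.20.7", "10.9.0.10"),
                     ("192.0.2.5", "10.9.0.10")]:
        print(src, "->", dst, enforce(demo, src, dst))
```

The policy is written once per group pair, so moving an endpoint to another subnet changes only its binding and leaves the matrix untouched.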

Similar Messages

  • Cisco 4500X + VSS + Trust Sec Switch to Switch Encryption

    Hi,
    actually I'm testing and evaluating the Cisco 4500X switch as the new distribution switch for our company.... Now I have some issues with one of our requirements.
    For security reasons I need to encrypt the links between the 4500X and the access switches in other buildings (no issue with Trust Sec)
    But ... now I also need to encrypt the link between the two 4500X if I run VSS ... my question is .. is it possible to encrypt the VSL link with TrustSec Switch to Switch encryption?
    BR,
    Florian

    Hi Florian,
    If you have 2 switches in different data centers then you do not need VSS. In fact this is a very bad design, as the whole concept of VSS is based on a dual-homed design. In essence, the proper design of a VSS system is to have every downstream switch connected with one link to one VSS switch and another link to the second VSS switch, so that when one VSS switch fails the other can take over. Please look at the VSS best practises:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-virtual-switching-system-1440/109547-vss-best-practices.html#vss_best
    Update:
    There is a possibility to encrypt the VSL link, but only in a 6500 sup2t environment:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/virtual_switching_systems.html#wp1341144

  • I want reset my sec questions. I can't change sec question. Please help me

    I want reset my sec questions. I can't change sec question. Please help me

    Click here for information. If the option to have the answers emailed to you isn't available or doesn't work(the email may take a few hours to arrive), contact the iTunes Store staff via the link in the 'Additional Information' section of that article.
    (90265)

  • HT5312 I need to reset my security questions, I have my alternate email address but I am unable to reset my sec questions, please help

    I need to reset my security questions, I have my alternate email address but I am unable to reset my sec questions, please help

    Australia ? surely !   

  • About ISE 802.1X question!

    Today my colleagues and I deployed ISE and found the following problem.
    Sometimes user authentication and authorization succeed, and sometimes, under the same interface, user authentication and authorization are not successful. If we restart ISE, it is normal again.
    Why is that?
    Two ISE nodes, distributed deployment.
    I tested redundancy. I shut down the main device, and got the following error:
    LOG:==============================================
    The normal time:
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  172.30.60.11
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000410155DA40
          Acct Session ID:  0x0000006C
                   Handle:  0x73000041
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  172.30.60.10
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000400154E52C
          Acct Session ID:  0x0000006D
                   Handle:  0x91000040
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
    When there is a problem:
    6509-vss#
    Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT APPLY
    Feb 27 2014 17:48:29: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT IP-WAIT
    Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#
    6509-vss(config-if)#
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:21: %MAB-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#end
    6509-vss#show
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.authen
    6509-vss#show authentication
    Feb 27 2014 17:49:28: %SYS-5-CONFIG_I: Configured from console by consolese
    6509-vss#show authentication sessions int
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  Unknown
                User-Name:  0021cc68a63e
                   Status:  Running
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004E01CCCA18
          Acct Session ID:  0x00000086
                   Handle:  0x7300004E
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Running
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  Unknown
                User-Name:  shenshu
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004D01CCB640
          Acct Session ID:  0x00000089
                   Handle:  0xB400004D
    Runnable methods list:
           Method   State
           mab      Not run
           dot1x    Authc Success
    LOG:============================================

    Please consider the order of authentication method fail from here
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000028
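One way to triage a log like the one posted in this thread, as a Python example added here (not part of the original posts): it counts RADIUS dead/alive flaps per server and lists clients whose only authentication results were 'no-response'. The sample lines are copied from the log above; the function names and the 5-second flap window are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
SERVER_RE = re.compile(r"RADIUS server (\S+?):\d+,\d+")
RESULT_RE = re.compile(
    r"Authentication result '([^']+)' from '([^']+)' for client \(([0-9a-f.]+)\)")
CLIENT_RE = re.compile(r"for client \(([0-9a-f.]+)\)")

# Lines copied from the log posted above (a subset, including a prompt line).
SAMPLE_LOG = """\
    Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    6509-vss(config-if)#
    Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
"""


def analyze(text, flap_window=5):
    """Summarise RADIUS server flaps and per-client authentication results."""
    flaps = Counter()
    last_dead = {}                      # server -> time of the pending DEAD
    results = defaultdict(Counter)      # client -> {(method, result): count}
    exhausted = Counter()               # client -> NOMOREMETHODS count
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                       # prompts, show output, blank lines
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        mnemonic, msg = m["mnemonic"], m["msg"]
        if mnemonic in ("RADIUS_DEAD", "RADIUS_ALIVE"):
            s = SERVER_RE.search(msg)
            if not s:
                continue
            server = s.group(1)
            if mnemonic == "RADIUS_DEAD":
                last_dead[server] = ts
            elif server in last_dead:
                # DEAD followed quickly by ALIVE counts as one flap.
                if (ts - last_dead.pop(server)).total_seconds() <= flap_window:
                    flaps[server] += 1
        elif mnemonic == "RESULT":
            r = RESULT_RE.search(msg)
            if r:
                result, method, client = r.groups()
                results[client][(method, result)] += 1
        elif mnemonic == "NOMOREMETHODS":
            c = CLIENT_RE.search(msg)
            if c:
                exhausted[c.group(1)] += 1
    return {
        "radius_flaps": dict(flaps),
        "results": {client: dict(cnt) for client, cnt in results.items()},
        "exhausted": dict(exhausted),
    }


def suspect_clients(report):
    """Clients that only ever got 'no-response' while a server was flapping.
    These are worth checking for server reachability or timeout problems
    before looking at credentials or policy."""
    if not report["radius_flaps"]:
        return []
    return sorted(
        client for client, cnt in report["results"].items()
        if all(result == "no-response" for (_method, result) in cnt))


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(summary)
    print("check reachability for:", suspect_clients(summary))
```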

  • ISE Sponsor Portal Questions!!!

    Hi Team,
    Few questions!!
    1. Can we integrate ISE with Safenet(Token) for VPN access using Inline Posture?
    2. When we create user account in Sponsor portal in ISE. By Default Where does the user gets created, In internal database of ISE  or in Active Directory?
    3. Advantages of Sponsor portal over NAC guest server?
    Cheers!!
    Minakshi

    1. Can we integrate ISE with Safenet(Token) for VPN access using Inline Posture?
    Yes you can
    2. When we create user account in Sponsor portal in ISE. By Default Where does the user gets created, In internal database of ISE  or in Active Directory?
    They are updated into Local ISE database
    3. Advantages of Sponsor portal over NAC guest server?
    Sponsor portal allows a person ( can be anyone assigned by Admin ) to manage Guest account.
    Refer http://www.cisco.com/c/en/us/td/docs/security/ise/1-0/sponsor_guide/ise10_sponsor_book/ise10_sponsor.html

  • ISE policy creation question - best practices

    Ok, I am a rookie ISE user here and am trying to learn as I go. I have a 802.1x policy for our corporate users on both wired and wireless and a wireless guest policy that redirects to the guest portal to enter credentials created in the sponsor portal. The corporate user has access to corporate resources and the guest basically has access to just the internet.
    I need to make what I am calling a Vendor policy that is basically a hybrid of the corporate user and the guest user. These would be vendors that are on-site to assist with programming and need access longer than what the guest account can be created for. This would also have specific ACLs that grant them access to the specific resources they would need. I would like to tie this into AD authentication since they have an AD account created to be able to access those corporate resources in most cases. My first question is do I have a single policy that is tweaked as vendors come and go or do I simply create a specific policy for each vendor? My second question is do I or should I create unique SSIDs for each vendor?
    As I said I am just now getting into getting ISE configured. I am just not sure of what is considered a best practice or what is considered a secure way to make things happen. In regards to the policies I have created, they work but I think I have a couple holes to address.
    Thanks ...
    Brent

    Mostly makes sense. I have the AD part just need to get an AD group created for my test subject.
    I created an Endpoint Identity Group to place the vendors devices into so that we can allow laptop to connect but not phone. Got that.
    I think I can handle the Authorization Profile. It will be something like if VendorAsset and AD1:ExternalGroups Equals VendorADGroup then VendorPermissions. VendorPermissions would be the ACL that limits where they can go. I also need to create a non 802.1x based SSID as well and add this to the Authorization profile but can still be generic enough to be useable by all vendors.
    I think it is my Authentication rules that I need to modify for Vendor as my Corporate based policies use Dot1x and I need a policy that does not use dot1x. Right?

  • ISE trusted certificates - 1.1.1 bug??

    Hello,
    I'm authenticating a few Cisco Phones towards ISE via EAP-TLS, and all was working on version 1.1.
    Now that we've upgraded to 1.1.1, I've reimported Cisco's Manufacturing CA and Root CA certificates into ISE, and marked them for trust for EAP-TLS authentications, but when phones authenticate I keep getting the message that they've presented an unknown CA certificate in their certificate request, and obviously we are failing EAP-TLS, but I'm pretty sure the certificates are well imported into ISE, so they should pass the validation.
    Is anybody aware of a bug of some sort with this?
    I read a post where somebody stated that now ISE would only support one certificate for EAP-TLS auth...
    If somebody can provide further details...
    Thanks
    Gustavo Novais

    The defect that I came across even though I had all the certs installed correctly.
    CSCud00831    eap-tls authentications start failing after a while x509 decrypt error
    Symptom:
    EAP-TLS authentications fail with "X509 decrypt error"
    Conditions:
    Visiting backup/restore page or performing an automatic scheduled backup
    without visiting the backup/restore page
    Workaround:
    Do not visit backup page. Disable scheduled backup. Separate Policy Services Node on deployment from Administrative or Monitoring Node.
    The fix will be available in ISE 1.1.3
    Jatin Katyal
    - Do rate helpful posts -

  • Trusted.certs question with regards to Installation and Upgrading Java

    Greetings,
    Thank you to all who take the time to read this especially those who can provide some answers!
    Question #1:
    I read that trusted.certs was not backwards compatible for Java. By this I mean that a "Java Runtime 6 Update 11" generated trusted.certs could not be read / used by "Java Runtime 6 Update 26". Is this correct?
    Question #2:
    Part A: Does a fresh install of Java create the trusted.certs file upon installation or at the time Java is first run after install?
    Part B: When the trusted.certs is created does it do a file check to see if trusted.certs file already exists? If so does it delete and generate a fresh trusted.certs or does it leave the existing file?
    Reason I ask this is that we are getting a java.io.FileNotfoundException for the trusted.certs file. This I believe to be caused by a failed upgrade of Java. When uninstalling "Java Runtime 6 Update 26" it displays "Java Runtime 6 Update 11". This leads me to believe that the trusted.certs is still for Update 11 and not Update 26 which would cause this error even after a fresh install of Java.
    I would love your input and knowledge! Thank you again for your time!

    I am not aware of any trusted.certs file being distributed with Java. Are you referring to the cacerts file?

  • How can i restore my iphone 5s as i forgot my icloud password and sec questions

    I bought a new iphone 5s  (32G Gold)
    and when I connect it to itunes asked me to restore from my old iphone 4
    with all my account settings and passwords.
    but I have a problem with my account for icloud password and security questions because my cloud id is *************** and with no problem with my apple id "*****************", I tried to restore my new iphone after I turned off find my iphone from icloud setting and when its restore was finished the iphone is locked and asked me to unlock the iphone with a ****************** that I forget the password and security questions and when I tried to enter my account id "**************** with no problem with its password it says to me "this account can't unlock this iphone"
    when I visit tradeline (Apple products dealer) I found no answer and they advised me to contact apple directly.
    Name : Alaa Rashed Abd el Hafiz
    Country : egypt
    <Personal Information Edited by Host>

    First, remove your personal information from your post.  That's not needed here.  This is a public forum, and it is unwise to provide your personal data online.
    Second, here's how you reset your password and/or security questions.
    How to reset your Apple ID password.
    Go to iforgot.apple.com and type in your Apple ID, then click 'Next'.
    Verify your date of birth, then click 'Next'.
    You'll be able to choose one of two methods to reset your password, either E-Mail Authentication or Answer Security Questions.
    If neither method works, then go to https://getsupport.apple.com
    (If you see a message that says 'There are no products registered to this Apple ID', simply click on 'See all products and services')
    Choose 'More Products & Services', then 'Apple ID'.
    A new page will open.
    Choose 'Other Apple ID Topics', then 'Lost or forgotten Apple ID password'.
    Click the blue 'Continue' button.
    Select the contact option that suits your needs best.
    How to reset your Apple ID security questions.
    Go to appleid.apple.com, click on the blue button that says 'Manage Your Apple ID'.
    Log in with your Apple ID and password. (If you have forgotten your Apple ID password, go to iforgot.apple.com first to reset your password with a password recovery email)
    Go to the Password & Security section on the left side, and click on the link underneath the security questions that says 'Forgot your answers? Send reset security info email to [email]'.  This will generate an automated e-mail that will allow you to reset your security questions.
    If that doesn't work, or  there is no rescue email link available, then click on 'Temporary Support PIN' that is in the bottom left side, and generate a 4-digit PIN for the Apple Account Security Advisor you will be contacting later.
    Next, go to https://getsupport.apple.com
    (If you see a message that says 'There are no products registered to this Apple ID', simply click on 'See all products and services')
    Choose 'More Products & Services', then 'Apple ID'.
    A new page will open.
    Choose 'Other Apple ID Topics', then 'Forgotten Apple ID Security Questions'.
    Click the blue 'Continue' button.
    Select the contact option that suits your needs best.

  • ISE Authorization Profile Question

    Hi,
    We are implementing ISE at a university and using dynamic VLAN allocation to segment the traffic into vlans of a manageable size - we do not want to use geographically based vlans for a number of reasons. However there is one scenario which I am struggling with.
    A number of students will be living in university owned houses which are not directly connected to the university network. In these houses an ISP will provide an ADSL circuit. These ADSL circuits will be aggregated back at the university data centre and will connect down one piece of wire to the university network. I haven't completed my testing yet but the general theory is that we can use multi-auth to allow them on to the network and apply appropriate access restrictions (these restrictions will differ from those applied when they connect "on campus"). However, in order to do this, I will need to create an authorization policy based on where they are coming from (ie what switch and what port). I can see how I can use Identity Groups to identify which switch the traffic is coming from but for the life of me I have no idea how I would identify the port.
    Anyone have any ideas how I might achieve my goal?
    Thanks
    Alan              

    Hi
    Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources. The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.
    An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:
    • A profile name
    • A profile description
    • An associated DACL
    • An associated VLAN
    • An associated SGACL
    • Any number of other dictionary-based attributes

  • ISE AD join question

    Hello, we have recently purchased ISE and are in the process of initial configuration. We have joined the appliances to our AD. Now in our firewall rules, we see the ISE appliance sending LDAP (389) traffic to all of our DC's. Is there a way to limit what DC's ISE will query, or does it just pull up a list of DC's from the domain that is joined? If I do an NSLOOKUP on just the domain, I see numerous DC's listed, but ISE is sending to DC's that are outside of this list as well. I am not an AD guy, so forgive me if I do not understand how this is populated, but I am very confused on how ISE is getting the IP's of all the DC's. And would really like to restrict if possible, since many of the DC's are behind firewalls that we did not open up for ISE to talk to, so the traffic is just being denied and filling up our syslog with denies.
    Also, is there a show command, CLI or GUI, to show what DC's the ISE appliances know about?
    We are running 1.1.1.268 code.
    Thank you all in advance for your help.                 

    Hi,
    If you are using sites and services in your DNS environment then ISE should only query the domain controllers that are sent in the dns response for GC and DC resolution requests. You may need to consult your AD and DNS folks in order to ensure that the ISE is only given the correct domain controllers.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE VM install question related to Disk Space on VMDK

    Hi all, and thanks in advance for any help/advice you can offer.
    We recently licensed for 10 ISE VM instances in our environment. We are trying to install the 3945 OVA file and it is forcing us to allocate 600GB for the appliance in the VMDK.  Per the install guide, however, the PSN only requires 200GB of disk space. This install will be for a PSN persona eventually, once its built and added to a deployment. So do we have to burn 400Gb for this? I am being told by the VM team that once the 600GB is allocated in the VMDK, it will not be able to be changed later to 200GB. I am told it can expand, but there is no option to shrink the disk size to 200GB. Almost seems as though the OVA should have been made to require a 200GB partition, then you could expand that to 300GB for Admin persona's and more for Monitoring persona's. As it stands, without the option to shrink the drive size, we are wasting 400GB unless I am missing something. Thus I am asking for your help!
    Install guide where VM disk sizing is specified is located at:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_011.html#ID-1417-000000d9
    Thank you,
    Jeff

    Hello Prasad,
    I am not sure what database you will be using in your system.
    Check SAPnotes # 799639 "Hardware Requirements" and  # 956921-  IDES ERP 2005 ECC 6.0.
    Here are database approximations :
    The database sizes are:
      ORACLE: 200 GB
      MaxDB:  180 GB
      MSSQL:  150 GB
      DB2-UDB 150 GB
      DB2 on iSeries 240 GB
    I can't comment on RAM size as I am not aware of the number of users, functionalities you will be using etc.
    For this you can create a project under http://service.sap.com/sizing. You will get a close approximation.
    This is an easy self guided procedure and it's good, you can get a close hardware approximation through this quick sizer tool.
    Regarding processor it's up to you. You can call vendors and check according to your budget.
    Best Regards
    NIraj

  • HT5868 Update software for the Mac and now my phone keeps asking the Trust Computer question.  I tap trust and nothing.  It asks me repeatedly

    My phone will not allow me to connect to my computer.  It asks me repeatedly if I "trust" the computer and I tap trust each time; and nothing.  I did upgrade the computer to Snow Leopard yesterday and was able to connect the iPad mini, but not the phone.

    I finally was able to solve my problem. I'm not sure why it happened but after updating my iPad to the most recent iOS, it works just fine. I had iOS 8 before, but it was the first release, not the update. I have the latest iTunes on my computer so maybe they weren't compatible. Anyway, if anyone else is having this problem, make sure everything is up to date.

  • ISE domain PC question

    I am trying to figure out how to grant access to users based on user authentication and computer accounts. I am trying to set up our ISE so that if a user on our domain connects to the wifi it will check to see if the PC they connected from is a member of our domain. If the computer is a member of the domain they will get full access to our network. If they are not a member of our domain they will get put into a different vlan that only has Internet access. Ultimately I would like to have a group in active directory for computer accounts that are allowed on the wifi. Is a setup like this possible? I have tried a few things and I can not get the computer account part to work.
    Sent from Cisco Technical Support iPhone App

    Hi Eric,
    We can create different rules in the authorization policies as per your scenarios. For your query we can set up the following rules:
    Step 1: Prior to the user entering their credentials, the machine will get authorized access when the machine boots up.
    iselabin.local:ExternalGroups==Domain  Computers
    Step 2: The user will enter credentials and will get authorized access because of the 2nd rule.
    Network Access:WasMachineAuthenticated ==True
                                  AND
    iselabin.local:ExternalGroups==Domain Users
    Also you need to go through the MAR as you are using Machine+User authentication. Below is the link for the same, in which you can find the MAR section:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354105.
