ISE Trustsec with 6500

I have ISE v1.1.2.145 and a Cat 6500 running IOS ADVENTERPRISEK9-M, Version 15.0(1)SY2.
I'm trying to add the 6500 to the TrustSec group with ISE and followed the TrustSec 2.1 documentation. After configuring it, ISE keeps logging the error below with the subject #CTSREQUEST#:
11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute
Below are the steps:
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
15012  Selected Access Service - NDAC_SGT_Service
11302  Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute
Also, after I configure cts credentials and the radius-server pac command on the 6500, it starts logging messages that RADIUS is down, and the next moment it comes up again. It does this continuously.
Thanks in advance for the help.
Regards,
Zohaib

Hello Zohaib,
You may find the following helpful in solving the problem.
Configuring EAP-FAST Settings
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_auth_pol.html#wp1146184
Configuring Security Group Access Settings
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_sga_pol.html#wp1102430
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_net_acc_flows.html#wp1135510
EAP-FAST
http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5861/prod_qas09186a00802030dc_ps430_Products_Q_and_A_Item.html
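The ISE step 11302 above says the Access-Request from the switch carried no cts-pac-opaque cisco-av-pair, which is what a device sends once it has been provisioned with a PAC. The block below is an added example, not code from the thread or from Cisco: it builds and parses RADIUS Access-Request packets, extracts Cisco vendor-specific AV pairs, and reproduces the check behind 11302. It assumes (my assumption, not stated on the page) that a "Secure RADIUS request" carries a Message-Authenticator (RFC 3579), so it verifies that HMAC-MD5 as well. The shared secret and the PAC value are constructed for the demo.

```python
"""Added example: parse a RADIUS Access-Request, verify Message-Authenticator,
and look for the cts-pac-opaque cisco-av-pair that ISE step 11302 reports missing.
All packets are constructed in-process; nothing touches the network."""
import hashlib
import hmac
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # cisco-avpair sub-attribute inside the VSA
HEADER_LEN = 20              # code, id, length, 16-byte authenticator


def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text):
    """Encode a cisco-avpair string inside a Vendor-Specific attribute."""
    sub = attr(CISCO_AVPAIR, text.encode("ascii"))
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_request(identifier, attributes, secret, authenticator=None):
    """Build an Access-Request with a valid Message-Authenticator (RFC 3579)."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(attributes)
    # The HMAC-MD5 covers the whole packet with the 16 MA bytes set to zero.
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER_LEN + len(body) + len(placeholder)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Return [(type, value, offset)] for every top-level attribute."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short RADIUS packet")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    out, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, packet[pos + 2:pos + alen], pos))
        pos += alen
    return out


def cisco_avpairs(packet):
    """Extract every cisco-avpair string from Cisco VSAs (vendor id 9)."""
    pairs = []
    for atype, value, _ in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vpos = 4
        while vpos + 2 <= len(value):
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("malformed Cisco VSA")
            if vtype == CISCO_AVPAIR:
                pairs.append(value[vpos + 2:vpos + vlen].decode("ascii", "replace"))
            vpos += vlen
    return pairs


def message_authenticator_ok(packet, secret):
    """Recompute HMAC-MD5 with the MA bytes zeroed and compare in constant time."""
    for atype, value, offset in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def classify_cts_request(packet, secret):
    """Reproduce the ISE check: a verified Message-Authenticator (assumption) and a
    cts-pac-opaque cisco-av-pair are both required; otherwise report why not."""
    if not message_authenticator_ok(packet, secret):
        return "reject: missing or invalid Message-Authenticator"
    if not any(p.startswith("cts-pac-opaque=") for p in cisco_avpairs(packet)):
        return "11302: no cts-pac-opaque cisco-av-pair"
    return "ok: PAC opaque present"


SECRET = b"constructed-shared-secret"   # constructed RADIUS key, not from the page
# What an unprovisioned switch sends (constructed): identity only, no PAC.
NO_PAC = build_access_request(7, [attr(ATTR_USER_NAME, b"#CTSREQUEST#")], SECRET)
# Same request carrying a made-up opaque PAC value.
WITH_PAC = build_access_request(8, [attr(ATTR_USER_NAME, b"#CTSREQUEST#"),
                                    cisco_avpair("cts-pac-opaque=AABBCCDD")], SECRET)

if __name__ == "__main__":
    print(classify_cts_request(NO_PAC, SECRET))
    print(classify_cts_request(WITH_PAC, SECRET))
    print(classify_cts_request(WITH_PAC, b"wrong-key"))
```

Running the script prints the 11302 condition for the first packet, "ok" for the second, and a reject for the third. A capture of the real 6500 request decoded the same way tells you whether the switch never obtained a PAC (no av-pair at all) or the shared secret between the switch and ISE differs (Message-Authenticator fails), which also fits the RADIUS up/down flapping in the question.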

Similar Messages

  • Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

    I'm trying to follow the TrustSec 2.1 guide on IP Phones in Low-Impact mode.
    I can get a PC on its own to authenticate via dot1x/tls
    I can get a Cisco IP Phone on its own to authenticate via MAB.
    When the two are on the same switchport, the phone will authenticate but not the PC. ISE logs EAP timeouts.
    The switchport has the LowImpact port ACL of
    ip access-group ACL-DEFAULT in
    The IP Phone gets a dACL that allows it OK.
    I assume a MAB phone and a dot1x PC on the same port is supported? Any ideas?
    Thanks in advance.

    The ISE log detailed steps are as follows:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12300  Prepared EAP-Request proposing PEAP with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    5411  No response received during 120 seconds on last EAP message sent to the client

  • ISE deployment with subdomains

    Hi Experts,
    We have an AD architecture with a parent domain and three subdomains, one per region; the ISE Administration/Monitoring node will be in one subdomain and each region will have its own ISE node with the Policy persona.
    I am looking for guidance on how the ISE design should look, more precisely which domain the PSN node will join: its regional sub-domain?
    If yes, is it supported to have each PSN in a different sub-domain?
    Thanks

    You can place PSNs in the regional sub-domains, but you need to make sure that all the regional sub-domains are able to communicate with each other without any DNS or NAT issues.

  • Cisco ISE integration with SMS passcode Device

    Hi Experts,
    I have a scenario where the requirement is to integrate the ISE device with an SMS Passcode device, which will trigger the OTP to the mobile devices.
    Currently I have my authentication configured to work with AD.
    When my VPN users connect, they authenticate against AD and get access.
    Now, as per the new requirement, once the user is authenticated against AD, the user should be prompted for the OTP password sent to the user by the SMS Passcode device.
    If anyone has worked on a similar requirement, please help me to resolve the issue.
    Thanks in advance
    Angus

    Hi all
    I have been working for exactly a month on this topic with no success.
    I need to integrate the VASCO OTP solution. But VASCO does not support any external authentication backend for virtual/SMS tokens, only passcode or local authentication.
    I need to implement an external authentication against LDAP somewhere...
    Gunnar, does Cisco clearly say it is not able to participate in such a setup?
    So, what I need is to be able to insert into the flow an authentication in ISE against the LDAP.
    The flow is:
    Web application sends login+password (LDAP) to ISE
    ISE checks the credentials and, if they are OK, forwards the request to VASCO
    VASCO does not check the password but generates the OTP and sends it via SMS
    VASCO replies with an Access-Challenge
    ISE forwards the challenge to the web application
    Web application sends login+OTP response to ISE
    ISE forwards it to VASCO
    VASCO checks the OTP and replies to ISE with an Accept
    ISE forwards it to the web application
    User is logged in...
    The whole flow works if the user enters a passcode.
    I would like to implement an identity source sequence where the user is checked against all the entries, not just the first match:
    First LDAP, then VASCO...
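The two posts above describe the same two-leg RADIUS exchange: a password check against the directory, then an Access-Challenge carrying a State attribute, then a second request with State plus the OTP. The block below is an added example, not code from the thread, from Cisco or from VASCO: it simulates the proxy, the directory and the OTP backend in-process so the exchange can be stepped through. The directory contents, usernames and passwords are constructed; the behaviour of continuing to the second source after a match is the poster's wish, not a documented ISE feature. It also covers two failure modes a real backend must handle: a replayed State and an expired challenge.

```python
"""Added example: a RADIUS-style two-leg login modelled on the flow in the posts.
Leg 1: password checked against a constructed LDAP-like directory, then the OTP
backend is asked to start a challenge (Access-Challenge + State).
Leg 2: the client returns State + OTP; the State is single-use and expires.
Everything is simulated in-process; nothing is sent on the network."""
import hmac
import secrets
import time

# Constructed directory. Real ISE would bind to LDAP/AD rather than hold passwords.
DIRECTORY = {"alice": "correct-horse-battery", "bob": "hunter2"}


def ldap_bind(username, password):
    """Stand-in for the LDAP credential check (first identity source)."""
    stored = DIRECTORY.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


class OtpServer:
    """Stand-in for the SMS/OTP backend (VASCO or SMS Passcode in the posts)."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock           # injectable so expiry can be tested
        self.pending = {}            # State -> (username, otp, deadline)
        self.sms_outbox = []         # what would have gone out by SMS (demo only)

    def start(self, username):
        otp = "%06d" % secrets.randbelow(10 ** 6)
        state = secrets.token_hex(16)          # opaque, unguessable State value
        self.pending[state] = (username, otp, self.clock() + self.ttl)
        self.sms_outbox.append((username, otp))
        return {"code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter the one-time code sent by SMS"}

    def finish(self, username, state, otp):
        entry = self.pending.pop(state, None)  # pop: a State can be used only once
        if entry is None:
            return {"code": "Access-Reject", "Reply-Message": "unknown or reused State"}
        user, expected, deadline = entry
        if self.clock() > deadline:
            return {"code": "Access-Reject", "Reply-Message": "OTP expired"}
        if user != username or not hmac.compare_digest(expected, otp):
            return {"code": "Access-Reject", "Reply-Message": "bad OTP"}
        return {"code": "Access-Accept"}


class IseProxy:
    """Stand-in for ISE: checks LDAP first, then always continues to the OTP
    backend instead of stopping at the first identity source that matched."""

    def __init__(self, otp_server):
        self.otp = otp_server

    def handle(self, request):
        username = request["User-Name"]
        if "State" in request:                               # leg 2: State + OTP
            return self.otp.finish(username, request["State"], request["User-Password"])
        if not ldap_bind(username, request["User-Password"]):  # leg 1: directory
            return {"code": "Access-Reject", "Reply-Message": "LDAP bind failed"}
        return self.otp.start(username)


def login(proxy, username, password, read_sms):
    """Drive both legs as the web application would; read_sms(user) returns the OTP."""
    first = proxy.handle({"User-Name": username, "User-Password": password})
    if first["code"] != "Access-Challenge":
        return first["code"]
    second = proxy.handle({"User-Name": username, "User-Password": read_sms(username),
                           "State": first["State"]})
    return second["code"]


if __name__ == "__main__":
    otp = OtpServer()
    ise = IseProxy(otp)
    latest = lambda user: [o for u, o in otp.sms_outbox if u == user][-1]
    print(login(ise, "alice", "correct-horse-battery", latest))   # Access-Accept
    print(login(ise, "alice", "wrong-password", latest))          # Access-Reject at LDAP
    chal = ise.handle({"User-Name": "bob", "User-Password": "hunter2"})
    leg2 = {"User-Name": "bob", "User-Password": latest("bob"), "State": chal["State"]}
    print(ise.handle(leg2)["code"], ise.handle(leg2)["code"])    # Accept, then Reject (replay)
```

The State value is the only thing tying the second request to the first, so it must be unguessable, bound to the user, single-use and short-lived; the example enforces all four. A real deployment would also rate-limit OTP guesses per State, which the demo omits.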

  • ISE integration with Oracle LDAP

    Does ISE integrate with Oracle OID LDAP (Version 11G)? If yes, which version?

    ISE supports any LDAPv3 compliant servers

  • ISE integration with Prime Infrastructure,

    Hi Team,
      I would like to know the advantages and disadvantages of integrating ISE with Prime Infrastructure. Also, how will the LAN, Wi-Fi, and identity management (guest access etc.) parts work together?
    Cheers!!!
    Minakshi

    Prime Infrastructure manages the wired and wireless clients in the network. When Cisco ISE is used as the RADIUS server to authenticate clients, Prime Infrastructure collects additional information about these clients from Cisco ISE, so that all client-relevant information is visible in a single console.
    When posture assessment is enforced in the network, Prime Infrastructure talks to Cisco ISE to get the posture data for the clients and displays it along with other client attributes. When Cisco ISE is used to profile the clients or endpoints in the network, Prime Infrastructure collects the profiled data to determine what type of client it is, whether an iPhone, iPad, Android device, or any other device.
    In short, Cisco ISE assists Prime Infrastructure in monitoring and troubleshooting clients, and Prime Infrastructure displays all the relevant information for a client in a single console.

  • Is it possible to enable VSS with 6500 chassis when only one chassis has the WiSM?

    Is it possible to enable VSS with 6500 chassis when only one chassis has the WiSM?

    Thank you very much for the reply. That means both chassis do not need to have the same modules installed.

  • Cisco ISE Integrate with Airwatch

    Dears,
    I need a configuration guide or video on how to integrate Cisco ISE with AirWatch. Please provide me this information.
    Thanks

    If you have a CCO ID, you may be able to see it here:
    ISE integration with AirWatch MDM
    If you cannot, you should be able to ask your Cisco AM for this.
    Please rate helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • WLC DHCP issue with 6500

    Hi,
    I configured the WLC as a DHCP server and it works fine when connected to the 3750 core switch. The APs and clients get IP addresses.
    When the same WLC is connected to the 6500, DHCP from the WLC does not work. The same 6500 port was verified by connecting a 3750 as the DHCP server, and the APs as well as the clients got IPs.
    DHCP snooping and port security are not enabled on the 6500 and the configuration is simple. The WLC is untagged and the 6500 port is a trunk port with 242 as the native VLAN.
    Please help

    Dear Surendra,
    Please see the answers in line.
    1. As per your previous post, if we connect the WLC to the 3750 core everything works fine. So in this case, I assume that we have an interface VLAN on the switch and the management interface on the WLC is in the same subnet? Correct?
    "Yes, all are in the same VLAN. The interface VLAN and the management interface are in the same subnet."
    2. Similarly, if we swap the 3750 with the 6500, it doesn't work. In this case, have you created the interface VLAN on the 6500 in the same subnet as the management interface of the WLC?
    "Yes, the 6500 has a VLAN interface without an IP, configured the same way as on the 3750."
    Or
    3. Are we not swapping the 6500, but connecting the WLC to the 6500 and then this 6500 to the 3750?
    "We connected the WLC and LAP to the 3750 and the DHCP of the WLC works fine. When the WLC and AP are connected to the 6500, the WLC DHCP does not work. We verified the 6500 port by connecting a 3750 as the DHCP server, with the WLC connected to the 3750, and everything worked fine. When the WLC is directly connected to the 6500, the LAP does not join the WLC. When a static IP is given to the LAP, the LAP joins the WLC but the clients do not get IPs."
    4. Layer 2 means the interface VLAN on the switch, the WLC management interface and the AP DHCP pool are all in the same subnet. Correct?
    "Yes, all are in the same subnet."
    Thanks for your efforts.
    Regards,
    Savad

  • Cisco ISE integration with third-party firewalls

    Can Cisco ISE be integrated with a third-party firewall (such as Checkpoint), to provide authentication/authorization services to remote VPN user devices (based on device MAC address)?
    The remote user would establish a VPN connection to a third-party firewall, based on a username/password authentication, but the user would only be allowed to send/receive traffic to the internal network if the MAC address of the device being used was authorized by Cisco ISE.
    Thank you in advance.

    Rui,
    I do not think the VPN client sends the IP address in a Called-Station-Id; that might be the public IP address that the client is initiating the request from. If you have an existing RADIUS server or can run a packet capture, you should be able to verify that.
    If the client does send the MAC address in the RADIUS packet, then you can create a custom condition that checks the MAC address along with the username to allow it access to the session. However, in VPN deployments there is no concept of profiling, since 802.1X deployments usually include the client's MAC address.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE,AD with TLS

    Choose Administration > Identity Management > External Identity Sources
    In the above option, there is something called Binary Certificate Comparison. Below is the explanation for it from the User Guide:
    Perform Binary Certificate Comparison with Certificate Retrieved from LDAP or Active
    Directory—Check this check box if you want to validate certificate information for authentication
    against a selected LDAP or Active Directory identity source.
    If you check this check box, you must choose the LDAP or Active Directory identity source from
    the available list.
    Can someone tell me how this will impact the TLS configuration?
    Regards
    NikhiL

    NikhiL:
    I don't have ISE, but I know a little about binary comparison, which should be the same concept in all products.
    When EAP-TLS happens, the WLC (assuming a unified wireless infrastructure) will try to authenticate the user. With EAP-TLS in place, the client will send a certificate as its identity.
    For the server to verify that the trusted certificate provided belongs to a Wi-Fi user who is authorized to connect to the wireless network, it needs to verify that the user who provided the certificate is authorized for Wi-Fi access.
    It has to compare the username in the certificate with the username in its DB to make sure that the user is authorized for wireless. (You can choose which attribute to compare the username against, such as SAN, CN, subject, etc.)
    If the username provided is found in the AAA server and it is authorized for Wi-Fi, it will be allowed to connect.
    If you are using an external DB to authenticate users and not the internal DB, i.e. usernames are not saved in the AAA server and the AAA server is a proxy that authenticates against the external DB (LDAP or AD, for example), then you have an extra option.
    Sometimes the external DB itself has the same certificate for the client saved. In this case, when the AAA server tries to authenticate the username via the external DB and binary comparison is enabled, then besides the username check above, the AAA server (ISE in your case) will compare the certificate from the external DB to the certificate provided by the client bit by bit and make sure both certificates are identical.
    I hope this makes it clear to you. I think you can answer "how this affects EAP-TLS" now. It should not affect it if this is being used correctly, and things should be fine.
    Hope this is clear and useful.
    Amjad

  • ISE problem with EAP-TLS Supplicant Provisioning

    Hi All,
    I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software. The aim of the demo is to provision a device's supplicant with an EAP-TLS certificate: 'device on-boarding'.
    The entire CWA / Device Registration process is all fine and works well. I'm using a publicly signed cert on ISE that is built from [Root CA + Intermediate CA + Host Cert], which is used for both HTTPS and EAP, and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory. All of this works fine.
    The problem is that when ISE pushes the WLAN config down to the device, it instructs the client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA. This leads to a problem where the client doesn't trust the certificate presented to it by ISE. There doesn't seem to be any way to configure this behaviour within ISE.
    Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
    Cheers,
    Richard
    PS - Also using WinSPWizard 1.0.0.28

    Hi Richard,
    This is a misbehavior: ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon; Engineering is almost ready with the fix.
    Istvan Segyik
    Systems Engineer
    Global Virtual Engineering
    WW Partner Organization
    Cisco Systems, Inc
    Email: [email protected]
    Work: +36 1 2254604
    Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

  • Cisco ISE integration with AD fails

    Cisco ISE Ver: 1.1.2.145
    Windows : Win 2003 Server
    I am attempting to integrate ISE with AD, but ISE won't join AD and the join attempts fail, though I am able to add the same domain as an external LDAP identity store.
    1. The user used to join the domain has admin permission on AD.
    2. ISE resolves the domain correctly.
    3. There is a firewall in between ISE (192.168.100.10) and AD (172.16.100.1), but all traffic is permitted.
    4. No NATing is taking place; the firewall forwards all traffic between ISE and AD.
    I can't really understand why the AD connection fails.
    From ISE Interface - Detailed Test Connection
    Adinfo (CentrifyDC 4.5.0-357)
    Host Diagnostics
      Uname: Linux Iseadn 2.6.18-274.17.1.el5PAE #1 SMP Wed Jan 4 22:49:48 EST 2012 I686
      OS: Linux
      Version: 2.6.18-274.17.1.el5PAE
      Number Of CPUs: 1
    IP Diagnostics
      Local Host Name: Iseadn
      Local IP Address: 192.168.100.10
      FQDN Host Name:iseadn.gnet.cp
    Domain Diagnostics
      Domain: Gnet.cp
      Subnet Site: Default-first-site-name
        DNS Query For: _ldap._tcp.gnet.cp
        Found SRV Records:
          Gnet.cp:389
      Testing Active Directory Connectivity:
        Domain Controller: Gnet.cp
          Ldap:      389/tcp - Good
          Ldap:      389/udp - Good
          Smb:       445/tcp - Good
          Kdc:        88/tcp - Good
          Kpasswd:   464/tcp - Good
          Ntp:       123/udp - Good
      Domain Controller: Gnet.cp:389
        Domain Controller Type: Windows 2003
        Domain Name:            GNET.CP
        IsGlobalCatalogReady:   TRUE
        DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
        ForestFunctionality:           0 = (DS_BEHAVIOR_WIN2000)
        DomainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
      Forest Name: GNET.CP
        DNS Query For: _gc._tcp.GNET.CP
      Testing Active Directory Connectivity:
      Forest Name: GNET.CP
    Kerberos Error: Rc=-1765328377 SASL Bind To Ldap/[email protected] - GSSAPI Mechanism With Kerberos Error  : Server Not Found In Kerberos Database
    Computer Account Diagnostics
      Not Joined To Any Domain
    System Diagnostic
      Not Joined To Any Domain
    Centrify DirectControl Status
      Not Joined To Any Domain
    Licensed Features: Enabled
    SELinux Status:                 Disabled
    Amavis1.1.0
    Ccs1.0.0
    Clamav1.1.0
    Dcc1.1.0
    Dnsmasq1.1.1
    Evolution1.1.0
    Ipsec1.4.0
    Iscsid1.0.0
    Milter1.0.0
    Mozilla1.1.0
    Mplayer1.1.0
    Nagios1.1.0
    Oddjob1.0.1
    Pcscd1.0.0
    Postgrey1.1.0
    Prelude1.0.0
    Pyzor1.1.0
    Qemu1.1.2
    Razor1.1.0
    Ricci1.0.0
    Smartmon1.1.0
    Spamassassin1.9.0
    Virt1.0.0
    Zosremote1.0.0
    From Ad-agent log

    Hi Jallaluddin
    I work for Centrify Support and saw your posting. Here is our analysis after checking adlogs.txt.zip:
    "Server not found in Kerberos database" (reference base/adbind.cpp:495 rc: -1765328377)
    That error is likely coming from the KDC, meaning there is some problem with server-side SPNs.
    We need the following:
    1) A network trace.
    2) adcheck output.
    3) adinfo --support output
    4) Run dcdiag or netdiag on the server side.
    Also, we partner with Cisco, so would it be possible to work with your partners? I am pretty sure they have seen this before with DC issues etc. Can you please work with them and see? TIA
    Best Regards
    Raghu Srinivasan

  • ISE authentication with windows hibernate

    I have ISE 1.2; the machine can't authenticate after hibernation, so the user must log off and log in again.
    Is this applicable to ISE or not?

    If you are using the Windows native supplicant, try using AnyConnect NAM. There is a bug (feature) in the native supplicant that causes it to go brain dead after returning from sleep mode/hibernation. Microsoft has hotfixes for Vista and later, but not XP. I've had hit-and-miss success with these, and that's why I suggest trying AnyConnect.
    Sent from Cisco Technical Support Android App

  • ISE Issue with DNS

    Hello Techies,
    I am facing a challenge while configuring ISE to join AD: the domain name lookup fails. DNS is working perfectly fine;
    nslookup works fine on ISE for simple domain names, but on long domain names it fails with the following error:
    ;; Truncated, retrying in TCP mode.
    ;; connection timed out; no servers could be reached
    Upon searching on Google, many threads say this is a common issue with Linux when multiple IPs are returned for a DNS query. The solution is to make static entries in:
    /etc/resolv.conf
    I am not able to find it in ISE, as it does not give access to the OS. I am running it on VMware.
    I look forward to your valuable inputs to resolve this.
    Thanks

    Thanks for your response. Port 53 (TCP) was opened on the firewall and voila, nslookup was able to resolve the hostname.
    Now there is another challenge because of the huge environment. The Active Directory forest contains more than 50 child domain controllers. The policy is open for one particular hostname/IP. But authentication is not successful and ISE is not able to join the domain. Cisco forums say that ports for all servers should be open for ISE on the intermediate firewall, but that is a huge challenge for testing.
    When I tried to give the FQDN of the specific server (for which ports are open on the firewall), it again does not get resolved.
    Please suggest
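The "Truncated, retrying in TCP mode" line above is the resolver reporting that the UDP answer had the TC bit set (the record set, here the SRV records for a large forest, did not fit the UDP payload), after which it retries the same query over TCP/53; "no servers could be reached" then means that TCP retry was blocked. The block below is an added example, not code from the thread or from Cisco or ISE: it builds a DNS query with an optional EDNS OPT record, parses the response header, and shows the decision the resolver makes. All messages are constructed in-process; the names used are the thread's domain plus a made-up server name.

```python
"""Added example: what 'Truncated, retrying in TCP mode' means on the wire.
Builds a DNS query, parses the response header, and decides whether the
resolver must fall back to TCP/53. Messages are constructed in-process."""
import struct

FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: the answer did not fit the UDP payload size
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=TYPE_A, edns_udp_size=None):
    """Standard query; with edns_udp_size set, an OPT RR (RFC 6891) advertises a
    UDP payload larger than the classic 512 bytes, which avoids many truncations."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext. flags, rdlen 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into a dict."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def advertised_udp_size(query):
    """Read the EDNS UDP payload size from the query's OPT RR, or 512 if absent."""
    hdr = parse_header(query)
    pos = 12
    for _ in range(hdr["qdcount"]):
        pos = skip_name(query, pos) + 4          # skip qtype and qclass
    for _ in range(hdr["arcount"]):
        pos = skip_name(query, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[pos:pos + 10])
        if rtype == TYPE_OPT:
            return rclass
        pos += 10 + rdlen
    return 512


def answered_response(query, addresses):
    """Constructed complete reply: one A record per address, owner name compressed
    to the question at offset 12 (pointer 0xC00C)."""
    txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in addresses)
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, qd, len(addresses), 0, 0)
    return header + query[12:qend] + rrs


def truncated_response(query):
    """Constructed server behaviour when the answer set exceeds the UDP limit:
    TC is set and the answer section is left empty; the client must retry over TCP."""
    txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, qd, 0, 0, ar)
    return header + query[12:]


def next_step(query, udp_response, tcp53_open):
    """Resolver decision after the UDP reply, mirroring nslookup's messages."""
    hdr = parse_header(udp_response)
    if hdr["id"] != struct.unpack("!H", query[:2])[0] or not hdr["qr"]:
        return "discard: not a response to our query"
    if not hdr["tc"]:
        return "done: %d answer(s) over UDP" % hdr["ancount"]
    if tcp53_open:
        return "retry over TCP"
    return "fail: truncated and TCP/53 blocked (connection timed out; no servers could be reached)"


if __name__ == "__main__":
    q = build_query(0x1234, "gnet.cp")
    print(next_step(q, answered_response(q, ["172.16.100.1"]), tcp53_open=False))
    print(next_step(q, truncated_response(q), tcp53_open=False))
    print(next_step(q, truncated_response(q), tcp53_open=True))
    print(advertised_udp_size(build_query(1, "dc01.gnet.cp", edns_udp_size=4096)))
```

Two practical consequences follow: a firewall rule for DNS must allow TCP/53 as well as UDP/53 towards the resolvers ISE uses, and a resolver that sends EDNS with a large advertised payload will see far fewer truncations, although a path that drops fragmented UDP can then fail in a different way, so the TCP rule is still needed.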
