ISE versus ACS

Dear Folks,
I would like to know what box would be perfect for wireless authentication: ACS or ISE?
If I am not wrong, isn't ISE = ACS + NAC + NAC Guest Server?
Regards,
SID

For wireless authentication, yes, this is fine; for other services, ISE is what you need, and it is slated to have support for TACACS as well.
One more feature of ISE is that you can purchase base and advanced licenses in order to adjust the cost based on your deployment; if you need more features, all you do is purchase the license and configure those services.
You are right but you left off a few other products:
ISE = ACS = NAC + NGS + NAC profiler and collector as well.
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • ISE and ACS?

    Is there any reason why we would need an ACS and ISE, as my understanding is the ISE alone would be sufficient?
    We are looking to deploy a wireless network supporting a mixture of corporate devices and BYOD.
    Corporate users would be required to be authenticated via AD, which I believe the ISE can support.
    Other users would be Authenticated via the ISE portal.
    Kind Regards
    Stewart 

    Keep in mind that ISE doesn't do TACACS+, so you can't use it for standard management access and command authorization of Cisco devices as with ACS.

  • ACS 1121 to ISE migration

    Hello ALL,
    We have ACS 1121 and are planning to migrate to ISE. Let me know if it's possible and, if yes, what licenses I need to buy.

    Existing NAC and ACS customers with active support contracts on older appliances are entitled to all of the ISE appliance migration SKUs. Given all the potential appliances migration options (NAC 3140 to ISE 3395, ACS 1120 to ISE 3315, NAC 3310 to ISE VM, etc) PMBU decided to not put any restriction on which migration appliances SKUs customers can use. PMBU is not offering credit for older hardware because the focus is on reduced Base or free Advanced migration licenses.

  • Cisco ISE 1.1.2 and Certificate Revocation List (CRL) checking

    All,
    I have 4 ISE appliances, version 1.1.2, running in my network, called nodeA, nodeB, nodeC and nodeD.
    - NodeA is Primary Admin and Secondary Monitoring,
    - NodeB is Secondary Admin and Primary Monitoring,
    - NodeC is Policy node,
    - NodeD is Policy node,
    The ISE environment is tightly integrated with the company Microsoft Active Directory Windows 2008R2. We import the company-issued cert into the ISE for PEAP and CRL checking.
    Question: How often does the ISE perform CRL checking with the Certificate Authority (CA) Server?
    I also have an ACS environment that is also tightly integrated with Microsoft AD. How often does the ACS perform CRL checking with the Certificate Authority (CA) Server?
    What will happen to the ISE and ACS environment if the CA Server becomes unavailable?
    I can't seem to find this question in either ISE or ACS documentation anywhere.
    Thank you.

    How often does the ISE perform CRL checking with the Certificate Authority (CA) Server?
        ISE checks CRL based on how you configure it. Admin > Certificates > Cert Store. Select your CA. From there you'll be able to edit the cert info. The last option is the CRL Configuration. You can set the download frequency.
    How often does the ACS perform CRL checking with the Certificate Authority (CA) Server?
        System Config > ACS Cert Setup > CRL. From there you'll be able to see/edit.
    What will happen to the ISE and ACS environment if the CA Server becomes unavailable?
        Most likely the end of the world, but to be honest I'm not really sure. My assumption is that if both the client and the ISE/ACS server already have their respective certs, they should still be able to work. Just no new certs or CRLs would be issued.
    Documentation Sources:
    ACS: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/sau.html
    ISE: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html
    HTH

  • ISE - dot1x EAP TLS for Cisco IP Phones

    Hi Gents,
    I have a question about the CA configs for ISE or ACS.
    As I understand, the LSC certificate is issued by the CUCM by its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CAs do we need to trust:
    1. Cisco CA Certificate
    2. CUCM Locally signed Certificate or CUCM Identity Certificate
    And if these certificates are imported into ISE/ACS, will the ISE/ACS be able to authenticate the IP Phone if the dot1x EAP-TLS authentication is enabled for IP Phones?
    Are there any other configs needed?
    I would highly appreciate it if someone could clarify this process for me.
    Regards,

    I got the answer, for the first part of the EAP TLS authentication: Phone authentication
    In an IEEE 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the phone's certificate. The root certificates for both LSCs and MICs can be exported from the CUCM Operating System Administration interface and imported into your AAA server.
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000412
    As this is EAP TLS, Server (ISE/ACS) is also required to authenticate itself to the phone.
    What is needed for this?

  • [Cisco ISE] What is CACS?

    Dear Sir,
    Here is the operation>Authentication detail on my Cisco ISE:
    Result
    State ReauthSession:0a01010100077000545c5b8a
    Class OU=VPN-USER2
    Class CACS:0a01010100077000545c5b8a:psn/203756592/237 
    I searched many documents, but none of them could tell me what is the meaning of CACS.
    In my authorization profile result, I only configured following:
    Access Type = ACCESS_ACCEPT
    Class = OU=VPN-USER2;
    It seemed that the CACS was some kind of session code, auto-generated for machine processing. 
    (1) Hope somebody could help clarify “What is CACS”
    (2) My colleague in the network team is concerned that CACS in the auth response would lead to some unwanted result in ASA VPN authentication and assigning Gp policy to the VPN user. To relieve his concern, could we clear out the CACS from the auth response?
    Million thanks for your kind help.

    Hi David. I did some research but could not find much outside of this being a Cisco-specific RADIUS attribute that is also used by ACS. With that being said, I don't think that this is something that you need to worry about. I don't think an ACS/ISE attribute can trigger a GP policy update on your endpoints. I have done many VPN deployments where the endpoints are authenticating against ISE or ACS and I have never had any problems, nor have I had the need to filter any attributes.
    Feel free to reach out to Cisco TAC for more details as that is all I have :) Also, feel free to have your network team chime in and provide more details with regards to their concerns. You can also test this with some test workstations and confirm whether or not you will see any undesirable results :)
    I hope this helps!
    Thank you for rating helpful posts! 

  • ISE : Authentication for IKEv2

    Just to check if anyone might be able to assist me regarding an issue that I am trying to work out a solution for.
    My requirements are: multitenant deployment using ASR1K with IKEv2 VPN authenticated with ISE or ACS, and user databases in most cases will be in Active Directory. And authentication has to be with user and password.
    EAP-MD5: does not work with LDAP integration with Active Directory. It does, however, work in RADIUS proxy mode, but the security level of password storage in AD has to be degraded a lot by allowing AD to store reversible passwords.
    EAP-GTC: As far as I understand from everything I read, this might be the holy grail for U/P authentication for IKEv2. But in ISE and ACS, EAP-GTC is only supported as an inner method in PEAP and EAP-FAST. Will this change in the near future?
    And is there possibly something else that I am missing which might be a solution to this design criteria ?

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • Interface with SQL backend (foreign schema)?

    I'm looking for a Radius or LDAP solution using (foreign schema) SQL storage as backend.
    I do have a large user database (that must stay as-is, I only have read-only sql access) that resides on an Oracle SQL server. I know the schema and how the passwords are salted and hashed, but on the gateway I can only use Radius or LDAP as authentication protocols. This is purely for authentication, not authorization (i.e. no group memberships need to be resolved) or accounting.
    Is this possible with either ISE or ACS? I know that ACS may use Oracle, but afaik only for accounting or use it as its own underlying database (which is not what I want as the users already exist in a given schema).

    Hi All
    Do we need to download a separate DB Adapter for connecting to SQL Server 2005?
    I have created a BPEL process using the DB Adapter provided in JDev 10.1.3.1.0.
    The process deploys successfully but is erroring out at the point where it is trying to fetch the data from SQL Server.
    Error:
    file:/ora1/SOASuite/oraFUSNweb/bpel/domains/default/tmp/.bpel_RealInvoiceBPEL_2_de4c0630077583d27bcc9a9054da80f9.tmp/SQLServerDB.wsdl [ SQLServerDB_ptt::SQLServerDBSelect(SQLServerDBSelect_inparameters,XxdummyTestCollection) ] - WSIF JCA Execute of operation 'SQLServerDBSelect' failed due to: Could not create/access the TopLink Session.
    Please help
    thanks
    - debashis

  • Cisco sns-3415 configuration

    Hi Team
    We brought a new Cisco SNS-3415 ACS configuration. Somebody please help to configure this for the first time. I am simply on this device for the first time, so I look forward to a first-level configuration guide. Find below the configuration details.
    SNS-3415-K9: Small Secure Network Server for ISE NAC & ACS Applications
    CON-SNT-SNS3415: SMARTNET 8X5XNBD Small Secure Network
    CSACS-3415-K9: ACS application & BASE license for SNS-3415-K9 appliance
    CSACS-5-BASE-LIC: Cisco Secure ACS 5 Base License
    CSACS-ACCYKIT: Accessory Kit for Access Control System SW on 3415-appliance
    SFS-250V-10A-ID: SFS Power Cord - 250V 10A India
    SNS-4GBSR-1X041RY: 4GB 1600 Mhz Memory Module
    SNS-600GB-HDD: 600 GB Hard Disk Drive
    SNS-650W-PSU: 650W power supply for C-series rack servers + cord (configur
    SNS-CPU-2609-E5: 2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz
    SNS-N2XX-ABPCI01: Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI
    SNS-RAID-ROM5: Embedded SW RAID 0/1/10 8 ports SAS/SATA
    SNS-UCS-TPM: Trusted Platform Module for UCS servers
    Thanks
    Sreejesh S

    Check the Cisco how-to guides for step-by-step configuration. Just follow the instructions and you can easily configure the setup. Also, when you first open the ISE there is an option for express setup (auto config), but I would suggest the guide (link given below).
    https://www.cisco.com/en/go/trustsec.
    **********Do rate Helpful posts************************

  • WLC and dACLs

    Does anyone know if dACLs on a WLC controller using the latest code require a pre-configuration of the ACLs on the controller? All documentation seems to indicate the ACLs must be created first on the controller and the policy engine (ISE or ACS) push down the name of the ACL to be used.

    I create a policy that says the user is using the "employee" SSID and is part of the "wireless employee" OU... and some others (device group, device location, EAP type, etc). So if a domain user tries to access the "employee" SSID using his or her domain credentials and is not part of the "wireless employee" OU, ACS or ISE will send a reject to the WLC. That username is also accounted for in the failed attempts.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • Single SSID & DHCP

    If possible, how would a single SSID on an Aironet AP be able to provide LAN access to two different subnets?
    I believe a router needs to be present to route between two subnets.
    For example,
         SSID "Visitor" can send IPv4 mobile devices to either subnet 192.168.1.0 or to subnet 10.0.0.0
    Thank you!

    Yes, it is possible using dynamic VLAN assignment with ISE or ACS.
    Plus, that mode normally works if you want to group multiple APs (placed in different places) and you want the SSID to remain the same whenever a client moves to any location, while behind the scenes the VLAN changes; even the security can be the same.
    Hope this helps.

  • Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

    Does anyone know if Cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support SNMP version 3?
    ciscoISE/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    ciscoISE/admin(config)# snmp-server
    Ciscoacs/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    Ciscoacs/admin(config)# snmp-server

    No support for SNMP v3 on ISE v1.2 and 1.3 except for profiling.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

  • Can ISE 1.2 Virtual Appliance assign VPN address pool like ACS does?

    Dear friends,
    I have observed that Cisco ISE Virtual Appliance (VMware) can act as a RADIUS server in the same manner as ACS does, but I cannot find the way of assigning an IP address to a remote VPN client (only assigning a VLAN).
    At this point I don't know if it is strictly necessary to have the IP address assignment for the remote VPN clients done in the external firewall (i. e. Cisco ASA) in this case.
    Is there any way of defining an IP address pool in the ISE itself for VPN clients authenticated against that ISE?
    If the answer is no, what could be the options for that assignment other than the ASA pool assignment? Could it be possible to define the corresponding address pool in an internal DHCP server that could provide the IP address to the VPN client after successful authentication through ISE?
    Any help in clarifying these questions would be really appreciated.
    Thank you and best regards.

    Please find the link below; it may help you to get the answer related to comparison and even deployment.
    http://pmbuwiki.cisco.com/Products/ISE/Technical/Design-Config/Guest_and_Web_Portal_Services

  • ACS 5.3 to ISE 1.2 Migration

    Hi Experts,
    Good Day!
    I really need help I already did some troubleshooting but the issue I'm encountering still exists.
    I am trying to migrate my ACS 5.3 to ISE 1.2 using the migration tool. I'm able to extract the data from ACS; however, when I try to import it into the ISE, it always shows me the error in the attached file. It is using the FQDN to detect the ISE; however, I don't have any DNS server to translate my ISE IP to an FQDN.
    Please help.
    Thank you.
    niks

    Migration Tool Installation Guidelines:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/migration_guide/ise_migration_guide/ise_mig_install.pdf

  • ACS 5.4 to ISE 1.2 migration

    Hi,
    does somebody have an idea how to migrate users from ACS 5.4 to ISE?
    I tried with migtool, but it's telling me that migration from ACS 5.4 is not supported.
    However, if I install the older ACS 5.1 and restore a backup from ACS 5.4, then it fails because it doesn't match the installed application.
    I don't want to use a backup from the older ACS as we have added so many users since that time ...
    Thanks for any hint.
    Karel

    Hi Karel,
    As I see this is not supported so far. What you can do is to export your users from 5.4 and import them on 5.3 then proceed with the backup and migration process.
    If you still need to go with 5.4, you had better communicate with the TAC. They may help you better (they may probably have a patch to fix the issue with the migration from 5.4 to ISE).
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"
