Porting ACS 4.2 rules to ISE

I'm trying to move AAA services from an ACS 4.2 integrated with AD to an ISE 3355 supporting remote access VPN on an ASA/AnyConnect and wireless (PEAP). The ISE 3355 is AD integrated.
With respect to Remote Access VPN using AAA on the ACS, I currently map various AD groups to ACS groups, and use the RADIUS IETF Class [025] attribute for the ACS group that associates an ACL name hardcoded in the ASA configuration to enforce the access policy.
Is this a valid approach to porting policies from the ACS to the ISE?
Or alternatively, must I define the ACLs on the ISE instead of using those already defined in the ASA configuration?
I need to do a quick port, so any suggestions are appreciated.

Thanks for your response Vattullu. My local Cisco account security-focused SE pointed me to this youtube video:
http://www.youtube.com/watch?v=HcMf3q_lmYo
This addressed the authorization issue exactly the way I needed it.

Similar Messages

  • Max authz rules in ISE 1.2 ?

    Hi All,
    Is there any doco on what the current limit is on AuthZ rules in ISE 1.2?
    I have read 1.1.x had a limit of 140 authz rules.
    I am also considering using policy sets if that increases the total authZ rules.
    Cheers

    Peter,
    Here are the numbers for both 1.1.x and 1.2.  Hope this helps.

    Limit                               ISE 1.1.x   ISE 1.2
    Authentication Policy Rules         50          400
    Conditions per AuthC Policy Rule    3           8
    Authorization Policy Rules          140         600
    Authorization Identity Groups       20          1000
    Conditions per AuthZ Policy Rule    6           8
    Authorization Profiles              30          600
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Max Authorization Rules in ISE

    Just curious if anyone knew the max number of authorization rules you can have in an ISE deployment?

    I read a discussion and it says the devs have tested and support 140 authorization rules in ISE 1.1.x.
    Jatin Katyal
    - Do rate helpful posts -

  • ACS 'Password Change Rule' doesn't work with telnet

    Hello:
    I am trying to configure that users have to change their passwords when they log in to a network appliance for the first time.
    I have an ACS 4.0 appliance, and the option "Disable TELNET Change Password against this ACS and return the following message to the users telnet session" is disabled. When I try to log in to a Catalyst 6500, for instance, I type user and pass and I get Rejected (RADIUS is the protocol used).
    In the ACS reports I can see the following error: 'Authen Failed - CS Password Expired'.
    I only have the option "Apply password change rule" enabled in Group Settings; the other options for "Password Aging Rules" are deactivated.
    Thanks for your help,
    Francisco

    You'll need to be using TACACS+ to get password change to work.
    Doesn't work with RADIUS.

  • ACS VM version migration to ISE

    Hi,
    A customer bought ACS on VMware (2 x LCSACS-51-VM) in the past and is interested in migrating to ISE. They would like to consider moving 1 x LCSACS-51-VM to a similar VM-based image and the other to an appliance-based system. Both act as a redundant pair.
    The ordering guide seems unclear on how to handle this scenario. The customer has an SAS support contract.

    Have you already gone through this guide?
    http://www.cisco.com/en/US/docs/security/ise/1.1/migration_guide/ise_mig_undst_tool.html#wp1027036
    Should you have any specific questions regarding migration from ACS 5.x to ISE 1.x, let us know.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS Express selection rules

    Hi
    Does anyone have experience with the selection rule?
    My problem is:
    I have two policies against the same device group:
    One uses the Active Directory database and the PEAP method, and the second uses the local database and EAP-FAST (wifi phone).
    How can I discriminate the authentication? If I connect with PEAP and the first policy is for PEAP, it works fine, but the wifi phone does not work.
    If I put the first policy for EAP-FAST, the wifi phone works fine but the PEAP device doesn't work.
    I think that the problem is to identify the correct attribute, but I'm not able to do it.
    thanks a lot

    You may want to use the Network Access Profile (NAP) feature on ACS, which was introduced starting from version 4.0
    Regards,
    Prem
    Please rate if it helps!

  • ISE 1.1.1 firewall rules distributed deployment

    My question is in reference to the following link:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
    Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened, e.g. Admin node TCP 22, 80, 443 for management from administrator hosts/ranges. In other instances it is difficult to work out, e.g. TCP 1521 Database listener and AQ: is this for ISE nodes only or for access devices as well?
    My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device? One of the rules I am pretty confused about is the PSN CoA ports. Should the rule be WLC - PSN on 1700 and 3799, or is it the other way round, or unidirectional?
    I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.

    Try this for size.
    In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.
    You might be able to cut this list down, and you might have to add to it for any specific requirements.
    From PSN to AD (potentially all AD nodes):
    TCP 389, 3268, 445, 88, 464
    UDP 389, 3268
    From PSN to Monitoring nodes:
    TCP 443
    UDP 20514
    PSN to Admin Nodes (2Way):
    TCP 443, 1521
    ICMP echo and reply (heartbeat)
    WLC to PSN:
    TCP 443, 8443, 80, 8080
    UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67
    PSN to other PSNs (2 way):
    UDP 30514, 45588, 45990
    Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSNs, internal users just to internal PSNs):
    TCP 8443, 8905
    UDP 8905
    Admin/Sponsor to all ISE nodes:
    TCP 22, 80, 443, 8080, 8443
    UDP 161
    PSN access to DNS servers:
    TCP/UDP 53
    PSN access to NTP servers:
    UDP 123

  • ISE 1.2...Nest AuthZ rules?

    Is it possible to nest rules in ISE 1.2?
    For example, rule 1 matches parent group, then rule 1.1 is a sub-group that applies policy 1, rule 1.2 matches another sub-group that applies policy 2. So on...
    Thanks.

    Yep, Policy Sets would do the trick! Good job on figuring out a solution to your own problem and thank you for taking the time to come back and share it with everyone. (+5 from me)
    You should probably mark the thread as "Answered" now :)
    Thank you for rating helpful posts!

  • Cisco ISE 1.3 MAB authentication.. switch drop packet

    Hello All,
    I have a C3560 switch running C3560-IPSERVICESK9-M, Version 12.2(55)SE9, RELEASE SOFTWARE (fc1),
    and ISE version 1.3.
    MAB authentication is working perfectly at the ISE end, but when looking at the switch end I see the switch dropping packets on some ports,
    while other ports are working perfectly.
    The same switch configuration is working perfectly on another switch without any issue.
    Switch configuration for your suggestions:
    aaa new-model
    aaa authentication fail-message ^C
    **** Either ACS or ISE is DOWN / Use ur LOCAL CREDENTIALS / Thank You ****
    ^C
    aaa authentication login CONSOLE local
    aaa authentication login ACS group tacacs+ group radius local
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+ group radius
    aaa server radius dynamic-author
     client 172.16.95.x server-key 7 02050D480809
     client 172.16.95.x server-key 7 14141B180F0B
    aaa session-id common
    clock timezone IST 5 30
    system mtu routing 1500
    ip routing
    no ip domain-lookup
    ip domain-name EVS.com
    ip device tracking
    epm logging
    dot1x system-auth-control
    interface FastEthernet0/1
     switchport access vlan x
     switchport mode access
     switchport voice vlan x
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip tacacs source-interface Vlan10
    ip radius source-interface Vlan10 vrf default
    logging trap critical
    logging origin-id ip
    logging 172.16.5.95
    logging host 172.16.95.x transport udp port 20514
    logging host 172.16.95.x transport udp port 20514
    snmp-server group SNMP-Group v3 auth read EVS-view notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F access 15
    snmp-server view EVS-view internet included
    snmp-server community S1n2M3p4$ RO
    snmp-server community cisco RO
    snmp-server trap-source Vlan10
    snmp-server source-interface informs Vlan10
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps cpu threshold
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.95.x version 2c cisco
    snmp-server host 172.16.5.x version 3 auth evsnetadmin
    tacacs-server host 172.16.5.x key 7 0538571873651D1D4D26421A4F
    tacacs-server directed-request
    tacacs-server key 7 107D580E573E411F58277F2360
    tacacs-server administration
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 25 access-request include
    radius-server host 172.16.95.y auth-port 1812 acct-port 1813 key 7 060506324F41
    radius-server host 172.16.95.x auth-port 1812 acct-port 1813 key 7 110A1016141D
    radius-server host 172.16.95.y auth-port 1645 acct-port 1646 key 7 110A1016141D
    radius-server host 172.16.95.x auth-port 1645 acct-port 1646 key 7 070C285F4D06
    radius-server timeout 2
    radius-server key 7 060506324F41
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
     exec-timeout 5 0
     privilege level 15
     logging synchronous
     login authentication CONSOLE
    line vty 0 4
     access-class telnet_access in
     exec-timeout 0 0
     logging synchronous
     login authentication ACS
     transport input ssh

    24423  ISE has not been able to confirm previous successful machine authentication
    Judging by that line and what your policy says, it appears that your authentication was rejected because your machine was not authenticated prior to this connection.
    The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at, but I'd do those two first.
    Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentication page, and we can go from there.

  • ACS / NAC phase 2 / posture validation with symantec AV

    Hi,
    We are encountering a problem implementing NAC phase 2 with Symantec.
    ACS is an appliance, version 4.0.
    We've installed the Symantec AV pair on the ACS: that's OK.
    The following softwares are installed on the client PC:
    - Cisco CTA : ctasetup-win-2.0.1.14.exe
    - Aegis SecureConnect 2KXP-4_0_4.msi
    - Symantec client security posture plug-in.msi together with the associated setup.exe
    Moreover, client PC is configured to use EAP-FAST with mschapv2.
    We've defined an internal posture validation on the ACS.
    The first rule of this posture is performed on the following Symantec AV pair: Symantec:AV:Dat-Date days-since-lastupdate.
    When the first rule of this posture matches, the associated posture token (RADIUS authorization component) doesn't return the associated VLAN, so the user must be placed into the VLAN associated by default on the port.
    The default rule is associated with another authorization component that returns the quarantine VLAN.
    The problem is that we don't manage to match on this posture.
    It's as if the client doesn't send the parameters.
    Logs on the ACS indicates the following:
    - message type : authen failed
    - authen failure code : posture validation failure (general)
    - eap type name : EAP-FAST
    - reason: no matched required credential types in any posture validation rule
    - cisco:PA:OS-type : OK, well retrieved (windows XP professional)
    - cisco:Host:ServicePack: OK, well retrieved (service pack 2)
    - but none of the Symantec AV could be retrieved.
    Symantec indicated to us that their AV server isn't yet compatible with ACS.
    So external posture validation isn't possible in our case.
    Only internal posture validation should work.
    But there is no way to retrieve Symantec information from CTA.
    Thanks in advance for your attention.
    Best Regards,
    Arnaud

    Hi.
    Please examine the following directories on the client PC. Is the Symantec plugin file installed?
    \Program Files\Common Files\PostureAgent\Plugins
    \Program Files\Common Files\PostureAgent\Plugins\Install
    Plugin Installation and Upgrade
    Each NAC-compliant application is responsible for installing its own posture plugin on end systems.
    Plugins for Windows environments are installed in this directory:
    \Program Files\Common Files\PostureAgent\Plugins\Install
    When CTA receives a posture request, it scans the PostureAgent\Plugins\Install directory for new or updated posture plugins. If there are new or updated posture plugins in the PostureAgent\Plugins\Install directory, CTA performs one of the following actions:
    - If the .dll plugin does not exist in the PostureAgent\Plugins directory, CTA moves the plugin files from the PostureAgent\Plugins\Install directory to the PostureAgent\Plugins directory.
    - If the .dll plugin does exist in the PostureAgent\Plugins directory, then CTA checks to see if the plugin in the PostureAgent\Plugins\Install directory is newer than the one in the Plugins directory. CTA then moves the newer plugin to the PostureAgent\Plugins directory and overwrites the older one. If the plugin in the PostureAgent\Plugins\Install directory is older than the one in the Plugins directory, CTA deletes it and continues to use the original plugin.
    - If the plugin creates an error during registration, CTA moves the plugin to the following directory (if logging is enabled, the error information is logged):
    http://www.cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870db.html
    best regards,
    sahase

  • ISE wireless design

    Hi all,
    Designing for an ISE wireless case, I would like to seek ideas about:
    1. My design goal is to differentiate so that domain users are only able to connect to Employee_AP, while guests connect to Guest_AP. What rule condition should I use?
    2. What is the best practice for BYOD policies to permit each employee to use only 2 personal devices, say one notebook and one handheld device? Is there any way I can enforce this rule on ISE?
    Million thanks
    Noel

    If you are already authenticating your wireless users and anchoring them to a DMZ you can do the same with wired users as long as you have a foreign controller layer 2 adjacent to the wired guests.  
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html
    You would just need to set the VLAN on the port for the guest users, or if you want you can use ISE wired AuthZ policy to place the guest users into the correct VLAN, or FlexAuth using guest VLANs.  

  • ISE dot1x working BUT ..... client is getting "PROXY SERVER unreachable"

    Dear Experts,
    From ISE 2.x I am able to ping the proxy server but once windows user authenticated and logs in, he cannot go to the internet and gets proxy error.
    Let me know some points and vectors to look into !!!
    waiting.

    The only time ISE would perform traffic redirection is when you are doing things like CWA (Central Web Authentication), Posture Assessment, etc. If you are just doing basic dot1x/MAB authentication then ISE just decides who gets on the network and what type of access that person/device gets.
    With that being said, what happens if you remove dot1x authentication from the port? Can the client reach ISE then? (you can quickly remove dot1x by issuing no authentication port-control auto)
    Other things to try:
    1. Remove the dACL
    2. In the authorization rule, return the default "permit access"
    3. Remove the ACL on the FW
    4. Anything else that might be affecting the connection
    With the process of elimination you should be able to find the root cause of the issue
    Thank you for rating helpful posts! 

  • ISE 1.2 - AV/AS Remediation missing vendors

    Trying to create a remediation rule in ISE 1.2 patch 3 and the drop down list for the AV/AS Vendor Name is not scrollable so I am not able to select our AS/AV vendor. See picture below:

    You're right.    I just tested this and was able to scroll down using the down arrow on the keyboard.

  • ISE 1.0 Posture and Client provisioning

    I've configured 802.1x with dynamic VLAN for users and MAB for phones - it works fine. Now I want to implement client provisioning and posture validation for users. After reading the ISE user guide there are still several big questions:
    1. Is it possible to combine 802.1x and posture? (it was not recommended with NAC)
    2. How can I bind existing 802.1x authorization profile and posture policy?
    3. What is the switch configuration for client provisioning to work (redirect, quarantine zone, download NAC agent)?
    4. Do ISE posture and client provisioning have L2 virtual gateway, trusted and untrusted ports, as in NAC?

    With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with Radius, that's why it's really and completely out of band, and there's no such concept of trusted or untrusted port because the traffic is never inline.
    Still, with ISE you have another option of "inline Posture", in which there's trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
    On the other hand, so called "out-of-band" NAC was really always an inline solution, only after the user has authenticated and security policies have been verified then the user goes "out-of-band".

  • ISE: dACL to switch

    Hi,
    I am trying to figure out the syntax for dACL to a switch running 12.2(55)SE7.
    In the switch we have used the following static ACL:
    ip access-list extended TEST
    10 permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
    It is to limit access so that only some source IPs can access some destination IPs on those ports. Now we want to use it dynamically, so that the ACL gets downloaded to the switch when a certain device connects to the port.
    I added it to ISE like this:
    permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
    But that doesn't work. However, when I change the source to any then it works:
    permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000
    By not working I mean that I see the dACL being downloaded, then the port state is Authz fail, and after 1 min the device reauthenticates.
    Why does it work with source any?
    Regards,
    Philip

    Hello,
    check if the IOS version and hardware platform (switch) you're using is mentioned in the TrustSec document (page 6):
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
    The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.
    Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".
    There's also a very nice document for troubleshooting:
    "Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf
    If it doesn't work, can you post the output of the following commands after authorization:
    show authentication session interface
    sh ip access-lists interface
    show running-config interface
    show access-list
    sh ip access-lists
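An added example, not from the thread or from Cisco: a small Python parser and matcher for the extended ACE syntax quoted above. It handles the non-contiguous IOS wildcard masks in the question (0.7.255.7 and 0.3.255.0 are bitwise masks, not prefix lengths) and lints the one constraint a dACL has that a static port ACL does not: Cisco documents that a dACL's source must be `any`, because the switch substitutes the authenticated host's address (learned through ip device tracking) when it applies the ACL. The sample ACEs and test addresses are constructed from the question.

```python
import ipaddress
import re

# Constructed from the thread: the ACE that failed as a dACL and the one that worked.
FAILING_ACE = "permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000"
WORKING_ACE = "permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000"

_ADDR = r"(?:any|host\s+\d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(
    rf"^\s*(?:\d+\s+)?(permit|deny)\s+(tcp|udp|ip)\s+({_ADDR})\s+({_ADDR})"
    r"(?:\s+(eq\s+\d+|range\s+\d+\s+\d+))?\s*$"
)


def parse_addr(token):
    """Return (address_int, wildcard_int) for an IOS address specification.
    IOS wildcard bits are bitwise: 0 = must match, 1 = don't care, and they
    need not be contiguous (0.7.255.7 is accepted as written)."""
    parts = token.split()
    if parts[0] == "any":
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))


def parse_ace(line):
    """Parse one extended ACE (optional sequence number, eq/range port clause)."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    action, proto, src, dst, ports = m.groups()
    lo = hi = None
    if ports:
        p = ports.split()
        lo, hi = (int(p[1]), int(p[1])) if p[0] == "eq" else (int(p[1]), int(p[2]))
    return {"action": action, "proto": proto, "src": parse_addr(src),
            "dst": parse_addr(dst), "src_any": src == "any", "ports": (lo, hi)}


def addr_matches(spec, ip):
    """Compare only the bits the wildcard marks as significant (0 bits)."""
    addr, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def ace_matches(ace, proto, src_ip, dst_ip, dst_port):
    """True if a flow would hit this ACE (proto 'ip' matches any protocol)."""
    if ace["proto"] not in ("ip", proto):
        return False
    if not (addr_matches(ace["src"], src_ip) and addr_matches(ace["dst"], dst_ip)):
        return False
    lo, hi = ace["ports"]
    return lo is None or lo <= dst_port <= hi


def dacl_lint(line):
    """Return a list of problems that would make this ACE unusable as a dACL.
    The switch fills in the authenticated host's IP for the source, so any
    source other than 'any' is rejected at authorization time."""
    ace = parse_ace(line)
    return [] if ace["src_any"] else ["dACL source must be 'any'; the switch fills in the host IP"]


if __name__ == "__main__":
    for line in (FAILING_ACE, WORKING_ACE):
        print(line, "->", dacl_lint(line) or "ok as dACL")
```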
