Problem to get Web admin access on cisco ISE

Hi,
We are currently having problems to access via Web admin UI to cisco ISE. after we put the password, we get this message on screen:
authentication failed due to zero RBAC group.
The ISE version that we are using is: 1.1.2.145 path 3
Do you have any idea about that?
Thank you for your attention on this matter.
Regards.

In Cisco ISE, RBAC policies are simple access  control policies that use RBAC concepts to manage admin access. These  RBAC policies are formulated to grant permissions to a set of  administrators that belong to one or more admin group(s) that restrict  or enable access to perform various administrative functions using the  user interface menus and admin group data elements. I think there is problem with your RBAC policy configuration. Please follow the below link for help.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1282656
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1283009

Similar Messages

  • How To Migrate Cisco Clean Access to Cisco ISE

    We have a Cisco Clean Access 3.6.3 (3140 Appliance) in which we would love to migrate to Cisco ISE 1.1 (3315 Appliance).  Does anyone have an idea on how to do this?
    I was wondering if I need to upgrade the a later version of Cisco Clean Access and them back it up the CCA.  Backup the CCA and then restore/import the backup to the ISE.
    Any help will be greatly appreciated?
    Thanks.

    Hi Mate,
    Refer to below instructions for hosting licenses on ISRs:
    http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001047
    Rehosting a License
    Prerequisites:
    • Valid Cisco.com account (username/password)
    • Retrieve Product Id and Serial Number with either the IOS "show license udi" command or label tray from both the source and destination devices.
    • Retrieve Source Device Credentials by issue the following IOS commands in exec mode:
    – license save credential flash0:CredentialFileName
    – more flash0:CredentialFileName
    • The source device has rehostable licenses.
    Rehosting a License with Cisco's Licensing Portal
    This process can be used when the source and the destination device cannot communicate directly with Cisco licensing portal
    Summary Steps:
    1. Obtain UDI and device credentials from the source and destination devices using IOS CLI commands
    2. Contact the Product License Registration page on Cisco.com and enter the source Device Credentials and UDI into the license transfer portal tool.
    3. The portal will display licenses that can be transferred from the source device.
    4. Select the licenses that need to be transferred. A permission ticked is issued. You can use this permission ticket to start the rehost process using Cisco IOS c  for any further help.ommands.
    5. Apply the permissions ticket to the source device using the license revoke command. The source device will then provide a rehost ticket indicating proof of revocation. A sixty day grace period license is also installed on the device to allow enough time to transfer the licenses to destination device.
    6. Enter the rehost ticket into the license transfer portal tool on Cisco.com along with destination device UDI.
    7. Receive the license key via E-mail
    8. Install the license key on the destination device.
    You can also email [email protected]
    -Terry
    Please rate all helpful posts

  • Problem with traffic over Remote Access VPN (Cisco ASA5505)

    Hi
    I've changed the VPN IP pool on a previously functioning VPN setup on a Cisco ASA5505, I've updated IP addresses everywhere it seemed appropriate, but now the VPN is no longer working. I am testing with a Cisco IPSec client, but the same happens with the AnyConnect client. Clients connect, but cannot access resources on the LAN. Split tunneling also doesn't work, internet is not accessible once VPN is connected.
    I found a NAT exempt rule to not be correctly specified, but after fixing this, the problem still persists.
    : Saved:ASA Version 8.2(1) !hostname ciscoasadomain-name our-domain.comenable password xxxxxxxx encryptedpasswd xxxxxxxx encryptednamesname 172.17.1.0 remote-vpn!interface Vlan1 nameif inside security-level 100 ip address 10.1.1.2 255.0.0.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group adslrealm ip address pppoe setroute !interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveclock timezone SAST 2dns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNS name-server 10.1.1.138 name-server 10.1.1.54 domain-name our-domain.comsame-security-traffic permit inter-interfacesame-security-traffic permit intra-interfaceobject-group network utobject-group protocol TCPUDP protocol-object udp protocol-object tcpaccess-list no_nat extended permit ip 10.0.0.0 255.0.0.0 remote-vpn 255.255.255.0 access-list split-tunnel standard permit 10.0.0.0 255.0.0.0 access-list outside_access_in extended permit tcp any interface outside eq https access-list outside_access_in extended permit tcp any interface outside eq 5061 access-list outside_access_in extended permit tcp any interface outside eq 51413 access-list outside_access_in extended permit udp any interface outside eq 51413 access-list outside_access_in extended permit tcp any interface outside eq 2121 access-list outside_access_in extended permit udp any interface outside eq 2121 access-list inside_access_out extended deny ip any 64.34.106.0 255.255.255.0 access-list inside_access_out extended deny ip any 69.25.20.0 255.255.255.0 access-list inside_access_out extended deny ip any 69.25.21.0 255.255.255.0 access-list inside_access_out extended deny ip any 72.5.76.0 255.255.255.0 access-list inside_access_out extended deny ip any 72.5.77.0 255.255.255.0 access-list inside_access_out extended deny ip any 216.52.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 74.201.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 64.94.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 69.25.0.0 255.255.0.0 access-list inside_access_out extended deny tcp any any eq 12975 access-list inside_access_out extended deny tcp any any eq 32976 access-list inside_access_out extended deny tcp any any eq 17771 access-list inside_access_out extended deny udp any any eq 17771 access-list inside_access_out extended permit ip any any pager lines 24logging enablelogging asdm informationalmtu inside 1500mtu outside 1500ip local pool VPNPool 172.17.1.1-172.17.1.254icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list no_natnat (inside) 1 10.0.0.0 255.0.0.0static (inside,outside) tcp interface 5061 10.1.1.157 5061 netmask 255.255.255.255 static (inside,outside) tcp interface https 10.1.1.157 4443 netmask 255.255.255.255 static (inside,outside) tcp interface 51413 10.1.1.25 51413 netmask 255.255.255.255 static (inside,outside) udp interface 51413 10.1.1.25 51413 netmask 255.255.255.255 static (inside,outside) tcp interface 2121 10.1.1.25 2121 netmask 255.255.255.255 static (inside,outside) udp interface 2121 10.1.1.25 2121 netmask 255.255.255.255 access-group outside_access_in in interface outsidetimeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00dynamic-access-policy-record DfltAccessPolicyaaa-server AD protocol ldapaaa-server AD (inside) host 10.1.1.138 ldap-base-dn dc=our-domain,dc=com ldap-scope subtree ldap-naming-attribute sAMAccountName ldap-login-password * ldap-login-dn cn=ciscoasa,cn=Users,dc=ourdomain,dc=com server-type auto-detectaaa authentication ssh console AD LOCALaaa authentication telnet console LOCAL http server enable 4343http 0.0.0.0 0.0.0.0 outsidehttp 10.0.0.0 255.0.0.0 insidehttp remote-vpn 255.255.255.0 insidesnmp-server host inside 10.1.1.190 community oursnmpsnmp-server host inside 10.1.1.44 community oursnmpno snmp-server locationno snmp-server contactsnmp-server community *****snmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto dynamic-map dyn1 1 set transform-set FirstSetcrypto dynamic-map dyn1 1 set reverse-routecrypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map mymap 1 ipsec-isakmp dynamic dyn1crypto map mymap interface outsidecrypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=ciscoasa crl configurecrypto ca trustpoint CA1 revocation-check crl none enrollment retry period 5 enrollment terminal fqdn ciscoasa.our-domain.com subject-name CN=ciscoasa.our-domain.com, OU=Department, O=Company, C=US, St=New York, L=New York keypair ciscoasa.key crl configurecrypto ca certificate chain ASDM_TrustPoint0 certificate xxxxxxx    ...  quitcrypto ca certificate chain CA1 certificate xxxxxxxxxxxxxx    ...  quit certificate ca xxxxxxxxxxxxx    ...  quitcrypto isakmp enable outsidecrypto isakmp policy 1 authentication rsa-sig encryption 3des hash md5 group 2 lifetime 86400crypto isakmp policy 5 authentication pre-share encryption 3des hash sha group 2 lifetime 86400crypto isakmp policy 10 authentication pre-share encryption des hash sha group 2 lifetime 86400ssh 10.0.0.0 255.0.0.0 insidessh timeout 5console timeout 0vpdn group adslrealm request dialout pppoevpdn group adslrealm localname username6@adslrealmvpdn group adslrealm ppp authentication papvpdn username username6@adslrealm password ********* store-localvpdn username username@adsl-u password ********* store-localvpdn username username2@adslrealm password ********* dhcpd auto_config outside!threat-detection basic-threatthreat-detection scanning-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptntp server x.x.x.x source outsidessl trust-point ASDM_TrustPoint0 outsidewebvpn port 4343 enable outside svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 svc enablegroup-policy defaultgroup internalgroup-policy defaultgroup attributes dns-server value 10.1.1.138 10.1.1.54 split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel default-domain value our-domain.comgroup-policy DfltGrpPolicy attributes dns-server value 10.1.1.138 10.1.1.54 vpn-tunnel-protocol IPSec l2tp-ipsec svc split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel address-pools value VPNPool webvpn  svc ask none default svcusername person1 password xxxxxxx encryptedusername admin password xxxxxxxx encrypted privilege 15username person2 password xxxxxxxxx encryptedusername person3 password xxxxxxxxxx encryptedtunnel-group DefaultRAGroup general-attributes address-pool VPNPool default-group-policy defaultgrouptunnel-group DefaultRAGroup ipsec-attributes trust-point CA1tunnel-group OurCompany type remote-accesstunnel-group OurCompany general-attributes address-pool VPNPooltunnel-group OurCompany webvpn-attributes group-alias OurCompany enable group-url https://x.x.x.x/OurCompany enabletunnel-group OurIPSEC type remote-accesstunnel-group OurIPSEC general-attributes address-pool VPNPool default-group-policy defaultgrouptunnel-group OurIPSEC ipsec-attributes pre-shared-key * trust-point CA1!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum 512policy-map type inspect sip sip-map parameters  max-forwards-validation action drop log  state-checking action drop log  rtp-conformance policy-map global_policy class inspection_default  inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect netbios   inspect tftp   inspect icmp   inspect pptp   inspect sip sip-map !             service-policy global_policy globalprompt hostname context Cryptochecksum:xxxxxxxxxxxxxxxxx: end
    I've checked all the debug logs I could think of and tried various troubleshooting steps. Any ideas?
    Regards
    Lionel

    Hi
    The bulk of the devices are not even routing through the ASA, internal devices such as IP phones, printers, etc. There is also large wastage of IP addresses which needs to be sorted out at some stage.
    Outside IP address is 196.215.40.160. The DSL modem is configured as an LLC bridge.
    Here are the debug logs when connecting if this helps at all. Nothing is logged when a connection is attempted though.
    Regards
    Lionel
    Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 765Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ke payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ISA_KE payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing nonce payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Fragmentation VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  FalseOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal RFC VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 03 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 02 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received xauth V6 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Cisco Unity client VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received DPD VIDOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, Connection landed on tunnel_group OurIPSECOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing IKE SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 2Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ISAKMP SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ke payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing nonce payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Generating keys for Responder...Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMPOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Cisco Unity VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing xauth V6 VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing dpd vid payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Traversal VID ver 02 payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Fragmentation VID + extended capabilities payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Send Altiga/Cisco VPN3000/Cisco ASA GW VIDOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMPOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing notify payloadOct 15 17:08:51 [IKEv1]: Group = OurIPSEC, IP = 197.79.9.227, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT deviceOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Processing MODE_CFG Reply attributes.Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary DNS = 10.1.1.138Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary DNS = 10.1.1.54Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary WINS = clearedOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary WINS = clearedOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: split tunneling list = split-tunnelOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: default domain = our-domain.comOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: IP Compression = disabledOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Split Tunneling Policy = Split NetworkOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Setting = no-modifyOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Bypass Local = disableOct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, User (person2) authenticated.Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg ACK attributesOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 164Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg Request attributesOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 address!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 net mask!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for DNS server address!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for WINS server address!Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received unsupported transaction mode attribute: 5Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Application Version!Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Client Type: iPhone OS  Client Application Version: 7.0.2Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Banner!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Default Domain Name!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split DNS!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split Tunnel List!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Local LAN Include!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for PFS setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Save PW setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for FWTYPE!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for backup ip-sec peer list!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Client Browser Proxy Setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Obtained IP addr (172.17.1.1) prior to initiating Mode Cfg (XAuth enabled)Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Assigned private IP address 172.17.1.1 to remote userOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, construct_cfg_set: default domain = our-domain.comOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Send Client Browser Proxy Attributes!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg replyOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 210Oct 15 17:09:03 [IKEv1 DECODE]: IP = 197.79.9.227, IKE Responder starting QM: msg id = c9359d2eOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progressOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completedOct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 1 COMPLETEDOct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, Keep-alive type for this connection: DPDOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P1 rekey timer: 3420 seconds.Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 284Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing nonce payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR ID received172.17.1.1Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received remote Proxy Host data in ID Payload:  Address 172.17.1.1, Protocol 0, Port 0Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.0.0.0Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received local IP Proxy Subnet data in ID Payload:   Address 10.0.0.0, Mask 255.0.0.0, Protocol 0, Port 0Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, QM IsRekeyed old sa not found by addrOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-TraversalOct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Remote Peer configured for crypto map: dyn1Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing IPSec SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IPSec SA Proposal # 1, Transform # 6 acceptable  Matches global IPSec SA entry # 1Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE: requesting SPI!IPSEC: New embryonic SA created @ 0xCB809F40,     SCB: 0xC9613DB0,     Direction: inbound    SPI      : 0x96A6C295    Session ID: 0x0001D000    VPIF num  : 0x00000002    Tunnel type: ra    Protocol   : esp    Lifetime   : 240 secondsOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got SPI from key engine: SPI = 0x96a6c295Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, oakley constucting quick modeOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec nonce payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing proxy IDOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Transmitting Proxy Id:  Remote host: 172.17.1.1  Protocol 0  Port 0  Local subnet:  10.0.0.0  mask 255.0.0.0 Protocol 0  Port 0Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Responder sending 2nd QM pkt: msg id = c9359d2eOct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 152Oct 15 17:09:06 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + NONE (0) total length : 52Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payloadOct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, loading all IPSEC SAsOct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Security negotiation complete for User (person2)  Responder, Inbound SPI = 0x96a6c295, Outbound SPI = 0x09e97594IPSEC: New embryonic SA created @ 0xCB8F7418,     SCB: 0xC9F6DD30,     Direction: outbound    SPI      : 0x09E97594    Session ID: 0x0001D000    VPIF num  : 0x00000002    Tunnel type: ra    Protocol   : esp    Lifetime   : 240 secondsIPSEC: Completed host OBSA update, SPI 0x09E97594IPSEC: Creating outbound VPN context, SPI 0x09E97594    Flags: 0x00000025    SA   : 0xCB8F7418    SPI  : 0x09E97594    MTU  : 1492 bytes    VCID : 0x00000000    Peer : 0x00000000    SCB  : 0x99890723    Channel: 0xC6691360IPSEC: Completed outbound VPN context, SPI 0x09E97594    VPN handle: 0x001E7FCCIPSEC: New outbound encrypt rule, SPI 0x09E97594    Src addr: 10.0.0.0    Src mask: 255.0.0.0    Dst addr: 172.17.1.1    Dst mask: 255.255.255.255    Src ports      Upper: 0      Lower: 0      Op   : ignore    Dst ports      Upper: 0      Lower: 0      Op   : ignore    Protocol: 0    Use protocol: false    SPI: 0x00000000    Use SPI: falseIPSEC: Completed outbound encrypt rule, SPI 0x09E97594    Rule ID: 0xCB5483E8IPSEC: New outbound permit rule, SPI 0x09E97594    Src addr: 196.215.40.160    Src mask: 255.255.255.255    Dst addr: 197.79.9.227    Dst mask: 255.255.255.255    Src ports      Upper: 4500      Lower: 4500      Op   : equal    Dst ports      Upper: 41593      Lower: 41593      Op   : equal    Protocol: 17    Use protocol: true    SPI: 0x00000000    Use SPI: falseIPSEC: Completed outbound permit rule, SPI 0x09E97594    Rule ID: 0xC9242228Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got a KEY_ADD msg for SA: SPI = 0x09e97594IPSEC: Completed host IBSA update, SPI 0x96A6C295IPSEC: Creating inbound VPN context, SPI 0x96A6C295    Flags: 0x00000026    SA   : 0xCB809F40    SPI  : 0x96A6C295    MTU  : 0 bytes    VCID : 0x00000000    Peer : 0x001E7FCC    SCB  : 0x985C5DA5    Channel: 0xC6691360IPSEC: Completed inbound VPN context, SPI 0x96A6C295    VPN handle: 0x0020190CIPSEC: Updating outbound VPN context 0x001E7FCC, SPI 0x09E97594    Flags: 0x00000025    SA   : 0xCB8F7418    SPI  : 0x09E97594    MTU  : 1492 bytes    VCID : 0x00000000    Peer : 0x0020190C    SCB  : 0x99890723    Channel: 0xC6691360IPSEC: Completed outbound VPN context, SPI 0x09E97594    VPN handle: 0x001E7FCCIPSEC: Completed outbound inner rule, SPI 0x09E97594    Rule ID: 0xCB5483E8IPSEC: Completed outbound outer SPD rule, SPI 0x09E97594    Rule ID: 0xC9242228IPSEC: New inbound tunnel flow rule, SPI 0x96A6C295    Src addr: 172.17.1.1    Src mask: 255.255.255.255    Dst addr: 10.0.0.0    Dst mask: 255.0.0.0    Src ports      Upper: 0      Lower: 0      Op   : ignore    Dst ports      Upper: 0      Lower: 0      Op   : ignore    Protocol: 0    Use protocol: false    SPI: 0x00000000    Use SPI: falseIPSEC: Completed inbound tunnel flow rule, SPI 0x96A6C295    Rule ID: 0xCB7CFCC8IPSEC: New inbound decrypt rule, SPI 0x96A6C295    Src addr: 197.79.9.227    Src mask: 255.255.255.255    Dst addr: 196.215.40.160    Dst mask: 255.255.255.255    Src ports      Upper: 41593      Lower: 41593      Op   : equal    Dst ports      Upper: 4500      Lower: 4500      Op   : equal    Protocol: 17    Use protocol: true    SPI: 0x00000000    Use SPI: falseIPSEC: Completed inbound decrypt rule, SPI 0x96A6C295    Rule ID: 0xCB9BF828IPSEC: New inbound permit rule, SPI 0x96A6C295    Src addr: 197.79.9.227    Src mask: 255.255.255.255    Dst addr: 196.215.40.160    Dst mask: 255.255.255.255    Src ports      Upper: 41593      Lower: 41593      Op   : equal    Dst ports      Upper: 4500      Lower: 4500      Op   : equal    Protocol: 17    Use protocol: true    SPI: 0x00000000    Use SPI: falseIPSEC: Completed inbound permit rule, SPI 0x96A6C295    Rule ID: 0xCBA7C740Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Pitcher: received KEY_UPDATE, spi 0x96a6c295Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P2 rekey timer: 3417 seconds.Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Adding static route for client address: 172.17.1.1 Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 2 COMPLETED (msgid=c9359d2e)

  • Pix 501 PDM 30 - can't get web browser access

    I just got two used Pix 501 units, and cannot get the web browser working. OK to first login box with blank username and password per manual, click Yes to certificate popup, "Loading Startup Wizard" prompts for username and password - blank is NOT accpeted here.
    Get java.security.AccessControlException: access denied in lower border of browser window.
    How do I get past this?

    Phil, this is a known issue with certain old versions of PDM.
    Refer to this link for work around.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_field_notice09186a008046c805.shtml
    also try java update
    Java runtime environment version 6 update 2 is available , try this and see if it resolves the issue
    http://www.java.com/en/download/index.jsp
    Jorge

  • Issues getting url-redirect working with Cisco ISE

    Hi,
    I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect raidus attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debuging the radius information on the switch I can see that its passing the url-redirect to the switch  which in my case is was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now to remove DNS issues etc from the equasion if I copy and paste this URL into the client browser it takes me to the correct place, and I can login and it changes VLAN's accordingly. Now as far as I know the client should automatticaly be redirected to this URL which is not working. Below I have included one of the debugs to show that the epm is in place.
    DEVLABSW01#show epm session ip 10.0.1.104
        Admission feature:  DOT1X
                  ACS ACL:  xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa
    I have also attached my switch config. Any help would be greatly appreciated.
    Dan

    So im also doing ISE for the first time and i knew it may have been a bit tough however i didnt forsee my following issue.
    everything is working as expected other than every now and then (intermittent) the ISE Central Portal does not display on any device -android, windows, etc..... i checked and checked the configs, had probably about 10 TAC cases open..... this weekend i ripped out the main components, setup in the offfice and tried to replicate the issue....i could...what i noticed is that without Internet the ISE Portal didnt actually display....it sounds weird but thats what im seeing.....As soon as i plug into Internet Link into the equation, the portal page comes up.....im able to replicate it every time... Currently, i placed back into the customer network and im now looking down at the routing/firewall......
    my issue is that i cant really explain why the Internet affects the Central Auth Page.... In any event. im working backwards, tomorrow im bringing in a second link and doing NAT on a cisco router to bypass the checkpoint firewall....ill know if its checkpoint or if im barking up the wrong tree....
    if anyone can explain why, it would help out a great deal..
    My setup BTW is
    1. WLC 5760 - Not latest code but latest stable (recommended by the TAC Engineer)
    2. ISE 1.2 - Doing simple Wireless only implementation
    3. 3650 - Just acting like a switch - no ACLs etc - just a switch
    4. Integrated into AD
    Ill post back with any findings if i make any headway - BTW, i didnt like this at all as other solutions are so much simpler, BUT, i can now see how powerful this could potentially be for the right type of customer...
    thanks again how i can get some feedback

  • Cisco ISE 1.1 and IE9

    Is anyone else having problems with ISE admin/monitoring pages not working properly under IE9?  I just completed an upgrade to ISE 1.1, and it seems more and more, when I try to manage the system with IE9, I will get the following error (host name changed to protect the inocent). I dont know if this is truly an IE9 issue, or the chrome plug-in we are forced to use.  Works perfect under Firefox 11.0.
    This webpage is not available
    The webpage at https://iseserver.domain.com/mnt/pages/dashboard/dashboard.jsp?mnt_config_write=true&token=BEGIN_TOKENXspmm4x5AwFsV6NExIBAVA==END_TOKEN might be temporarily down or it may have moved permanently to a new web address.
    Error 103 (net::ERR_CONNECTION_ABORTED): Unknown error.

    Supported Administrative User Interface Browsers
    You can access the Cisco ISE administrative  user interface using the following browsers:
    •Mozilla Firefox 3.6 (applicable for  Windows, Mac OS X, and Linux-based operating systems)
    •Mozilla FireFox 9 (applicable for Windows,  Mac OS X, and Linux-based operating systems)
    •Windows Internet Explorer 8
    •Windows Internet Explorer 9 (in Internet  Explorer 8 compatibility mode)
    Cisco ISE GUI is not supported on  Internet Explorer version 8 running in Internet Explorer 7 compatibility mode.  For a collection of known issues regarding Windows Internet Explorer 8, see the  "Known Issues" section of the Release Notes for the Cisco Identity Services  Engine, Release 1.1.

  • Unable to register secondary node on Cisco ISE 1.1.4

    Hello,
    I have a problems with registering the secondary node on Cisco ISE 1.1.4.
    I did all like described on User Guide:
    - Primary ISE is promoted to PRIMARY.
    - DNS entries are added and resolved for both ISEs
    - The "Certificate Store" on both ISEs are populated with self-signed certificates from both ISEs.
    Durring the registration process (from Primary node), when I add the IP, username and password for secondary node, an empty popup message displayed with only button "OK".
    So, I cannot proceed to far and don't see the error indicated what's wrong.
    In attachment - screenshot with popup message.
    I use IE 8.0.6001.
    The lattest patch (1.1.4.218-7-87377) applied on both ISEs.
    Is somebody had the similar problem?
    Thanks,
    PC

    Hello,
    In the debug logs "ise-psc.log" I see :
    2013-11-11 08:43:47,534 ERROR 2013-11-11 08:43:47,534  [http-443-7][] cpm.admin.infra.action.DeploymentEditAction- An exception occurred during the registration of a deployment node: java.lang.NullPointerException
    java.lang.NullPointerException
    at com.cisco.cpm.admin.infra.action.DeploymentEditAction.registerSubmit(DeploymentEditAction.java:455)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.cisco.webui.action.common.PojoActionProxy.performExecution(PojoActionProxy.java:176)
    at com.cisco.webui.action.common.PojoActionProxy.execute(PojoActionProxy.java:89)
    at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
    at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
    at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
    at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
    at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
    at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
    at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.xmp.wap.dojo.servlet.filter.DojoIframeSendFilter.doFilter(DojoIframeSendFilter.java:58)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.admin.infra.utils.WebCleanCacheFilter.doFilter(WebCleanCacheFilter.java:35)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.rbacfilter.AccessCheckFilter.doFilter(AccessCheckFilter.java:71)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.admin.infra.utils.UserInfoFilter.doFilter(UserInfoFilter.java:110)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.admin.infra.utils.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:113)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.admin.infra.utils.LoginCheckFilter.doFilter(LoginCheckFilter.java:188)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.cisco.cpm.admin.infra.utils.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:121)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
    at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:316)
    at org.apache.catalina.valves.LocalAddrValve.invoke(LocalAddrValve.java:43)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:394)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.valves.MethodsValve.invoke(MethodsValve.java:52)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)
    2013-11-11 08:44:00,226 INFO  2013-11-11 08:44:00,226  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- editPreload() triggered. Selected hostname is BB1NACEASTP01
    2013-11-11 08:44:00,226 INFO  2013-11-11 08:44:00,226  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- ParameterNames in load()= BB1NACEASTP01
    2013-11-11 08:44:00,226 INFO  2013-11-11 08:44:00,226  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- editPreload(): userName= adminhostname= BB1NACEASTP01
    2013-11-11 08:44:01,017 INFO  2013-11-11 08:44:01,017  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- ParameterNames in load()= BB1NACEASTP01
    2013-11-11 08:44:01,017 INFO  2013-11-11 08:44:01,017  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- Inside load() API : hostNameBB1NACEASTP01 userName : admin
    2013-11-11 08:44:01,017 INFO  2013-11-11 08:44:01,017  [http-443-1][] cpm.admin.infra.action.SupportBundleAction- Inside fetchFile() API : hostName: BB1NACEASTP01 userName : admin
    2013-11-11 08:44:01,018 INFO  2013-11-11 08:44:01,018  [http-443-3][] cpm.admin.infra.action.SupportBundleAction- ParameterNames in sbfCreationPercentage()= BB1NACEASTP01
    2013-11-11 08:44:01,021 INFO  2013-11-11 08:44:01,021  [http-443-3][] cpm.admin.infra.action.SupportBundleAction- Got hostAlias= BB1NACEASTP01
    2013-11-11 08:44:01,021 INFO  2013-11-11 08:44:01,021  [http-443-3][] cpm.admin.infra.action.SupportBundleAction- Ping node: BB1NACEASTP01 for connectivity
    2013-11-11 08:44:01,181 INFO  2013-11-11 08:44:01,181  [http-443-3][] cpm.admin.infra.action.SupportBundleAction- Received pingNode response : Node is reachable

  • Cisco ISE - General Info. & capabilities

    Hello All,
    I've read quiet a bit of ISE features, but would like to know the following:
    1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?
    2. Can it provide details of how much data was transferred from a particular server to a specific client?
    3. For a 1500 user env. (1000 desktops and 500 wireless devices) which model of ISE would be appropriate?
    4. How would having ISE be different from already deployed authentication services like Active Directory or built-in application authentication for solutions like Oracle ERP systems?
    5. I see ISE as being marketed primarily for wireles devices (BYOD), but how would it help for wired devices (or does it become and unecessary authentication level apart from AD, switch based 802.1x, etc)
    Thank you.
    Regards,
    Adnan

    Cisco ISE is a consolidated policy-based access control system that  incorporates a superset of features available in existing Cisco policy  platforms. Cisco ISE performs the following functions:
    •Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
    •Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned sponsor administrators, or both
    •Enforces  endpoint compliance by providing comprehensive client provisioning  measures and assessing device posture for all endpoints that access the  network, including 802.1X environments
    •Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
    •Enables consistent policy in centralized and distributed deployments that allows services to be delivered where they are needed
    •Employs  advanced enforcement capabilities including security group access (SGA)  through the use of security group tags (SGTs) and security group access  control lists (SGACLs)
    •Supports scalability to support a number of deployment scenarios from small office to large enterprise environments
    The following key functions of Cisco ISE enable you to manage your entire access network.
    Provide Identity-Based Network Access
    The Cisco ISE solution provides context-aware identity management in the following areas:
    •Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
    •Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
    •Cisco  ISE assigns services based on the assigned user role, group, and  associated policy (job role, location, device type, and so on).
    •Cisco  ISE grants authenticated users with access to specific segments of the  network, or specific applications and services, or both, based on  authentication results.
    ISE 3315 can support 1500 users with appropriate license.

  • I previously uploaded images onto my desktop to work on in Lightroom 5.2. I worked on a few of the images days ago and just now getting back to them. My problem is I can only access the images I previously worked on and all the rest it says images not ava

    I previously uploaded images onto my desktop to work on in Lightroom 5.2. I worked on a few of the images days ago and just now getting back to them. My problem is I can only access the images I previously worked on and all the rest it says images not available but all the images are still right on my desktop.

    ... and all the rest it says images not available
    Normally this happens because you moved, renamed or deleted these photos (or the folders that contain them) outside of Lightroom. This is how to fix the problem: Adobe Lightroom - Find moved or missing files and folders

  • I have admin access to the main router in our LAN, so how can i telnet or get access to other LAN members in LAN without using third party software?

    I have admin access to the main router in our LAN, so how can i telnet or get access to other LAN members in LAN without using third party software?
    its linksys3500 router and  i login as admin using the gateway address in address bar..
    i want to access the c drive of my colleague in same subnet in same office and i know his ip address.but he not configured telnet accept request.so without it how can i open his telnet port and access him

    Duplicate post. 

  • Photoshop cs6 crashes with "appcrash - module ig75icd64.dll; no problem for a local admin user however. i've tried giving specified user full access to photoshop.exe and set it to Win XP compatibility. how do i fix this without giving user local admin acc

    photoshop cs6 crashes with "appcrash - module ig75icd64.dll; no problem for a local admin user however. i've tried giving specified user full access to photoshop.exe and set it to Win XP compatibility. how do i fix this without giving user local admin access?

    Danny,
    Topic or subject titles should be clear, pertinent and concise so that individual users can tell at a glance if they can help or not.
    That field is not for attempting to fit your entire question in there.
    Please keep this in mind next time you post.  Thank you.

  • I cannot get firefox to access any web pages, main menu appears frozen

    I have downloaded the most up to date firefox but cannot get the Start page to search for anything

    A possible cause is security software (firewall) that blocks or restricts Firefox or the plugin-container process without informing you, possibly after detecting changes (update) to the Firefox program.
    Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox and the plugin-container process.
    See:
    * https://support.mozilla.com/kb/Server+not+found
    * https://support.mozilla.com/kb/Firewalls
    Start Firefox in <u>[[Safe Mode]]</u> to check if one of the extensions is causing the problem (switch to the DEFAULT theme: Firefox (Tools) > Add-ons > Appearance/Themes).
    * Don't make any changes on the Safe mode start window.
    * https://support.mozilla.com/kb/Safe+Mode
    * https://support.mozilla.com/kb/Troubleshooting+extensions+and+themes

  • I have a new printer which behaves OK except it will not print directly from a web site accessed via Firefox. We do not have this problem if accessed via another browser. Suggestions?

    New printer is Brother MFCJ615W. OS is XP. Computer is quite old Dell. Printer also refuses to print pictures from .jpg files - but the fact that I can print direct from web sites accessed via another browser suggests some of the problem is with Firefox. I asked this a few days ago and got an email reply giving me a link to click on - but this only produced an error message.

    I think I solved the wifi connection problem, just by switching off completely the router! sounds trivial, but in this case it worked!!!
    the funny behaviour of the trackpad/cursor still persists. any suggestion???
    thanks again

  • WAP4410N - Problems logging in to web admin from Apple MAC

    I recently installed a WAP4410N for a customer without any problem, but a few days later I received a call requesting assistance as the customer could not login to the web admin page.
    The login screen was showing, but it wasn't acceptingthe username and password that I had set.
    Today I visited customer to investigate.
    I discovered that I could login without any problem using my Windows laptop, but that customer could not use any of their Apple MACs to login.
    Apart from one Windows PC, all customer computers were Apple OS.
    Customer could login using their Windows PC without any problem.
    Can anyone advise a solution to this problem?
    Thanks
    Stephen Killen
    www.premitel.com

    Thanks Stephen
    They were using Safari and Firefox does indeed work!
    Thanks again for prompt response

  • Problem in getting parameter value from selection screen in web dynpro abap

    Hi,
    I am facing problem in getting parameter value from selection screen.
    Please find my code below:
    DATA LT_PAR_ITEM TYPE IF_WD_SELECT_OPTIONS=>TT_SELECTION_SCREEN_ITEM.
    FIELD-SYMBOLS:<FS_PAR_ITEM> LIKE LINE OF LT_PAR_ITEM,
                                 <FS_OBJ_USAGE>    TYPE REF TO data.
      WD_THIS->M_HANDLER->GET_PARAMETER_FIELDS( IMPORTING ET_FIELDS = LT_PAR_ITEM ).
      LOOP AT LT_PAR_ITEM ASSIGNING <FS_PAR_ITEM>.
        CASE <FS_PAR_ITEM>-M_ID.
          WHEN `OBJ_USAGE`.
             ASSIGN <FS_PAR_ITEM>-M_VALUE->* TO <FS_OBJ_USAGE>.      
    [ Here, sy-subrc is 4,  <FS_OBJ_USAGE> is not assigning.]
        ENDCASE.
      ENDLOOP. 
    So, can any one solve this problem.
    Thanks in advance,
    Radhika

    Hi Radhika,
    Try using GET_RANGE_TABLE_OF_SEL_FIELD...
    Please Refer below code..
       DATA: NODE_FLIGHTS TYPE REF TO IF_WD_CONTEXT_NODE.
      DATA: RT_CARRID TYPE REF TO DATA.
      DATA: ISFLIGHT TYPE TABLE OF SFLIGHT.
      DATA: WSFLIGHT TYPE SFLIGHT.
      FIELD-SYMBOLS: <FS_CARRID> TYPE TABLE.
    Retrieve the data from the select option
      RT_CARRID = WD_THIS->M_HANDLER->GET_RANGE_TABLE_OF_SEL_FIELD( I_ID = 'S_CARR_ID' ).
    Assign it to a field symbol
      ASSIGN RT_CARRID->* TO <FS_CARRID>.
      CLEAR ISFLIGHT. REFRESH ISFLIGHT.
      SELECT * INTO CORRESPONDING FIELDS OF TABLE ISFLIGHT FROM SFLIGHT
                           WHERE CARRID IN <FS_CARRID>.
      NODE_FLIGHTS = WD_CONTEXT->GET_CHILD_NODE( NAME = `FLIGHTS` ).
      NODE_FLIGHTS->BIND_ELEMENTS( ISFLIGHT ).
    Thanks,
    Regards,
    Kiran

Maybe you are looking for

  • Can't install Windows 7 on my Macbook pro.

    Hi, I've been trying to install Windows 7 on my Macbook pro, with no luck. I have been able to create a Windows Partition via Bootcamp. And after the Windows 7 installation guide started to expand my Windows files, my Windows 7 CD suddenly stopped sp

  • ODBC to export SAGE Line 100 Legacy Data

    Hi guys, I need an ODBC for the SAGE Line 100 to export legacy data into excel to do migrations using DTW. The customer cant find the origanal CD's and I cant wait for it. Does any1 know where I can get it? Thanks

  • Unable to delete the contents of the Cube.

    Hi All,   I am trying to delete the contents of the cube selecting the option<b>(Delete Data</b>) from the context menu of the cube. I am getting the error message as Database Table /BI0/F0PA_C01 Could not be deleted or recreated. is there a way to s

  • How to config N5K as NTP server

                       I am testing N5K as NTP server feature. I have found a CLI in N7K: ntp master, but I have not found the similar command in N5K. I am running Nexus OS 5.2.1.N(1). Any config example would be greatly appreciated. Thx. gy

  • Equipment usage list-Reg

    Dear PM Guys, Is there is any standard report in which I can see the equipment usage list for sub equipments.Because the scenario is FL-MAIN EQUIPMENT-SUB EQUIPMENTS.They always keep on move sub equipments from one main equipment to other main equipm