Reauthentication Problem in Endpoints Using Cisco ISE 1.1

Similar Messages

• CWA using Cisco ISE issue

  Good morning everyone,
  I have some trouble to use my Cisco ISE to do Central Web Authentication. I followed this following configuration example : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
  But for the moment, clients can't seee the web portal. My WLC and my Cisco ISE are well configured as presented in the document, when clients connect to the AP, they are listed into the Cisco ISE with the good authorization profile but, the URL redirection doesn't work as well as I want, clients have to enter manually the IP address in the web browser to log-in trough the Cisco ISE.
  If anyone already had this problem, maybe could tell me more about that.
  Thanks in advance!

  Good news!
  I have resolved my problem 15 minutes ago. For people who have the same problem, I have just changed my static route in my WLC. The issue was that I broadcast the same VLAN used for the management interface and in adding the network allowing admin to reach service-port, all traffic of my broadcasted VLAN was sent to the service-port. A simple netmask modification resolved the problem.
  I have still a problem with CoA which doesn't work properly and I have to disconnect/reconnect to the SSID to have a complete access but I'm going to continue my research for that.
  Thanks all for your help !!!!

• Posture Assessment passed in Error using Cisco ISE

  Hi all,
  I would like some help trying to understand why a client that has not been connected to the network for just over a month was allowed full network access despite the AV definitions being over 28days old.
  We have 2 mandatory posture requirements,
  1. Symantec Av MUST be installed
  2. the AV definitions MUST be LESS THAN 28 days out of date
  Currently, the machine I have is showing the AV defs as being 25th March 2013.
  When I produce the detailed posture report, it even shows me that the two mandatory requirements as described above were successfully meant meaning the endpoint is posture compliant. Clearly this is not the case though...!
  Is there anything else I can check on the ISE to help debug this?
  Mario              

  Hi,
  You might have two problems:
  1. In ISE you have a gobal setting regarding the unsupported NAC Agent clients (Android, etc) that specifies what is their default compliance status. If the default setting is "compliant" and you don't have a provisioning rule for that client or you simply don't have client provisioning rules, any machine that doesn't fit in the provisioning rule (ie ISE thinks that is not supported) will get a compliance status of compliant event though NAC Agent is installed and the rules are not satisfied.
  2. NAC Agent version problem?
  I've seen in logs that you're using NAC Agent 4.9.1.6 but the latest recommended version of NAC Agent to be used with (the latest) ISE is version 4.9.0.51.
  Version 4.9.1.6 is a NAC Appliance release and Cisco offers no guarantee that is 100% compatible with ISE.
  Check
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131
  Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE) Cisco supports different versions of the NAC Agent for integration with  NAC Appliance and ISE. Current releases are developed to work in either  environment, however, interoperability between deployments is not  guaranteed. Therefore, there is no explicit interoperability support for  a given NAC Agent version intended for one environment that will  necessarily work in the other. If you require support for both NAC  Appliance and ISE using a single NAC Agent, be sure to test NAC Agent in  your specific environment to verify compatibility. Unless there is a specific defect or feature required for your NAC  Appliance deployment, Cisco recommends deploying the most current agent  certified for your ISE deployment. If an issue arises, Cisco recommends  restricting the NAC Agent's use to its intended environment and  contacting Cisco TAC for assistance. Cisco will be addressing this issue  through the standard Cisco TAC support escalation process, but NAC  Agent interoperability is not guaranteed. Cisco is working on an approach to address NAC Agent interoperability testing and support in an upcoming release.

• Delete language template in use Cisco ISE

  Hi I have a problem updating my ise, there is a faulty language template in use as I can see in the log files, its not a system template so I want to proceed to delete it, but I can't because its still in use by a sponsor or a user, the problem is that sponsor grups had this option *Maximum Duration of Account set to 999999.
  Is there a way to logout all sponsors (they are not local users)?
  this is the output log when updating the ise, I had to open a TAC case because my firs support couldn´t update form the latest 1.1.4 to 1.2
  PortalConfigUpgradeUtil: getInstance
  adding default attributes to SponsorUser.
  UpgradeUtil: Add attribute: DefaultGuestRole to object type: SponsorUser
  UpgradeUtil: Added attribute: DefaultGuestRole
  UpgradeUtil: Add attribute: DefaultTimeProfile to object type: SponsorUser
  UpgradeUtil: Added attribute: DefaultTimeProfile
  UpgradeUtil: Add attribute: DefaultLanguageNotification to object type: SponsorUser
  UpgradeUtil: Added attribute: DefaultLanguageNotification
  UpgradeUtil: Add attribute: LoginUsername to object type: SponsorUser
  UpgradeUtil: Added attribute: LoginUsername
  Setting default attributes on SponsorUser ...
  upgrade default attributes for sponsoruser: 175fa0e0-8969-11e1-8db8-005056b00068
  upgrade default attributes for sponsoruser: domainuser1
  upgrade default attributes for sponsoruser: domainuser2
  failed to update sponsor user: Invalid Language Template: Spanish
  com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
      at com.cisco.cpm.guest.impl.SponsorUserImpl.save(SponsorUserImpl.java:916)
      at com.cisco.cpm.guest.upgrade.PortalConfigUpgradeUtil.updateDefaultSponsorUserAttributes(PortalConfigUpgradeUtil.java:149)
      at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3154)
      at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgrade(GuestUpgradeService.java:349)
      at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:131)
      at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:184)
  GuestUpgradeService: Failed to upgrade guest defaults Invalid Language Template: Spanish
  Error while applying changes in version: 1.2.0.882 class: com.cisco.cpm.guest.upgrade.GuestUpgradeService
  com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
      at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3162)
      at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgrade(GuestUpgradeService.java:349)
      at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:131)
      at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:184)
  Caused by: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
      at com.cisco.cpm.guest.impl.SponsorUserImpl.save(SponsorUserImpl.java:916)
      at com.cisco.cpm.guest.upgrade.PortalConfigUpgradeUtil.updateDefaultSponsorUserAttributes(PortalConfigUpgradeUtil.java:149)
      at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3154)
      ... 3 more
  ERROR! isedataupgrade.sh FAILED. ISE GLOBAL DATA UPGRADE FAILED
  After a clean install to 1.2 and installing the backup of 1.1.4 I get the same error
  failed to update sponsor user: Invalid Language Template: Spanish
  com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
       at com.cisco.cpm.guest.impl.SponsorUserImpl.save(SponsorUserImpl.java:916)
       at com.cisco.cpm.guest.upgrade.PortalConfigUpgradeUtil.updateDefaultSponsorUserAttributes(PortalConfigUpgradeUtil.java:149)
       at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3154)
       at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgrade(GuestUpgradeService.java:349)
       at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:131)
       at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:184)
  GuestUpgradeService: Failed to upgrade guest defaults Invalid Language Template: Spanish
  Error while applying changes in version: 1.2.0.882 class: com.cisco.cpm.guest.upgrade.GuestUpgradeService
  com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
       at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3162)
       at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgrade(GuestUpgradeService.java:349)
       at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:131)
       at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:184)
  Caused by: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
       at com.cisco.cpm.guest.impl.SponsorUserImpl.save(SponsorUserImpl.java:916)
       at com.cisco.cpm.guest.upgrade.PortalConfigUpgradeUtil.updateDefaultSponsorUserAttributes(PortalConfigUpgradeUtil.java:149)
       at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3154)
       ... 3 more
  ERROR! isedataupgrade.sh FAILED. ISE GLOBAL DATA UPGRADE FAILED

  Hi, Alexander De Menezes from the tac team helped me to solve this issue, it is related to the internal oracle database.
  Kind regards

• Cisco ISE - dot1x behavior after returning from sleep mode

  Hi,
  In ISE deployment, When machine return from sleep mode , it do re-authentication process.
  Is it possible to restore the same session?
  if not ,Is it possible to let the authentication to re-run but making NAC agent not run or run in background?

  similar discussions here
  https://supportforums.cisco.com/discussion/11686306/reauthentication-problem-endpoints-using-cisco-ise-11

• Cisco ISE - Not use FQDN in url-redirect parameter

  Hi,
  I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
  The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
  As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
  Thank you very much.
  Joana.

  Available in 1.2, and available as a "bit of a bodge" in 1.1.x  (read "a lot of a bodge")
  If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
  Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead.

• Guest Activity on Cisco ISE

  Is it possible to monitor the web pages visited for a guest using cisco ISE?                  

  Hi Gino,
  Yes, you can use the Guest Activity option. The Guest Activity report provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.
  This report is available at: Operations > Reports > Endpoints and Users > Guest Activity.
  To use this report you must first:
  •Enable the passed authentications logging category. Choose Administration > Logging > Logging Categories and select Passed authentications.
  •Enable these options on the firewall used for guest traffic:
  –Inspect HTTP traffic and send data to Cisco ISE Monitoring node. Cisco ISE only requires the the IP address and accessed URL for the Guest Activity report so, if possible, limit the data to include just this information.
  –Send syslogs to Cisco ISE Monitoring node
  Please check the below link for further information,
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_guest_pol.html#wp1056645

• Cisco ISE - multiple AD - trust relationships

  Hello,
  I have a customer who has multple AD forests and an ISE deployment running 1.1.3.
  The customer scenario is as follows - there is an Internal AD forest (internal users) and an External AD forest (external users such as consultants). The objective is to use Cisco ISE to authenticate and authorize the users in both AD forests. CIsco ISE is connected to the Internal AD forest.
  We know that multiple AD support is coming in 2014 with versioon 1.3 - other options such as LDAP/EAP-TLS are not a viable option for the customer.
  1.       Currently  – the Internal AD forest has an External, Non-transitive – one-way trust with the External Forest
       a.       The objective here is to use a feature called Selective Authentication  in order to filter the outgoing requests from the External Forest to the Internal Forest – this is a selective trust feature that can be used to control access to specific resources in Internal Forest and for authentication between Internal/External Forest via Cisco ISE
       b.      Preliminary testing has shown that a one way trust seems to work for Cisco ISE authentication/authorization
       c.       Further testing is underway to test the Selective Authentication feature (ie restrict access to specific resources etc…)
  Question : has any one used this and is this a supported method by Cisco (I know they mention a mutual trust relationship is required)?
  2.       We are exploring a second scenario - the Internal AD forest will have an External, Non-transitive – two-way trust with the External Forest
       a.       Same objectives as in  1 – we would attempt to use the Selective Authentication in the following fashion (this is an example)
            i.      External Forest has outgoing filter to allow access to specific resources in Internal Forest, and for authentication
            ii.      Internal Forest has incoming filter to deny access to all resources in External Forest
  In this case we would filter so it resembles a 1 way trust relationship - anyone try this, anyone know if this would be a supported method by Cisco?
  Thanks in advance for your replies.
  Robert C.

  Cisco has published a nice new guide on Active Directory integration with ISE 1.3. As noted there:
  "Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join."
  I've setup one such deployment just recently and found it quite simple to just add the second domain and use it an en external identity source accordingly.

• Guest Wireless Cisco ISE 1.3

  I am setting up guest wireless in my enterprise using Cisco ISE 1.3.
  I have set up Authorization profiles and Authentication conditions for Guest Wireless. I am however not sure of the Authentication results (the allowed protocol section). Since I want to give Guests INTERNET-ONLY access, I have configured WLC with a ACL and tied that ACL-name to ISE. However, when it comes to Authentication results à Allowed protocols, I am unsure of what to include. For instance, I have created an allowed protocol named ‘Wireless_Access’, screenshot attached below..
  Please let me know what options have to be checked to suit a guest environment. Any help would be much appreciated.. thanks!

  Hi,
  Below you can find a configuration example for guest access using ISE1.3.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
  Hope this helps.
  Regards

• Cisco ISE with TACACS+ and RADIUS both?

  Hello,
  I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
  Bob

  Hello Robert,
  I believe NO, they both won't work together as both TACACS and Radius are different technologies.
  It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
  For your reference, I am sharing the link for the difference between TACACS and Radius.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
  Moreover, Please review the information as well.
  Compare TACACS+ and RADIUS
  These sections compare several features of TACACS+ and RADIUS.
  UDP and TCP
  RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
  TCP transport offers:
  TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
  TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
  Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
  TCP is more scalable and adapts to growing, as well as congested, networks.
  Packet Encryption
  RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
  TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
  Authentication and Authorization
  RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
  TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
  During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
  Multiprotocol Support
  RADIUS does not support these protocols:
  AppleTalk Remote Access (ARA) protocol
  NetBIOS Frame Protocol Control protocol
  Novell Asynchronous Services Interface (NASI)
  X.25 PAD connection
  TACACS+ offers multiprotocol support.
  Router Management
  RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
  TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
  Interoperability
  Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
  Traffic
  Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).

• Ordering Cisco ISE

  Hi Everyone,
  We are a Small company with 400-Users and currently we are using ACS 4.2  at our company.  we want to upgrade and use Cisco ISE Appliance instead.
  I want to know is there any major changes in configurtaion between  ACS 4.2 and the ISE Latest Verison..............?
  Is there any Hardware (Switch or Cisco AP ) compatibility issues with using Cisco ISE.    (we are currently using Cisco Cat 3550 and Cisco Aironet 2600 APs  with the existing ACS4.2)
  What ISE Series & what Soft version are the latest so i can order ?
  Thank You

  Imran,
  When ordering cisco ISE there are certain SKUs that will allow you purchase and deploy the equipment, however there are conditions where you will have to rely on an ATP to prepare, plan and implement the solution for you. Here is the information that you are looking for along with the hardware compatibility matrix.
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html
  Q/A - (column indicates which ISE skus are ATP madantory)
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
  Network component compatibility matrix -
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE Active Endpoint Usage Reset

  Hi,
  I have a Cisco ISE running version 1.1 and I was wondering if it may be possible to reset the license usage/active endpoint shown on the dashboard? This was noticed after a restore of ISE due to replacement of hardware and I noticed that the license usage count/active endpoints does not seems to go down.
  The following methods have been tried however without any success:
  1. Reboot ise server/service
  2. Disable all network devices making use of ise such that there are no clients/devices accessing it; example switch/wlc/etc...
  3. Deleted all endpoints usage in identies/identies group
  4. Disable profiling on ise
  As the ise has been installed with a base license; not too sure if it may be either a bad restore (all service/application are working though) / bad radius accounting which does not timed out on the ise / etc...
  Any help is appreciated on how to reset the active endpoint/license usage.
  Thanks.                  

  Here is a method for removing the stale records. Please give this a try:
  http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1072950
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• AD Machine Authentication with Cisco ISE problem

  Hi Experts,
  I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
  Authentication policy:
  Allowed protocol = PEAP & TLS
  Authorization Policy:
  Condition for computer to be checked in external identity store (AD) = Permit access
  Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
  All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
  Switchport configuration:
  ===============================================
  ip access-list extended ACL-DEFAULT
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  permit ip any host (AD)
  permit icmp any any
  permit ip any host (ISE-1)
  permit ip any host  (ISE-2)
  permit udp any host (CUCM-1) eq tftp
  permit udp any host (CUCM-2)eq tftp
  deny ip any any
  ===============================================
  switchport config
  ===============================================
  Switchport Access vlan 10
  switchport mode access
  switchport voice vlan 20
  ip access-group ACL-DEFAULT in
  authentication open
  authentication event fail action next-method
  authentication event server dead action authorize vlan 1
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication timer inactivity 180
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 100
  ====================================================
  One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
  Your help will highly appreciated.
  Regards,

  You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing, could be something in the policy.  Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
  I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
  I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining.  This is great because you can do two part authentication.  EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.

• Cisco ISE AD (Windows Server 2013) Authentication Problem

  Background:
  Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
  Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
  Problem:
  Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
  Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
  xxdc01.xx.com (10.21.3.1)
  Pinged:0 Mins Ago
  State:down
  xxdc02.xx.com (10.21.3.2)
  Pinged:0 Mins Ago
  State:down
  xxdc01.xx.com
  Last Success:Thu Jan  1 10:00:00 1970
  Last Failure:Mon Mar 11 11:18:04 2013
  Successes:0
  Failures:11006
  xxdc02.xx.com
  Last Success:Mon Mar 11 09:43:31 2013
  Last Failure:Mon Mar 11 11:18:04 2013
  Successes:25
  Failures:11006
  Domain Controller: xxdc02.xx.com:389
      Domain Controller Type: Unknown DC Functional Level: 5
      Domain Name:            xx.COM
      IsGlobalCatalogReady:   TRUE
      DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
      ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
  Action Taken:
  Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
  2)     Tested wireless authentication using EAP-FAST but same problem occurs.
  3)     Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.     
  12304  Extracted EAP-Response containing PEAP challenge-response
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - AD1
  24430  Authenticating user against Active Directory
  24444  Active Directory operation has failed because of an unspecified error in the ISE
  4)     Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
  5)     Tested wireless on different laptos and mobile phones with same error
  6)     Delete and add again AAA Client/Devices on both Cisco ISE and WLC
  7)     Restarted ISE services
  8)     Rejoin domain on Cisco ISE
  9)     Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
  10)    There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
  Other possibilities/action:
  1)     Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
  2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
  Anyone out there experienced something similar of have any ideas on why this is happening?
  Thanks.
  Update:
  1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
  2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
  This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.

  Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required ot version?
  Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre

• Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

  We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
  They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
  From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
  Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
  One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
  I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
  Any thoughts? Thanks in advance.

  Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
  Thank you for rating helpful posts!