Task 2: Configuring NADs for Cisco ISE

Similar Messages

• Configuring NADs for Cisco ISE

  hi all
  I am trying to study Unified access Bootcmap lab in my office. i have made my lab but i'm in the trouble for NAD's
  Boot Camp Lab Guide already configured. so i couldn't know how configuring in my lab.
  as you can in the figure that i want to know. the whole configuration anybody know about that?
  i attached word file.

  Duplicate posts. Go here: https://supportforums.cisco.com/discussion/12136876/configuring-nads-cisco-ise

• Need Step by step installation guide for Cisco ISE in distributed environment.

               Hi Friends,
  If anyone is having  step by step installation guide for Cisco ISE in distributed environment please shere!
  I have user guide from Cisco, but does someone have created at the time of actual installation.
  Thanks,
  Sachin

  There is a trustsec 2.1 how to guide on cisco's website. There is also a TrustSec 2.0 ISE Guide floating around that has step by step instructions for setting up ISE 1.0.4. Which is still pretty accurate for the 1.1.1 guide. But if you go through the below site it should give you all the info you need.
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

• What's "SAVE" configuration command for Cisco switch/ router?

  What's "SAVE" configuration command for Cisco switch / router? I know Switch#copy running-config startup-config works well,
  but so long, any other command that easy to remenber?

  What's "SAVE" configuration command for Cisco switch / router? I know Switch#copy running-config startup-config works well, but so long,
  any other command that easy to remenber?
  yes, here: Switch#write,and want to know more about the Cisco switch, please visit:http://www.3anetwork.com/cisco-switches-price_c1

• Using Rufus to create bootable USB Drives for Cisco ISE 3495 upgrade

  I will give a try in the lab but I just wanted to know if somebody else tried this option before.

  Firstable I have to said that I received a brand new 3495 Cisco ISE with version 1.3.0.876 already installed on it BUT my deployment is running 1.2.1.198 patch 3 so I had to downgrade that box.
  Hi Saurav, using Rufus did NOT work. I got an installation error so I found that using DAEMON TOOL Lite (trial version), I created a virtual DVD drive on my Win 7 Laptop which pointed to the ISO for version 1.2.1.198. Then I could make the downgrade with no issues. This is a Cisco Appliance not VM.
  I think the procedure indicated by cisco in the following link is INCOMPLETE:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig.pdf
  I will post some additional screenshots required on that link when you are using CIMC and upgrading/downgrading the ISE using External/Virtual DVD.
  Important to say that I found this mechanism using Virtual DVD the easiest one instead of the bootable flash drive.

• Cisco prime 2.1 / 2.2 support for Cisco ise 1.3 ?

  Hi, I just tried to connect cisco PI 2.1 to cisco ISE 1.3, but fails.
  I read the release Notes, only ISE 1.2 ist supported.
  But I was wondering that the ssl handshake fails (I have done a packet capture). 
  So PI 2.1 has not tried to connect to ise 1.3 via api, because of the connection fails at the ssl handshake stage.
  Anyway, does anybody know if ISE 1.3 will be supported with PI 2.2 or a version of PI 2.1.x ?

  Why doesn't the REST API communication in Prime 2.1 (2.1.0.0.87) support TLS? The platform itself seem to be able to handle TLS-DHE-RSA with AES-128-CBC-SHA. Why is it trying to use SSLv2 ?
  These protocol is incompatible and very much outdated: http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0
  Can this behavour be reconfigured in CLI or at least be allowed in ISE 1.3 to make a workaround until a working patch or upgrade is done? Could or should adding the Cisco Prime server as managed node in ISE circumvent the incompability?

• How do I skip the Device Registration Portal for Cisco ISE web portal

  I have set up a sponsor and guest portal system for wireless guest access to the internet using ISE v1.2.0.899 virtual and WLC 5500 runninng 7.4. After logging into the intial page, the guest user is directed to the Device Registration Portal. Entering a MAC address value puts the user in a continuous failing loop. But, if they just hit the "continue" button at the bottom of the page, they will be directed onward and have internet access as was intended. I have no requirement for guest users to register their devices. What do I need to do to remove the device registration portal from the log on sequence for guest user access? Thanks!

  Hello Scoot,
  you make a list of the MAC add of coperate devices. and set a rule if authentication doesn't happen only these devices can do the self  registration.
  I hope this works for you

• Cisco ISE User Authentication Certificates for Wired and Wirless Users (BYOD)

  Can any one tell me from where we can purchase User Authentication Certificates for Wired and Wireless Users (BYOD) for Cisco ISE. Also Confirm what certificates we required for the purpose.
  Please suggest the Website form where we can purchase and ipmort in Cisco ISE certificate Section.
  Thanks.

  Dear Mohana,
  Thanks for your reply, Can you please confirm me in regards EAP-TLS certificate, which authorities you recomend if i go to Go dadday or very Sign to buy it and then import in ISE.
  Looking forward for your reply.
  Regards,
  Muhammad Imran Shaikh
  Resident Engineer, IT Network Section - PPL
  Mobile : 0092-312-288-1010
  LinkedIn : pk.linkedin.com/pub/muhammad-imran-shaikh/10/471/b47/

• Cisco ISE 1.2 Patch 6 -- 8 Update failed

  Hi all,
  I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
  Important notice : I though that this error could be an unlucky try but i've tested the update two time.
  Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
  The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
  On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
  The symptoms after this error are :
  - Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
  - The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
  - GUI Unavailable
  - MAB Auth is working
  - Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
  - Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
  The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
  My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
  Thanks for your help.

  This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
  2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
  2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...
  2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.
  2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
  pl/StaticLoggerBinder.class]
  2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
  8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
  2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
  2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
  2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

• Cisco ISE 1.3

  Good day guys,
  I am trying to configure the new Cisco ISE 1.3. 
  I am using a Vwlc software version 7.4.121.
  My problem is that when a client authenticates with the ISE server, the endpoint is automatically added to the Internal endpoints identity store.
  Because of this, if the client comes off the network and tries to join again, the client is found in the internal endpoints and is rejected access to be redirected.
  Is this a bug or is there a setting that i can disable?

  Hi Saurav,
  It seems like that only allowed the device reports to be able to populate more.
  Was looking for a way to stop the endpoints from joining the internal endpoints automatically.
  In the meantime, i have developed some rules so that the "Deny Access" rule is not matched

• CIsco ISE - HP Openview monitoring.

  Hi guys,
  I have a doubt about monitoring Cisco ISE services in the network.
  We can send some alarms notifications to a multiple e-mails, but my doubt is if I can monitoring ISE services with a network monitoring software like HP Open View.
  I didn't find any documentation about it yet.
  Someone knows if I can do this?

  Hi Tarik, How are you?
  The doubt is.... my customer have ise in vmware and he need monitoring availability for cisco ISE. The question is: How can I do that? I did found any document informing if I can send snmp traps or something like that to a Monitoring Server.
  About "link down" and "link Up" he can monitoring the ESX Vmware appliance right?
   There are something that I can do with Cisco ISE. I need to pass a answer to my client if  the Cisco ISE can support this kind of configuration. 
  Thanks for your help.

• Cisco ISE Posture support Symantec or Mcafee AV in one condition

                     Hi Team,
                      Any one help me regarding the configuration of the Cisco ISE. We want to configure one compound condition
                      for mcafee or symantec av server. Can I configure in a such manner that the client pc can have either macfee
                      or symantec server then posture will be compliant.
                      Abhishek Agrawal

  Abhishek,
  This is possible, please use this link for reference:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
  Your AV vendor will have to be supported based on the release notes:
  http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Configuration file for smart view for Hyperion planning

  Hi,
  We are using SmartView for accessing HyperionPlanning application. Please let me know how can we change the provider to use shared services and enable planning it for logging to file. Also which properties file is used for these configurations and where can we locate the configuration file on Hyperion planning installation system.
  Please suggest.
  Thanks
  Edited by: user11189447 on Aug 12, 2010 8:17 AM

  Hi,
  Checkout the below metalink from Oracle.
  Hyperion Strategic Finance Will Not Connect Via SmartView (Doc ID 1561484.1)
  Below Solution  as per doc ---
  1. Run the installation for the HSF Web Application component on the Foundation server where weblogic is for HSF Server.
  (Be sure the HSF Web Application component is also installed on the the HSF Server, if separate from the Foundation server as well.)
  2. Clean up any failed deployments in the WebLogic Console by deleting the HSFWeb Server from WL Admn
  3. Configure the new component on Foundation (target server).
  4. On OHS server run configtool and perform the WebServer config task to configure OHS for HSFweb
  5. Restart OHS and start HSFWeb
  Thanks,
  ~KKT~

• Cisco ISE - multiple AD - trust relationships

  Hello,
  I have a customer who has multple AD forests and an ISE deployment running 1.1.3.
  The customer scenario is as follows - there is an Internal AD forest (internal users) and an External AD forest (external users such as consultants). The objective is to use Cisco ISE to authenticate and authorize the users in both AD forests. CIsco ISE is connected to the Internal AD forest.
  We know that multiple AD support is coming in 2014 with versioon 1.3 - other options such as LDAP/EAP-TLS are not a viable option for the customer.
  1.       Currently  – the Internal AD forest has an External, Non-transitive – one-way trust with the External Forest
       a.       The objective here is to use a feature called Selective Authentication  in order to filter the outgoing requests from the External Forest to the Internal Forest – this is a selective trust feature that can be used to control access to specific resources in Internal Forest and for authentication between Internal/External Forest via Cisco ISE
       b.      Preliminary testing has shown that a one way trust seems to work for Cisco ISE authentication/authorization
       c.       Further testing is underway to test the Selective Authentication feature (ie restrict access to specific resources etc…)
  Question : has any one used this and is this a supported method by Cisco (I know they mention a mutual trust relationship is required)?
  2.       We are exploring a second scenario - the Internal AD forest will have an External, Non-transitive – two-way trust with the External Forest
       a.       Same objectives as in  1 – we would attempt to use the Selective Authentication in the following fashion (this is an example)
            i.      External Forest has outgoing filter to allow access to specific resources in Internal Forest, and for authentication
            ii.      Internal Forest has incoming filter to deny access to all resources in External Forest
  In this case we would filter so it resembles a 1 way trust relationship - anyone try this, anyone know if this would be a supported method by Cisco?
  Thanks in advance for your replies.
  Robert C.

  Cisco has published a nice new guide on Active Directory integration with ISE 1.3. As noted there:
  "Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join."
  I've setup one such deployment just recently and found it quite simple to just add the second domain and use it an en external identity source accordingly.

• Cisco ISE v1.1

  I'm looking for Cisco ISE v1.1 to use the following licensing feature.
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.htmlEndpoint is dynamically profiled by Cisco ISE and assigned  dynamically or statically to an endpoint identity group. Cisco ISE authorization  rules do not use this endpoint identity group.
  End result: As of Cisco ISE 1.0, one license from  Base package is used up and one license from Advanced package is used up. By  Cisco ISE 1.1 scenario this scenario will be fixed to use up only one license  from Base package. Because profiled identity group is not used in the  Authorization Policy, no Advanced license is consumed.
  Last time I heard, v1.1 is due in first week of December, I would like to know if that is true.
  Thanks,
  Vijay

  There is a release that may include some relevant functionality for this licensing issue
  Version on CCO is ise-appbundle-1.0.4.573.i386.tar.gz
  See http://www.cisco.com/en/US/partner/docs/security/ise/1.0.4/release_notes/ise104_rn.html#wp207280
  text from release notes reads as follows:
  The Cisco ISE, Release 1.0.4 implements a change that Cisco ISE cannot consume advanced licenses when endpoints are statically assigned to a profile. The number of endpoints that are dynamically profiled can only be compared against the limit of the advanced licenses. The endpoints that are statically assigned to a profile are now excluded from utilizing licenses included in the advanced license package, but they are still compared against the limit of base licenses. Earlier in the Cisco ISE, Release 1.0, it compares the total number of concurrent endpoints across the entire deployment against the limit of the advanced licenses.