Unable to register secondary node on Cisco ISE 1.1.4

Similar Messages

• Guest Activity on Cisco ISE

  Is it possible to monitor the web pages visited for a guest using cisco ISE?                  

  Hi Gino,
  Yes, you can use the Guest Activity option. The Guest Activity report provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.
  This report is available at: Operations > Reports > Endpoints and Users > Guest Activity.
  To use this report you must first:
  •Enable the passed authentications logging category. Choose Administration > Logging > Logging Categories and select Passed authentications.
  •Enable these options on the firewall used for guest traffic:
  –Inspect HTTP traffic and send data to Cisco ISE Monitoring node. Cisco ISE only requires the the IP address and accessed URL for the Guest Activity report so, if possible, limit the data to include just this information.
  –Send syslogs to Cisco ISE Monitoring node
  Please check the below link for further information,
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_guest_pol.html#wp1056645

• Cisco ISE deregister node not available

  Hello,
  I installed two ISE node and registered the second node. Yesterday I saw an error message: Sync failed, deregister and register the second node.
  I deregistered the second node and tried register again, but not worked. Now, the second node is showing in the first node but I can not deregister or register again, how I can deregister the second node to register again?

  This seems to be an issue with invalid certificates. Have you already checked the certificates on both the sides. Also restart the services of secondary nodes one and check again.
  As a next step, we need to look inside ise-psc.logs to further troubleshoot this issue.
  Regards,
  Jatin Katyal
  **Do rate helpful posts**

• Generating license for ISE high availability primary/secondary nodes

  We have two ISE servers that will act as primary/secondary in a high availability setup.
  The ISE 1.0.4 installation guide, page 93, mentions that "If you have two Cisco ISE nodes configured for high availability, then you must include both the primary and secondary Administration ISE node hardware and IDs in the license file."
  However, after entering the PAK in the licensing page, the only required fields are:
  - Primary Product ID
  - Primary Version ID
  - Primary Serial No
  In this case, how can i include both primary and secondry HW and IDs?
  Thanks in advance.

  I am refering you a Cisco ISE Nodes for High Availability configuration guide, Please check:
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1128454

• Cisco ISE inline posture node Posture assessment query

  Hi all,
  i read the user guide for the ISE 1.1 and in the Inline posture section, I picked up the following text which concerned me if I understand it right...
  "In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
  they are likely to fall into one of the identity groups that already have authenticated and authorized users
  connected to the network.
  For instance, there may be an employee, executive, and guest that have been granted access through the
  outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
  groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
  and authorization uses the existing installed profiles on the Inline Posture node, unless the original
  profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
  with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
  Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, will the next user completely skip posture assessment and granted full access to the network if they are a member of the same AD group?
  I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
  Thanks!
  Mario

  I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and a endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and an URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
  After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
  So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint is goes through reauth via CoA.
  If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
  https://communities.cisco.com/docs/DOC-30977
  HTH,
  Ryan

• MAC OS X unable to download Cisco ISE supplicant agent

  Hi,
  I have a problem with MAC OS X clients unable to download the Cisco ISE supplicant agent using Safari browser but able to login on the ISE guest portal. If the same client was to login to the ISE guest portal using Firefox; it has no issues downloading the ise supplicant and posture agent.
  I have tried to update the Java version on the client to the latest; however it does not resolve the issue. As I am new to MAC OS clients; I was wondering what may be the cause of the issue?
  I have summarized the issue as follows:
  1. MAC OS X 10.8 with safari 6 -- unable to download agent but can login successfully on the Cisco ISE guest portal
  2. MAC OS X 10.8 with Firefox -- able to login to Cisco ISE guest portal and download agents; no issues
  3. MAC OS X 10.7 with safari and firefox ---  unable to download agent but can login successfully on the Cisco ISE guest portal
  4. Windows XP & Windows 7 & Iphone/Ipad/Android -- able to login/download agent without any issues
  Any suggestions is appreciated.
  Thanks.

  For Agent Download Issues on Client Machine
  • Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the
  policy identity group, conditions, and type of agent(s) defined in the policy.
  (Also ensure whether or not there is any agent profile configured under Policy >
  Policy Elements > Results > Client Provisioning > Resources > Add > ISE
  Posture Agent Profile, even a profile with all default values.)
  • Try reauthenticating the client machine by bouncing the port on the access
  switch.
  Remember that the client provisioning agent installer download requires the following:
  • The user must allow the ActiveX installer in the browser session the first time an agent is installed
  on the client machine. (The client provisioning download page prompts for this.)
  • The client machine must have Internet access.
  Client Machine Operating Systems and Agent Support in Cisco ISE
  Check the following link
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp95449

• Cisco ISE - line posture node and switch connection.

  I am studying how Cisco ISE - Inline Posture Node working under the Bridge Mode. I learned that I need to configure the vlan mapping between the untrusted and trusted interfaces of IPN device ( http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_ipep_deploy.html - Figure 10-6).
  Does that mean I can setup a 802.1Q trunk link between the switch port and trusted/untrusted interface on IPN? Is there any vlan mapping entry limitation? Thanks.

  Please review the below link which might also be  helpful:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml

• Unable to register a secondary ACS 5.2 appliance

  Hello,
       I have installed 2 ACS 5.2 appliances, the two appear as Primary. When I try to register one of them with the other one using "System Administrator -> Local Operation -> Deployment Operations" I get the following message:
  This System Failure occurred:  Unable to authenticate with node.. Your changes have not been saved.Click OK to return to the list page.
  I have tried with both "ACSAdmin" and "admin" users with their respective passwords.
  Am I doing anything wrong?
  Is there any LOG I can check to troubleshoot this?
  Thanks a lot!!!
  Regards,
  Julio

  I finally found the problem. I was using admin user (super user priviledges). I created another user with all permissions and it worked.
  Thanks a lot.

• Connect some users on ISE Secondary node

  Is it possible to connect users on secondary node?
  I tried it. I configure one switch to connect on the secondary node. A computer on that switch communicate with the secondary node and get and IP address from the DHCP. but It cannot download DACL.

  Yes you can point the users to the secondary server and have them authenticate, within ise the primary and secondary status only applies to admin and the monitoring personas, as as the node is running the policy services they are all considered their own standalone radius server.
  please use the "debug radius authentication" and all check the replicstion status and see if it is in sync and completed.
  Thanks
  Tarik Admani
  *Please rate helpful posts*

• Unable to Externally Register Phone Services on Cisco Jabber Client via Expressway E

  Hi,
  I have currently deployed Cisco Jabber along with Expressway C and E for external regeneration without VPN. I have successfully registered IM and Presence service externally on the internet and I am able to chat with other Jabber users.
  I am not able to register phone services for Cisco Jabber client who are registering externally over the internet without VPN.
  I have checked that all the users are able to use IM and Presence along with Phone services in the internal network and over the internet using VPN. I have configured the required DNS SRV records on both the internal and external DNS Servers.
  I am attaching a screen shot of the Jabber Client that is registered over the internet along with this post for your reference.
  Appreciate if you can share your thoughts on the same.
  Please do let me know if you need any further informaiton.
  Thank you.
  Regards,
  Joseph Chirayath.

  I am testing with an android device, and I had to add a "digest user" on the BOT device in order for this to work. Phone services are now connected.

• Cisco ISE 1.1.3 - Node unreachable

  Cisco ISE 1.1.3 is running in standalone mode, when I made any configuration it show me the notification that "Configuration changes has been recorded  but remain pending" any idea experts what could be wrong here.
  Thanks

  For issues regarding this you need to check the Cisco ISE Operations > Troubleshoot > Diagnostic Tools > General Tools > Evaluate Configuration Validator options. It also validate the several check on the  potential network access device (NAD) configuration issues, including AAA,RADIUS, profiler, and web authentication.

• Cisco ISE 1.2 Patch 6 -- 8 Update failed

  Hi all,
  I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
  Important notice : I though that this error could be an unlucky try but i've tested the update two time.
  Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
  The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
  On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
  The symptoms after this error are :
  - Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
  - The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
  - GUI Unavailable
  - MAB Auth is working
  - Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
  - Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
  The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
  My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
  Thanks for your help.

  This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
  2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
  2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...
  2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.
  2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
  pl/StaticLoggerBinder.class]
  2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
  8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
  2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
  2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
  2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

• Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

  Need help from ISE experts/gurus in this forum.
  Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stopping working completely and a reboot is required (very nice bug from cisco) .  This leaves me no choice but to upgrade to version 1.2.0.899-2-85601. 
  Scenario: 
  - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
  - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
  - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
  - node 3 is Policy service node - hostname is node3
  - node 4 is Policy service node - hostname is node4
  Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
  My understand  is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
  to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
  upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
  Can I patch my exsiting environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
  I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
  I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
  Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
  step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
  Propose solution:
  step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
  step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
            form a new ISE 1.2 cluster independent of the old cluster,
  step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
  step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
  step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
  step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
  step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
  step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
  step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
  Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
  step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  does these steps make sense to you?
  Thanks in advance.

  David,
  A few answers to your questions -
  Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
  https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
  You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli commmand to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at at time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
  Every ISE upgrade that I have attempted as not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
  I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
  I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
  I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
  Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
  Once the restore finished, I then restored the certificate and picked one of the PSNs
  backup the cert,
  Had the AD join user account handy
  reset-db,
  and run the upgrade script.
  Once that is done I then restore the cert
  Join the PSN to the new deployment
  Join both nodes to AD through primary admin node
  Monitor for a few days (seperate consoles to make sure everything runs smooth)
  If anything doesnt look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and the the last admin node.
  Thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• Another kind of error, upgrading Cisco ISE 1.1.4patch3 to 1.2

  I'm failing to upgrade our distributed ISE environment of 3 nodes.
  Using ise-upgradebundle-1.1.x-to-1.2.0.899.i386.gz, MD5 sum is verified.
  All nodes are running 1.1.4 patch 3 and the cluster is in sync.
  Trying to upgrade secondary admin node first and get this error:
  Save the current ADE-OS running configuration? (yes/no) [yes] ?
  Generating configuration...
  Saved the ADE-OS running configuration to startup successfully
  Initiating Application Upgrade...
  % Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
  STEP 1: Stopping ISE application...
  STEP 2: De-registering node from current deployment.
  % Error: De-registering node from current deployment failed.
  Starting application after rollback...
  % Warning: Do the following steps to revert node to its pre-upgrade state.
  -Ensure that node is still present in current deployment from Primary UI, if not present register this node back again.
  error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1

  Upgrading a Distributed Deployment to Cisco ISE, Release 1.2
  http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_011.html
  States that
  Before You Begin
  If  you do not have a secondary Administration node in the deployment,  configure one Policy Service node to be the secondary Administration  node before beginning the upgrade process.
  Upgrade the secondary Administration node  from the CLI.
  The  upgrade process automatically deregisters Node Secondary Admin Node from the deployment  and upgrades it to Release 1.2. Node Secondary Admin Node becomes the primary node of the  new deployment when it restarts. Because each deployment requires at  least one Monitoring node, the upgrade process enables the Monitoring  persona on Node B even if it was not enabled on this node in the old  deployment. If the Policy Service persona was enabled on Node B in the  old deployment, this configuration is retained after upgrading  to t

• Cisco ISE Deployment issue

  Hi dears,
  I deployed the ISE primary and secondary mode. Then I did deregister the secondary ISE at Primary ISE. Now i want to register the same second ISE as secondary mode on Primary ISE. but this error occur:
  Unable to register SecondaryISE. Node is not a Standalone node.
  I connect the secondary ISE and see deployement personas
  Administration: Secondary
  Monitoring: Secondary
  Then  I did promote to primary command after that ISE is log out but the problem is not solve.
  version 1.20.8xx of both ISE's
  How i solve this issue?
  Thanks

  try by promoting the secondary ISE which you  have  de-registered to standlone and try registering it on primary now