VMware behaviour with ISE

When you have a PC with an operating system (e.g. WIN7) and on this WIN7 a VMware machine (e.g. XP), this PC connects to a switch port with 802.1X.
From ISE I defined a policy to profile VM-XP as a VMware station and denied this group access to the network.
When the PC connects to the switch it is authenticated and the NAC agent does posture assessment, then it accesses the network. The VMware-XP is denied by ISE policy, but it still accesses the network through VM-XP. When I did some troubleshooting I found that the VM-XP address is the PC-WIN7 address, so it is allowed access; in the ISE monitor the VM-XP address is denied and PC-WIN7 is permitted.

I figured it out now. The CSV is working fine with a standard button. However what I have is a hyperlink. The button is composed of 3 gif files (like in HTMLDB). The problem I had was that href="javascript:doSubmit('CSV');redirect('f?p=&APP_ID.:32:#APP_SESSION#::::')" was not working. It seemed that somehow the "post" is not fast enough. Page 32 is using 2 field values from page 28, but it kept using the previously entered values.
I got around the problem by changing it to href="javascript:doSubmit('CSV')", setting up a branch and setting the branch point to BEFORE PROCESSING. If you specify after processing, you will never see the popup window asking you if you want to open the CSV file or save it to disk.

Similar Messages

  • URL is not change after successful authenticate with ISE 1.1.1

    Hi,
    I have setup Cisco Identity Service Engine (1.1.1) with Wireless LAN Controller (7.2.110)
    Everything is complete except the URL redirect. My guest client can join the Guest SSID and can also authenticate to ISE.
    But after they successfully authenticate with ISE, the URL in the browser doesn't change to the preconfigured one. It still shows something like https://ise-ip:8443/guestportal/redir.html . Anyway, the content in the browser does change to the URL that is configured, such as http://www.google.com/
    What can I do in this situation? Everything is working fine; only the browser URL does not change to the preconfigured one.
    Thanks,
    Pongsatorn

    Hi,
    This is the user experience when using central web authentication:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
    Here is the process when you use local web authentication:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_guest_pol.html#wp1295223
    Hope this helps,
    Tarik Admani
    *Please rate helpful posts*

  • Limit the number of session per user in the Wired dot1x environment with ISE 1.2

    Hello,
    I need to check if there is any configuration/workaround to limit the number of sessions/access per user in the Wired dot1x configuration.
    I need to check if this feature is available or not to solve the following scenario:
    I have 2 SW ports configured to use dot1x authentication with ISE 1.2 server.
    If user A connects to the 1st port and is authenticated then he will be placed on a VLAN based on the authorization profile.
    The case, that I need to deny the same user to connect on a different machine with the same credentials.
    The ISE itself does not have this feature currently,  the only feature available is to limit the number of sessions for the guest user.
    Is there any workaround on the Cisco switches to solve this? Cisco WLC has this feature and for the VPN we can limit the number of sessions also from the ASA itself.
    Thanks.

    limit number of session per user using wired dot1x is not available in 1.3

  • SNMP integration with ISE 1.2

    Hi Guys,
    Did anyone have a hard time integrating ISE 1.2 with an SNMP server for polling system parameters? I'm trying to add ISE 1.2.1 to a SolarWinds SNMP server, but when adding the required parameters like IP address and community string and doing an SNMP test connection it returns a failure message. SNMP configuration on ISE is quite simple. Only two commands are needed, which are the SNMP server IP and community string values. Searching on the web, I saw a bug CSCun42967 that documents SNMP problems with ISE 1.2. Could that be the problem? Or are there any limitations for this integration?
    Thanks,
    Mohammad

    Here is the helpful link :
    https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.pdf

  • Strange behaviour with Safari.

    Very strange behaviour with Safari this morning.   Pages loading piecemeal or partially.   The content only becomes viewable after the cursor has passed over the area.   Have cleared caches and reported it but I'm wondering if this is a local matter here in the UK.   Anyone suffering similar problems?    Firefox is responding perfectly normally.

    I see a reply has come back via a previous post.   As I am trying to get a response to this one I shan't reply there but I should point out that for me, this is an isolated problem.   I do use open DNS but with no track history of problems there , I can't blame that.
    In the last few minutes normality has returned.

  • Bug in cursor behaviour with duplicates

    Dear Oracle guys and girls,
    first of all: it sucks that i HAVE to provide business information (company name, address, even phone number) even if i just want to participate in this forum for private reasons. I even have to "unsubscribe" to the newsletters although i never subscribed. Then i have to re-enter my timezone information and email address for the forum, because the settings in my profile are ignored. I think there's some room for improvement in this registration process.
    OK - back to topic. i think i found a bug in the cursor behaviour with duplicate keys. But the behaviour is very consistent, so maybe it's not a bug, but a bad design. (I call it bad because it's totally unexpected and not logical to me).
    I insert some dupes with DB_KEYFIRST; then i create a cursor and iterate over all items in the reverse order (!) with DB_PREV (i also tried DB_PREV|DB_NEXT_DUPE) - no keys are shown.
    Alternatively:
    I insert some dupes with DB_KEYLAST; then i create a cursor and iterate over all items in the reverse order (!) with DB_NEXT (i also tried DB_NEXT|DB_NEXT_DUPE) - no keys are shown.
    cursor->c_get returns the error code -30989 (DB_NOTFOUND).
    Why is it not possible to traverse duplicates in the reverse order? To me it looks like a bug.
    I tested against db 4.5.20.
    Regards
    Chris
    PS: I would love to hear if the bug i reported here: http://groups.google.com/group/comp.databases.berkeley-db/browse_thread/thread/ed471cf6837cb2a6/dd9cda0ad105f401#dd9cda0ad105f401
    will be fixed in the next version.
    Here's a test program:
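    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <db.h>

    #define LOOPS 10   /* not given in the post; value assumed */

    /* error() was not included in the post; minimal stand-in */
    static void
    error(const char *what, int st)
    {
        fprintf(stderr, "%s: %s\n", what, db_strerror(st));
        exit(1);
    }

    int
    main(int argc, char **argv)
    {
        unsigned i;
        int st;
        DB *db;
        DBT key, record;
        DBC *cursor, *cursor2;

        unlink("test.bdb");
        st=db_create(&db, 0, 0);
        if (st)
            error("db_create", st);
        /* allow duplicate records under one key */
        st=db->set_flags(db, DB_DUP);
        if (st)
            error("db->set_flags", st);
        st=db->open(db, 0, "test.bdb", 0, DB_BTREE, DB_CREATE, 0);
        if (st)
            error("db->open", st);
        memset(&key, 0, sizeof(key));
        memset(&record, 0, sizeof(record));
        st=db->cursor(db, 0, &cursor, 0);
        if (st)
            error("db->cursor", st);
        st=db->cursor(db, 0, &cursor2, 0);
        if (st)
            error("db->cursor", st);
        /* insert LOOPS duplicates under the same (empty) key */
        for (i=0; i<LOOPS; i++) {
            record.data=&i;
            record.size=sizeof(i);
            st=cursor->c_put(cursor, &key, &record, DB_KEYFIRST);
            st=cursor->c_put(cursor, &key, &record, DB_KEYLAST);
            if (st)
                error("cursor->c_put", st);
        }
        /* as posted: cursor2's c_get is called with the handle `cursor`,
           which is already positioned by the c_put calls above */
        while (!(st=cursor2->c_get(cursor, &key, &record, DB_NEXT))) {
            printf("%d\n", *(int *)record.data);
        }
        st=cursor->c_close(cursor);
        if (st)
            error("cursor->c_close", st);
        st=db->close(db, 0);
        if (st)
            error("db->close", st);
        return (0);
    }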

    st=cursor->c_put(cursor, &key, &record, DB_KEYFIRST);
    st=cursor->c_put(cursor, &key, &record, DB_KEYLAST);
    if (st)
    error("cursor->c_put", st);
    please delete the first line, it was a cut and paste error. as i said earlier: insert with KEYLAST, query with NEXT.

  • IPhoto behaviour with Albums

    Can anyone explain or point me in the direction of the reasoning behind iPhoto's behaviour with Albums and Smart Albums in 2 situations?
    The first is when using Airpics App and Server, the second when viewing a shared library.
    My setup is: my iPhoto main DB is on a headless Mini. I also have a MBP on the same wireless network that views and controls the Mini.
    In situation 1, when my iPad views my Mini's library via the Airpics apps, it says it only views Albums and Smart Albums, not Events, but I can see an item that is an event. It consequently is the last full import I do, so is the last import considered an album or smart album?
    In 2, when I view my Mini iPhoto DB on my MBP via sharing, lots of Albums and Smart Albums come up from the past that I have deleted. Where is it getting this info from? Is it old stuff from the Mini's DB coming through? Or are these current or old stuff from my MBP somehow? When I open the Mini's DB on my MBP using Alt-Open and selecting the DB directly instead of over sharing, these Albums / Smart Albums don't exist. I only see what I expect to see, the current setup.

    thank you again Terence.
    You seem a bit of an iPhoto Guru, Terence, and I don't know how else to contact you, and I know it's not right to change a thread half way through, but do you have any knowledge on the best way to handle this situation:
    I have my iPhoto on my headless Mini, controlled by MBP remotely and within the same Wi-Fi network when home. iPhoto over both is unusably slow. How could I combat this? I'm told not to use the Mini Library via MBP selected via ALT when opening, as if WiFi drops out it can corrupt. If I use the Sharing from the iPhoto.Mini to MBP, iPhoto.Mini must be open, therefore iPhoto.Mini on Sharing on MBP can't be edited, only viewed. The one utility that helps is the iPhoto Manager, but all that essentially does is copy from one to another over WiFi, so I don't see the difference in that app doing it or me manually doing it; TBH I'd rather manually do it.
    And I need to store the iPhoto main DB at home as iTunes and my iPad use it while I'm not there, and it's now too big to carry around on a 5 year old MBP.
    I, like a lot of others, seem lost on how to effectively manage and use iPhoto.

  • CWA with ISE and 5760

    Hi,
    we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
    I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
    aaa authentication login Webauth_ISE group ISE
    aaa authorization network cwa_macfilter group ISE
    aaa authorization network Webauth_ISE group ISE
    aaa accounting network ISE start-stop group ISE
    aaa server radius dynamic-author
     client 10.232.127.13 server-key 0 blabla
     auth-type any
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 31 send nas-port-detail mac-only
    wlan test4guests 18 test4guests
     aaa-override
     accounting-list ISE
     client vlan 1605
     no exclusionlist
     mac-filtering cwa_macfilter
     mobility anchor
     nac
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security dot1x authentication-list Webauth_ISE
     no shutdown
    wc5# debug aaa coa
    Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
    Feb 27 12:19:08.444: RADIUS:  authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
    Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
    Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
    Feb 27 12:19:08.444: RADIUS:  Event-Timestamp     [55]  6   1393503547
    Feb 27 12:19:08.444: RADIUS:  Message-Authenticato[80]  18
    Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  41
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  43
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37  "subscriber:reauthenticate-type=last"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  49
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
    Feb 27 12:19:08.444: COA: Message Authenticator decode passed
    Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444:
    Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
    Feb 27 12:19:08.444:
    wc5#

    Reason for this are two bugs which prevent this from working:
    https://tools.cisco.com/bugsearch/bug/CSCul83594
    https://tools.cisco.com/bugsearch/bug/CSCun38344
    This is embarrassing because this is a really common scenario. QA anyone?
    So, with ISE and 5760 CWA is not working at this time. 
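
The `debug aaa coa` output in the question above can be triaged mechanically. The following Python parser is an added example, not part of the original thread: it groups the debug lines per CoA request, extracts the audit-session-id and any error-cause, and flags requests whose source is not the configured dynamic-author client. The first exchange is excerpted from the post; exchanges 2 and 3, the address 192.0.2.50 and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Exchange 1 is excerpted from the debug output in the post. Exchanges 2 and 3
# (their session ids and the 192.0.2.50 source) are constructed for this example.
SAMPLE = """\
Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
Feb 27 12:19:08.444: COA: Message Authenticator decode passed
Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
Feb 27 12:21:40.102: COA: 10.232.127.13 request queued
Feb 27 12:21:40.102: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
Feb 27 12:21:40.102: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2eb4000003c7"
Feb 27 12:21:40.102: COA: Message Authenticator decode passed
Feb 27 12:21:40.102:  ++++++ Received CoA response Attribute List ++++++
Feb 27 12:25:13.870: COA: 192.0.2.50 request queued
Feb 27 12:25:13.870: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2f89000003c8"
Feb 27 12:25:13.870: COA: Message Authenticator decode passed
Feb 27 12:25:13.870:  ++++++ Received CoA response Attribute List ++++++
"""

QUEUED = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:.]+): COA: (?P<src>\d+\.\d+\.\d+\.\d+) request queued")
AVPAIR = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"(?P<k>[^="]+)=(?P<v>[^"]*)"')
CLID = re.compile(r'Calling-Station-Id\s+\[31\]\s+\d+\s+"(?P<mac>[0-9A-Fa-f.:-]+)"')
ERROR = re.compile(r"error-cause\(\d+\) \d+ (?P<cause>.+)$")


@dataclass
class CoaExchange:
    timestamp: str
    source: str                      # IP of the CoA client (here: the ISE node)
    mac: str = ""
    avpairs: dict = field(default_factory=dict)
    authenticator_ok: bool = False
    error_cause: str = ""            # empty: the response carried no error-cause


def parse_coa_debug(text):
    """Split the debug stream into one CoaExchange per 'request queued' line."""
    exchanges, cur = [], None
    for line in text.splitlines():
        m = QUEUED.search(line)
        if m:
            cur = CoaExchange(m["ts"], m["src"])
            exchanges.append(cur)
        elif cur is None:
            continue                 # output before the first request is ignored
        elif (m := AVPAIR.search(line)):
            cur.avpairs[m["k"]] = m["v"]
        elif (m := CLID.search(line)):
            cur.mac = m["mac"]
        elif "Message Authenticator decode passed" in line:
            cur.authenticator_ok = True
        elif (m := ERROR.search(line)):
            cur.error_cause = m["cause"].strip()
    return exchanges


def triage(exchanges, allowed_clients):
    """Return (timestamp, audit-session-id, finding) tuples worth a closer look."""
    findings = []
    for ex in exchanges:
        sid = ex.avpairs.get("audit-session-id", "?")
        if ex.source not in allowed_clients:
            findings.append((ex.timestamp, sid, f"CoA from unlisted client {ex.source}"))
        if not ex.authenticator_ok:
            findings.append((ex.timestamp, sid, "no Message Authenticator decode line"))
        if ex.error_cause:
            findings.append((ex.timestamp, sid, f"CoA rejected: {ex.error_cause}"))
    return findings


if __name__ == "__main__":
    # 10.232.127.13 is the dynamic-author client from the posted configuration.
    for finding in triage(parse_coa_debug(SAMPLE), {"10.232.127.13"}):
        print(*finding, sep=" | ")
```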

  • Unsupported Browser on iPhone / iPad with ISE 1.3

    I'm playing around with ISE 1.3 and the self provisioning flow.  I'm able to provision a Windows client, but an iPhone or iPad with IOS 7.1.2 gives me an "unsupported browser" error when I try to sign on.  I have an IOS client provisioning profile set up.  Is IOS 7 no longer supported with ISE 1.3?
    Thanks!

    After issuing the command:
    config network web-auth captive-bypass enable
    The iOS devices can on board. The registration page does not pop up now. It requires you to open a web browser and it appears that chrome for IOS will not work as it still gives an unsupported error but if you open in safari, which I never use, it does work. 

  • Cannot Open the URL of CWA with ISE

    Hi Folks,
    I have a problem when doing the CWA with ISE so that I can Provide the access of the network for the guests.
    Everything goes fine except the URL of the CWA: When the guests open the explorer and enter a domain after connecting the SSID, they will be redirected to the URL like "https://hostname.demo.com:8443/guestportal/..................." which starts with the hostname of the ISE and the domain-name of the ISE, but for us, we don't have any AD and LAN DNS for our network so that we cannot translate the hostname.demo.com into the IP of the ISE, so can I just change the URL into IP type like "https://10.10.10.70:8443/guestportal"?

    Screenshot of a screenshot (sorry) attached.
    Basically it's in authorization policy, allows you to use a static DNS or IP address

  • Does Cisco ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 support command accounting like ACS

    Hi
    Can anybody update whether ISE-3315-K9 with ISE version: Service Engine: 1.0.4.573 supports command-level accounting?
    Basically, we have integrated Cisco switches with Cisco ISE for device authentication using RADIUS; we are able to get the authentication logs on to the devices, but for any command changes or updates done on Cisco devices we are not able to get the command accounting.
    has succeed in  command level accounting on  Cisco ISE ..
    Please update
    Cisco ISE doesn't have TACACS feature ...

    Command Accounting is a TACACS+ feature so not for ISE....yet.
    However, you can do the following to send commands to syslog and not including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log. increase or decrease as you have memory.  The notify syslog is what sends it via syslog.
    conf t
    archive
    log config
    logging enable
    logging size 200
    hidekeys
    notify syslog
    end
    wr mem
    Remember, syslog is clear text  :-)  log away from user traffic when possible.  Or use TLS based syslog when possible.
    I hope you find this answer useful, if it was satisfactory  for you, please mark the question as Answered.
    Please rate post you consider useful.
    -James
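
One way to turn the syslog output of the `archive` / `notify syslog` configuration above into per-user command records, and to spot devices where `hidekeys` is not in effect, written in Python as an added example (not from the original post). The log lines are constructed; the collector prefix layout, the `%PARSER-5-CFGLOG_LOGGEDCMD` message layout and the assumption that `hidekeys` shows masked values as asterisks are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed syslog lines as a collector might store them. The leading
# "<receive time> <device>" prefix is an assumption about the collector; the
# %PARSER-5-CFGLOG_LOGGEDCMD part is the message the logged commands arrive in.
SAMPLE = """\
Mar  3 09:14:02 10.1.1.2 45: Mar  3 09:14:01.120: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:interface GigabitEthernet1/0/5
Mar  3 09:14:09 10.1.1.2 46: Mar  3 09:14:08.431: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:switchport access vlan 20
Mar  3 09:15:30 10.1.1.2 47: Mar  3 09:15:29.002: %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.1.9.9)
Mar  3 10:02:11 10.1.1.3 12: Mar  3 10:02:10.877: %PARSER-5-CFGLOG_LOGGEDCMD: User:asmith  logged command:enable secret *****
Mar  3 10:05:47 10.1.1.4 88: Mar  3 10:05:46.310: %PARSER-5-CFGLOG_LOGGEDCMD: User:asmith  logged command:enable secret Example-Not-Real
"""

LOGGED = re.compile(
    r"^(?P<recv>\w{3}\s+\d+ [\d:]+) (?P<device>\S+) .*"
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
# Keyword, optional one-digit encryption type, then the value itself.
SECRET = re.compile(r"\b(?:password|secret|community)\s+(?:\d\s+)?(?P<val>\S+)", re.I)


def parse_commands(text):
    """Keep only logged-command messages; other syslog messages are skipped."""
    records = []
    for line in text.splitlines():
        m = LOGGED.match(line)
        if m:
            records.append(m.groupdict())
    return records


def per_user(records):
    """Group commands by the user that entered them, in arrival order."""
    out = defaultdict(list)
    for r in records:
        out[r["user"]].append((r["recv"], r["device"], r["cmd"]))
    return dict(out)


def unmasked_secrets(records):
    """Commands whose secret value crossed the wire unmasked (hidekeys absent).

    Assumes a masked value appears as a run of asterisks. The value is
    redacted in the returned finding so the report does not repeat the leak.
    """
    hits = []
    for r in records:
        m = SECRET.search(r["cmd"])
        if m and set(m["val"]) != {"*"}:
            hits.append((r["device"], r["user"], r["cmd"].replace(m["val"], "<redacted>")))
    return hits


if __name__ == "__main__":
    recs = parse_commands(SAMPLE)
    for user, cmds in per_user(recs).items():
        print(user, len(cmds), "commands")
    for device, user, cmd in unmasked_secrets(recs):
        print("cleartext secret in syslog:", device, user, cmd)
```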

  • Apple macosx machine authentication with ISE using EAP-TLS

    Hello,
    On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
    With windows machines all is working well. We are using computer authentication only.
    Now the problem is that we wish to do the same with MAC OSX machines.
    We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
    in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
    When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
    The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
    Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
    Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
    Thanks
    Gustavo Novais

    Additional information from the above question.
    I have the following setup;
    ACS 3.2(3) built 11 appliance
    -Cisco AP1200 wireless access point
    -Novell NDS to be used as an external database
    -Windows 2003 enterprise with standalone Certificate Authority Services Installed
    -Windows XP SP2 Client
    My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
    Tried to connect using the Cisco-compatible WLAN utility and authenticate using EAP-GTC against Novell NDS for users; it works fine and perfectly.
    When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
    Please help...
    Thanks

  • Flexconnect with ISE Issue

    Hi Everyone,
    I have an issue trying to deploy FlexConnect in a WLC integrated with ISE.
    In the scenario, the users are working properly through the wireless network and they are able to authenticate, the NAC agent is invoked and everyone can get authorization access to the network using Radius NAC as NAC State. But when we tick the feature "FlexConnect Local Switching" and change, the users cannot get an IP address from DHCP and the client status in the WLC shows POSTURE_REQD.
    We can see this in ISE that the user is able to authenticate but never get authorization and the NAC state is not showing in the PC.
    Any idea about this issue?? This is maybe any limitation or configuration error?
    Regards

    There are some documents for this type of deployment:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080c090eb.shtml
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml#anc13

  • LWA Guest Access with ISE and WLC

    Hi guys,
    Our company is trying to implement Guest Access with ISE and WLC with the Local Web Auth method. But there is a problem that comes up with the certificate. This is the scenario:
    1. Guests try to connect wifi with SSID Guest
    2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
    3. Because guests didn't log in, they are redirected to the "ISE Guest Login Page"; the URL became:
    https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
    4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
    5. After that the Guest Login Page will appear, and guests input their username and password.
    6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
    The problem happens in scenario 6: after login success, the webpage with the ISE IP address and a certificate error message for 1.1.1.1 appears.
    I know it happens when guests don't have the WLC Login Page Certificate...
    My question is, is there a way to tunnel the WLC Certificate on ISE? Or what can we do to make ISE validate the WLC Certificate, so guests don't need to install the WLC Certificate / Root Certificate before connecting to Wifi?
    Thx 4 your answer and sorry for my bad English....

    Thx for your reply Peter, your solution is right,
    i don't choose CWA, because their DNS is not stable...
    i've found the problem...
    the third-party CA is revoked, so there is no way it will success until it fixed...
    and there is no guarantee, they will fix it soon..
    so solution that we choose is by disable "HTTPS" on WLC...
    "config network web-auth secureweb disable".
    thank you all...

  • Strange repaint behaviour with JList & Keyboard actions

    Hi everyone,
    This is my first post to the forum. You guys have been a great help in the past and I hope to contribute more in the future.
    Anyways, I've encountered some strange repainting behaviour with a JDialog that uses a JList and a JButton. The dialog is fairly straight-forward and basically this is how it works (like an open file dialog - yes I'm implementing my own filechooser of sorts):
    * JList lists a number of simple items that the user can select from.
    * Once a selection is made, an Open button (JButton) is enabled.
    * <ENTER> key is registered (using registerKeyboardAction()) with a JPanel which is used as the main content pane in the dialog.
    * The user can either click on the Open Button or hit the <ENTER> key which then closes the dialog and runs whatever logic that needs to.
    Now, the repaint problem comes in when:
    1. User selects an item.
    2. User hits the <ENTER> button
    3. Dialog closes
    4. User brings the dialog back up. This entails reloading the list by removing all elements from the list and adding new ones back in.
    5. Now... if the user uses the mouse to select an item lower in the list than what was done in step #1, the selection is made, but the JList doesn't repaint to show that the new selection was made.
    I didn't include a code sample because the dialog setup is totally straight-forward and I'm not doing anything tricky (I've been doing this kind of thing for years now).
    If I remove the key registration for the <ENTER> key from the dialog, this problem NEVER happens. Has anyone seen anything like this? It's a minor problem since my workaround is to use a ListSelectionListener which manually calls repaint() on the JList inside the valueChanged() method.
    Just curious,
    Huy

    Oh, my bad. I'm actually using a JToggleButton and not a JButton, so the getRootPane().setDefaultButton() doesn't apply because it only takes JButton as an input param. I wonder why it wasn't implemented to take AbstractButton. hmmm.
