Voice SSID using ISE

We would like to set up a voice-only SSID for Cisco 7925 wireless phones. We are running version 1.1 of ISE and 7.0.116 on older LAN controllers.
Obviously we can do things to discourage other users/devices from connecting to this SSID but we would really like to restrict devices to just Cisco wireless phones. There seem to be no checks in ISE for 7925s.
Anyone have any relevant experience and/or suggestions?
Bob

According to the documentation, 7925G phones do support EAP-TLS, so you use certificates to authenticate them:
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/administration/guide/7925cfgu.html#wp1376129
Then on ISE you could use a certificate dictionary to check that the common name starts with "CP-7925" or whatever that IP Phone uses to identify itself.
The following link is a great guide to using certificates with IP Phones and Cisco ACS:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html
Please rate if it helps.
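
The check suggested in the reply above, modelled in Python as an added example (not part of the original thread and not ISE configuration): the rule admits a device to the voice SSID only when it authenticated with EAP-TLS, its certificate chains to a trusted CA, and the CN attribute itself starts with "CP-7925". The SSID name VOICE, the Called-Station-Id layout `<AP MAC>:<SSID>`, the request fields and all sample values are assumptions constructed for illustration.

```python
VOICE_SSID = "VOICE"            # assumed SSID name
PHONE_CN_PREFIX = "CP-7925"     # prefix suggested in the reply above


def parse_dn(dn):
    """Split a subject DN string into (attribute, value) pairs.

    Handles backslash-escaped characters such as an escaped comma inside
    a value; hex escapes and multi-valued RDNs are out of scope here.
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def authorize_voice(req):
    """Return (allowed, reason) for one authentication request."""
    # Assumption: Called-Station-Id arrives as "<AP MAC>:<SSID>".
    ssid = req["called_station_id"].rsplit(":", 1)[-1]
    if ssid != VOICE_SSID:
        return False, "rule does not apply to this SSID"
    if req["eap_method"] != "EAP-TLS":
        return False, "voice SSID requires EAP-TLS"
    if not req["chain_trusted"]:
        return False, "client certificate not issued by a trusted CA"
    cns = [v for a, v in parse_dn(req["subject"]) if a == "CN"]
    if len(cns) != 1:
        return False, "subject must carry exactly one CN"
    if not cns[0].startswith(PHONE_CN_PREFIX):
        return False, "CN does not start with " + PHONE_CN_PREFIX
    return True, "phone certificate accepted"


# Constructed sample requests (not taken from any real deployment).
BASE = {"called_station_id": "00-11-22-33-44-55:VOICE",
        "eap_method": "EAP-TLS", "chain_trusted": True,
        "subject": "CN=CP-7925G-SEP001122334455,O=Example Corp"}
SAMPLES = {
    "phone": BASE,
    "laptop_ou_trick": dict(BASE, subject="CN=laptop01,OU=CP-7925"),
    "self_signed": dict(BASE, chain_trusted=False),
    "peap_client": dict(BASE, eap_method="PEAP"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, authorize_voice(req))
```

The laptop sample carries the string CP-7925 in its OU, so a substring match on the whole subject would admit it; matching the CN attribute does not.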

Similar Messages

  • ISE Multiple SSIDs using CWA

    I am using ISE 1.2.198 primarily to authenticate guest users.
    I have 2 types of guest - day visitors and longer term visitors.
    I am using 2 separate SSIDs on a 5760 controller.
    On the ISE I have authentication conditions to differentiate between the different SSIDs and apply the relevant policy set.
    I am using CWA with wireless MAB for both policy sets.
    Everything is working fine using different portals for each SSID.
    I have Sponsors set up to create accounts, to assign different roles (guest or partner) and to apply different time profiles. That all works and the account details get emailed to the recipient successfully.
    The issue I have is that the sponsored account credentials can be used to authenticate a user on either SSID.
    If the sponsor creates an account and assigns it to the guest role that user can authenticate successfully to both the guest and partner SSIDs with the same credentials. Similarly, if the account is assigned to the partner role, the user can again authenticate to both SSIDs.
    There must be a way to differentiate between different roles within the authorization policies.
    I can't find a way within the Policy Sets to separate the 2 types of users. Adding any conditions to the authorization rules that include the Network Access UseCase equals Guest Flow doesn't seem to have any effect.
    Has anyone managed to do this type of thing successfully?

    Roger,
    If you are using Active Directory as your Identity Source, then that is your issue. As you know, ISE 1.2 is limited in AD Authentications. What I would suggest is to go to Administration > Identity Management > External Identity Sources and set up an LDAP connection to the AD group from which you would like to authenticate. One for each type of guest and choose only the AD Group that Guest type uses:
    Once this is done, create a new Identity Source Sequence for each Guest type:
    Then go to Administration > Web Portal Management > Settings and choose the Guest Portal you want to modify. Click the Authentication tab and choose the Identity Store Sequence you just created for that portal.
    That should fix the issue.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • WPA2 Auth on WLC 5760 using ISE 1.2

    Hello there,
    I am trying to configure WPA2 802.1x authentication on my WLC that should use ISE as the RADIUS server, which is set to authenticate AD users.
    The issue is that when I try to connect to the SSID, it does not forward the authentication request to ISE. Therefore, I don't see any authentication request on ISE coming from the client.
    I am using the following CLI config for the SSID.
    wlan TESTSTAFF 70 TESTSTAFF
     aaa-override
     client vlan Floor_WL
     security dot1x authentication-list WPA-Auth
     session-timeout 1800
     no shutdown
    aaa authentication dot1x WPA-Auth group ISE_Group
    aaa group server radius ISE_Group
     server name ISE
    radius server ISE
     address ipv4 <ise_ip> auth-port 1812 acct-port 1813
     key <key>
    On ISE, I have added the WLC as a network device. CWA authentication is working fine; it is just Layer 2 WPA 802.1x authentication which is not forwarding requests to ISE.
    Can you please suggest?
    Thanks in advance.

    Are your WLC and ISE connected?
    Is your RADIUS shared secret correct, or the same on both sides?
    Please check these: http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    Regards

  • Guest Portal Using ISE with Flexconnect Mode

    Folks,
    I have configured my guest web authentication using ISE with flexconnect mode like this:
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml
    After that was done, I connect to the SSID but cannot log in. I cannot get an IP address, and in ISE I can see that my device has already hit my authorization profile and the status is pending. Can anyone help me with this?

    As Richard says, check to see if you have an IP address. If not, check the AP settings for FlexConnect. Is the mode on the AP set right? Please confirm that you are using FC local switching and not centralised switching?
    Is the VLAN tagging enabled on the AP, and/or the VLANs on the AP switchport set right?

  • LWA with MAB using ISE

    I am trying to set up a wireless solution using a 4400 series controller and ISE to present a web auth page for users to log in and register their device. I also want them to have to accept the AUP. After the device is registered I don't want them to have to see the web auth page again using Mac Filtering. Which I believe will work based off some research I have done. The real question I have is if I can force users to periodically reauth that device or reaccept the AUP? I don't want to actually have to manually disable the accounts or delete the device out of the database to force them to verify the device and account again.
    Really what I am trying to get is the experience you see at a hotel. Where you are given a username and password and regardless of whether you restart your computer or leave for the day you are valid for the set time frame they give you. After that you have to reauthenticate your device.
    Any ideas if this is supported or how to do this?

    So I am killing the need to re-accept the AUP page. But I am having issues with the LWA and the return radius COA coming back to the controllers. I can see in ISE that the device is being authenticated via MAB but I am still getting sent to the splash page regardless. I tried to change the Radius state to Radius NAC on the controller but it won't let me apply that setting to an open SSID. It works on the 7.2 controllers just not on the 7.0 controller. Any ideas of how to get LWA with MAB to work using ISE as the external web auth page and for the controller to accept the COA from ISE?
    Sent from Cisco Technical Support iPad App

  • iPhone 4 voice dial used to work great, but now I can't get it to recognize voice commands. When I give it a command to call someone, it ends up repeating someone else's name and starts the call. Does anyone know how to solve this problem?

    I have an iPhone 4 with 32g. The voice dial used to work just fine, but now it doesn't recognize the words and ends up saying someone else's name and starts calling the wrong person. It even won't recognize a number when spoken to it and speaks back and calls the wrong numbers.
    Lately, the phone has really slowed down. I am not sure if this is the problem. I have closed all the open apps and deleted any extra pictures off the card and extra songs that I have downloaded and the slow problem still exists.
    Would a reset work to restore the phone to factory settings and if I then resync the phone, would all contacts pictures and songs be restored?
    Ron
    Oklahoma

    What is wrong with your Mac? You still haven't told us what the problem is. Is the computer still under warranty or Apple Care?
    the next time i attempted to use the computer it wasn't fine
    What do you mean by "wasn't fine"? We can't see your computer so you'll have to describe what you're experiencing in detail without the editorializing.
    Download and run Etrecheck. Copy and paste the results into your reply. It's a diagnostic tool that was developed by one of the most respected users here in the ASC to help identify the more obvious culprits.

  • Deleted voice memos using Syncios. Now Voice Memos won't open and iPhone won't sync.

    I deleted all voice memos from the iPhone using Syncios, and now I'm having the following issues:
    1) Voice Memos app is broken on iPhone. It opens and then immediately closes.
    2) Can't sync via iTunes! Get the following error message:
    The iPhone "[iPhone Name]" could not be synced because the sync session failed to start.
    3) Syncios is not recognizing the device even when connected. Error message:
    Device disconnected, please reconnect the device.
    It looks like deleting the voice memos using Syncios did something else to the phone to break it.
    Please help ASAP.

    Same problem here. I contacted Syncios and they opened a bug report, but it seems that they don't have any workaround for the moment :-/
    In my case, I also discovered that my iCloud backup was corrupted when restoring my iPhone 6 in order to "fix" all these problems (had to wipe my phone to use it again...)... So it's possible that this Syncios bug also damages iCloud/iTunes backups, which would be very embarrassing for them.

  • Google Voice APP and Google Voice will use cell phone minutes.

    My Verizon contract has 1400 minutes shared with 3 cell phones. I noticed that my cell number was using minutes from the calling plan. I normally call the other two cell phones, and my home number (which is on my friends of family calling list). My original intention was to be able to hide behind Google Voice and not allow my cell phone number to be broadcast. Google Voice would use whatever phone number was available on their server, make the call, then connect with my cell phone to complete the connection. I didn't notice that my minutes were being used until after someone else reported that they had exceeded their plan minutes after switching their cell phone to use their Google Voice number for outgoing calls.
    I called Verizon concerning this issue, and their only response was to contact the third party.
    I have now, and informed my friends, to only use their number and change the Google Voice APP, Making Calls setting to "Do not use Google Voice to make any calls".
    Just thought others would like to know.

    As an example of the comparison: http://searchunifiedcommunications.techtarget.com/feature/Skype-vs-Google-Voice-Feature-by-feature-s...

  • How to use ISE Guest Portal for AD users

    Hi there,
    As the subject explains all, I want to use ISE Guest Portal for my domain users. I have tried many different ways to authenticate users and finally I came to the conclusion that ISE CWA works pretty well and is very stable. WLC Webauth sucks a lot, does not redirect to the login page always.
    Can you please share what other ways are stable ways to authenticate AD users? I know about WPA 802.1x authentication but that requires a CA in the network which is not available at the moment. So can you please suggest?
    Otherwise, I want to use ISE Guest Portal for my AD users as well. AD is already integrated to ISE, the issue happens when I attempt to authenticate using an AD user account, the user gets authenticated but the Guest Portal redirects me to the Device Provisioning page and there it shows an error saying "there is not policy to register the device, contact system admin"
    Am I missing something??
    I am running WLC 5760 with ISE 1.2
    Thanks in advance..

    Hi,
    Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
    In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to be redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

    Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
    -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
    -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
    -No certificates are used.
    -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
    -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
    -For now I'm testing it on wired endpoints.
    Is there a way to configure ISE to fulfill the listed above requirements?
    Any ideas would be appreciated.
    Thanks,
    Val Rodionov

    Everyone who finds and reads this article,
    I'm answering my own question "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
    The answer is Yes.
    After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
    ISE configuration:
    Posture General Settings - Default Posture Status = NonCompliant
    Client Provisioning Policy - no rules defined
    Posture Policy - configured per requirements
    Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
    Authorization Policies configured as regular posture policies
    The result:
    After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
    If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
    The only part that is not perfect is the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open a TAC case, so this file can be manually found and edited from CLI (root access).
    Best,
    Val Rodionov

  • Guest Anchor with web auth using ISE guest portal

    Hello All,
    Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
    I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how-to guides to build the parts I am not strong on, so if anyone has actually completed this setup, I'd love to go through it with you.
    Massive thanks to anyone that can assist.
    JS.

    Thanks for the reply RikJonAtk.
    So to start with, based on the TrustSec documents, on the guest WLAN on the anchor I need to configure MAC filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that MAC filtering and RADIUS NAC cannot be enabled at the same time.
    Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again. So I initially thought it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
    Thanks in advance,
    JS

  • Cut-Through Proxy / Authentication Proxy on Cisco ASA using ISE as AAA Server for allocating SGTs

    Hi,
    We are trying to set up ASA to do cut-through authentication proxy, and use ISE as RADIUS. We can successfully authenticate the user from RADIUS on the ASA while he opens a web page, but then it displays the error: authorization denied.
    What we want:
    ISE to allocate a security group tag to the user session when he logs in; that tag would be carried within our Cisco network infrastructure to define the access policy for that user.
    Can someone please help me with a sort of step-by-step thing for ISE configuration to allocate SGTs/SGACL for the user session after authentication is completed?
    Thanks
    Lovleen

    Please refer to below step by step config guide for security group access policies
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sga_pol.html

  • Can I use ISE IPN without posture for VPN with Base license only?

    I'm looking at ISE licensing, and both Base and Advanced licenses have VPN listed. I could not find any document that provides guideline for VPN implementation using ISE Base license only.
    1. Can I use ISE IPN (Inline Posture Node) functionality without posture assessment with ISE Base license only? (I know it has to be ISE hardware appliance, and I know that Posture assessment requires ISE Advanced license.)
    2. Do I have to use IPN for VPN deployment using ISE as the Radius server?
    3. If I do not have to use IPN for VPN, can I use ISE for Authentication and Authorization in the same way as I use ACS?
    Thanks,
    Val Rodionov

    Val,
    There is no need to consider IPN if you are not using posturing. You can use ISE much like ACS for radius authentication for vpn users.
    If posturing is down the road and your hope is to have an architecture in place and license later, then I am sure that you can use the IPN with base licensing, however I would strongly recommend working with the PDI (for partners) for help and confirmation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Radius server web authentication using ISE

    Hi,
    Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
    I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller, therefore I don't think I can implement central web auth on ISE as detailed in the user guide, as it's layer 2 and auth requests come from the foreign controller.
    The following link explains "Radius Server Web Authentication" using ACS. I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
    Thanks,

    Hi,
    Please check these:
    Central Web Authentication on the WLC and ISE Configuration Example
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
    Regards
    Don't forget to rate helpful posts

  • Which command in the Cisco AP1200 series will you use to broadcast the SSID using VLANs?

    Folks,
    Which command in the Cisco AP1200 series will you use to broadcast the SSID using VLANs?
    Thanks

    If you have enabled mbssid, "guest-mode" would be replaced by "mbssid guest-mode"; this would also allow multiple SSIDs to be broadcast.
    -Tim
    Sent from Cisco Technical Support iPad App
