ISE 1.2 and iPEP certificate requirements

Hello

For ISE version 1.1.x, there are a few constraints on the certificates used for the iPEP and Admin nodes:

Both EKU attributes must be disabled if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes must be enabled if the server attribute is enabled in the Inline Posture certificate.

EKU validation has been removed in version 1.2.

"If you configure ISE for services like Inline Policy Enforcement Point (iPEP), the template used to generate the ISE server identity certificate must contain the client and server authentication attributes if you use ISE Version 1.1.x or earlier. This allows the admin and inline nodes to mutually authenticate each other. The validation of the EKU for iPEP was removed in ISE Version 1.2, which makes this requirement less relevant."

Source:

http://www.Cisco.com/en/us/products/ps11640/products_tech_note09186a0080bff108.shtml
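As an added example (not code from the Cisco note or from this post), the following Python decodes the DER value of an X.509 extendedKeyUsage extension without third-party libraries and applies the ISE 1.1.x matching rule quoted above. The DER byte strings are constructed here, the function names are mine, and the rule is read as: the Admin certificate must have no EKU when the Inline Posture certificate has none, and both certificates must carry serverAuth and clientAuth when the Inline Posture certificate carries serverAuth; a clientAuth-only Inline Posture certificate matches neither branch, which is an assumption, not something the post states.

```python
"""Decode an X.509 extendedKeyUsage value and check the ISE 1.1.x iPEP/Admin rule.

Added example; the DER bytes below are constructed, not taken from a real certificate.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40]  # first octet packs the first two arcs
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)  # base-128, high bit set on continuation octets
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> set:
    """Return the set of dotted OIDs in an ExtendedKeyUsage SEQUENCE OF OID."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = set(), 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtendedKeyUsage may only contain OIDs")
        oids.add(decode_oid(content))
    return oids


def ise11_eku_compatible(admin_eku: set, ipep_eku: set) -> bool:
    """ISE 1.1.x rule from the post: no EKU on the Inline Posture cert requires no EKU
    on the Admin cert; serverAuth on the Inline Posture cert requires serverAuth AND
    clientAuth on both certs so the nodes can mutually authenticate."""
    if not ipep_eku:
        return not admin_eku
    if SERVER_AUTH in ipep_eku:
        both = {SERVER_AUTH, CLIENT_AUTH}
        return both <= admin_eku and both <= ipep_eku
    return False  # clientAuth-only iPEP cert: covered by neither branch (assumption)


# Constructed DER values, not from any real certificate:
#   SEQUENCE { OID serverAuth, OID clientAuth }  -- what the 1.1.x template needs
EKU_SERVER_AND_CLIENT = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
#   SEQUENCE { OID serverAuth }  -- a typical web-server template, insufficient here
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")

if __name__ == "__main__":
    good = decode_eku(EKU_SERVER_AND_CLIENT)
    weak = decode_eku(EKU_SERVER_ONLY)
    print(sorted(good), ise11_eku_compatible(good, good))  # True
    print(sorted(weak), ise11_eku_compatible(weak, weak))  # False
```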

Tags: Cisco Security

Similar Questions

  • ISE 1.3 and NAC

    I have a client that runs 5508 WLCs across the area, and I'm doing IEEE 802.1X authentication for the enterprise WLAN and WebAuth for the guest WLAN... they use PSK now :(

    They have AD and a strong interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for guests... It's all standard stuff, but it gives the background.

    Now we come to the interesting bit... they want to run BYOD. They are involved in the financial markets, so BYOD must be tightly controlled. They are asking about ISE coupled with NAC, but I am not convinced that I need NAC since the arrival of ISE 1.3. Of course, I will look at three (min) SSIDs, corporate, guest and BYOD, just logically distinct. I have no doubt that ISE 1.2 can handle corporate and guest, but BYOD must have full profiling and remediation or device prohibition before access to the network.

    Does anyone have comments or suggestions? Is ISE 1.3 enough NAC-like that I don't need more, or if not, what additional benefits does NAC offer beyond what ISE can support?

    Thanks for your advice/comments/experiences

    Jim

    Hi Jim,

    Version 1.3 offers an integrated PKI and a significantly improved guest services experience. The internal PKI is nice if the customer does not have a PKI solution in place. Don't forget however that the ISE internal PKI can only issue certificates to BYOD devices that have onboarded through the ISE BYOD "flow"; you cannot use the ISE PKI to issue certificates to computers in the domain.

    With regard to NAC: you need to specify exactly what is needed here. If you want to do "posture assessment", ISE can do that for Windows- and OSX-based machines. You can check for things like: A/V, A/S, firewall status, Windows hotfixes. If you want to do posture on mobile devices, you will need to integrate ISE with an MDM (mobile device management) solution such as: AirWatch, MobileIron, Extend360, etc. ISE can query the MDM for things like: is the device protected with a PIN, is the device rooted, is the device encrypted, etc.

    I hope this helps!

    Please rate helpful posts!

  • ISE 1.3 and multiple licensing requirements

    I am building an ISE 1.3 box and I want to know if the following is feasible.

    I have an AD forest that has several user groups configured:

    1. Corporate
    2. BYOD
    3. demo

    What I want to do is use these groups to assign wireless users to the correct VLAN based on their membership of these groups AND the type of device they are connecting from.

    For example, User1 connects to the wireless network from a Mac and belongs to the corporate users group. I would like them to be put on the corporate VLAN.

    However, if they connect from their iPhone and also belong to the BYOD group, they get put on the BYOD VLAN which has restricted access.

    I guess I should add User1 to both the corporate and BYOD AD groups, then use conditions to determine what type of device they use and then create an authorization profile to manage which VLAN they are dropped in. Then use Airespace ACLs to determine what resources they have access to.

    Unfortunately, the interface has changed a bit from 1.2 to 1.3, and I don't know if this is feasible.

    I advise using the BYOD feature within ISE that uses device registration. All devices are in the (default) RegisteredDevices identity group within ISE, so your authorization policy can check: if EndPointIdentityGroup = RegisteredDevices AND ADGroup = BYOD then = BYOD VLAN + ACL.

    Put your BYOD registered-device rule above all the others in the list so that your corporate group rule does not override the BYOD one.

  • ISE 1.2 and the maximum PSNs supported in my persona config

    Hello people, I am setting up a fairly large-scale distributed ISE deployment and I was wondering if anyone could tell me the maximum number of PSNs allowed in this configuration. I was reading through an older training document for version 1.1 and it suggested 5; that's why I wonder if the specs changed in 1.2, but I can't find them anywhere to verify.

    I have a large virtual machine running the PRIMARY admin persona, which is also secondary for my monitoring & reporting, in my main data centre.

    In another state (linked at 10G) is another large VM acting as my secondary admin persona with primary monitoring & reporting.

    Across several states I want to have multiple PSNs following the geographic pattern of each state, but I don't know if I can deploy enough with my current version 1.2 and the persona config listed above. I need about 12 to 15 PSNs.

    I was wondering if I need two more VMs to move monitoring out to its own node in DC1 and secondary monitoring in DC2 for more PSN extensibility.

    Any help would be greatly appreciated.

    Thank you

    As Marvin suggested, I would look at using 1.3 at this point, unless you have specific concerns with that version and really want to stay with 1.2. That being said, here are my recommendations/comments:

    - Both v1.2 and v1.3 in fact support up to 40 PSN nodes

    - If any of your PSN nodes will be placed in the same location and are layer 2 adjacent, I recommend putting them in a node group and behind a load balancer. If you do not have a load balancer, I would still put them in a node group. At this time a node group can have up to 10 PSNs

    - If you have 10-15 PSN nodes then you should dedicate 2 nodes specifically to the monitoring persona

    - The maximum round-trip time between all nodes must not exceed 200 ms

    For more information, you can always reference the "Network Deployment" section in the hardware installation guide for ISE:

    v1.3

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html

    v1.2

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/installation_guide/ise_ig/ise_deploy.html

    Please rate helpful posts!

  • ISE 1.2 and ACL with several ports

    When creating a DACL for my groups I used the syntax "permit tcp any 192.168.20.0 0.0.0.255 eq 22 443" for one of my ACLs within the DACL and the syntax check validated it. When I pushed it to my groups it worked too, but I have heard that this type of multi-port ACL in ISE is not supported. Does anyone know if this is accurate?

    You can implement several DACLs to control access and it works perfectly with ISE.

    Please rate helpful posts.

  • Planning: estimating disk and memory requirements

    Hello Experts,

    I'm going to estimate the memory and disk requirements for a planned Planning application.

    For the disk requirements -> is it sufficient to estimate the size of the outline, data files (pag), data blocks, index files and index pages (similar to an Essbase database)?
    For the memory requirements -> is it enough to estimate (similar to an Essbase database) the cache, data file cache, data cache, index cache and calculator cache?

    Is there something special to plan?

    Thanks and greetings

    Hello

    1. First of all, I recommend you take a look at the RAM and space required for Planning; you can find it here:

    http://download.Oracle.com/docs/CD/E12825_01/EPM.111/epm_install_start_here/frameset.htm?ch02s04.html

    2. On top of this, you will need to think about the number of Planning applications and the... Essbase cubes etc.

    Sandeep Reddy, Enti
    HCC
    http://hyperionconsultancy.com/

  • ACS 4.2 and 4096-bit certificates

    Hello

    Is it possible to use ACS and a CA server with a 4096-bit certificate?

    So far we have tested with self-signed 1024-bit certificates. Now I don't know if we can install a 4096-bit certificate on ACS and if it can handle 4096-bit client certificates?

    Thanks in advance.

    Regards

    Dominic

    Dominic,

    You can use a 4096-bit certificate from ACS 4.2.0.124 patch 10 onwards.

    Kind regards

    ~ JG

    Please rate helpful posts

  • ACS 4.2 and 802.1X certificate auth

    Hi all

    I have generated a new certificate and installed it on my ACS 4.2; it is only the certificate auto-generated by the Association. Now the end user cannot authenticate automatically.

    If I manually install this certificate on the end user's computer, then the end user is able to authenticate.

    Is it possible to authenticate the end user automatically?

    Oh, I'm sorry...

    Here are the comments;

    1. You must uncheck "Validate server certificate" on the client side; this way, you don't need to install the certificate on the end users' computers.

    2. Uncheck the option 'Automatically use my Windows logon name and password (and domain if any)'; by this the users' Windows credentials will be saved and the client will connect whenever you log on to the Windows machine.

    HTH

    Rgds, Jousset

    Please rate helpful posts ~

  • ISE and WLC for posture remediation

    Can someone please clarify a few things regarding ISE and wireless posture.

    (1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect some of the traffic to kick off the posture check?

    (2) Can / must a dACL/wACL be specified as a remediation ACL?

    (3) Should the WLC ACL be written in long format (manually specifying source and dest ports / direction), or does "any" work?

    (4) Does anyone have a working example ACL for posture redirect (CPC) and remediation (dACL)?

    (5) Any other advice or pointers would be useful, as none of the docs I have found so far, whether TrustSec 2, CiscoLive or anything else, seem to help me understand remediation and WLC posture.

    Thank you

    Nick

    Yes,

    This means that your client provisioning policy does not have a rule that will match a contractor who joined the network. Can you post a screenshot of the client provisioning policy?

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • ISE and ASA5505

    Hello all - I'm working with a client on an ISE deployment and they would like remote locations to benefit from dot1X. The potential problem I see is that they have ASA5505s for the tunnels to the main location, which is great, but they also use the integrated switch... I know there are problems with the larger ASAs requiring the IPN. I wonder if they will need a different switch to make it work? I don't think they plan on posture or anything that advanced. It's more just to lock down the switchports and avoid problems when people plug in random devices, to keep them off the network...

    Any suggestions are appreciated.

    Scott J.

    Scott,

    If you are referring to the ports on the ASA, those do not support dot1x. You will need a different switch in order to get the dot1x features you're looking for.

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • Why does Apple not provide a 10 W charger with the iPad Air 2 when the computer store and hundreds of people on the web say it needs a 12 W charger because Apple has changed their software and the 10 W charges the iPad very slowly.

    Why does Apple not provide a 10W charger for the iPad Air 2 when the computer store and hundreds of people on the web say that the 10 W does not work and it takes a 12 W charger? The computer store told me that Apple has changed their software on the iPad and it now requires a 12 W charger.

    So you're claiming Apple is selling iPads with a charger that doesn't work?

    A 10W charger works perfectly well. A 12W charger can be slightly faster to charge under certain conditions.

  • During backup and maintenance on one of my computers, I noticed a folder and a file that I can't identify...

    Original title: identity of unknown folder

    During backup and maintenance on one of my computers (Windows XP Home, SP3), I noticed a folder and a file that I can't identify. The folder name is cc68f6b7a7ca948eefb018f001 and the file name is update.exe. The file's properties say it is a Windows Service Pack installation. I tried Googling the folder name, but found nothing.

    Can you tell me about this issue, and what, if anything, I have to do?

    Thank you.

    When some programs (including Windows) install things, they can create a temporary folder made up of 20-30 random letters and numbers in the root of the drive volume with the most free space.

    This explains why the folders are sometimes on your C drive or on some other drive - whichever has the most space.

    For example, you might see a folder similar to or called:

    D:\9470bb12e8a4f3447657236478e41c5

    There may be other folders and files in this main temporary folder, such as amd64 and i386 platform folders.

    They should normally be deleted when the installation is complete, but sometimes they are not - especially if the installation fails. They are harmless but annoying. You may think something is wrong when it isn't, or fear that the files are really necessary. To avoid confusion, you can delete the temporary files.

    If your installation failed, or the installation does not remove the randomly named folder when it finishes, running the installation again will create another randomly named folder.

    You may be able to identify the installation (out of curiosity) by looking at some of the folder's contents; if you decide the installation was not important, just remove the files/folders. If the installation does not work for some reason, running the installation again will just create a new randomly named temporary folder, so the old temporary folder is really useless.

    The folders are sometimes tough to remove. Even if you are an administrator on the system, you might get a "sharing violation", "access denied", "in use" or similar message when you try to delete temporary folders. Installations sometimes use different permissions than a regular user in the Administrators group has.

    There are many methods to try to remove the folders, and some require installing third-party programs or changing some Windows settings that could compromise the security of your system if you do not change them back when you're done.

    Starting your system in Safe Mode (by pressing the F8 key several times just before XP attempts to load) is one good method to try to remove the files, because it does not require making any changes to your system configuration or downloading third-party programs.

    If you are running XP Home Edition, the following section on turning off "Simple file sharing" does not apply to you since in XP Home, Simple file sharing is always turned on. If you are running XP Home Edition, skip the next few paragraphs and resume where it says:

    "If none of the above works, try a popular third-party tool called Unlocker."

    If Safe Mode does not work, you can change the security on the folder when you start in Normal Mode to give your username Full Control over the files: navigate to it in Windows Explorer, click Tools, Folder Options, View and, in the Advanced settings window, uncheck (at the bottom of the list) "Use simple file sharing (Recommended)" and click OK. This disables the recommended simple file sharing on your computer, so you will want to turn it back on when you're done doing everything you need to do.

    Right-click on the files of interest, click Properties and click the now visible Security tab. Change the properties as you need (for example, select your user name and check the box to allow Full Control), then click OK to apply the changes.

    With "Use simple file sharing (Recommended)" checked, the folder's Properties tabs are:

    General, sharing, customize

    With "Use simple file sharing (Recommended)" unchecked, the folder's Properties tabs are:

    General, security, customize

    Now, try to manipulate/delete the folder.

    It's a good idea to go back to Explorer and check the "Use simple file sharing (Recommended)" box again when you have finished doing everything you need to do.

    If none of the above works, try a popular third-party tool called Unlocker.

    Unlocker can be downloaded here:

    http://www.emptyloop.com/Unlocker/

    If you use Unlocker, be careful during the install because it wants to add a bunch of options, add-ons, shortcuts and other extras that you don't need.

    You must add the shell extension so that when you right-click on the offending file you will have an Unlocker option to choose. I would just install it long enough to clean up the leftovers and then I usually just uninstall it and all parts of it. You can always install it again another day if you like.

    Unlocker can be uninstalled when you have finished using it.

    Reboot when finished to ensure that the annoying folders are really gone.

  • Vista PC taken hostage by the System Tools 2011 program - it has infected all access to the system and wants a credit card to disinfect.

    Vista 32 laptop SP2 infected with the Trojan System Tools 2011

    Some of its files have been identified by Microsoft Security Essentials but it could not get rid of the whole virus.

    It came back and took over the boot startup sequence.

    You boot to the main desktop, but within a few seconds it takes over the desktop again.

    No access to other programs. It changes the wallpaper and it demands the form for

    System Tools 2011 with your credit card and related information to receive the file to eliminate the infection.

    Safe mode still seems to work.

    The problem seems to have started after downloading a PDF via IE and trying to open the .pdf file.

    Can you help me?

    Kind regards

    GV

    Hey Giorgio V

    Read the uninstall information located under

    http://www.bleepingcomputer.com/virus-removal/remove-system-tool

    Walter, the time zone traveller

  • Cisco ISE and WLC Access-List Design/scalability

    Hello

    I have a scenario where wireless clients are authenticated by ISE and different ACLs are applied depending on the rules in ISE. The problem I have seen is due to the limitation on the Cisco WLC that only allows 64 access list entries. As the setup has only a few VLANs/interfaces and several different access lists are applied to the same interface based on user groups, I was wondering if there may be a scalable design/approach in which the access list entries can grow, other than creating a VLAN for each group of users and applying the access list on the layer 3 interface instead? I illustrated the configuration below for reference:

    User group 1 - apply ACL 1 - on VLAN 1

    User group 2 - apply ACL 2 - on VLAN 1

    User group 3 - apply ACL 3 - on VLAN 1

    The problem appears only for wireless users; it does not occur for wired users, as the ACLs can be applied successfully without restriction on the switches.

    Any suggestion is appreciated.

    Thank you.

    In fact, you have limitations on the switch side as well. Long ACLs can deplete the switch's hardware resources. Take a look at this link:

    http://www.Cisco.com/c/en/us/support/docs/switches/Catalyst-3750-series-switches/68461-high-CPU-utilization-cat3750.html

    The new WLCs based on IOS XE, and not the old Wireless/Aironet OS, will provide a better experience in these matters.

    Overall, I see three ways to overcome your current issue:

    1. Reduce the ACLs by making them less specific

    2. Use L3 interfaces on an L3 switch or FW and apply the ACLs to them

    3. Use SGT/SGA

    I hope this helps!

    Please rate helpful posts!

  • ISE and certificates

    Hi all

    I'm trying to get my head around the use of 3rd party certificates with ISE and I think I need some advice here.

    I have a setup of 6 ISE nodes: 2x Admin, 2x Monitoring and 2x Policy.

    All of these have the abc.local domain name.

    I want to use MS-CHAPv2 and the guest service without certificate errors.

    So do I register all six of my nodes with some 3rd party CA? Or only the 2x Policy nodes?

    I know that the best solution would be all six, but I just want to know if it is possible.

    How do I work around the problem with .local? I don't think it is possible to get a certificate with .local as the domain in the FQDN.

    Are SAN certificates useful here? How would that look (still .local in the CN..?)

    Other things to consider here?

    Regards

    Mikael

    That's right, you must issue the CSR based on the currently configured hostname for ISE that corresponds to the FQDN.

    Your problem is that public certificate authorities will not issue you a cert because you use a .local and not a public domain such as .com, .edu or .org, to name a few.

    The only way to solve your problem is to use a Microsoft private certification authority, which is simple to configure, or change your domain on ISE and use your company's public domain name.

    Thank you

    Sent from Cisco Technical Support iPad App