1.3 of the ISE and NAC

Similar Questions

• Difference between ISE and NAC?

  Dear all,

  Can you please help to understand difference ISE and NAC?

  Thank you

  Eve.

  ACS + NAC Profiler + comments the NAC + Manager = EHT NAC NAC Server

  ISE does:

  Centralized strategies
  RADIUS server
  Evaluation of posture
  Guest access services
  Profiling feature
  MDM
  Monitoring
  Troubleshooting
  Reporting

• 1.3 the ISE and multiple licensing requirements

  I am building a box of ISE 1.3 and I want to know if the following is feasible

  I have an AD forrest who has several groups of configured users

  1. Corporate
  2. BYOD
  3. demo

  What I want to do, use these groups to assign users wireless to the VLAN correct based on the membership of these groups AND the type of device they are connecting from.

  for example User1 connects to the network wireless from a Mac.  And they belong to the Group of corporate users.  I would like to be put on the vlan corporate.

  However, are they connect from their IPhone device and also belong to the Group BYOD, they get put on VLAN BYOD which has restricted access.

  I guess I should add User1 to the company and the BYOD AD groups, then the terms of use to determine what type of device they use and then create a profile for authorization to manage this VLAN they deleted in.  Then use airespace acl to determine what resources, they have access to.

  Unfortunately, the interface has changed a bit from 1.2 to 1.3, and I don't know if this is feasible.

  I advise to use the BYOD within the ISE feature that uses the device registration. All devices are on (default) RegisteredDevices group identity within the ISE, so that your authorization policy can look if EndPointIdentityGroup = ADGroup RegisteredDevices AND = BYOD then = BYOD VLAN + ACL.

  Put your saved rule BYOD above all others in the list for your rule of Group of companies don't replace the BYOD.

• 1.2 of the ISE and made maximum PSN supported in my Persona config

  Hello people, I am setting up a way large-scale distributed of ISE and I was wondering if anyone could tell me what the maximum number of PSN is allowed in this configuration.   I was reading through an older training document with version 1.1 and suggested 5, that's why I wonder if the specs changed on 1.2 but I can't find them anywhere to practice.

  I have a large virtual machine running the MAIN admin character who is also secondary to my report & follow-up in my main data centre.

  In another State (bound to 10G) is another large VM acting as my character high school admin with primary oversight & reports.

  Across several States I want to have multiple Ssnp through geographic patterns of each State, but I don't know if I can put across enough with my current version of 1.2 and my persona config Ssnp listed above.    I need about 12 to 15 Ssnp.

  I was wondering if I need two VMs more out of my control as a node in DC1 and secondary surveillance in DC2 for more extensibility PSN.

  Any help would be greatly appreciated.

  -Thank you

  As Marvin suggested, I would look at using 1.3 at this point, unless you have any specific concerns of this version and I really want to stay with 1.2. That being said, here are my recommendations/comments:

  -Two v1.2 and v1.3 fits in fact up to 40 knots PSN

  -If none of the nodes of your PSN will be put in the same place and are layer 2 adjacent I recommend putting them in a group node and behind a load balancer. If you do not have a load balancer, I would always put them in a node group. At this time a node group can have up to 10 PSN

  -If you have 10-15 knots PSN then you should spend 2 nodes for specifically for the character of monitoring

  -The period of maximum round trip between all nodes must not exceed 200 ms

  For more information, you can always reference the "Network deployment" section in the installation guide material for ISE:

  v1.3

  http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html

  v1.2

  http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/installation_guide/ise_ig/ise_deploy.html

  Thank you for evaluating useful messages!

• 1.2 of the ISE and ACL with several ports

  When you create a DACL for my groups I used the syntax "permit tcp any 192.168.20.0 0.0.0.255 eq 22 443" for one of my acl within the DACL and the validated syntax checking. When I pushed my groups too, it worked but I have heard that this type of port several ACL in ISE is not supported. Does anyone know if this is accurate?

  You can implement several DACL to control access and the sound works perfectly with ISE

  Note the useful messages *.

• 1.2 of the ISE and iPEP required certificates

  Hello

  For version 1.1.x of ISE, there are a few constraints on the certificates used for iPEP and Admin:

  Both EKU attributes must be disabled, if the two attributes, EKU are disabled in the certificate of Inline Posture, or the two attributes, EKU must be activated, if the server attribute is enabled in the certificate Postur Inline.

  • [http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]
  • The same applies for iPEP ISE 1.2? For ISE 1.2 User Guide and Setup Guide material does not mention anything about EKU and the attributes of specific certificate...
  • Any thoughts?
  • Thank you
  • Octavian

  Validation of EKU has been removed in version 1.2

  "If you configure ISE for services like Inline Policy Enforcement Point (iPEP), the model used to generate the ISE server identity certificate must contain attributes to authenticate client and server if you use ISE Version 1.1.x or earlier." This allows the admin and inline nodes to mutually authenticate each other. The validation of the EKU for iPEP was removed in ISE Version 1.2, which makes this less relevant requirement. »

  Source:

  http://www.Cisco.com/en/us/products/ps11640/products_tech_note09186a0080bff108.shtml

• Question commissioning of the ISE NAC agent

  I downloaded the NAC agents and modules of conformity to the ISE and configured the client provisioning rules. The user guide is not really explain very good next steps.

  I guess because the identity of the user groups are used in politics, commissioning is used with webauth, is that correct?

  Jeppe,

  The commissioning customer is done with any authentication method. Whether via dot1x or webauth, it is the authorization policy that starts this process. You redirect your customers customer provisioning portal using the authorization policy. Then, you determine which agent (web agent, agent nac or no agent) through the client provisioning policy.

  Hope that helps,

  Tarik Admani
  * Please note the useful messages *.

• ISE and WLC for sanitation of the posture

  Please can someone clarify a few things regarding the ISE and posture wireless.

  (1) is the ACL-POSTURE-REDIRECT used for conversion, or is it just an ACL to redirect some of the posture of the kickoff checking traffic?

  (2) can / a dACL/wACL list must be specified as a sanitation ACL?

  (3) the WLC ACL should be written in long format (manually specify source and dest ports/doesny direction any job?)

  (4) does anyone have working example ACL for redirect (CPC) posture and sanitation (dACL)?

  (5) any other advice or pointers would be as useful as any docs I have found so far, what he TrustSec2, CiscoLive or anything else, do not seem to help me understand sanitation and WLC posture

  Thank you

  Nick

  Yes,

  This means that strategy available to your customer does not have a rule that will correspond to an entrepreneur who joined the network. Can you post a screenshot of the provisioning of customer policy?

  Thank you

  Tarik Admani
  * Please note the useful messages *.

• Cisco ISE and WLC Access-List Design/scalability

  Hello

  I have a scenario that wireless clients are authenticated by the ISE and different ACL is applied depending on the rules in the ISE. The problem I have seen is due to the limitation on the Cisco WLC that limit only 64 input access list. As the installer has only a few IVR/interfaces and several different access lists are applied to the same base on user groups interface; I was wondering if there may be an evolutionary design / approach according to which the access list entries can evolve next to create a vlan for each group of users and apply the access list on the interface of layer 3 instead? I illustrated the configuration below for reference:

  Group of users 1 - apply ACL 1 - on Vlan 1

  User 2 group - apply ACL 2 - on the Vlan 1

  3 user group - apply ACL 3 - on the Vlan 1

  The problem appears only for wireless users, he does not see on wired users as the ACLs can be applied successfully without restriction as to the switches.

  Any suggestion is appreciated.

  Thank you.

  In fact, you have limitations on the side of the switch as well. Long ACL can deplete resources AAGR of the switch. Take a look at this link:

  http://www.Cisco.com/c/en/us/support/docs/switches/Catalyst-3750-series-switches/68461-high-CPU-utilization-cat3750.html

  The new WLCs based on IOS XE and not the old OS Wireless/Aironet will provide the best experience in these matters.

  Overall, I see three ways to overcome your current number:

  1. reduce the ACL by making them less specific

  2 use L3 interfaces on a switch L3 or FW and the ACL is applied to them

  3. use the SGT/SGA

  I hope this helps!

  Thank you for evaluating useful messages!

• ISE and ASA5505

  Hello all - I'm working with a client on a deployment of the ISE and that they would like remote locations enjoy to dot1X.  The potential problem I see is - what - they have ASA5505s for the tunnels to the main location, which is great, but they also use the integrated... switch I know there are problems with the largest ASAs requiring the IPN.  I wonder if they will need a different switch to make it work?  Don't think they plan on posture or whatever it is advanced.  More just to lock the switchports and avoid problems when people plug random devices to keep them out of the network...

  any suggestions are appreciated.

  Scott J.

  Scott,

  If you are referring to the ports on the SAA, these are not supported dot1x. You will need a switch different in order to get this dot1x features you're looking for.

  Thank you

  Tarik Admani
  * Please note the useful messages *.

• ISE and certificates

  Hi all

  Im trying to get my head around the use of 3d party certificates with the ISE and I think that I need advice here.

  I have a setup of 6 knots ISE, 2xAdmin, 2xMonitoring and 2xPolicy.

  All the these have the abc.local domain name.

  I want to use MS-CHAPv2 and customer service without certificate error.

  So I register all my six knots with some 3d CA? Or only the nodes 2xPolicy?

  I know that the best solution would be the six, but just to know if it is possible.

  How to work around the problem with .local? I don't think that it is possible to get a certificate with .local as a domain in the FULL domain name.

  Is that useful here of SAN certificates? How would look (even .local in CN..?)

  Other things to consider in the present?

  concerning

  Mikael

  That's right, that you must issue the CSR based on the currently configured for ise host name that corresponds to the fqdn.

  Your problem is that the public certificate authorities will not issue you a cert because you use a .local and not a public domain such as .com, .edu or .org to name a few.

  The only way to solve your problem is to use a Microsoft private certification authority that is simple to configure. Or change your area om ise and use the public domain of your company name.

  Thank you

  Sent by Cisco Support technique iPad App

• In anticipation of the posture with 1.3, Agent NAC 4.9.5.10 ISE and Windows 10

  Hello

  I have a client with the patch 1.3 ISE 5 installed in its network, and it tests the connection to the network from a client Windows 10. In the client, this customer has manually installed Agent NAC 4.9.5.10, and used Anyconnect 4.2.01035 (with NAM module) as supplicant 802.1 x.

  In the ISE, the 3.6.10205 - 2 4.9.5.10 NAC Agent and compliance Module is downloaded and there is that a strategy of commissioning of the customer created in order to provide customers with this version of the NAC Agent and compliance Module if this client authenticates correctly in Active Directory. There is also a political Posture that requires that the customer have a fixed version of McAffee Antivirus from the Posture.

  When connecting to the wifi network, the client authenticates properly using the user name and, after authentication, it launches the Cisco's NAC Agent in order to pass the posture. At this point, the Agent NAC pop-up displays an error indicating that the operating system of the client is not supported, although NACAgent 4.9.5.10 supports Windows 10 and patch5 ISE 1.3 also supports Windows 10. Due status Posture maintains in State waiting, the customer is not allowed to connect with the correct permissions for the network by the ISE authorization policy.

  My questions are:

  You know the reason for this error showed by NAC Agent (client operating system not supported)?

  Do you know what are the correct versions of the NAC and ISE Agent to support customers on Windows 10 connections?

  And also, Windows 10 is supported by ISE 1.3 patch5 or maybe it's better to move to ISE 2.0?

  Thanks in advance

  Concerning

  Juan

  I'll guess that maybe the VA of Cisco and databases supported OS version are not current.  Try to go to the Administration->-> Posture--> updates the settings and click on "Update Now".

• Cisco ISE and the new Version of AntiVirus... not DAT

  I am ready to go to our VPN ISE users. It was a great test and it seems that we are ready to roll.

  Then comes a new version of our corporate AntiVirus software. We had Kaspersky EndPoint Security v8 since last August. Kaspersky now comes to Endpoint Security v10. It took about 3 months for compliance in ISE Module to allow the NAC Agent to recognize KESv10. But now, when we connect I get an error from the NAC stating bascially that the version of installed KES is no posture installation rules and he can't do anything. (see attachment for the exact wording)

  I remember when we first set up the ISE, there was a screen that broke down the different manufacturers of AV and the different versions that would support ISE/NAC. I have no idea where it is now.

  How to I update my sanitation/policies/rules to take account of two KES10 including, or simply change to allow version 8 +, or even ANY version?

  I'm sure this is a simple solution, but I can't find it. I looked through a lot of documentation, and I even looked through a PDF of global laboratory on-site ISE posturing, and he can find.

  Thank you

  Dirk

  Unfortunately, there are various known bugs related to the use of the browser "bad" that have been around for a while

• I would love to see my idea of ISEEDS Apple. Wireless. Bluetooth headsets in the form of seeds. No more son. And the landslide simply out of the back of the phone.  They are always charged. A simple click of your thumb to the rear and an iseed flicks or

  I would love to see my idea of ISEEDS Apple. Wireless. Bluetooth headsets in the form of seeds. No more son. And they simply slide to the back of the phone.  They are always charged. A simple click of your thumb at the back and an iseed movies out. And an Apple healthy seeds

  Garry Graham

  Please you not to Apple here. This is a user forum. You can share your comments with a Apple. They will not respond, but at least they'll know your suggestion.

  http://www.Apple.com/feedback/

• The ISE comments and update of Broswer Security Portal

  Hi, last week our assistance service received a constant steam of calls regarding our wireless of comments.  For most people, the problem is that there are browser will not allow them on the portal.  After a bit of investigation, we have established that what happens on devices with the latest browsers - IE11, Firefox 39 + and Chrome.

  OS x and iOS devices and those devices with older browsers are working ok.

  We run ISE 1.1.3.124 which is a certain number of revisions behind so I assume it is the question that 'ignore' safety standards in these new browsers.

  My plan is to upgrade to version 1.2, and then to 1.3 which I had planned to do next month anyway, but I just wanted to see if there is a work around on the ISE, which can be implemented so that the upgrade is made a thoughtful and not rushed.

  Thank you.

  This problem is apparent on several Cisco - ISE and at least first Infrastructure products.

  A couple of threads to discuss and provide workarounds:

  Thread 1

  Thread 2

  ISE 1.3 (or 1.4) will fix it. In addition, ISE 1.2.1 Patch 7.

  Here's the official Cisco ISE Bug ID.