Cisco ISE 1.3.0.876
Hello
My company has a Cisco ISE infrastructure with 5 servers.
About a month ago someone tried a backup and it hung.
I tried a manual backup and restarted the ISE application from the CLI, but the message continues.
I want to schedule a new backup to a new repository, but the edit option is still not available.
PSRCSISE01/admin# sh backup status
%% Configuration backup status
%% ----------------------------
% backup name: new
% repository: ISE_BACKUP1
% start date: Monday, August 29 at 10:51:27 WEST 2016
% on demand: no
% triggered from: CLI
% host:
% status: backup New-CFG-160829-1051.tar.gpg to repository ISE_BACKUP1: success
%% Operation backup status
%% ------------------------
% backup name: OpBackupDiario
% repository: ISE_BACKUP1
% start date: Fri Aug 05 17:24:57 WEST 2016
% on demand: no
% triggered from: web Admin UI
% host: PSRCSISE02.bancobic.net
% status: cancellation of backup...
% progress %:
% progress message:
Can you help me?
Thanks in advance
Hello
I faced the same problem 1 year ago and it was a bug. Sometimes starting a manual backup updated the status. Other times I had to restart the server, not just the ISE application.
Have you tried a full reboot?
Thank you
PS: Please do not forget to rate and score as correct answer if this answered your question
Tags: Cisco Security
Similar Questions
-
Cisco vWLC and ISE Central Web Authentication issue
Hello!
I have a problem with wireless Central Web Authentication. CWA is working fine on wired.
My APs are working in FlexConnect mode with local switching. When I connect to the WLAN with CWA, the web page with the portal does not open, but I can see that the redirection works...
When I try to ping ISE I get an odd result:
~$ ping 10.10.2.47
PING 10.10.2.47 (10.10.2.47) 56(84) bytes of data.
64 bytes from 10.10.2.47: icmp_seq=5 ttl=63 time=1.45 ms
64 bytes from 10.10.2.47: icmp_seq=8 ttl=63 time=2.22 ms
64 bytes from 10.10.2.47: icmp_seq=10 ttl=63 time=1.43 ms
^C
--- 10.10.2.47 ping statistics ---
21 packets transmitted, 3 received, 85% packet loss, time 20106ms
rtt min/avg/max/mdev = 1.430/1.703/2.223/0.367 ms
When I change the Wi-Fi network security to open or any other method, ping to ISE works very well. Help, please!
Central Web Auth (CWA) works differently when the controllers/APs work in FlexConnect mode. Please consult this guide and check if you have a similar setup.
If so, please post screenshots with your configs (redirect ACL, policies in ISE and WLC SSID settings).
In addition, post the version of the code you run on your controller and ISE.
Thank you for evaluating useful messages!
-
Cisco Ip Phone 7942 authentication ISE
Hello
I'm installing Cisco ISE soon and I have a question. Why can't I authenticate the Cisco IP phone model 7942 using 802.1X? I see that the phone has this option (it is not enabled). I am told that Cisco IP phones must be authenticated to ISE using profiling or MAB. This requires the expensive advanced license to achieve.
Has anyone had any luck in this area?
Thank you
Bob
Hello
Is your model a 7942G? In this case, these phones could have a built-in Cisco certificate (Manufacturing Installed Certificate) that can be used for the EAP-TLS protocol. The common name starts with either MS or CP.
Kind regards
Philippe
-
Problem of generation of ISE CSR Cisco with wildcard certificate.
We bought a wildcard SSL certificate to be used in Cisco ISE, but when I enter the following attributes given by the seller, I get this error:
"*.domain.com is not a valid generic name". The attributes that I entered in the CSR are as follows:
CN = *.domain.com
SAN
DNS name: ise.domain.com
The above parameters were given by the seller. They said I should use these attributes because the certification authority (DigiCert) accepts this format for a wildcard certificate request.
The seller rejected my previous CSR, which I created successfully with the attributes below. This is based on the Cisco documentation.
CN = ISE.domain.com
SAN
DNS name: ise.domain.com
DNS name: *.domain.com
I just want to confirm whether the attributes given by the seller are valid for Cisco ISE to generate the CSR, or whether I should use a valid FQDN in the CN entry and not the wildcard name, and use the wildcard name in the SAN DNS name entry.
Please advise. I would appreciate a prompt response from the experts.
Thank you.
Kind regards
Mike
Mike,
A wildcard cert is definitely the way to go in a distributed environment. Use the host name of your Admin node in the CN field:
CN = ise, OR = domain, OU = com
then enter the SAN field as shown above in the CSR.
Please rate useful messages and mark this question as answered if this does, in fact, answer your question. Otherwise, feel free to post additional questions.
Charles Moreton
-
Upgrade to Cisco ISE CPU/memory
Hi all
I have a Cisco ISE in a VMware environment and I need more CPU/memory in my Policy Service node.
How can I do this? Is it just a matter of increasing the memory/CPU of the virtual machine in VMware?
TKS.
Rafael,
This is what I highly recommend because it is not documented what Cisco's best practices are, and with the ISE database being sensitive to the way that the hard drives are presented, I strongly suggest to nine in order to exclude any stability-related issues (if you face them) in the future.
Thank you
Tarik Admani
* Please rate useful messages *
-
Hello
Is there a switching environment on Cisco VIRL to test Cisco IBNS 2.0 functions, especially with ISE?
BR
Hello BR -.
Unfortunately, 802.1X is not a supported feature on VIRL/IOU. Here is a link to the currently supported VIRL features:
https://learningnetwork.Cisco.com/docs/doc-30404
I hope this helps!
Thank you for evaluating useful messages!
-
I tried to upgrade ISE in a standalone deployment from 1.2.1.198 to 1.3
- My file name and size are identical to what I see on the cisco.com download page (name: ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz, size: 4.02 GB (4,326,538,352 bytes))
- I used the following commands and both give the same error:
application upgrade prepare ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz UPGRADE
application upgrade ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz UPGRADE
ISE-STANDALONE# application upgrade ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz UPGRADE
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Building configuration...
Save the current configuration of ADE-OS at startup
Get the package to the local computer.
MD5: 76e17877c2fb70d1006a20780fbf5b98
SHA256: 461a0931c2f498399d96f195b1ab3d196fe7694f6e0cc2b4cb75928aced5f1c7
% Please confirm above cryptographic hash matches that which is available on the Cisco download site.
The download file size and MD5 are exactly as published by Cisco, but the SHA algorithm is different:
Cisco download site shows SHA512 Checksum: ea2e5eee527c145eb971e2a7806e6185
ISE shows: sha256: 461a0931c2f498399d96f195b1ab3d196fe7694f6e0cc2b4cb75928aced5f1c7
Can someone please advise what the problem is with the above steps or how to fix the above error?
Check that your SHA512 hash matches using an external utility (such as http://download.cnet.com/MD5-SHA-Checksum-Utility/3000-2092_4-10911445.html ).
Then use the same utility to calculate the SHA256 before transferring the file to ISE. That lets you check it.
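The check suggested in the reply above, as an added example that is not part of the original thread: it hashes a file once with all three algorithms and compares each published value only against the digest of the same algorithm. The file it hashes is a constructed stand-in for the bundle, the file name is hypothetical, and the two hex values are the ones quoted in the question.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest length of each algorithm mentioned in the thread.
HEX_LEN = {"md5": 32, "sha256": 64, "sha512": 128}


def file_digests(path, chunk_size=1 << 20):
    """Stream the file once and return its md5, sha256 and sha512 hex digests."""
    hashers = {name: hashlib.new(name) for name in HEX_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def compare(algorithm, published, computed):
    """Classify one published value against the locally computed digests."""
    value = "".join(published.split()).lower()
    if not value or set(value) - set("0123456789abcdef"):
        return "not-hex"
    if len(value) != HEX_LEN[algorithm]:
        # A value of the wrong length cannot be a full digest of this algorithm.
        return "wrong-length"
    same = hmac.compare_digest(value, computed[algorithm])
    return "match" if same else "mismatch"


def demo():
    """Run the checks against a constructed file standing in for the bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "bundle.tar.gz")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"constructed sample payload\n" * 4096)
        computed = file_digests(path)
    return {
        # Like-for-like comparison: the only kind that can confirm the file.
        "sha256 vs own sha256": compare("sha256", computed["sha256"], computed),
        # The 32-character value quoted in the post as the site's SHA512.
        "post value as sha512": compare(
            "sha512", "ea2e5eee527c145eb971e2a7806e6185", computed),
        # The sha256 that ISE printed in the post, against the constructed file.
        "post sha256 vs sample": compare(
            "sha256",
            "461a0931c2f498399d96f195b1ab3d196fe7694f6e0cc2b4cb75928aced5f1c7",
            computed),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Pointing `file_digests` at the real bundle on the workstation gives the SHA-256 to compare with what ISE prints and the SHA-512 to compare with the download site.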
-
Cisco C2960 host-mode multi-domain: phone does not go to the voice domain
Hello world
I'm working on deploying dot1x across our company. I'm stuck on configuring Cisco phones to go on the correct VLAN when the host-mode multi-domain option is used. I tried on two C2960 switches with two different images. No matter what I do, the phone goes to Domain: DATA and is unable to connect to the network, most likely because it is in the wrong VLAN. ISE shows the port as authenticated and MAB works very well. When I set up stream host-mode, the phone gets the correct VLAN and can connect to the network.
Here is what I use:
- C2960S-48-i/s-L with C2960S-UNIVERSALK9-M or C2960 with c2960-lanlitek9-tar.150-2.SE7
- Cisco phones 7960 and 7962
- ISE 1.3.0.876
Here is the current port configuration:
interface GigabitEthernet1/0/1
switchport access vlan 2
switchport mode access
switchport voice vlan 703
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
Here is the output of show authentication sessions inter Gig1/0/1
MAC Address: 0013.1a58.xxxx
IP Address: Unknown
User-Name: 00-13-1A-xx-xx-xx
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: 5400s (local), Remaining: 5384s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0AF301450000000C001F3391
Acct Session ID: 0x00000010
Handle: 0x0400000D
Thanks for your help.
Looks like you're missing the device class = attribute in your voice authz profile.
-
PC profiled as a phone by ISE 1.4
Hello
I see PCs attached to Cisco phones being profiled by ISE 1.4 (patch 3) as Cisco phones. When first attached to the switch (Cisco 6880 - latest version 15.2) the phone shows up as "Cisco-IP-Phone-7911" correctly and the PC is 802.1X authenticated OK and profiled as "Microsoft-workstation".
Within a minute the PC changes from "Microsoft-Desktop" to "Cisco-IP-Phone-7911" in the ISE endpoint list.
When I open the PC in the endpoint list, I see that it has "inherited" the CDP details of the phone. When I disconnect and reconnect the phone/PC, they both get profiled by ISE as phones - the switch is configured for multi-domain access (one device authorized in each of voice and data), so the switchport is shut down because of a security violation.
To work around this problem, I have disabled CDP on the switch and enabled LLDP. The phone now shows up as "Cisco-IP-Phone" (the Cisco-IP-Phone-7911 profile requires CDP) and the PC is profiled as "Microsoft-workstation".
Is this an ISE or IOS bug? I have had this problem with all available versions of the 15.2 train for the 6880. I am aware of the bugs CSCuu97659 and CSCuu94127 but I thought these were related to ISE 1.3 and earlier versions.
Thank you
Andy
Hi Andre, I think you're hitting these bugs... and add CSCuu76087 to the mix :)
-
Hello
I am trying to generate a CSR on my ISE 1.1.1.268, and I always get this error message: "CSR generation failed: invalid certificate subject DN length".
I followed the guide from Cisco, I used the ISE FQDN for the CN, and CSR generation still fails...
My ISE FQDN is: kam-ise-01.kamcorp.kam.com
This is the certificate subject I used:
CN = kam-ise-01.kamcorp.kam.com, OU =, O = KAM, C = US, S = CA, L = NY
Any help please...
Could you please try this:
CN = kam-ise-01.kamcorp.kam.com, OU =, O = KAM, C = US, ST = CA, L = NY
I fixed the format. I think that you used only S. However, the user guide says ST for the state.
http://www.Cisco.com/en/us/docs/security/ISE/1.2/user_guide/ise_man_cert.html#wp1077292
We have a known bug on that as well, where ISE should raise a more explicit error and say what was wrong:
CSCuj28351 ISE complains of the DN length when the problem is the format
Symptom:
ISE reports "CSR generation failed" with "invalid certificate subject DN length" when you create a CSR to EHT
Conditions:
It does not necessarily happen when the subject is too long, but also if the format is bad
For example, if you enter 'C = Belgium' instead of 'C = BE', you will get this error.
State and country are 2 certificate fields requiring letters and not the full name.
Workaround:
Correct your fields to match the right X.509 format
~ BR
Jatin kone
* Do rate useful messages *
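A pre-check for the two format problems named in this thread (S instead of ST, and a country value that is not a two-letter code), as an added example that is not part of the original posts and not ISE's own validation. The list of accepted attribute types is an assumption taken from the subject strings quoted above, and ise.example.com is a constructed host name.

```python
import re

# Attribute types that appear in the subject strings quoted in the thread.
# Assumption: this list mirrors those strings; it is not ISE's own parser.
ALLOWED_TYPES = ("CN", "OU", "O", "L", "ST", "C")


def parse_subject(subject):
    """Split 'K = V, K = V' into ordered (type, value) pairs.

    Simplification: values containing escaped commas are not supported.
    """
    pairs = []
    for part in subject.split(","):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not a type=value pair: {part.strip()!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def subject_problems(subject):
    """Return a list of format problems; an empty list means none were found."""
    try:
        pairs = parse_subject(subject)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for key, value in pairs:
        if key not in ALLOWED_TYPES:
            hint = " (the reply uses ST for the state)" if key == "S" else ""
            problems.append(f"{key}: unexpected attribute type{hint}")
        elif key == "C" and not re.fullmatch(r"[A-Za-z]{2}", value):
            problems.append(f"C: {value!r} is not a two-letter country code")
    if not any(key == "CN" and value for key, value in pairs):
        problems.append("CN: missing or empty")
    return problems


# The two subjects differ only in S versus ST, the change the reply describes.
ASKED = "CN=kam-ise-01.kamcorp.kam.com, OU=, O=KAM, C=US, S=CA, L=NY"
REPLIED = "CN=kam-ise-01.kamcorp.kam.com, OU=, O=KAM, C=US, ST=CA, L=NY"

if __name__ == "__main__":
    for label, subject in (("asked", ASKED), ("replied", REPLIED),
                           ("bug note", "CN=ise.example.com, C=Belgium")):
        print(label, "->", subject_problems(subject) or "no problems found")
```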
-
ISE - ISE-1.3.0.876-eval-2.ova username and password
I downloaded the following OVA file, but could not find any documentation for the login and password.
ISE-1.3.0.876-eval-2.ova
- login and password
Any help will be greatly appreciated. Thank you
Please visit the following Web site.
http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/installation_guide...
When it asks for a username, please enter the configuration and return.
-
ISE 1.3.0.876 high memory use
Hi team,
Kindly help me with our Cisco ISE version 1.3.0.876, which is experiencing high memory use. It has an HA configuration.
The primary has 83% and the secondary 63%.
Thanks in advance!
Kind regards
Mady
There are some fixes in patches that resolve the problems associated with memory use.
The latest patch is 1.3 patch 6 and it includes the following fix:
CSCux53910: ISE 1.3 patch 5 increased memory leading to authentication latency
I recommend considering installing the latest patches.
-
Cisco ISE 1.3 Patch 6 procedure
Hi team,
Please help me with installing a patch on Cisco ISE version 1.3.0.876. I intend to patch our ISE with HA setup to patch 6. Is there also a way to upgrade? I read that you must install the patch on the primary node, then the secondary node automatically updates to patch 6. Which command will let me check that the secondary is upgraded to patch 6? Also, how much time does it take to restart the application?
Thanks in advance!
Kind regards
Mady
Hi Mady-
You can perform the installation, restore and status check of the patch directly from the GUI on the primary Admin node. You can refer to the ISE 1.3 Administrator's Guide:
Install the Patch:
Check the status of the patch:
I hope this helps even if end :)
Thank you for evaluating useful messages!
-
I have a question
1. Is it possible to install the Cisco ISE software on a physical HP server machine (without a VMware solution or without using the Cisco SNS-3415-K9 appliance)?
2. For 2500 online users, I'll order L-ISE-BSE-2550, L-ISE-PLS-S-2500 and L-ISE-APX-S-2500 for Base, Plus and Apex licenses. My question is: for an HA (primary and secondary) deployment, do I need 2 licenses of each? (2 * L-ISE-BSE-2550, 2 * L-ISE-PLS-S-2500 and 2 * L-ISE-APX-S-2500)
Or is just one license of each enough?
3. If I implement Cisco ISE with HA in a VMware environment, do I need 2 L-ISE-VM-K9 licenses, one for each VM? And do I also need 2 licenses each for Base, Plus and Apex?
4. What are Cisco SMARTnet and Cisco SASU? Do I need to buy these for support and the ticketing system?
5. What is the license for Cisco AnyConnect (L-AC-APX-1YR-G)?
Thanks in advance.
You can install ISE on an HP server ONLY if you are using virtualization software (VMware or KVM).
The ISE Installation Guide sets out three options:
1. Cisco SNS hardware appliance
2. VMware virtual machine
3. Linux KVM
The AnyConnect license is required to qualify for the Apex features. It is not installed on the ISE server, however.
-
Cisco ISE posture check for VPN
Hello community,
first of all thank you for taking the time to read my post. I have a deployment which requires the Cisco ISE posture check feature for VPN machines. I know that logically once a machine is on the LAN, Cisco ISE can detect and apply posture checks on clients with the AnyConnect agent, but what about VPN machines? The VPN will terminate on a VPN concentrator, which then connects to an ASA5555X that is deployed as an IPS only. Are there any pointers on this?
Thank you!
The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. Once a VPN user connects, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user's computer to determine its compliance against a configured set of posture rules, such as operating system (OS), patches, AntiVirus, Registry, Application, or Service rules.
The posture validation results are then sent to the ISE. If the machine is deemed compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed to access internal resources.