Cisco ISE 1.3.0.876

Hello

My company has a Cisco ISE infrastructure with 5 servers.

About a month ago someone tried a backup and it hung.

I tried a manual backup and restarted the ISE application from the CLI, but the message continues.

I want to schedule a new backup to a new repository, but the edit option is still not available.

PSRCSISE01/admin# sh backup status
%% Configuration backup status
%% ----------------------------
% backup name: new
% repository: ISE_BACKUP1
% start date: Monday, August 29 at 10:51:27 WEST 2016
% on demand: no
% triggered from: CLI
% Host:
% status: backup New-CFG-160829-1051.tar.gpg to repository ISE_BACKUP1: success

%% Operation backup status
%% ------------------------
% backup name: OpBackupDiario
% repository: ISE_BACKUP1
% start date: Fri Aug 05 17:24:57 WEST 2016
% on demand: no
% triggered from: web Admin UI
% Host: PSRCSISE02.bancobic.net
% status: cancellation of backup...
% progress %:
% progress message:

Can you help me?

Thanks in advance

Hello

I faced the same problem 1 year ago and it was a bug. Sometimes starting a manual backup updated the status. But other times I had to restart the server, not just restart the ISE application.

Have you tried a full reboot?

Thank you

PS: Please do not forget to rate and mark as correct answer if this answered your question

Tags: Cisco Security

Similar Questions

  • Cisco vWLC and ISE Central Web Authentication issue

    Hello!

    I have a problem with wireless Central Web Authentication. CWA is working fine on wired.

    My APs are working in FlexConnect mode with local switching. When I connect to the WLAN with CWA, the web page with the portal does not open, but I see that the redirection works...

    When I try to ping ISE I get an odd result:

    $ ping 10.10.2.47
    PING 10.10.2.47 (10.10.2.47) 56(84) bytes of data.
    64 bytes from 10.10.2.47: icmp_seq=5 ttl=63 time=1.45 ms
    64 bytes from 10.10.2.47: icmp_seq=8 ttl=63 time=2.22 ms
    64 bytes from 10.10.2.47: icmp_seq=10 ttl=63 time=1.43 ms
    ^C
    --- 10.10.2.47 ping statistics ---
    21 packets transmitted, 3 received, 85% packet loss, time 20106ms
    rtt min/avg/max/mdev = 1.430/1.703/2.223/0.367 ms

    When I change the WiFi security to open or any other method, ping to ISE works very well. Help, please!

    Central Web Auth (CWA) works differently when the controllers/APs work in FlexConnect mode. Please consult this guide and check if you have a similar setup.

    http://www.Cisco.com/c/en/us/support/docs/security/identity-Services-engine/116087-configure-CWA-WLC-ISE-00.html

    If so, please post screenshots with your configs (redirect ACL, policies in ISE and WLC SSID settings).

    In addition, post the version of the code you run on your controller and ISE.

    Thank you for rating useful posts!

  • Cisco IP Phone 7942 authentication with ISE

    Hello

    I'm installing Cisco ISE soon and I have a question. Why can't I authenticate the Cisco IP phone model 7942 using 802.1X? I see that the phone has this option (it is not enabled). I am told that Cisco IP phones must be authenticated to ISE using profiling or MAB. This requires an expensive advanced license to achieve.

    Has anyone had any luck in this area?

    Thank you

    Bob

    Hello

    Is yours a 7942G model? In that case, these phones could have a built-in Cisco certificate (Manufacturer Installed Certificate) that can be used for EAP-TLS. The common name starts with either MS or CP.

    Kind regards

    Philippe

  • Problem generating a Cisco ISE CSR with a wildcard certificate

    We bought a wildcard SSL certificate to be used in Cisco ISE, but when I enter the following attributes given by the seller, I get this error.

    "*.domain.com is not a valid generic name". The attributes that I entered in the CSR are as follows:

    CN = *.domain.com

    SAN

    DNS name: ise.domain.com

    The above parameters were given by the seller. They said I should use these attributes because the certification authority (DigiCert) accepts this format for the wildcard certificate request.

    The seller rejected my previous CSR, which I created successfully with the attributes below. This is based on the Cisco documentation.

    CN = ISE.domain.com

    SAN

    DNS name: ise.domain.com

    DNS name: *.domain.com

    I just want to confirm whether the attributes given by the seller are valid for Cisco ISE to generate the CSR, or whether I should use the valid FQDN in the CN entry and not the wildcard name, and use the wildcard name in the SAN DNS name entry.

    Please advise. I would appreciate a prompt response from the experts.

    Thank you.

    Kind regards

    Mike

    Mike,

    A wildcard cert is definitely the way to go in a distributed environment.  Use the host name of your Admin node in the CN field:

    CN = ise, OR = domain, OU = com

    then enter the SAN fields as shown above in the CSR.

    Please rate useful posts and mark this question as answered if this does, in fact, answer your question.  Otherwise, feel free to post additional questions.

    Charles Moreton

  • Cisco ISE CPU/memory upgrade

    Hi all

    I have Cisco ISE in a VMware environment and I need more CPU/memory on my Policy Service node.

    How can I do this? Is it just a matter of increasing the memory/CPU of the machine in the VMware environment?

    TKS.

    Rafael,

    This is what I highly recommend: because Cisco has not documented what the best practices are, and because the ISE database is sensitive to the way the hard drives are presented, I strongly suggest starting anew in order to rule out any stability-related issues (if you face them) in the future.

    Thank you

    Tarik Admani
    * Please rate useful posts *

  • Cisco VIRL and ISE

    Hello

    Is there a switching environment on Cisco VIRL to test ISE functions, especially Cisco IBNS 2.0?

    BR

    Hello BR -.

    Unfortunately, 802.1X is not a supported feature on VIRL/IOU. Here is a link to the features VIRL currently supports:

    https://learningnetwork.Cisco.com/docs/doc-30404

    I hope this helps!

    Thank you for rating useful posts!

  • ISE upgrade problem

    I tried to upgrade ISE in a stand-alone deployment from 1.2.1.198 to 1.3.

    - My file name and size are identical to what I see on the cisco.com download page (name: ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz, size: 4.02 GB (4,326,538,352 bytes))
    - I used the following commands and both give the same error:

    application upgrade prepare ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz UPGRADE
    application upgrade ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz UPGRADE

    ISE-STANDALONE# application upgrade ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz UPGRADE
    Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
    Building configuration...
    Save the current configuration of ADE-OS at startup

    Get the package to the local computer.
    MD5: 76e17877c2fb70d1006a20780fbf5b98
    SHA256: 461a0931c2f498399d96f195b1ab3d196fe7694f6e0cc2b4cb75928aced5f1c7
    % Please confirm above cryptographic hash matches that which is available on the Cisco download site.

    The download size and MD5 exactly match what Cisco published, but the SHA checksum is different:
    Cisco download site shows SHA512 Checksum: ea2e5eee527c145eb971e2a7806e6185

    The ISE output shows: SHA256: 461a0931c2f498399d96f195b1ab3d196fe7694f6e0cc2b4cb75928aced5f1c7

    Can someone please advise what the problem is with the above steps or how to fix the above error?

    Check that your SHA512 hash matches using an external utility (such as http://download.cnet.com/MD5-SHA-Checksum-Utility/3000-2092_4-10911445.html ).

    Then use the same utility to calculate the SHA256 before transferring the file to ISE. That lets you check it.
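
An added example (not part of the original thread) of the check suggested above: it computes MD5, SHA-256 and SHA-512 of a bundle in one pass, before the file is transferred, and compares a published checksum only against the algorithm whose digest length it fits. The function names and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest length of each algorithm mentioned in the thread.
HEX_LEN = {"md5": 32, "sha256": 64, "sha512": 128}


def file_digests(path, chunk_size=1 << 20):
    """Read the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in HEX_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def normalize(value):
    """Strip whitespace and colons from a pasted checksum and lowercase it."""
    return "".join(value.split()).replace(":", "").lower()


def candidates_by_length(published):
    """Algorithms whose digest length fits the published string."""
    n = len(normalize(published))
    return [name for name, length in HEX_LEN.items() if length == n]


def verify(path, published, label=None):
    """Return the matching algorithm, None, or 'label-mismatch'."""
    want = normalize(published)
    fits = candidates_by_length(want)
    # A label whose digest length disagrees with the value is reported
    # instead of being compared against the wrong algorithm.
    if label and label.lower().replace("-", "") not in fits:
        return "label-mismatch"
    have = file_digests(path)
    for name in fits:
        if hmac.compare_digest(have[name], want):
            return name
    return None


if __name__ == "__main__":
    # Constructed stand-in for the upgrade bundle so the demo runs offline.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample bundle contents\n")
    try:
        sums = file_digests(tmp.name)
        print(verify(tmp.name, sums["sha256"], label="SHA256"))
        print(verify(tmp.name, sums["sha256"], label="SHA512"))
    finally:
        os.remove(tmp.name)
```

A SHA-256 value printed by one tool can only be compared with a SHA-256 value from another; a digest's length shows which algorithm a published string can belong to.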

  • Cisco C2960 host-mode multi-domain: phone does not go to the voice domain

    Hello everyone

    I'm working on deploying dot1x across our company. I'm stuck on configuring Cisco phones to go into the correct VLAN when the host-mode multi-domain option is used. I tried on two C2960 switches with two different images. No matter what I do, the phone goes to Domain: DATA and is unable to connect to the network as, most likely, it is in the wrong VLAN. ISE shows the port as authenticated and MAB works very well. When I set up stream host-mode, the phone gets the correct VLAN and can connect to the network.

    Here is what I use:

    • C2960S-48-i/s-L with C2960S-UNIVERSALK9-M or C2960 with c2960-lanlitek9-tar.150-2.SE7
    • Phone Cisco 7960 and 7962
    • ISE 1.3.0.876

    Here is the current port configuration:

    interface GigabitEthernet1/0/1
     switchport access vlan 2
     switchport mode access
     switchport voice vlan 703
     authentication host-mode multi-domain
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    end

    Here is the output of show authentication sessions interface Gig1/0/1

    MAC Address: 0013.1a58.xxxx
    IP Address: Unknown
    User-Name: 00-13-1A-xx-xx-xx
    Status: Authz Success
    Domain: DATA
    Oper host mode: multi-domain
    Oper control dir: in
    Authorized By: Authentication Server
    Vlan Policy: N/A
    Session timeout: 5400s (local), Remaining: 5384s
    Timeout action: Reauthenticate
    Idle timeout: N/A
    Common Session ID: 0AF301450000000C001F3391
    Acct Session ID: 0x00000010
    Handle: 0x0400000D

    Thanks for your help.

    Looks like you're missing the device class = attribute in your voice authz profile.

  • PC profiled as a phone by ISE 1.4

    Hello

    I see PCs attached to Cisco phones being profiled by ISE 1.4 (patch 3) as Cisco phones. When first attached to the switch (Cisco 6880 - latest version 15.2), the phone shows up as "Cisco-IP-Phone-7911" correctly and the PC is 802.1X authenticated OK and profiled as "Microsoft-Workstation".

    Within a minute the PC changes from "Microsoft-Desktop" to "Cisco-IP-Phone-7911" in the ISE endpoint list.

    When I open the PC in the endpoint list, I see that it has "inherited" the CDP details of the phone. When I disconnect and reconnect the phone/PC, they both get profiled by ISE as phones - the switch is configured for multi-domain access (one device authorized in each of voice and data), so the switchport is shut down because of a security violation.

    To work around this problem, I have disabled CDP on the switch and enabled LLDP. The phone now shows up as "Cisco-IP-Phone" (the Cisco-IP-Phone-7911 profile requires CDP) and the PC is profiled as "Microsoft-Workstation".

    Is this an ISE or IOS bug? I had this problem with all available versions of the 15.2 train for the 6880. I am aware of bugs CSCuu97659 and CSCuu94127, but I thought these related to ISE 1.3 and earlier versions.

    Thank you
    Andy

    Hi Andre, I think you're hitting these bugs... and add CSCuu76087 to the mix :)

  • CSR ISE generation failed

    Hello

    I am trying to generate a CSR on my ISE 1.1.1.268, and I always get this error message: "CSR generation failed: invalid certificate subject DN length".

    I followed the guide from Cisco and used the ISE FQDN for the CN, and CSR generation still fails...

    My ISE FQDN is: kam-ise-01.kamcorp.kam.com

    This is the certificate subject I used:

    CN = kam-ise-01.kamcorp.kam.com, OU =, O = KAM, C = US, S = CA, L = NY

    Any help please...

    Could you please try this:

    CN = kam-ise-01.kamcorp.kam.com, OU =, O = KAM, C = US, ST = CA, L = NY

    I fixed the format. I think that you used only S. However, the user guide says ST for the State.

    http://www.Cisco.com/en/us/docs/security/ISE/1.2/user_guide/ise_man_cert.html#wp1077292

    We have a known bug on that as well, where ISE should raise a more explicit error and say what was wrong:

    CSCuj28351    ISE complains of the DN length when the problem is the format

    Symptom:

    ISE reports "CSR generation failed" with "invalid certificate subject DN length" when you create a CSR to EHT

    Conditions:

    It happens not necessarily when the subject is too long, but also when the format is bad.

    For example, if you enter 'C = Belgium' instead of 'C = BE', you will get this error.

    State and country are certificate fields requiring 2 letters, not the full name.

    Workaround:

    Correct your fields to match the right X.509 format.

    ~ BR
    Jatin kone

    * Do rate useful posts *
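
An added example (not from the thread or from Cisco) of a pre-check for the subject format problem described under CSCuj28351 above: it flags attribute names that are not standard X.509 short names and a country value that is not two letters. The accepted attribute set is an assumption for illustration, not ISE's own list, and the parser does not handle escaped commas.

```python
import re

# Assumption: common X.509 subject short names; not ISE's exact accepted list.
KNOWN_ATTRS = {"CN", "OU", "O", "L", "ST", "C"}
# Frequent slips mapped to the short name they should have been.
SUGGEST = {"S": "ST", "SP": "ST", "STATE": "ST", "COUNTRY": "C"}


def parse_subject(subject):
    """Split 'K=V, K=V' into (key, value) pairs (no escaped commas)."""
    pairs = []
    for part in subject.split(","):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"missing '=' in {part.strip()!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def check_subject(subject):
    """Return a list of (attribute, problem) tuples; empty means OK."""
    problems = []
    pairs = parse_subject(subject)
    if "CN" not in [key for key, _ in pairs]:
        problems.append(("CN", "missing common name"))
    for key, value in pairs:
        if key not in KNOWN_ATTRS:
            hint = SUGGEST.get(key)
            msg = f"unknown attribute, use {hint}" if hint else "unknown attribute"
            problems.append((key, msg))
        elif key == "C" and not re.fullmatch(r"[A-Za-z]{2}", value):
            problems.append((key, "country must be a 2-letter code"))
    return problems


if __name__ == "__main__":
    # First two subjects are the ones posted in the thread; the third is
    # constructed from the bug note's 'C = Belgium' case.
    for s in ("CN=kam-ise-01.kamcorp.kam.com, OU=, O=KAM, C=US, S=CA, L=NY",
              "CN=kam-ise-01.kamcorp.kam.com, OU=, O=KAM, C=US, ST=CA, L=NY",
              "CN=ise.example.com, O=KAM, C=Belgium"):
        print(s, "->", check_subject(s) or "OK")
```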

  • ISE - ISE-1.3.0.876-eval-2.ova username and password

    I downloaded the following OVA file, but could not find any documentation for the login and password.

    ISE-1.3.0.876-eval-2.ova

    -login and password

    Any help will be greatly appreciated. Thank you

    Please visit the following Web site.

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/installation_guide...

    When it asks for a username, please enter the configuration and return.

  • ISE 1.3.0.876 high memory use

    Hi team,

    Kindly help me with our Cisco ISE version 1.3.0.876, which is experiencing high memory use. It has an HA configuration.

    Primary has 83% and secondary 63%.

    Thanks in advance!

    Kind regards

    Mady

    There are some fixes in patches that resolve problems associated with memory use.

    The latest patch is 1.3 patch 6 and it includes the following fix:

    CSCux53910: patch 1.3 ISE 5 augmented memory of lead for authentic latency

    I recommend considering installing the latest patches.

  • Cisco ISE 1.3 Patch 6 procedure

    Hi team,

    Please help me with installing a patch on Cisco ISE version 1.3.0.876. I intend to patch our ISE HA setup to patch 6. Is there also a way to upgrade? I read that you must install the patch on the primary node, and then the secondary node automatically updates to patch 6. Which command can I use to check that the secondary is upgraded to patch 6? Also, how much time does it take to restart the application?

    Thanks in advance!

    Kind regards

    Mady

    Hi Mady-

    You can perform the installation, restore and status check of the patch directly from the GUI on the primary Admin node. You can refer to the ISE 1.3 Administrator's Guide:

    Install the Patch:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0101.html#ID202

    Check the status of the patch:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0101.html#ID325

    I hope this helps even if end :)

    Thank you for rating useful posts!

  • Cisco ise license command

    I have a question

    1. Is it possible to install the Cisco ISE software on a physical HP server machine (without a VMware solution and without using the Cisco SNS-3415-K9 appliance)?

    2. For 2500 online users, I'll order L-ISE-BSE-2550, L-ISE-PLS-S-2500 and L-ISE-APX-S-2500 for Base, Plus and Apex licenses. My question is: for an HA (primary and secondary) deployment, do I need 2 licenses of each? (2 * L-ISE-BSE-2550, 2 * L-ISE-PLS-S-2500 and 2 * L-ISE-APX-S-2500)

    Or is just one license of each enough?

    3. If I implement Cisco ISE with HA in a VMware environment, do I need 2 L-ISE-VM-K9 licenses for the VM machines? And do I also need 2 licenses each for Base, Plus and Apex?

    4. What are Cisco SmartNet and Cisco SASU? Do I need to buy these for support and the ticketing system?

    5. What is the license for Cisco AnyConnect (L-AC-APX-1 year-G)?

    thnx in adv.

    You can install ISE on an HP server ONLY if you are using virtualization software (VMware or KVM).

    The ISE Installation Guide sets out three options:

    1. Cisco SNS hardware appliance

    2. VMware virtual machine

    3. Linux KVM

    The AnyConnect license is required to be entitled to the Apex features. It is not installed on the ISE server, however.

  • Cisco ISE posture check for VPN

    Hello community,

    First of all, thank you for taking the time to read my post. I have a deployment which requires the Cisco ISE posture check feature for VPN machines. I know that, logically, once a machine is on the LAN, Cisco ISE can detect it and apply posture checks on clients with the AnyConnect agent, but what about VPN machines? The VPN will terminate on a VPN concentrator, which then connects to an ASA5555X that is deployed as an IPS only. Are there any pointers on this?

    Thank you!

    The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. Once a VPN user connects, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user's computer to determine its compliance against a configured set of posture rules, such as operating system (OS) patches, AntiVirus, Registry, Application, or Service rules.

    The posture validation results are then sent to the ISE. If the machine is deemed compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed to access internal resources.

    http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-Appliance-ASA-software/117693-configure-ASA-00.html
