Cisco authentication at the portal comments disabled ISE

Similar Questions

• Cisco ISE 1.1.2.145 Admin authentication via the LDAP protocol

  I have configured the LDAP protocol and able to retrieve our LDAP directory structure. Now, I'm trying to point authentication "Admin Access" Source 'External identity', which is the new LDAP IS I created. But I couldn't find an option to authenticate locally if for some reason the LDAP configuration does not work. I learned that the ISE can automatically return to local auth as external sources Idenitity are inaccessible. How can I test the LDAP authentication with breaking them our Admin Access? I thought to open two parallel sessions, one with Super Admin account Local and one with the domain account. But I noticed that ISE communication is smart enough for the closing session/connection no matter what other sessions in different browsers so, basically, I can't open two parallel sessions the same machine to test. Suggestions? or am I missing something here?

  Thanks in advance.

  Hi Srinivas,

  Even if you configure LDAP as a source of external identity of admin access, you can always internal relief without having locked. According to the ISE user guide:

  During the operation, Cisco ISE is designed to "fall back" and try to perform the internal identity database authentication, if the communication with the external identity store has not been established, or if it fails. In addition, whenever an administrator for which you have configured external authentication launches a browser and initiates a logon session, the administrator must still the option authentication of demand through the local Cisco ISE database by choosing 'Internal' to the Selector drop-down storage of identity in the Connect dialog box.

  http://www.Cisco.com/en/us/docs/security/ISE/1.1/user_guide/ise_man_identities.html#wp1351543

  Please see the attached screenshot by my lab ISE:

  

  I configured the admin authentication against AD, but I still see both 'Internal' and 'AD' at the time of the connection.

  I hope this helps.

  Thank you

  Aastha

• ISE according to the time portal comments

  G ' Day all,

  Could anyone advise if it is possible to extend or change the time profile of a guest account that has already been created? I'm trying to understand the use of time within the portal of Sponsor profiles. Imagine that a guest user has an account that gives them access to 2 weeks, by the end of the 2 weeks that the user requires another week of access.

  Of what I see as the time ISE profile page in the Developer Portal and config, is the user would have to wait before the expiry of the existing account and have a new account created or a new account must be created to grant additional access and the existing account could be deleted, I'm looking just for clarification if an extension of time for guest accounts is possible before the end of the account.

  Currently using ISE 1.1.3

  Thanks to the advanced guys.

  James.

  Hello

  Yes, I have increased the TAC issue and they notified me that the current version of ISE does not support guest accounts online updates, as the time profile sets the expiration date and then is not editable after that.

  Thank you

  Dave

• ISE, Portal comments about WLC

  Hello

  Currently we have wireless comments through a portal of comments in the WLC. Is it possible to apply ISE and keep the portal of comments in the WLC?

  Example:

  The user connects to an SSID with a laptop. This laptop is emerging as not belogning to the corporate network and is then redirected to the portal of WLC comments.

  All the guides I have found is to have comments at the ISE portal.

  Concerning

  Philippe

  Hi Philippe,.

  You can use the role of ActivatedGuest (or any other external identity store) and to implement authentication radius instead of LWA or CWA, this way you can keep the gate on the controller.

  Greetings

• Authentication of the machine does not work after the night of workplace surveillance ovr - ISE - 1.1.1

  I'm running an ISE 1.1.1 patch 2 and authetntication machine Windows XP using PEAP authentication with authentication computer and user.

  The issue is that when a machine is powered on fine machine authentication processes and the user authentication is successful. The problem is that, after that the machine is connected to the left and left unattended for may hours I am bounced in a guest VLAN - ISE newspapers say that they can validate is no longer the machine has been authenticated via AD. If the user reboots the computer, he is well again.

  Are there timers in AD or the machine that are hot flushes the status of RADIUS: WasMachineAuthenticated? Can someone tell me if there is a recommended configuration when the machine authentication is maintained throughout a work day or night?

  Hello rcianci.

  You experience this problem because of your authorization rule "WasMachineAuthenticated." This process (aka MAR - Machine access restrictions) occurs only when a computer is restarted or powered. Once the expiration of the timer to MAR the machine authentication fails until it is restarted again.

  Here are two ways you can try to tackle this problem:

  1. I used MAR in the past and:

  a. set the timer for 168 hours (1 week)

  b. educated users that they must restart their machines per week

  It worked 'OK' but it's still irritating to the end users. It can also cause problems if you do that for cable and because the MAC address will change and ISE/ACS will not see the new authenticated as mac address, which requires the user to perform another reboot

  2. a better way to be rid of MAR all together. If you want to keep things simple, you can just use PEAP machine based authentication using the credentials of the machine. It's not always ideal, but if your ad is correctly locked where only certain users can join computer to a domain then you should be good to go. However, if you want to continue to use the machine + user you will need to look at something a little more complex such as EAP-chaining.

  I hope that this help... Let me know if you have any other questions

  Thanks for the note!

• RADIUS authentication for the switch using ISE

  Hi guys,.

  Someone did he do Radius Authentication for switch cli connection using ISE?

  We did it in our environment with ISE, but it is a challenge to give read-only access / Priv-1.

  If some users know the enable password, they can use and earn full privilege.

  Anyway to get around this other than to change the enable password?

  We have thousands of switches and won't change on each of them.

  If you have another method please advice.

  Thank you in advance.

  Well, you can set the "enable" function also be controlled via the AAA server with the following command:

  AAA authentication enable... This way server AAA will be checked for authentication for the secret to activate and use the local database as a last resort

  I hope this helps!

  Thank you for evaluating useful messages!

• How to disable the portal Cache

  Hello
  When I change the data in the database table, it is not reflected in the portlets to the portal and they show old data. Data updates show that when I empty the cache. I want to automate this process. In other words, when the data changes in the database, it must be immediately reported.
  
  On the page of the EM, I go into the component 'portal', then in 'cache portal settings', and then I disable the cache. Is this the right approach?
  
  Also on the same page, in the 'cleaning' section, there is an option called 'Maximum ages for queues (days) Cache. What happens if I put this vacuum? or put zero in?
  
  concerning

  Yes, it should go in the portlet code.

• Keyboard does not work after authentication on the RDS Session host

  When you connect to the RDS through the access portal or app keyboard does not work after authentication on the RDS session host. Offline authentication works very well, past will guide you to the RDS host, then when you try to reset your password, the keyboard does not work.

  Has anyone else had that... ?

  Options (some better than others!) are:

  1. move all MS applications seamless

  2. have an application named "Reset your password" (or similar) which uses MS Seamless.then you can leave other applications, as they are

  3 disable authentication carried forward and implemented our service reset password instead so people reset their password before can connect you.

  4. use the full desktop instead of transparent

• The number of devices (MAB) can be authenticated via the internal identity stores ACS 5.3? ACS 1120 (802.1 x))

  Hello

  I m currently looking for a document that specify the number of MAC addresses can be stored and authenticated via a GBA (1120)? I prefer to use the identity store internal AD or LDAP for authentication of the MAB for 802.1 X project.

  I would like to know what impact the GBA? CPU/MEM?

  What is the impact on the user authentication? delay, delay, etc.

  Please specify any other restrictions or side effect.

  Thanks for your comments

  Concerning

  Torsten Hello,

  I have confirmed on our database as well as this community and the answer is the same

  Refer to:

  https://supportforums.Cisco.com/thread/2101657

  Added additional information:

  Internal Users : 300000 Internal Hosts : 50000

  Best regards.

• The NAC Agent autoUpgrade ISE possible?

  Hi all

  I have this:

  802.1 x-window with the NacAgent version (say 1) <---->802. 1 x switch active (RADIUS aaa OK) <------>ISE and AD on the same LAN

  ISE is configured for client provisioning with hardware (NacAgent version 2) downloaded from Cisco's Web site (as described in the documentation)

  I have a basic plan of authentication and authorization that allow me to well but I expect the NACAgent to be upgraded.

  No profiling is configured at the moment.

  Is that someone can help?

  Best regards?

  Hello

  In the ISE settings provisioning client, activate you the option where the NAC upgrade agent is required. However, it is to you to run updates perioidic and map the most recent agent in the configuration of the parameters of the client.

  Thank you

  Tarik Admani
  * Please note the useful messages *.

• functions of YouTube works do not (such as adding to the playlist comment)

  Hello.
  functions of YouTube works do not (such as adding to the playlist comment) has stopped working, they are still working for the same account on chrome or another browser. (when it happened I didn't update or downgrade programs, addons, plugins that run in firefox or chrome, I don't see why all of a sudden).
  so I can't like videos, I get the message 'feature not available try later', can't add videos to the playlist (whole playlist including fav, as: Watch more later playlist pre made by youtube) and can't comment, for these 2 functions, I get the message 'invalid request '.
  all this happen again and many times, they stop or I can't make it work with reboot, refresh, try again.
  I did a fresh install of firefox and all it's the addons, plugins, same installation fees of adobe and divx, vlc products (which have the plugins or addons in firefox)
  After installing I could like comment add to playlist, before the snap all the addons, but I could only play HTML5 in youtube, any video that had no HTML5 support required at adobe. (after that I installed adobe it worked until I restarted the browser).
  now it does not work yet. (to disable, uninstall all the addons, plugins does not affect the problem)

  Some issues may also occur because of ProxTube - at least, I realized that I was was instantly redirected to the first film in the playlist on youtube - having no chance to see the entire playlist. It works when I disabled ProxTube.

• I would love to see my idea of ISEEDS Apple. Wireless. Bluetooth headsets in the form of seeds. No more son. And the landslide simply out of the back of the phone.  They are always charged. A simple click of your thumb to the rear and an iseed flicks or

  I would love to see my idea of ISEEDS Apple. Wireless. Bluetooth headsets in the form of seeds. No more son. And they simply slide to the back of the phone.  They are always charged. A simple click of your thumb at the back and an iseed movies out. And an Apple healthy seeds

  Garry Graham

  Please you not to Apple here. This is a user forum. You can share your comments with a Apple. They will not respond, but at least they'll know your suggestion.

  http://www.Apple.com/feedback/

• I'm using Outlook Express and from time to time, the box "leave a copy of messages on the server" becomes disabled automatically.

  Hi, Im using Outlook Express and from time to time, box "leave a copy of messages on the server" becomes disabled automatically.

  Ive checked the Task Manager, its not running after close Outlook.

  Appreciate your comments.

  This can be dependent on ISP or it could just be OE spoil.  I saw this happen at any time.  You can try to backup the message store, and then delete the mail account completely (you will not lose messages).  The file to run. Folder | All compact.  Then close and reopen OE and then add the account back again.  See if things stick after that.

  Steve

• Already registered on the portal OnPlus - cannot add a device already enabled/customer

  Hello

  I am registered on OnPlus.

  Then my colleague registered and activated a device.

  I could not activate the device - even if my PC is on the same subnet and can connect to it very well (with the password provided by my colleague).

  When he sends me an invitation for the device - it takes me to the registration page.

  If I get my information from record (again) - I get (not surprisingly)...

  "We had a problem with your submission. Please correct the following errors. This user ID is already registered. »

  Still-, there is no choice because "I am already registered.

  When I connect OnPlus and try to "Add Customer" - I put in the details, then it goes to the activation screen with

  "CustomerX / status".

  To activate this client:

  Install the Agent network OnPlus on the premises of the customer and connect it to the LAN client.

  Turn the Network Agent OnPlus the switch zipper on the back panel of the Network Agent OnPlus.

  If your computer is connected to the same network as the network OnPlus Agent, click on the button activate now below.

  Otherwise, follow the instructions for activation in the guide getting started for the Cisco OnPlus Network Agent.

  Activation for this customer information are:

  Activation ID:... »

  If I click on activate it says

  "Unable to determine a local IP address for all Agent OnPlus of network into your current network.

  Check that the Network Agent OnPlus is connected to the same local network as this browser. OnPlus Network Agent must be on the same public WAN IP address (203.25.x.x) in your web browser block current.

  Not enabled OnPlus network Agents will attempt to disseminate their IP up to 30 minutes and if successful will appear here for 4 hours. Try to stop power OnPlus Network Agent if it has been online for more than 30 minutes.

  Verify that the DHCP service is running on the local network so that network OnPlus Agent is able to acquire an IP via DHCP. You will be able to change Agent of the OnPlus network to use a static IP address if you choose to (recommended), but the DHCP service is required to access the Network Agent OnPlus start.

  Ensure that DHCP clients can route to the Internet.

  If the Network Agent OnPlus hosting site has multiple WAN paths to the Internet, try refreshing this page. Your browser must Access this page from the IP WAN as the Agent of OnPlus network address. »

  We even tried power cycling it, and I'm definitely on the same subnet.

  There was no possibility of entering an IP address no matter where manually - process regarding the "Impossible to determine an IP address local for all Agent OnPlus network on your current network."

  I ping the device and even connect to its graphical interface. It simply does not appear as any way to add this unit to my own account on the portal OnPlus.

  That please?

  Hello Brett.

  The On100 device can be associated with a single customer and a customer cannot exist in more than one Agent account. From your description, I understand that your colleague registered as a OnPlus Agent, created an account customer, and then active the On100 device under this new client.

  However, it is possible for you to have access to the customer site by becoming a sub-agent under account OnPlus Agent of your colleague.  And according to the description above, it seems that your colleague has already sent you an invitation to become a subagent.  The problem now is that you have previously registered your EAC as OnPlus Agent id.  It is not possible for a single CCE id or an Agent and a secondary agent in the OnPlus portal.

  To allow your registration as sub-agent, we remove your EAC to your portal id.  It is a manual step that I am happy to help you.  Simply unicast your Agent account information to [email protected] / * / .  Once I take off your CEC id you will be OK to complete the registration of subagent.

  Here's some more information about the creation of the sub-agents in the portal OnPlus.  A previous post jamwyatt courtesy of response:

  In the account that contains the Agent network ON100, you can add other agents, on invitation. On the overview page, there is a menu agent at the top that will allow you to invite the officers. Once you invite an agent, and they sign up, they will be able to see the same view you see. The design intent is that you set up a master account for your business, then you invite other employees and contractors to adhere as agents of this account. Each guest will need a Cisco ID and once that they sign up, they will have to be approved by the owner of the main account (same menu agent, selection "of Agents in waiting"). Using this approach, the owner of the company retains the main account and allows you to manage completely all agents.

  Kind regards

  -r.

• Add user access to the portal

  Hello

  I have the role of Managing Director on the portal how can I add colleagues more access to the portal, also how to give access to users customers

  Hi Marc,

  Here are the steps to grant access based on roles on the portal of the NMP, please go through this document.

  https://supportforums.Cisco.com/document/12583596/adding-new-users-smart-net-total-care-portal

  Thank you

  Anusha.