Cisco ISE 1.1.1 with Windows posturing

Hello

We tried to configure Windows posturing; here's the scenario:

We have five ISE 3315 boxes running version 1.1.1; of them, 2 are admin, 2 are PS and 1 is MNT,

and we have local Symantec and WSUS servers.

We are configuring posturing for Windows, and I have a few questions:

(1) Is there an integration of the local WSUS server with Cisco ISE where Cisco ISE can automatically take all the mandatory WSUS updates according to the criticality set on the WSUS server?

(2) What is the advised way to set up the Windows posture policy in Cisco ISE? If we manually configure the Windows posture policy using specific KBs, and a new update becomes available from Microsoft, will we be able to configure the policy for the new update?

(3) We have configured dot1x authentication in Cisco ISE as well as on the switch port, so that once a user connects to the dot1x switch port it prompts for the dot1x username and password, and then the authorization policy assigns the appropriate dynamic VLAN.

But what are the ways to restrict a machine that is not a company asset? Even if the username and password are known (in short, to any employee), how can we restrict the user from using a machine that is not a company asset?

(4) Can we configure the posture policy for antivirus so that it stays in normal mode, and at the same time put Windows posturing in monitoring mode, which only monitors the posture policy and reflects it in the monitoring log without restricting the network for Windows posturing?

It would be great if anyone could please help me with these issues.

Thank you

Pranav

The following is under Policy > Policy Elements > Posture > Requirements:

The following is under Policy > Policy Elements > Posture > Remediation Actions > Windows Server Update Services Remediation:

The following is under Policy > Posture:

These settings work ALMOST flawlessly for me, forcing the updates we approved on our WSUS server for our workstation group (all of our laptops are members of it) that meet the EXPRESS severity criteria (Critical and Important). Now, what I've discovered in the last few days is that... MS seems a bit random in what severity level they assign to their updates. For example... I would think that an operating system service pack would be considered IMPORTANT if not CRITICAL... however... look at how the WSUS server classifies Windows 7 Service Pack 1:

So, for whichever updates you find missing, I'd go through your WSUS server to identify how they are classified by severity, then set the ISE parameters according to your needs to make sure you get the updates you intend.

Hope this helps everyone out there who has similar problems.

Thank you

Dirk
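One way to do the WSUS check Dirk describes, as an added example that is not part of the thread: it lists which approved updates ISE's "Express" (Critical + Important) severity selection would enforce and which approved updates it would silently skip. The function name, the sample update objects and the placeholder KB numbers are constructed for this example; the property names mirror IUpdate from the Microsoft.UpdateServices.Administration API so real objects from GetUpdates() can be passed in.

```powershell
# Added example, not from the thread: audit how the updates approved on a WSUS
# server are tagged by MSRC severity, so you can see which approved updates fall
# outside ISE's "Express" (Critical + Important) selection before relying on it.
# Title/MsrcSeverity/IsApproved/IsDeclined mirror IUpdate from the
# Microsoft.UpdateServices.Administration API, so real objects can be passed in.

function Get-WsusSeverityReport {
    param(
        [Parameter(Mandatory)] [object[]] $Updates,
        # Severities matching ISE's "Express" choice; override to match your ISE setting
        [string[]] $RequiredSeverity = @('Critical', 'Important')
    )
    $approved = $Updates | Where-Object { $_.IsApproved -and -not $_.IsDeclined }
    [pscustomobject]@{
        # approved AND tagged Critical/Important: ISE will require these
        Required = @($approved | Where-Object { $RequiredSeverity -contains [string]$_.MsrcSeverity })
        # approved but tagged otherwise: ISE's severity check never enforces these
        Ignored  = @($approved | Where-Object { $RequiredSeverity -notcontains [string]$_.MsrcSeverity })
    }
}

# Constructed sample data standing in for $wsus.GetUpdates(); KB numbers are placeholders.
# The service-pack entry mirrors the Win7 SP1 case from the thread: approved, but not
# tagged Critical or Important, so "Express" never enforces it.
$sample = @(
    [pscustomobject]@{ Title = 'Security Update for Windows 7 (KB0000001)'; MsrcSeverity = 'Critical';    IsApproved = $true;  IsDeclined = $false }
    [pscustomobject]@{ Title = 'Security Update for Windows 7 (KB0000002)'; MsrcSeverity = 'Important';   IsApproved = $true;  IsDeclined = $false }
    [pscustomobject]@{ Title = 'Windows 7 Service Pack 1 (KB0000003)';       MsrcSeverity = 'Unspecified'; IsApproved = $true;  IsDeclined = $false }
    [pscustomobject]@{ Title = 'Update for Windows 7 (KB0000004)';           MsrcSeverity = 'Moderate';    IsApproved = $false; IsDeclined = $false }
)

$report = Get-WsusSeverityReport -Updates $sample
'Approved and enforced by ISE (Express):'
$report.Required | Format-Table Title, MsrcSeverity -AutoSize
'Approved on WSUS but NOT enforced by ISE:'
$report.Ignored  | Format-Table Title, MsrcSeverity -AutoSize

# Against a real server (run where the WSUS console/API is installed):
# [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
# $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
# Get-WsusSeverityReport -Updates $wsus.GetUpdates()
# IsApproved is server-wide; use $update.GetUpdateApprovals() to check one target group.
```

With the sample data the service pack lands in the "NOT enforced" list, which is exactly the gap Dirk hit; anything listed there needs either a severity-independent rule in ISE or a different severity selection.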

Tags: Cisco Security

Similar Questions

  • Authentication (Windows Server 2013) AD Cisco ISE problem

    Background:

    Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users and admin access to the WLC and switches. The backend database is Microsoft AD running on Windows Server 2012. The existing Cisco ACS 4.2 is still running and authenticating users. There are two Cisco WLCs, version 7.2.111.3.

    Wireless users authenticate to AD through ACS 4.2, which works. Admin access to the WLC and switches via AD through ISE works. Wireless access authenticates with PEAP-MSCHAPv2 and admin access with PAP/ASCII.

    Problem:

    Wireless users cannot authenticate to AD through ISE. The error messages are '11051 RADIUS packet contains invalid state attribute' and '24444 Active Directory operation failed because of an unspecified error in ISE'.

    Ran the detailed AD test from ISE. The test was successful and the result seems fine except for the below:

    xxdc01.XX.com (10.21.3.1)
    Ping: 0 Mins Ago
    Status: down

    xxdc02.XX.com (10.21.3.2)
    Ping: 0 Mins Ago
    Status: down

    xxdc01.XX.com
    Last success: Thu Jan 1 10:00 1970
    Last failure: Mon Mar 11 11:18:04 2013
    Success: 0
    Failures: 11006

    xxdc02.XX.com
    Last success: Fri Mar 11 09:43:31 2013
    Last failure: Mon Mar 11 11:18:04 2013
    Success: 25
    Failures: 11006

    Domain controller: xxdc02.xx.com:389
    Domain controller type: unknown, DC functional level: 5
    Domain name: xx.COM
    IsGlobalCatalogReady: TRUE
    DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    ForestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)

    Action taken:

    (1) Logged into Cisco ISE and the WLC using AD credentials. This rules out the AD connection, clock and AAA shared secret as the problem.

    (2) Tested wireless authentication using EAP-FAST, but the same problem occurs.

    (3) The detailed error message is shown below. This rules out any authentication and authorization policies: even before hitting the authentication policy, the AD lookup fails.

    12304 Extracted EAP-Response containing PEAP challenge-response
    11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006 Matched default rule
    15013 Selected Identity Store - AD1
    24430 Authenticating user in Active Directory
    24444 Active Directory operation failed because of an unspecified error in ISE

    (4) Enabled AD debug logging and had a look at the logs. Nothing significant, and no clue about the problem.

    (5) Tested wireless on different mobile phones and laptops, with the same error.

    (6) Deleted and re-added the AAA client/device entries on Cisco ISE and the WLC.

    (7) Restarted the ISE services.

    (8) Rejoined the domain on Cisco ISE.

    (9) Checked the release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Could not find anything related to this problem.

    (10) There are two ISEs and two WLCs deployed. Tested different combinations of ISE1 to WLC1, ISE1 to WLC2, etc. This rules out a hardware problem with the WLC.

    Other possibilities/actions:

    (1) Test it on another WLC version. Will have to wait for approval of the outage to upgrade the WLC software.

    (2) Incompatibility between Cisco ISE and AD running on Microsoft Windows Server 2012.

    Has anyone experienced something similar or have ideas on why this is happening?

    Thank you.

    Update:

    (1) Built another Cisco ISE 1.1.3 server in another data center that uses the same domain but a different domain controller. That domain controller is running Windows Server 2008. This works and authentication is successful.

    (2) My colleague tested Cisco ISE 1.1.2 with Windows Server 2012 in a lab environment. He had the same problem as described.

    This leads me to think that there is a compatibility issue between Cisco ISE and Windows Server 2012.



    Yes, it seems that 1.1.3 doesn't support Server 2012 as of yet.

    External Identity Source OS/Version:
    Microsoft Windows Active Directory 2003 R2 32-bit and 64-bit
    Microsoft Windows Active Directory 2008 32-bit and 64-bit
    Microsoft Windows Active Directory 2008 R2 64-bit only
    Microsoft Windows Active Directory 2003 32-bit only

    http://www.Cisco.com/en/us/docs/security/ISE/1.1/compatibility/ise_sdt.PDF

  • Integration of Cisco ISE with another vendor's wireless LAN controller

    Hi all!

    I am currently working on an assignment and eager to integrate the Identity Services Engine in the network. The only problem is that the wireless network deployed earlier is from another vendor. I just need to know whether ISE can integrate with another vendor's wireless controller and provide guest access control. LDAP integration is also required.

    Waiting for help!

    Hello

    To my knowledge, yes, Cisco ISE can be integrated with another vendor's wireless LAN controller, but with limitations (Aruba, Ruckus), and if you want to add external identity groups to your network, then LDAP integration is required.

  • Question about my first deployment of Cisco ISE

    Hi, thanks in advance,

    It's my first time implementing Cisco ISE 1.1.4 with VMware ESXi v5.5.

    So far I have done the following:

    - Created NTP, DNS and AD; of course ESXi is running and they have links to each other; ISE is able to synchronize time with the NTP server and reach DNS, AD, etc.

    - Created a repository for installation of the application bundle, ise-appbundle-1.1.4.218.i386, and I could not find any fault with the application.

    However, while I was doing the installation it said '/opt/oracle/base/product/11.2.0/dbhome_1/bin/lsnrctl: error while loading shared libraries: libclntsh.so.11.1: cannot open shared object file: No such file or directory'.

    I already checked some forums and communities, and I have no problem with time synchronization of DNS with NTP or of ISE itself with NTP.

    I have no firewall between the devices and no other network devices interfere.

    And at the end of the logs, it comes up like this:

    ########################################################################################
    ERROR: CANNOT START DB!
    Database is not available in 240 seconds Timeout.
    This could be the result of incorrect network interface configuration
    or the lack of resources on the device or the virtual computer. Please solve the problem, run the following CLI to start the database again:
    "reset - config application ise"
    ########################################################################################

    I'm just lost now... Any recommendation?

    Well, it is true that the CCIE Security lab uses ISE 1.1 as its base. So for a lab installation for that purpose only, you might go with it.

    90% of the things are similar and the concepts are identical from 1.1 to 1.3. The first versions were buggy, however, and we recommend that all production users go with 1.3.

    A new installation of 1.1.4 should be OK; but you would not use the ISE appbundle gz archive - you need to use the new installation ISO.

    Please see the screenshot below.

  • Cisco ISE Guest Portal - DNS problem - External zone

    Hello

    I have a client that has the following scenario:

    In a wireless deployment with Cisco ISE 1.1.3 and CWA, when the wireless client receives the ISE redirect URL (the URL to access the ISE guest portal), this URL is based on the ISE DNS name, not on its IP address. Thus, the PC cannot resolve this DNS name, because there is no DNS in the external zone (for the guests) or because it uses the ISP-provided DNS server addresses handed out by the DHCP server, and therefore it cannot access the guest portal at all.

    I know that trying to manually hard-code the IP address doesn't work (i.e. in the CWA authorization profile, the equivalent URL redirection via the Cisco AV pair as follows:

    Cisco-AV-Pair = url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa

    given that the sessionIdValue variable is not replaced by its real value when sent to the wireless client).

    My question is: has this issue been addressed in version 1.2 of Cisco ISE? Has anyone tried it and seen whether it has been fixed? If not in 1.2, does anyone know if this feature will become available?

    Thanks in advance for your answers.

    Robert C.

    Robert,

    Manual assignment has been made available in version 1.2 of ISE.

    M.

  • Do I need Cisco ISE VM part # L-ISE-VM-K9= to install on ESXi?

    Hello

    Do I need the L-ISE-VM-K9 license to install Cisco ISE on ESXi?

    In fact, Cisco ISE can be downloaded with a 90-day eval license.

    I know an ISE license (base license, for example) is required.

    Thank you very much.

    Greetings,

    Norbert

    Although the demo you use is free, you have to pay for L-ISE-VM-K9 when you move to a production model because it uses an Oracle database licensed under it.  You must do this for each instance of ISE you are running.  You can then buy wireless licenses as necessary for your number of devices.

  • Cisco ISE 1.3 with FlexConnect wireless: supported functions

    Hello

    My environment consists of FlexConnect-mode wireless and Cisco ISE 1.3; are these features supported?
    Basic AAA functions
    Profiling
    Posturing
    VLAN override
    ACL override
    Guest provisioning

    TrustSec 2.0: is this MDC not supported? Has anyone tried this feature?

    These all work with ISE 1.3 and FlexConnect WLANs.

    You need the right ISE license - the Mobility (wireless) license type will cover everything. If you have wired and wireless, then you must have Base (for most features) + Plus (for profiling) + Apex (for posturing).

  • Cisco ISE posture assessment and client provisioning

    Hello

    I have Cisco ISE and a Cisco IOS device. I configured RADIUS between these devices.

    Also, I configured RADIUS between Cisco ISE and a Cisco ASA. Now I want to know how to do posture assessment for these devices (Cisco ISE and Cisco ASA, or Cisco ISE and Cisco IOS). Please give me the steps for posture assessment of a Cisco IOS device in Cisco ISE.

    In addition, please give me the logs related to posture assessment and client provisioning.

    Thanks in advance.

    You can go through the link below to download a PDF on posture assessment with ISE.

    http://www.Cisco.com/Web/CZ/expo2012/PDF/T_SECA4_ISE_Posture_Gorgy_Acs.PDF

    ~ BR
    Jatin kone

    *Please rate useful posts*.

  • Cisco ISE posture compliance

    Hello!

    Does anyone know about Cisco ISE?

    I have a problem with posture compliance. I installed the NAC Agent on a PC, a Catalyst 2950, and ISE. Authentication is great, but posture compliance does not work. I'll send you information if you want to help me.

    Thank you!

    The Catalyst 2950 does not support CoA (RADIUS Change of Authorization), which is required for enforcement to work: http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038

  • Unable to connect to WPA2 network with Windows 7 64-bit (Intel 4965 and Cisco WUSB600N)

    Connecting to a WPA2 network seems to be a fairly common problem.  Yet I can't seem to find a solution.

    OS: Windows 7 Ultimate 64-bit

    Wireless adapter(s): Intel 4965AGN (integrated into Dell XPS M1330) and Cisco/Linksys WUSB600N

    Drivers: latest Windows 7 64-bit drivers from the two companies' websites.  Intel (v12.4.1.4), Linksys (3.0.10.0)

    Network properties: WPA2 Enterprise, AES encryption, PEAP authentication, several types of routers around the world

    History: was able to use the same laptop with Vista 32-bit on this network without any problem

    I can connect to non-WPA networks; WPA networks simply not.

    When trying to connect to my company's WPA2 network (at any of our locations around the world):

    Method #1:

    1. Select "Other network" in the network list
    2. Enter the SSID of the network
    3. Windows could not connect to the SSID

    Method #2:

    1. Open Network and Sharing Center
    2. Select "Set up a new connection or network"
    3. Select "Manually connect to a wireless network"
    4. Select one of my adapters
    5. Enter the SSID, WPA2-Enterprise as security type, AES as encryption type, and check the boxes to connect automatically and to connect even if the network is not broadcasting
    6. An unexpected error has occurred

    Method #3: Try to trick Windows

    1. Open Network and Sharing Center
    2. Select "Set up a new connection or network"
    3. Select "Manually connect to a wireless network"
    4. Select one of my adapters
    5. Enter the SSID but select an open network
    6. Adds the network
    7. Then try to change properties
    8. Set security type to WPA2-Enterprise
    9. Set encryption type to AES
    10. The "Choose a network authentication method:" drop-down menu is empty!
    11. Windows has encountered an error saving the wireless profile.  Specific error: the profile has an invalid length field.

    I'm pretty desperate for a solution.
    Kind regards
    John

    There are a few people with Win7 x64 that cannot connect to WPA2 PEAP corporate/business networks, and no solution?

    Come on, guys, it's the Microsoft Answers site! Someone give me something! I have two Asus laptops, both with Intel network cards, having this problem on two separate enterprise (school) networks.

    Edit:

    RESOLVED:

    Here's the thread with the resolution:

    http://answers.Microsoft.com/en-us/Windows/Forum/Windows_7-networking/unable-to-connect-to-company-wireless-network/3bcd12b1-A0D8-4357-bded-07da96259920?page=3

    The problem occurs when you run the Easy Transfer wizard from a computer that had Symantec Endpoint Protection installed to one without it.

    Answer, copy-pasted:

    Inspect the key mentioned above - that is, HKLM\System\CurrentControlSet\services\RasMan\PPP\EAP.

    In each of the numbered keys look for something like ConfigPathBackup and its corresponding ConfigPath - there are a number of them.

    For each, I deleted the original key (e.g., ConfigPath) and restored the original by renaming ConfigPathBackup to ConfigPath.

    For each of them, the state is now restored to its pre-Symantec state - each key pointed to a Symantec location that is no longer present, and by restoring the backed-up path key everything was fine.
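A read-only check for the condition the thread above fixes by hand, as an added example that is not part of the thread: it walks the numbered EAP provider keys under RasMan\PPP\EAP and reports every path-valued entry whose target file no longer exists (the leftover Symantec paths the poster found). The function name is constructed for this example; ConfigPath and ConfigPathBackup are the value names the thread uses, and Path, ConfigUIPath, IdentityPath and InteractiveUIPath are the standard Windows EAP provider values assumed here.

```powershell
# Added example, not from the thread: read-only audit of the EAP provider keys
# under RasMan\PPP\EAP. For every numbered EAP type it reports path-valued
# entries (ConfigPath as named in the thread, plus the Path/ConfigUIPath/
# IdentityPath/InteractiveUIPath values Windows itself uses) whose target file
# no longer exists, e.g. a Symantec DLL left behind after Easy Transfer.
# It only reports; renaming ConfigPathBackup back to ConfigPath stays a manual step.

function Get-EapProviderPathStatus {
    param(
        [string] $EapRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP',
        [string[]] $PathValueNames = @('ConfigPath', 'Path', 'ConfigUIPath', 'IdentityPath', 'InteractiveUIPath')
    )
    Get-ChildItem -Path $EapRoot -ErrorAction Stop | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($name in $PathValueNames) {
            $raw = $props.$name
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # Expand %SystemRoot%-style variables and strip surrounding quotes the way the OS would
            $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            [pscustomobject]@{
                EapType      = $key.PSChildName            # e.g. 13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2
                Provider     = $props.FriendlyName
                ValueName    = $name
                Target       = $expanded
                TargetExists = Test-Path -LiteralPath $expanded -PathType Leaf
                HasBackup    = $null -ne $props.ConfigPathBackup  # a *Backup twin means something rewrote this key
            }
        }
    }
}

# Entries whose DLL is missing are the ones the thread's fix repairs by hand.
Get-EapProviderPathStatus | Where-Object { -not $_.TargetExists } |
    Format-Table EapType, Provider, ValueName, Target, HasBackup -AutoSize
```

Run it from an elevated PowerShell before and after the manual rename; an empty result after the fix means every EAP provider again points at a file that exists.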

  • Cisco ISE with both TACACS+ and RADIUS?

    Hello

    I'm working on wired authentication on a network using Cisco ISE. I studied the requirements for this. I know that I need to enable RADIUS on the Cisco switches on the network. The switches in the network are already configured for TACACS+. Does anyone know if they can both operate on the same network at the same time?

    Bob

    I suppose that TACACS+ is configured (with ACS 4.x or 5.x) for device administration via telnet/ssh, and now you need RADIUS to authenticate 802.1X. Yes, they can both work on the same network at the same time.

    ~ BR
    Jatin kone

    *Please rate useful posts*.

  • StealthWatch integration with Cisco ISE-3315

    Hello Experts,

    I have a Cisco ISE-3315, version 1.3.

    Can I order a Lancope StealthWatch and use it with this ISE 3315 series? Or must I have the SNS?

    Hi Imran-

    The 3315 unit supports all personas running ISE 1.3:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/Release_notes/ise13_rn.html#pgfId-527567

    Now, that being said, don't forget that this device has a lot fewer resources compared with the newer devices. So, if you decide to run all personas on it then you will be greatly limited in the number of concurrent endpoints.

    Thank you for rating useful posts!

  • Strip multiple @domain suffixes used in the username on AD integration with Cisco ISE?

    Hello

    How do I strip multiple domain suffixes in ISE with AD used as an external identity source? The username is used in the [email protected] format.

    Cisco ISE 1.2 patch 4 introduced stripping the prefix or suffix @domain/realm from the username in ISE with AD used as the external identity source. But the documentation is not updated for this feature. I am able to strip 1 domain suffix successfully, but the subsequent entries listed in the list of suffixes fail to get stripped.

    Any thoughts on the same.

    Thanks Kumar

    In ISE, under Administration > Identity Management > External Identity Sources,

    choose Active Directory on the left, select your AD server and Advanced Settings.

    Under Identity Suffix Strip, make sure "Strip prefixes below:" is selected (I know, it says prefix).

    In the Suffixes list box, enter your list of domain suffixes to strip.  The separator character is a comma (,).

    If this does not solve your problem, then I fear that a call to TAC may be in order.

    UPDATE *.

    Spaces are significant characters.  Enter the domains as such:

    @domain.com, @domain.local, @testdomain.com

    END UPDATE *.

    Please rate useful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post additional questions.

    Charles Moreton

    Post edited by: Charles Moreton

  • Cisco VPN Client with Windows 7 Home Premium 64-bit

    I recently bought a new laptop with Windows 7 Home Premium 64-bit.   I need to connect to an IPsec VPN for work.  I tried the current VPN client and, after reading the posts in this group, I tried vpnclient-win-msi-5.0.07.0240-k9-BETA.exe.  When I tried to install the beta version, I got the following error message:

    Error 28011: Windows 64-bit is not supported by Cisco Systems VPN Client 5.0.07.0240.

    Any suggestion would be appreciated.

    Hello

    You should download the 64-bit version. vpnclient-winx64-MSI-5.0.07.0240-K9-Beta.exe is the 64-bit version; the one you tried to install is the 32-bit version.

    Thank you

    John

  • Does the Cisco ACS 1113 v4.2 appliance work with Windows 2008?

    Hello

    I have a wireless infrastructure currently in production. All my Cisco LWAPs are managed by a Cisco WLC. Authentication is done via RADIUS through my Cisco ACS 1113 appliance running version 4.2. The Cisco ACS 1113 appliance communicates with my Windows 2003 Active Directory. Everything is good now.

    Next month, we plan to upgrade Active Directory from Windows 2003 to Windows 2008. Will everything be fine, or will there be issues? Please advise kindly.

    I saw another post in this community that states https://supportforums.cisco.com/thread/1003597?tstart=0. I am now confused. Help, please.

    Kind regards

    RAM

    + 60122918870

    ACS 4.2 does not work with Windows 2008 R2.  I had a TAC case open about this, and basically they told me that I had to switch to ACS 5.2.   I've been doing demos there and it authenticates with Windows 2008 R2 very well.


    Please help me get the results below. My order of requirement by date am day then MPSelect d)SELECT TO_CHAR)To_date (' August 15, 2009, 16:30 ')(' DD/month/YYYY, hh: mi: ss AM')(' YYYY-MM-DD hh: mi: ss AM') dOF THE DOUBLEUnion of all theSELECT TO_CHA