Cisco ISE comments settings problem

Similar Questions

• Cisco ISE comments Sponsor Isssue Portal

  Hi all

  We have insatalled 5 boxes of ise 3315 IOS 1.0.4 in our network where in two of them are admin node, two services strategy and has a node mnt. We using sponsor portal for guest user wirless comments where we integrated WLC 5508 with ise and using weblogin for guest users.

  We have created open ssid wlc and external aid redirected url to ise for the login page of comments.

  But when we create a guest in the sponsor for guest user connection, user that we faced after publication

  (1) when guest user gets connected to WiFi and connect to the portal of comments with credentials after putting the credentials then his new redirect to the same login page

  wihout invites successful connection.

  Can us guest login successful after comments connect to the portal of reviews or redirect any other link as google.com for guest user will be done the knowledge he is able to access the internet now

  (2) we have appointed time profile 8hours first user login guest. When the guest user gets connected while putting in credentials on the portal of comments.

  But we are facing problem after about 20 mins enhanced disconnects Internet and comments again Gets the login page of the portal of the guest and if we put the same credentials, then his work but after about 20 min interval disconnected Internet user.

  Can someone help me resolved on observation about covers them cisco ise comments sponsor Portal

  Thank you & best regards

  Pranav Gade

  Pranav your answers are online,

  (1) when guest user gets connected to WiFi and connect to the portal of comments with credentials after putting the credentials then his new redirect to the same login page

  wihout invites successful connection. When you use CWA (Central web authentication) there is no way we can redirect users by using the redirect url because it will always redirect users for each time they start a web request. There is no other cost functionality that will remove this condition because they have already been authenticated.  Here is a guide that explains the user experience when using web Central auth -

  http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/user_guide/ise_guest_pol.html#wp1296954

  Can us guest login successful after login guest Portal comments or redirect any other link as google.com for guest user will be acquainted with it is able to access the internet now This is not possible, you can change the verbage and force the AUP to be displayed to users informing them that they can start their web request after hitting the button I accept.

  Here's to justify it experience, once users go through the process of reviews-

  http://www.Cisco.com/en/us/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final

  (2) we have appointed time profile 8hours first user login guest. When the guest user gets connected while putting in credentials on the portal of comments.

  But we are facing problem after about 20 mins enhanced disconnects Internet and comments again Gets the login page of the portal of the guest and if we put the same credentials, then his work but after about 20 min interval disconnected Internet user. Check advance timer on your SSID you can be hitting the session on the WLC timeout. Please disable this option and let the functionality of COA ISE at expiration of the user on the controller sessions of.

  Thank you

  Tarik Admani
  * Please note the useful messages *.

• Cisco ISE comments Portal - DNS problem - External area

  Hello

  I have a client that has the following sceanrio:

  In a wireless deployment and deployment Cisco ISE 1.1.3 with CWA, when the wireless client receives the URL ISE redictect (URL to access the portal of ISE comments), this URL is based on the ISE DNS name, not on its IP address. Thus, the PC cannot solve this problem by DNS name because there is no DNS in the external area (for the guets) or by using the addresses of servers DNS ISP provided by the DHCP server, and therefore it cannot access the portal comments at all;

  I know that in an attempt to manually code the IP address - it doesn't (IE in the authorization profile CWA, the equivalent URL redirection via the pair av CISCO as follows:)

  Cisco-AV-Paire = redirect url =https://10.10.10.10:8443/guestportal/gateway? sessionId = sessionIdValue & action = cwa,)

  given that the sessionIdValue variable is not replaced by its real value when sending to the wireless client)

  My question is: this question has been addressed in version 1.2 of Cisco of ISE - has anyone tried it if has been processed? If not in Cisco 1.2 - does anyone know iof this feature will become available?

  Thanks in advance for your answers.

  Robert C.

  Robert,

  Manual assignment has been made available in version 1.2 of the ISE.

  M.

  

• Cisco ISE 1.4 comments account Backup

  I currently deploy portal free registry for comments, I now of questions you want to certify, I just want to know to anyone facing the same problem as me.

  (1) except REST API any way to export the guest account

  (2) backup of the Appendix will include the guest account or not

  (3) what deployment node 2, guest account will sync on both nodes?

  Sorry for the bad English.

  Kind regards

  Alan

  1.] I don't think - I can see a well on the same feature request

  CSCty82007    ENH: Export invited accounts set up in ISE

  2.] Yes - backup should have all guest accounts.

  [3.] the Cisco ISE guest services use distributed the Cisco ISE management system to allow several Cisco ISE nodes to work in a deployment. Configurations performed on the head node is replicated to the secondary nodes.

  ~ Jousset

• Change the URL redirection in Cisco ISE 2.1.0 comments Portal CWA

  Hello

  I've set up a guest Portal CWA with WLC 5508 8.0.133.0 and ISE 2.1.0.

  I did all the rules both Authenticatin and authorization, and I also see customers hit the rules of law. The rule of being redirects the client to a captive portal in ISE like this: cisco-av-pair = redirect url =https://ip:port/Portal/Gateway? sessionId = SessionIdValue & Portal = d30c7eb0...

  I have 3 different customer portals for each SSID and everything works fine.

  The problem is that, when the wireless client receives the URL ISE redictect (URL to access the portal of ISE comments), this URL is based on ISE DNS name, not on its IP address. My ISE FULL domain name is iselab01.example.local and the certificate indicating that the portal comments field is example.local.

  Now I was asked to create a new portal of comments but this time I have the certificate belongs to the domain example.org and need to redirect to this new portal comments use this new domain.

  I tried to code, in the authorization profile CWA, redirection to equivalent URL through the CISCO av pair as follows:

  Cisco-av-pair = redirect url =https://iselab01.example.org:8443/Portal/Gateway? sessionId = SessionIdValu...

  but it does not work, since the sessionIdValue is not replaced with its actual value when sending to the wireless client.

  Is it possible to change the URL for redirection of ISE somewhere just for a portal of comments?

  Best regards

  Simply use the automatic CWA parameter in the authz profile, rather than enter the cisco-av-pair yourself, you will find that you can change the part of the FQDN of the url, if the session ID is kept intact.

• Authentication (Windows Server 2013) AD Cisco ISE problem

  Background:

  Has deployed two Cisco ISE 1.1.3. ISE will be used to authenticate users wireless access admin WLC and switches. Database backend is Microsoft running on Windows Server 2012 AD. Existing Cisco ACS 4.2 still running and authenticate users. There are two Cisco WLCs version 7.2.111.3.

  Wireless users authenticates to AD, through works of GBA 4.2. Access admin WLC and switches to the announcement through ISE works. Authentication with PEAP-MSCHAPv2 access and admin PAP/ASCII wireless.

  Problem:

  Wireless users cannot authenticate to the announcement through ISE. This is the error message '11051 RADIUS packet contains invalid state attribute' & '24444 Active Directory failed because of an error that is not specified in the ISE'.

  

  Conducted a detailed test of the AD of the ISE. The test was a success and the result seems fine except for the below:

  xxdc01.XX.com (10.21.3.1)

  Ping: 0 Mins Ago

  Status: down

  xxdc02.XX.com (10.21.3.2)

  Ping: 0 Mins Ago

  Status: down

  xxdc01.XX.com

  Last success: Thu Jan 1 10:00 1970

  March 11 failure: read 11:18:04 2013

  Success: 0

  Chess: 11006

  xxdc02.XX.com

  Last success: Fri Mar 11 09:43:31 2013

  March 11 failure: read 11:18:04 2013

  Success: 25

  Chess: 11006

  Domain controller: xxdc02.xx.com:389

  Domain controller type: unknown functional level DC: 5

  Domain name: xx.COM

  IsGlobalCatalogReady: TRUE

  DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)

  ForestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)

  Action taken:

  Log Cisco ISE and WLC by using the credentials of the AD. This excludes the connection AD, clock and AAA shared secret as the problem.

  (2) wireless authentication tested using EAP-FAST, but same problem occurs.

  (3) detailed error message shows below. This excludes any authentication and authorization policies. Even before hitting the authentication policy, the AD search fails.

  12304 extract EAP-response containing PEAP stimulus / response

  11808 extracted EAP-response containing EAP - MSCHAP VERSION challenge response to the internal method and accepting of EAP - MSCHAP VERSION such as negotiated

  Evaluate the politics of identity

  15006 set default mapping rule

  15013 selected identity Store - AD1

  24430 Authenticating user in Active Directory

  24444 active Directory operation failed because of an error that is not specified in the ISE

  (4) enabled the registration of debugging AD and had a look at the logging. Nothing significant, and no clue about the problem.

  (5) wireless tested on different mobile phones with the same error and laptos

  (6) delete and add new customer/features of AAA Cisco ISE and WLC

  (7) ISE services restarted

  (8) join domain on Cisco ISE

  (9) notes of verified version of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Find anything related to this problem.

  10) there are two ISE and two deployed WLC. Tested a different combination of ISE1 to WLC1, ISE1 to WLC2, etc. This excludes a hardware problem of WLC.

  Other possibilities/action:

  1) test it on another version WLC. Will have to wait for approval of the failure to upgrade the WLC software.

  (2) incompatibility between Cisco ISE and AD running on Microsoft Windows Server 2012

  Did he experienced something similar to have ideas on why what is happening?

  Thank you.

  Update:

  (1) built an another Cisco ISE 1.1.3 sever in another data center that uses the same domain but other domain controller. Thai domain controller running Windows Server 2008. This work and successful authentication.

  (2) my colleague tested in a lab environment Cisco ISE 1.1.2 with Windows Server 2012. He has had the same problem as described.

  This leads me to think that there is a compatibility issue of Cisco ISE with Windows Server 2012.

  
  

  
  

  Yes, it seems that 1.1.3 doesn't support Server 2012 as of yet.

  External identity Source OS/Version

  Microsoft Windows Active Directory 2003 R2 32-bit and 64-bit

  Active Directory Microsoft Windows 2008 32-bit and 64-bit

  Microsoft Windows Active Directory 2008 R2 64-bit only

  Microsoft Windows Active Directory 2003 32-bit only

  http://www.Cisco.com/en/us/docs/security/ISE/1.1/compatibility/ise_sdt.PDF

• The ISE comments and update of Broswer Security Portal

  Hi, last week our assistance service received a constant steam of calls regarding our wireless of comments.  For most people, the problem is that there are browser will not allow them on the portal.  After a bit of investigation, we have established that what happens on devices with the latest browsers - IE11, Firefox 39 + and Chrome.

  OS x and iOS devices and those devices with older browsers are working ok.

  We run ISE 1.1.3.124 which is a certain number of revisions behind so I assume it is the question that 'ignore' safety standards in these new browsers.

  My plan is to upgrade to version 1.2, and then to 1.3 which I had planned to do next month anyway, but I just wanted to see if there is a work around on the ISE, which can be implemented so that the upgrade is made a thoughtful and not rushed.

  Thank you.

  This problem is apparent on several Cisco - ISE and at least first Infrastructure products.

  A couple of threads to discuss and provide workarounds:

  Thread 1

  Thread 2

  ISE 1.3 (or 1.4) will fix it. In addition, ISE 1.2.1 Patch 7.

  Here's the official Cisco ISE Bug ID.

• Cisco ISE 1.3 question Active Directory

  Hi people

  I'm having a problem with our Cisco ISE and would love some comments or a solution. I configured to ISE to use our Active Directory setup and so far it seems to be functional. I could connect to retrieve ad groups and use AD for authentication. The problem I encounter is that when I try to go to the ' Administration > Identity Management > Sources external page and select our instance AD in the window side left hand screen hangs and won't load.  Any advice?

  ad_error.PNG

  

  You are using a supported browser and have you tried an alternative one?

  If you are using a supported browser, it looks like a bug in the layout of the page. I was opening, in this case, a case of TAC. I had this same work of page very well for me in the three different 1.3 deployments.

• The band multiple @domaine used in user name on the integration of commercials with Cisco ISE?

  Hello

  How to remove multiple domain suffixes through ISE with AD user name used as an external identity Source. Username is used in [email protected] / * / format.

  Cisco ISE 1.2 patch introduced 4 Strip prefix or suffix @domaine Kingdom of the username through ISE with AD used as external identity Source. But the documentation is not updated for this feature. I am able to band 1 domain successfully suffix but following conditions listed in the list of suffixes fails to get stripped.

  Any thoughts on the same.

  Thanks Kumar

  In the ISE under Administration > identity management > external identity Sources

  Choose the Active Directory on the left, select your ad server and Advanced settings

  Under identity band of suffix, make sure prefixes band below: is selected (I know, it says prefix).

  In the list of Suffixes box, enter your list of domain suffixes to undress.  The separator character is a comma (,).

  

  If this does not solve your problem, then I fear that a call to TAC may be in order.

  UPDATE *.

  Spaces are significant characters.  The registration of domains, so as such:

  @domain.com, @domain.local, @testdomain.com

  END UPDATE *.

  Please rate useful messages and mark this question as answered if, in fact, does that answer your question.  Otherwise, feel free to post additional questions.

  Charles Moreton

  Post edited by: Charles Moreton

• Cisco ISE CLI and GUI password expires

  I got Cisco ISE version 1.1 I am facing a problem with the password CLI and GUI, it expires and I can not connect, I do password reset using the DVD of the ISE.

  I naviguer navigate to the CLI of ISE, then perform the following commands:

  conf t

  password policy

  no password-expiration-enable

  and reset the password of admin GUI, using the command:

  # reset-passwd ise admin request

  from the interface of ISE I delete option for the devil admin account after 45 days.

  but after 60 days, the password expire again.

  kindly advise what to check for this question expires.

  Hello Mostafa,

  Yes, the last answer was more towards past-mgmt GUI because in the majority of cases, it happens with the administrator account on the user interface. I need to know if you've restarted the ISE after disabling the expiration of the CLI, because what I read a few weeks in an internal fault which password policy settings are not preserved on cli after restart so just to check could please check current on CLI w settings / help to see the race. in the password policy.

  ~ BR
  Jatin kone

  * Does the rate of useful messages *.

• Cisco ISE 1.1.1 with Windows posturing

  Hello

  We tired for configured windows posturing here's the scenario

  We saw five ise boxes 3315 with version 1.1.1 off them 2 is admin, 2 is PS and 1 MNT

  and we have local Symantec and WSUS Server.

  We make posturing for Windows where I have a few questions

  (1) is there an integration here of the local WSUS server with Cisco ISE where Cisco ISE can automatically take all the mandatory WSUS update according to the crititcality of the WSUS server.

  (2) what is advised to set up the strategy of the Posture of the posture of windows in Cisco ISE and if manually configure windows political posture using specific KB and if there is an update available on Microsoft will we be able to configure the policy for the new update.

  (3) we have configured authentication dot1x in cisco ise and asked as well as on switch port where once the user must be connected to dot1x port of the switch it invites username and password dot1x and therefore, authorization policy, it gives vlan appropriate dynamics.

  But what are the ways where we can restrict the machine which is rather than the assets of the company and even if the user's user name and password in short any employee aware how we can restrict the user making the machine rather than the assets of the company?

  (4) can configure US policy posture for antivirus which will keep us in normal mode and at the same time, we can put posturing for windows which monioring mode which only monitor policy posture and reflected in the monitoring, log in which does not restrict the network for windows posturing

  That will be great if any one can please help me to get the issues

  Thank you

  Pranav

  What follows is under the POLICY-OF ELEMENTS of STRATEGY-POSTURE-> REQUIREMENTS > >

  

  What follows is located under

  POLICY OF-> ELEMENTS OF STRATEGY-> POSTURE->

  REPAIR-> WINDOWS SERVER UPDATE SERVICES REMEDIATION ACTIONS

  

  What follows is part POLICY-> POSTURE

  

  These settings work ALMOST flawlessly for me by forcing her we approved on our WSUS server for our group of workstations updated (all of our laptops are members of the) which meet the criteria of severity EXPRESS (critical and Important). Now, what I've discovered in the last few days is that... MS seems a bit random in their identification of what severity level they assign to their updates. For example... I think that a service pack of the operating system would be considered IMPORTANT if not CRITICAL... however... Look at this from the identification of the server WSUS from Windows 7 Service Pack 1:

  

  Thus, those who updates you deleted, I'd go throgh your WSUS server to identify how they are identified by gravity, then according to your needs set the parameters of the ISE accordingly to ensure that you get updates you plan.

  Hope this helps everyone out there who has similar problems.

  Thank you

  Dirk

• Cisco ISE (Identity Services Engine) - seeds SGA device?

  Hello

  We have a LAB with Cisco ISE, certificates and list DACL. Everything works fine with the 1.1.1 version but now we want to use the functionality of CMS - SGT instead of the ACL and we found that we need seed for this device and the only device that takes in charge the Nexus 7000 is. Is this true? What is the only way that we can use LMS - SGT? Are there plans that any other device will be used to seed device?

  BR, Marko

  The device of seed set as first device that communicates with the ISE. It must be a link.

  http://www.Cisco.com/en/us/docs/solutions/enterprise/security/TrustSec_2.0/trustsec_2.0_dig.PDF

  In addition the Nexus needs a license of Advanced Services installed in order to support the Trustsec.

  I can't comment on any future plans.

• Group of endpoint Cisco ISE 1.4 hotspot

  Patch 1.4 Cisco ISE 6

  Cisco WLC 8.0.121

  Setup

  the WLC has a named Hotspot SSID. It uses mac auth with radius of the NAC to redirect to the Hotspot portal of reviews on the ISE.

  drops flexconnect users in vlan 401 (with preAuthAcl), after the PSU, it is initially a COA to move users to VLANs 413 with permitInternetAcl

  Description of the problem:

  users connect to the SSID of the access point and get an IP address valid in vlan 401

  redirected to the page of the hotspot on the ISE with a PSU and the PIN code request.

  are they disconnect from the network and reconnect, the ISE sends a certificate of authenticity to move to 413 without the Hotspot portal.

  what I've noticed, is that as soon as users get the redirect of the original Web page, they are moved to the endpoint group defined in the hotspot portal.

  What I've read about this behavior makes me understand that it is a default behavior, but if that's the case then I'm not sure on how I can make my font to check if the PSU has been accepted.

  Thank you

  Maarten

  Portal.PNG

  

  Policy.PNG

  

  Profile.PNG

  

  Cisco WLC 8.2.100

  Patch 1.4 ISE 6

  Similar Hotspot ISE installation, of similar rules except change VLAN. I have observed the same behavior.

  This configuration was working on patch 5.

  Update:

  I found a solution based on the following bug. Use the following attribute in the authorization rule. The success page remains but no Instant Internet access is available using this workaround solution.

  https://Tools.Cisco.com/bugsearch/bug/CSCux22558/?referring_site=bugquic...

  ' Workaround:
  "Use the LEAST 24 endpoints: LastAUPAcceptanceHours for example (means PUA agreed less than 24 hours ago).

• Cisco ISEv2 & comments on 3750 x wired SW

  Hello

  Could someone give me a suggestion to solve the below problem reported, really, it's very strange

  After you download Cisco ISE-2 to switch x 3750 DACL, I immediately get "REASON Provisioning Failed"?

  26 jan 16:33:25.827: % EMP-6-AAA: POLICY xACSACLx-IP-NG_WIRED_GUEST-56a7960f | DOWNLOAD_REQUEST EVENT
  26 jan 16:33:25.836: % EMP-6-AAA: POLICY xACSACLx-IP-NG_WIRED_GUEST-56a7960f | DOWNLOAD-SUCCESS EVENT
  26 jan 16:33:25.911: EMP-4-POLICY_APP_FAILURE %: policy request failed for forPOLICY_TYPE [10.0.121.24] [28d2.4426.02ae] [0A0000650000004A063C060F] AuditSessionID named Acl POLICY_NAME MAC Client xACSACLx-IP-NG_WIRED_GUEST-56a7960f REASON Provisioning Failed

  Thank you

  Yes, the train 15.x was chaotic and I saw funky problems with it. Happy that the upgrade took care of the issue. Also, thank you to return and validation of the solution (+ 5 from me)

  Now if your problem is resolved you must mark the thread as "answered" :)

  Thank you for evaluating useful messages!

• Upgrade to Cisco ISE

  Hello

  I have cisco ISE 1.0, which I want to spend 1.3 ISE. According to the upgrade path, I would need to follow this process

  1.0 > 1.1 (apply the latest patch) 1.2 > 1.3

  The bundle 1.0 to 1.1 is deferred. So I think to install a new 1.3 ISE as a virtual appliance and then configure it from there. I have not too clued up on ISE so I was wondering is there a way to backup on ISE 1.0 and 1.3 restoration?

  If this is not the case, what would be the best approach?

  Thank you

  Wow 1.0 to 1.4 is a big leap in functionality. You run this in your production network?

  Authentication and authorization should continue to work that you have configured the.

  On the top of my head

  -you come on duty return to the AD domain (if you have joined in the first place). Make sure you have the credentials of the service account to do.

  -Comments and other portals have been completely redesigned. If you have made any customizations, you're probably better it demolition and reconstruction by using the new tools of the portal generator.

  -Depending on whether you have advanced Base 1.0 licenses will take you through basic or Apex with 1.3 / 1.4.

  -ISE has a ton of other features that may or may not apply in your environment.