Cisco ISE synchronization and NTP server

Similar Questions

• Cisco ISE CLI and GUI password expires

  I got Cisco ISE version 1.1 I am facing a problem with the password CLI and GUI, it expires and I can not connect, I do password reset using the DVD of the ISE.

  I naviguer navigate to the CLI of ISE, then perform the following commands:

  conf t

  password policy

  no password-expiration-enable

  and reset the password of admin GUI, using the command:

  # reset-passwd ise admin request

  from the interface of ISE I delete option for the devil admin account after 45 days.

  but after 60 days, the password expire again.

  kindly advise what to check for this question expires.

  Hello Mostafa,

  Yes, the last answer was more towards past-mgmt GUI because in the majority of cases, it happens with the administrator account on the user interface. I need to know if you've restarted the ISE after disabling the expiration of the CLI, because what I read a few weeks in an internal fault which password policy settings are not preserved on cli after restart so just to check could please check current on CLI w settings / help to see the race. in the password policy.

  ~ BR
  Jatin kone

  * Does the rate of useful messages *.

• Renewal of certificates Cisco ISE Admin and EAP

  Hi on board,

  Maybe I'm asking a rather stupid question here, but anyway :)

  Currently, I think about how renew a certificate admin/EAP on a node of the ISE and the effect on the endpoint authentication.

  Here's the thing that I do when I install initially an ISE node

  1.) creation of CSR on ISE (PAN) - CN = $FQDN$ and SAN = 'name of FQDN as well. "

  2.) sign CSR and certificate of bind on the ISE node - done

  Now, after 10 months or two (if the certificate is valid for one year) I want to renew the certificate of admin/EAP ISE.

  Creation of CSR: I can't use the $FQDN$ like CN, because there is still the current certificate (CN must be unique in the store, right?)

  So what to do now? I really need to create a temporary SSC and make the admin/EAP certificate, remove the current certificate, and then create a new CSR? There must be a way better and more important to do nondisruptive.

  How you guys do this in your deployments?

  Thanks again in advance, and sorry if this is a silly question.

  Johannes

  You can install a new certificate on the ISE until he's active, Cisco recommends to install the new certificate before the expiry of the old certificate. This period of overlap between the former certificate expiration date and the new certificate start date gives you time to renew certificates and to plan their installation with little or no downtime. Once the new certificate enters its valid date range, select the EAP or HTTPS protocol. Remember, if you turn on HTTPS, there will be a restart of the service

  Renewal of certificate on Cisco Identity Services Engine Configuration Guide

  http://www.Cisco.com/c/en/us/support/docs/security/identity-Services-engine/116977-TechNote-ISE-CERT-00.html

• Is it possible to map a promoter group in Cisco ISE to a group of users in Active Directory, using a RADIUS server?

  Hello!!

  We are working on a mapping between a promoter Cisco ISE group and a user group in Active Directory, but the customer wants the mapping through a RADIUS SERVER, to avoid the ISE by querying directly activate Directory.

  I know it is possible to use a RADIUS SERVER as source of external identity for ISE... but, is possible to use this RADIUS SERVER for this sponsor group manages?

  Thank you and best regards!

  Hi Rodrigo,

  The answer is no. There is no way to integrate the portal Sponsor config with a RADIUS server. Your DB for authentication Portal Sponsor options;

  AD
  LDAP
  User internal ISE DB

  Sent by Cisco Support technique iPhone App

• Cisco asa 5505 and centos VPN server connection

  Hi all

  Please I want to set up a VPN between Cisco asa 5505 and centos server.

  Here's my senerio

  -------------------------

  ASA 5505

  Public IP 155.155.155.2

  Local NETWORK: 192.168.6.X

  CentOS Server

  ------------------

  Public ip address: 155.155.155.6

  Thank you guys

  Apology, do you mean access remote VPN Client of hundred BONE for Cisco ASA 5505?

  If the remote access, here are the sample configuration:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

• Cisco ise license command

  I have a question

  1. is it possible to install the Cisco ISE software on the server machine to physical HP (without solution VMware or without the use of SNS-3415-k9 cisco device)?

  2. for 2500 users online, I'll order L-ISE-BSE-2550, L-ISE-PLS-S-2500 and L-ISE-APX-S-2500 of basis, more and apex licenses. My question is HA (primary and secondary) application I need 2 licenses for each? (2 * L - ISE - BSE - 2550, 2 * L - ISE - PLS - S - 2500 and 2 * L - ISE - APX - S - 2500)

  or just a license for each is enough?

  3. If I implement Cisco ISE and HA on VMware environment, can I 2 L-ISE-VM-K9 licenses for each VM machines? and also I need 2 licenses for each basic, plus, and at the apex?

  4. What is smart net Cisco and Cisco SASU? need to buy these for support and ticketing system?

  5. What is license for cisco anyconnect (L-AC-APX-1 year-G)?

  thnx in adv.

  You can install ISE on a HP ONLY Server if you are using software virtualization (VMware or KVM).

  The Guide of Installation of ISE sets out three options:

  1 hardware appliance from cisco SNS

  2. virtual machine VMware

  3 Linux KVM.

  The AnyConnect license is required to qualify with the features of the Apex. It is not installed on the ISE server, however.

• Cisco ISE (Identity Services Engine) - seeds SGA device?

  Hello

  We have a LAB with Cisco ISE, certificates and list DACL. Everything works fine with the 1.1.1 version but now we want to use the functionality of CMS - SGT instead of the ACL and we found that we need seed for this device and the only device that takes in charge the Nexus 7000 is. Is this true? What is the only way that we can use LMS - SGT? Are there plans that any other device will be used to seed device?

  BR, Marko

  The device of seed set as first device that communicates with the ISE. It must be a link.

  http://www.Cisco.com/en/us/docs/solutions/enterprise/security/TrustSec_2.0/trustsec_2.0_dig.PDF

  In addition the Nexus needs a license of Advanced Services installed in order to support the Trustsec.

  I can't comment on any future plans.

• Press release cisco ISE 2.0

  Can someone please recommend a good book on ISE 2.0... again 2.0

  IMHO there is no good book on ISE 2.0 because there is no book of ISE 2.0 at all.

  IM aware of only three books on ISE:

  • CiscoPress: Unified Cisco ISE BYOD and blocked access
  • CiscoPress: CCNP security SISAS 300-208 official Cert Guide
  • Syngress: Practical deployment of Cisco Identity Services Engine (ISE): concrete examples of deployments AAA

  I did the first and also know each other. They n 't ISE 2.0 coverage. And looking at the table of contents of the third, it looks no better.

  Not a book at all, but the best documentation for ISE is ISE product page design guides: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

• Altered in Cisco Unity Connection and cancelled permits NTP server

  I use Cisco Unity Connection 8.6.1 and cancelled my Inbox licenses.  A few days ago I noticed that the timestamp of the voicemails was different from what said our CUCM so immediately, I assume that the NTP servers were different.  I was correct and made the change on our server CUC.  I came back to add another user, a few days later and was motivated that I didn't have enough licenses.  After researching on it after the fact, it seems that this happened because the value of NTP server is one of the values that cannot change with the current license, and I'm in a State of the trial for 30 days (24 days left now).  Now my problem is that I don't remember what would replace this NTP server.  How can I fix this problem?

  Hi William,.

  I guess the connection of the unit is installed on the virtual machine and therefore license MAC is here

  You can get the rehost license by launching the mail to [email protected] / * /

  regds,

  aamns

• Cisco ISE and external syslog server

  Hi Security Experts,

  We start with deployment cisco ISE (Identity Services Engine) in our network. We have allocated 250 GB of space for the node (Admin + monitor) ISE.

  I want to know if we can send tracking of nodes of external syslog server logs after a defined time interval.

  For example, newspapers that are more than 10 days are for external syslog server. So basically our node monitoring will have the marbles which are the Max 9 days. Is this possible? Could you tell me some doc that explains the configuration of the same thing?

  Thank you

  Boudou

  No this is not possible via syslog. What you need is database purge, so that the monitoring database is purged after a determined time interval. Here's a guide that will help shed some light on this:

  http://www.Cisco.com/en/us/docs/security/ISE/1.1/user_guide/ise_mnt.html#wp1054328

  Tarik Admani
  * Please note the useful messages *.

• Access VPN ASA and cisco ISE Admin

  Hello

  Currently I'm deployment anyconnect VPN Solution for my client on ASA 9.2 (3). We use the ISE 1.3 to authenticate remote users.

  In the policy stipulates the conditions, I put the condition as below.

  Policy name: Anyconnect

  Condition: DEVICE: Device Type Device Type #All Device Types #Dial - in access EQUALS AND
  RADIUS: NAS-Port-Type is equal to virtual

  I'm authenticating users against the AD.

  I am also restrict users based on group membership in authorization policies by using the OU attributes.

  This works as expected for remote users.

  We also use the ISE to authenticate administrators to connect to the firewall. Now what happens is, Cisco ASA valid also against policy, administrators and their default name Anyconnect.

  Now the question is, how to set up different political requirement for access network admin and users the same Firewall VPN.

  Any suggestions on this would be a great help.

  See you soon,.

  Sri

  You can get some ideas from this article of mine:

  http://ltlnetworker.WordPress.com/2014/08/31/using-Cisco-ISE-as-a-generic-RADIUS-server/

• Authentication (Windows Server 2013) AD Cisco ISE problem

  Background:

  Has deployed two Cisco ISE 1.1.3. ISE will be used to authenticate users wireless access admin WLC and switches. Database backend is Microsoft running on Windows Server 2012 AD. Existing Cisco ACS 4.2 still running and authenticate users. There are two Cisco WLCs version 7.2.111.3.

  Wireless users authenticates to AD, through works of GBA 4.2. Access admin WLC and switches to the announcement through ISE works. Authentication with PEAP-MSCHAPv2 access and admin PAP/ASCII wireless.

  Problem:

  Wireless users cannot authenticate to the announcement through ISE. This is the error message '11051 RADIUS packet contains invalid state attribute' & '24444 Active Directory failed because of an error that is not specified in the ISE'.

  

  Conducted a detailed test of the AD of the ISE. The test was a success and the result seems fine except for the below:

  xxdc01.XX.com (10.21.3.1)

  Ping: 0 Mins Ago

  Status: down

  xxdc02.XX.com (10.21.3.2)

  Ping: 0 Mins Ago

  Status: down

  xxdc01.XX.com

  Last success: Thu Jan 1 10:00 1970

  March 11 failure: read 11:18:04 2013

  Success: 0

  Chess: 11006

  xxdc02.XX.com

  Last success: Fri Mar 11 09:43:31 2013

  March 11 failure: read 11:18:04 2013

  Success: 25

  Chess: 11006

  Domain controller: xxdc02.xx.com:389

  Domain controller type: unknown functional level DC: 5

  Domain name: xx.COM

  IsGlobalCatalogReady: TRUE

  DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)

  ForestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)

  Action taken:

  Log Cisco ISE and WLC by using the credentials of the AD. This excludes the connection AD, clock and AAA shared secret as the problem.

  (2) wireless authentication tested using EAP-FAST, but same problem occurs.

  (3) detailed error message shows below. This excludes any authentication and authorization policies. Even before hitting the authentication policy, the AD search fails.

  12304 extract EAP-response containing PEAP stimulus / response

  11808 extracted EAP-response containing EAP - MSCHAP VERSION challenge response to the internal method and accepting of EAP - MSCHAP VERSION such as negotiated

  Evaluate the politics of identity

  15006 set default mapping rule

  15013 selected identity Store - AD1

  24430 Authenticating user in Active Directory

  24444 active Directory operation failed because of an error that is not specified in the ISE

  (4) enabled the registration of debugging AD and had a look at the logging. Nothing significant, and no clue about the problem.

  (5) wireless tested on different mobile phones with the same error and laptos

  (6) delete and add new customer/features of AAA Cisco ISE and WLC

  (7) ISE services restarted

  (8) join domain on Cisco ISE

  (9) notes of verified version of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Find anything related to this problem.

  10) there are two ISE and two deployed WLC. Tested a different combination of ISE1 to WLC1, ISE1 to WLC2, etc. This excludes a hardware problem of WLC.

  Other possibilities/action:

  1) test it on another version WLC. Will have to wait for approval of the failure to upgrade the WLC software.

  (2) incompatibility between Cisco ISE and AD running on Microsoft Windows Server 2012

  Did he experienced something similar to have ideas on why what is happening?

  Thank you.

  Update:

  (1) built an another Cisco ISE 1.1.3 sever in another data center that uses the same domain but other domain controller. Thai domain controller running Windows Server 2008. This work and successful authentication.

  (2) my colleague tested in a lab environment Cisco ISE 1.1.2 with Windows Server 2012. He has had the same problem as described.

  This leads me to think that there is a compatibility issue of Cisco ISE with Windows Server 2012.

  
  

  
  

  Yes, it seems that 1.1.3 doesn't support Server 2012 as of yet.

  External identity Source OS/Version

  Microsoft Windows Active Directory 2003 R2 32-bit and 64-bit

  Active Directory Microsoft Windows 2008 32-bit and 64-bit

  Microsoft Windows Active Directory 2008 R2 64-bit only

  Microsoft Windows Active Directory 2003 32-bit only

  http://www.Cisco.com/en/us/docs/security/ISE/1.1/compatibility/ise_sdt.PDF

• Cisco ISE 1.2 and the ad group

  Hello

  I have Cisco ISE installed on my EXSi server for my test pilot. I added several ad groups at ISE as well.

  I created a condition of authorization policy, that is WIRELESS_DOT1X_USERS (see screenshot)
  Basically, I just replicate the default Wireless_802.1X and added Network Access: EapAuthentication, Equals, EAP - TLS.

  My problem is, I have been unable to join the wireless network, if I added my ad group to the authorization strategy (see screenshot). The user I is a member of WLAN USERS. If I removed the authorization policy group, the use is able to join the wireless network.

  I have attached the screenshot of ISE newspapers as well. I checked the ISE, AD/NPS, WLC, laptop computer time and date, and they are all in sync.

  I also have the WLC added as NPS client on my network.

  I checked the newspaper AD and I found it, it was the local management user WLCs trying to authenticate. It is supposed to be my wireless user Credential is not the WLC.

  It's the paper I received from the AD/NPS

  Access denied to user network policy server.

  Contact the server administrator to strategy network for more information.

  User:

  Security ID: NULL SID

  Account name: admin

  Domain account: AAENG

  Account name: AAENG\admin

  Client computer:

  Security ID: NULL SID

  Account name: -.

  Full account name: -.

  OS version: -.

  Called Station identifier: -.

  Calling the Station identifier: -.

  NAS:

  NAS IPv4 address: 172.28.255.42

  NAS IPv6 address: -.

  NAS identifier: RK3W5508-01

  NAS Port Type: -.

  NAS Port:                              -

  RADIUS client:

  Friendly name of client: RK3W5508-01

  The client IP address: 172.28.255.42

  Information about authentication:

  Connection request policy name: Windows authentication for all users use

  The network policy name: -.

  Authentication provider: Windows

  Authentication server: WIN - RSTMIMB7F45.aaeng.local

  Authentication type: PAP

  EAP Type:                              -

  Identifier for account: -.

  Results of logging: Accounting Information was written in the local log file.

  Reason code: 16

  Reason: Authentication failed due to incompatibility of user credentials. The provided username is not mapped to an existing user account or the password is incorrect.

  Hello

  The problem is with what ISE name, it's choosing to search of the AD. If you look in the ISE newspapers down, you'll see the username that use ISE (firstname, lastname) to search for the AD.

  In your certificate template see what attribute containst name AD (possibly the dns name or email or the name of principle of RFC 822 NT), go to your profile to authenticate cerificate and use this attribute for the user name.

  Thank you

  Tarik Admani
  * Please note the useful messages *.

• Cisco ISE with GANYMEDE + and RADIUS both?

  Hello

  I'm wired opening of authentication on a network using Cisco ISE. I studied the conditions for this. I know that I need to enable the RADIUS on the Cisco switches on the network. The switches in the network are already programmed to GANYMEDE +. Anyone know if they can both operate on the same network at the same time?

  Bob

  I suppose that Ganymede is configured (with ACS 4.x or 5.x) for the peripheral administration via telnet/ssh, and now you need the RADIUS (radius) to authenticate 802. 1 x. Yes they can both work on the same network at the same time.

  ~ BR
  Jatin kone

  * Does the rate of useful messages *.

• Cisco ISE and Meraki RADIUS

  I am very new to Cisco ISE and Meraki.  I try to get the Radius configuration for wireless authentication.  When I do a test of the Meraki to ISE, it passes.

  When I try to connect from my laptop, I look at the logs of the Radius and it passes; However, it does not connect me to good policy.  I keep hitting the default policy.  I have my Meraki police above the default policy in the strategy defined in article.  I have attached what looks like my strategy game.

  Devices does not really matter. Here is what I see when I create a device group (where you add the access point to this group), and then create the condition:

  networkdevicegroups.PNG

  

  And here is where I create the condition of strategy game and you should be able to select the Meraki access points:

  devicecondition.PNG

  

  This will give you the condition similar to what I posted above. This is perhaps why you aren't hit that is not matching the condition for this game.