Cisco NTP Sync ISE

Hi all,

I was wondering if anyone knows why a Cisco ISE is not synchronized with the NTP server. I am able to ping the NTP server from the ISE nodes, and the wireless controller is properly synchronized against the same server.

Is there something more to configure in addition to the time zone and "ntp server"?

synchronized to local net at stratum 11
   time correct to within 11 ms
   polling server every 1024 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.          10 l   33   64  377    0.000    0.000   0.001
 x.x.x.x         200.160.7.193    2 u    7 1024  186    0.671 2545847  56.067
 x.x.x.x         200.160.0.8      3 u  202 1024    7    0.630 2545853  55.940

* Current time source, + Candidate

Warning: Output results may conflict during periods of changing synchronization.


Hi Flavio,

It happens with ISE and ACS: they synchronize correctly and then lose synchronization. You can either remove the NTP server ("no ntp server") and add it again, or you can restart the NTP service. Sometimes even that helps.

Bravo!

Bellefroid
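As an added example (not from the original thread), here is a small Python checker for `ntpq -p`-style peer listings like the one in the question above. It flags the two things visible there that a practitioner would look at first: the selected system peer (`*`) being the local clock driver 127.127.1.0 (refid .LOCL.), and peer offsets larger than ntpd's default 1000 s panic threshold, beyond which a stock ntpd refuses to step the clock and asks for it to be set manually. The sample listing in the block is constructed to mirror the shape of the posted output, and the thresholds are assumptions stated in the comments.

```python
"""Parse ntpq -p peer lines and flag the usual 'not really synchronised' causes.

Added example, not part of the original thread. SAMPLE is constructed; the
panic threshold assumes a stock ntpd (default 1000 s, changed with -g or
'tinker panic').
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PANIC_THRESHOLD_MS = 1000 * 1000            # ntpd default: 1000 s
LOCAL_CLOCK_REFIDS = {".LOCL.", "127.127.1.0"}  # undisciplined local clock driver


@dataclass
class Peer:
    tally: str       # ' ', '*', '+', '-', 'x', '.', '#', 'o'
    remote: str
    refid: str
    stratum: int
    kind: str        # u unicast, l local, b broadcast, ...
    when: str
    poll: int
    reach: int       # 8-bit reachability register, printed in octal
    delay: float
    offset_ms: float
    jitter: float


LINE_RE = re.compile(
    r"^(?P<tally>[ *+\-x.#o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>[ulbmMsS-])\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>[-\d.]+)\s+(?P<offset>[-\d.]+)\s+(?P<jitter>[-\d.]+)\s*$"
)


def parse_peers(text: str) -> list[Peer]:
    """Return one Peer per data line; header, separator and legend lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peers.append(Peer(
            tally=m["tally"], remote=m["remote"], refid=m["refid"],
            stratum=int(m["st"]), kind=m["t"], when=m["when"],
            poll=int(m["poll"]), reach=int(m["reach"], 8),
            delay=float(m["delay"]), offset_ms=float(m["offset"]),
            jitter=float(m["jitter"]),
        ))
    return peers


def diagnose(peers: list[Peer]) -> list[str]:
    """Human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    system_peer = next((p for p in peers if p.tally == "*"), None)
    if system_peer is None:
        findings.append("no system peer selected (no '*' tally)")
    elif system_peer.refid in LOCAL_CLOCK_REFIDS or system_peer.kind == "l":
        findings.append(f"system peer is the local clock ({system_peer.remote}); "
                        "upstream servers are not being used")
    for p in peers:
        if p.kind == "l":
            continue
        if abs(p.offset_ms) > PANIC_THRESHOLD_MS:
            findings.append(f"{p.remote}: offset {p.offset_ms / 1000:.0f} s exceeds the "
                            "1000 s panic threshold; ntpd will not step, set the clock manually")
        if p.reach == 0:
            findings.append(f"{p.remote}: never reached (reach=0), check the UDP/123 path")
        elif p.reach != 0o377:
            findings.append(f"{p.remote}: intermittent replies (reach={p.reach:o})")
    return findings


# Constructed sample in the shape of the posted output (addresses are made up).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.          10 l   33   64  377    0.000    0.000   0.001
 10.0.0.5        200.160.7.193    2 u    7 1024  176    0.671 2545847  56.067
 10.0.0.6        200.160.0.8      3 u  202 1024    7    0.630 2545853  55.940
"""

if __name__ == "__main__":
    for finding in diagnose(parse_peers(SAMPLE)):
        print("-", finding)
```

Run it against `ntpq -pn` output from any ntpd host; a healthy listing gives a `*` peer with a real refid and offsets of a few milliseconds.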

Tags: Cisco Security

Similar Questions

  • Cisco VIRL and ISE

    Hello

    Is there a switching environment on Cisco VIRL for testing Cisco IBNS 2.0 functions, especially with ISE?

    BR

    Hello BR,

    Unfortunately, 802.1X is not a supported feature on VIRL/IOU. Here is a link to the current list of supported VIRL features:

    https://learningnetwork.Cisco.com/docs/doc-30404

    I hope this helps!

    Thank you for rating useful posts!

  • NTP sync

    Hello

    My NAS ix2-ng does not synchronize with the French national NTP server "ntp.obspm.fr", but it is OK with the default NTP server.

    Can you tell me why?

    On all my computers I use this French NTP server because I think it is important for the Paris-Meudon Observatory that many people synchronize their computers via its NTP: the more it is used, the easier it will be for the Observatory to get national funding.

    Best regards, Claude

    Thanks for your reply,

    I have tried the IP of the Observatoire de Paris NTP server (145.238.203.10) and it's OK.

    After that I tried "ntp.obspm.fr" once more and it is OK now.

    I don't understand why it didn't work before.

    Now I'm half happy... because I'm waiting for an update, the creation of a service (such as or via cron) in the NAS ix2-ng to schedule powering the unit off at a time I choose, and maybe another service to power it on.

    Best regards... Claude_L

  • Question about my first deployment of Cisco ISE

    Hi, thanks in advance,

    It's my first time implementing Cisco ISE 1.1.4, on VMware ESXi 5.5.

    So far I have done the following:

    - Created NTP, DNS and AD; of course ESXi is running and everything has connectivity to everything else. ISE is able to synchronize time with the NTP server, and DNS, AD etc. work.

    - Created a repository for installation of the application bundle, ise-appbundle-1.1.4.218.i386, and I could not find any fault with the application.

    However, while I was doing the installation it said "/opt/oracle/base/product/11.2.0/dbhome_1/bin/lsnrctl: error while loading shared libraries: libclntsh.so.11.1: cannot open shared object file: No such file or directory".

    I already checked some forums and communities, and I have no problem synchronizing time between DNS and NTP, nor between ISE itself and NTP.

    I have no firewall between the devices and no other network devices interfere.

    And at the end of the logs it comes up like this:

    ########################################################################################

    ERROR: CANNOT START DB!

    Database is not available. 240 seconds timeout.

    This could be the result of incorrect network interface configuration

    or lack of resources on the appliance or virtual machine. Please resolve the issue and run the following CLI to start the database again:

    "application reset-config ise"

    ########################################################################################

    I'm just lost now... Any recommendation?

    Well, it is true that the CCIE Security lab uses ISE 1.1 as its base. So for a lab installation for that purpose only, you might go with it.

    90% of the things are similar and the concepts are identical from 1.1 to 1.3. The early versions were buggy, however, and we recommend that all production users go with 1.3.

    A fresh installation of 1.1.4 should be OK; but you would not use the ISE appbundle gz archive, you need to use the new installation ISO.

    Please see the screenshot below.

  • Cisco ISE posture assessment and client provisioning

    Hello

    I have Cisco ISE and a Cisco IOS device. I configured RADIUS between these devices.

    I also configured RADIUS between Cisco ISE and a Cisco ASA. Now I want to know how to do posture assessment for these devices (Cisco ISE with Cisco ASA, or Cisco ISE with Cisco IOS). Please give me the steps for posture assessment of a Cisco IOS device in Cisco ISE.

    In addition, please point me to the logs related to posture assessment and client provisioning.

    Thanks in advance.

    You can go through the link below to download a PDF on

    posture assessment with ISE.

    http://www.Cisco.com/Web/CZ/expo2012/PDF/T_SECA4_ISE_Posture_Gorgy_Acs.PDF

    ~ BR
    Jatin kone

    * Please rate useful posts *

  • ESXi 5.1 configured as a NTP server, do not sync with the Local PC

    I have an ESXi 5.1 server configured as an NTP server and a Windows Server 2008 R2 local PC, and they do not sync. I understand this is not recommended for ESXi, but I read [1] [2] that whenever an ESXi server runs as an NTP client it also acts as a server, so I enabled it as an NTP client in vSphere by ticking the NTP client box, adding some servers to the server list and then clicking Run, and I also opened port 123 incoming/outgoing in the ESXi firewall settings from the shell.

    I'm pretty sure it isn't a firewall problem. I completely disabled the firewall on my local PC. Running "w32tm /stripchart /computer:<server IP>" gives me the server's time, and running the NTPQuery tool gets an answer back on port 123 from the time server.

    I tried:

    - Date/time settings (right-click on the notification area -> Adjust date/time -> Internet Time -> set to the IP address of the server) - sync fails (*An error occurred while Windows was synchronizing with <server IP>*)

    - Group Policy Editor (Computer Configuration\Administrative Templates\System\Windows Time Service; currently disabled, because I heard this causes problems) - synchronization fails

    - Registry editor (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Config) - synchronization fails

    - Command prompt, using:

    w32tm /config /manualpeerlist:<server IP> /syncfromflags:MANUAL /reliable:yes /update
    net stop w32time && net start w32time
    w32tm /resync /rediscover

    This updates the registry properly, but outputs "The computer did not resync because no time data was available." And when I use "w32tm /query /source" the source is always "Local CMOS Clock".

    Here is the output from "w32tm /query /configuration":

        [Configuration]

        EventLogFlags: 2 (Local)
        AnnounceFlags: 5 (Local)
        TimeJumpAuditOffset: 28800 (Local)
        MinPollInterval: 10 (Local)
        MaxPollInterval: 15 (Local)
        MaxNegPhaseCorrection: 3600 (Local)
        MaxPosPhaseCorrection: 3600 (Local)
        MaxAllowedPhaseOffset: 1 (Local)

        FrequencyCorrectRate: 4 (Local)
        PollAdjustFactor: 5 (Local)
        LargePhaseOffset: 50000000 (Local)
        SpikeWatchPeriod: 900 (Local)
        LocalClockDispersion: 10 (Local)
        HoldPeriod: 5 (Local)
        PhaseCorrectRate: 1 (Local)
        UpdateInterval: 360000 (Local)

        [TimeProviders]

        NtpClient (Local)
        DllName: C:\windows\system32\w32time.dll (Local)
        Enabled: 1 (Local)
        InputProvider: 1 (Local)
        AllowNonstandardModeCombinations: 1 (Local)
        ResolvePeerBackoffMinutes: 15 (Local)
        ResolvePeerBackoffMaxTimes: 7 (Local)
        CompatibilityFlags: 2147483648 (Local)
        EventLogFlags: 1 (Local)
        LargeSampleSkew: 3 (Local)
        SpecialPollInterval: 900 (Local)
        Type: NTP (Local)
        NtpServer: <IP of server>,0x1 (Local)

        NtpServer (Local)
        DllName: C:\windows\system32\w32time.dll (Local)
        Enabled: 1 (Local)
        InputProvider: 0 (Local)
        AllowNonstandardModeCombinations: 1 (Local)

    Any ideas?  Thanks in advance.

    Your ESXi server's response shows that the leap indicator is 3 and the server stratum is 0.

    This means that the ESXi NTP server is unsynchronized and unable to provide a valid reference time to clients.

    We recommend that you configure your ESXi host with valid upstream NTP servers such as:

    0.vmware.pool.ntp.org, 1.vmware.pool.ntp.org and 2.vmware.pool.ntp.org

    as described in the KB article, or alternatively your Internet service provider's NTP servers.

    Although not recommended, you can configure ESXi to provide a reference time using its own system clock

    if you cannot configure ESXi to synchronize to external upstream NTP servers.

    In the UI: Configuration tab, Software (Time Configuration), Properties, Options, NTP Settings.

    Specify "127.127.1.0" as your single NTP server. Don't forget to check the box "Restart NTP service to apply changes",

    then click OK twice to close the dialog boxes. Wait a few minutes for NTP to sync, then try your test.

    According to RFC 4330, NTP/SNTP (Simple) clients must not use the time in an NTP response packet if the

    stratum returned is 0 (and the leap indicator is 3). Apparently your Windows Simple NTP client is following

    the RFC.
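As an added example (not from the original thread or from VMware), the following Python decodes an NTP server reply and applies the RFC 4330 section 5 client-side checks the answer above refers to: a reply with leap indicator 3 or stratum 0 (the kiss-o'-death form) must be discarded rather than used to set the clock. The 48-byte packets are constructed inline by build_reply() for the demonstration; they are not captures from an ESXi host.

```python
"""Decode an NTP/SNTP reply (RFC 4330 / RFC 5905 header) and decide whether a
client is allowed to use it. Added example; packets are constructed, not captured.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01


@dataclass
class NtpReply:
    leap: int                       # LI: 0 none, 1/2 leap second pending, 3 unsynchronized
    version: int
    mode: int                       # 4 = server reply, 5 = broadcast
    stratum: int                    # 0 = kiss-o'-death/unspecified, 1 = primary, 2..15 secondary
    refid: bytes                    # KoD code when stratum == 0, otherwise the reference source
    transmit_raw: tuple[int, int]   # (seconds, fraction) exactly as carried on the wire
    transmit_unix: float


def decode(packet: bytes) -> NtpReply:
    """Parse the fixed 48-byte header; extension fields and MAC are ignored."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    li_vn_mode, stratum, _poll, _precision = struct.unpack("!BBbb", packet[:4])
    refid = packet[12:16]
    xmt_sec, xmt_frac = struct.unpack("!II", packet[40:48])
    return NtpReply(
        leap=li_vn_mode >> 6,
        version=(li_vn_mode >> 3) & 0x7,
        mode=li_vn_mode & 0x7,
        stratum=stratum,
        refid=refid,
        transmit_raw=(xmt_sec, xmt_frac),
        transmit_unix=xmt_sec - NTP_EPOCH_OFFSET + xmt_frac / 2**32,
    )


def usable(reply: NtpReply) -> tuple[bool, str]:
    """RFC 4330 section 5 sanity checks. Returns (ok, reason)."""
    if reply.mode not in (4, 5):
        return False, f"mode {reply.mode} is not a server or broadcast reply"
    if reply.leap == 3:
        return False, "leap indicator 3: server clock is not synchronized"
    if reply.stratum == 0:
        code = reply.refid.decode("ascii", "replace")
        return False, f"stratum 0 kiss-o'-death, code {code!r}"
    if reply.transmit_raw == (0, 0):
        return False, "transmit timestamp is zero"
    return True, "ok"


def build_reply(leap: int, stratum: int, refid: bytes, xmt_unix: int) -> bytes:
    """Construct a minimal NTPv4 mode-4 reply (demo helper, not a real server)."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll 2^6 s, precision 2^-20 s
    root_delay = root_dispersion = b"\x00" * 4
    ts = struct.pack("!II", xmt_unix + NTP_EPOCH_OFFSET, 0) if xmt_unix else b"\x00" * 8
    # reference, originate, receive and transmit timestamps all set to ts
    return header + root_delay + root_dispersion + refid[:4].ljust(4, b"\x00") + ts * 4


# Constructed samples: a healthy stratum-2 reply, what an unsynchronized server
# (LI=3, stratum 0 on the wire) sends, and a RATE kiss-o'-death.
GOOD = build_reply(leap=0, stratum=2, refid=bytes([200, 160, 7, 193]), xmt_unix=1_700_000_000)
UNSYNC = build_reply(leap=3, stratum=0, refid=b"INIT", xmt_unix=1_700_000_000)
KOD = build_reply(leap=0, stratum=0, refid=b"RATE", xmt_unix=1_700_000_000)

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("UNSYNC", UNSYNC), ("KOD", KOD)):
        r = decode(pkt)
        print(f"{name}: LI={r.leap} stratum={r.stratum} -> {usable(r)}")
```

A real client would feed `decode()` the bytes returned by a UDP/123 exchange; the point of the example is that the UNSYNC packet is exactly what an ESXi host pointed at no upstream servers answers with, and a compliant client must treat it the way w32tm did.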

  • ISE TACACS+ authentication - logged in before deciding whether you should have access

    I'm moving from Cisco ACS to Cisco ISE version 2.1 to control TACACS+ for my network devices. I opened a case with TAC, but the answer seems counter-intuitive to me, and I hope for confirmation that this is now the way Cisco does it, or that I just need to set up my policy sets differently.

    For a switch using ACS for administration, a user will SSH to the device and, if they are not in the right AD security group, the user will receive an access denied response.

    With ISE TACACS+ for administration, the user will SSH to the device and, because they are a member of the AD domain, they authenticate and actually log in to the device and get a command prompt. Now, if this same user is not in the right AD security group, they will not be allowed to do anything on the switch.

    According to TAC, ISE needs to identify the user before it can decide whether that user is allowed to access the device. That is not fine with me because basically anyone in my company can now log in to these devices. Other than putting ACLs on the switches that allow access only from certain computers, what are others doing to mitigate this risk?

    Thank you

    Hi Ken,
    In case you have configured your ISE as a fresh 2.1 installation, follow these steps:

    In the "Device Admin Policy Sets", leave the "Authentication" part of a rule as it is.
    In the "Authorization" section, add your AD security groups as conditions (select the box on the right under Conditions -> Create New Condition -> under "Select Attribute": "AD login name" -> ExternalGroups -> "Equals" -> choose the AD group name) and the right command set and shell profile for each security group.

    Now the important part: the last rule is the default rule that will be used if the user is not a member of a security group that was the condition of an earlier rule.
    Here you should make sure that the "Deny All Shell Profile" is selected; it means that if this rule is used, the user will be blocked from access.

    In case you upgraded from 2.0 to 2.1, you may be suffering from this bug:
    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCva04654/?referring_site=bugquickviewredir Then you simply do not have a "Deny All Shell Profile" as an option.
    I built a workaround for my system:
    I created a new shell profile which has "disconnect" as the auto command and 0 as the maximum privilege level.
    I loaded this shell profile into the default rule.
    Maybe this isn't the best solution, but it does what it should do.

    Let me know if it worked, and please rate useful responses!

    Greetings,
    Max

    Edit: spelling mistakes

  • features of the client ntp ESXi (interesting compliance requirement)

    Hi guys,.

    I was thrown an interesting compliance requirement by a customer. They demand that all NTP updates are averaged over several NTP servers (preferably 3) at a particular stratum (although I don't think this has a bearing on the issue).

    In effect, they want to query several NTP servers, average the difference between the updates provided by all servers, and then drift in that direction. Apparently this is the normal behaviour of the NTP client on the HP NonStop they use, and they must find a way to do it on all the other hosts.

    I trawled around and couldn't find an easy way to do this with the ntpd that ESXi uses. The best I could think of would be to have the NTP infrastructure do the sync for the clients (ESX), but from the compliance perspective that would not cut it.

    Apparently it is a common compliance requirement for financial houses - has anyone else run into this, or have a solution?

    It seems to be one of those requirements that nobody knows anything about.

    As usual, all thoughts appreciated and rewarded with points.

    The behavior you describe (drift toward the average of the reported servers) is the normal and expected behavior of all proper NTP implementations. (See http://web.archive.org/web/20100331222927/http://www.sun.com/blueprints/0901/NTPpt3.pdf for an explanation of why this is the case - the illustration on page 9 in particular is one of the best things you will ever see for understanding NTP.)

    As near as I can tell, ESXi provides a fully functional ntpd. So all you need to do is add three servers in the host's time configuration screen and you will get this behavior. You can verify the behavior by running "ntpq -pn IPaddress" from a local Linux machine against your ESXi host. This is an example of what mine looks like shortly after the time servers were reconfigured and ntpd restarted:

         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     192.168.240.254 203.192.179.98   3 u   37   64  101    1.229  60465.5 30179.7
     192.168.240.5   203.31.84.4      3 u   96   64   37    0.269  60338.7 30169.5
     192.168.240.249 192.189.54.17    3 u  100   64   37    0.229  60338.8 30169.4

    This server is behind the actual time by about 1 minute (60,000 milliseconds) and should start to drift toward it once it is synchronized up.

    Kind regards

    Paul
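As an added example (not from the original thread or from ntpd's source), here is the combining step the answer above describes, in Python: an NTP client with several survivors does not follow one of them but forms a weighted average of their offsets, each weighted by the inverse of its root synchronization distance (RFC 5905 section 11.2.3, the shape of ntpd's clock_combine()), and disciplines the clock toward that. The three survivors are built from the offsets and delays in the listing above; their dispersion values are assumed, since `ntpq -p` does not print root dispersion.

```python
"""RFC 5905 combine algorithm over a set of survivor peers.

Added example, not part of the original thread. Peer offsets/delays follow the
ntpq listing above; dispersions are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Survivor:
    name: str
    offset_ms: float      # theta: clock offset measured against this peer
    delay_ms: float       # delta: round-trip delay to this peer
    dispersion_ms: float  # epsilon: dispersion (assumed; ntpq -p does not show it)

    @property
    def root_distance(self) -> float:
        # lambda = delta/2 + epsilon, the local part of the root distance (RFC 5905 11.2.1)
        return self.delay_ms / 2 + self.dispersion_ms


def combine(survivors: list[Survivor], system_peer_index: int = 0) -> tuple[float, float]:
    """Return (system offset, system jitter).

    Weight each survivor by 1/root_distance; the jitter is the weighted RMS of
    every survivor's offset about the system peer's offset, as clock_combine() does.
    """
    if not survivors:
        raise ValueError("no survivors to combine")
    reference = survivors[system_peer_index].offset_ms
    weight_sum = weighted_offset = weighted_sq = 0.0
    for s in survivors:
        w = 1.0 / s.root_distance
        weight_sum += w
        weighted_offset += w * s.offset_ms
        weighted_sq += w * (s.offset_ms - reference) ** 2
    return weighted_offset / weight_sum, (weighted_sq / weight_sum) ** 0.5


def weights(survivors: list[Survivor]) -> dict[str, float]:
    """Normalised influence of each survivor on the system offset (sums to 1)."""
    raw = {s.name: 1.0 / s.root_distance for s in survivors}
    total = sum(raw.values())
    return {name: w / total for name, w in raw.items()}


# Constructed from the listing above; the 10 ms dispersion is an assumption.
PEERS = [
    Survivor("192.168.240.254", 60465.5, 1.229, 10.0),
    Survivor("192.168.240.5", 60338.7, 0.269, 10.0),
    Survivor("192.168.240.249", 60338.8, 0.229, 10.0),
]

if __name__ == "__main__":
    offset, jitter = combine(PEERS, system_peer_index=1)
    print(f"system offset {offset:.1f} ms, jitter {jitter:.1f} ms")
    for name, w in weights(PEERS).items():
        print(f"  {name}: weight {w:.3f}")
```

The peer with the smallest root distance (lowest delay here) gets the largest weight, which is why a single slow or distant server cannot drag the result far from the others; that is the averaging behaviour the customer's requirement is asking for.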

  • Posture Validation on ACS 5.3

    Hello

    Can someone tell me if it is possible to enable Posture Validation on ACS 5.3?

    If so, could I have a link or an implementation procedure?

    Best regards

    Hello

    ACS 5.3 does not do posture validation as 4.2 did. That was known as the NAC framework; Cisco has a dedicated appliance (Cisco Clean Access - cisco.com/go/nac) and a new device that uses RADIUS and is a hybrid of ACS 5 and NAC, called ISE (cisco.com/go/ise).

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Detect and block unauthorized devices and users on the network

    Hello

    At the moment we have a Cisco 6509 as the access switch for our network. Each user has an IP phone and a computer. We will implement 802.1X for end users by next month. I need to check any user activity on the network, such as someone plugging an access point or a router into the network.

    I just looked at Cisco NAC and I think it will help us detect these activities on the network.

    I need more information about Cisco NAC or other products for this purpose. Also, what is the difference between Cisco NAC and an application like Microsoft TMG?

    Could you please give me more detail on Cisco NAC? Is it agentless, or do I need to install something on the computers? Does it work as the default router for the users' computers?

    Thank you

    Mike

    Hello

    If you want to implement dot1x, Cisco NAC is not the solution because it does not do dot1x for wired clients.

    Your best bet is to go with Cisco ISE. You don't have to install any software and can choose to use the native Windows supplicant.

    www.Cisco.com/go/ISE

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Cisco ISE synchronization with NTP server

    I am currently implementing Cisco ISE for our customer.

    But I have a small problem: Cisco ISE cannot synchronize with the NTP server.

    Keep in mind, the NTP servers are in AD.

    Currently, Cisco ISE only synchronizes to its local clock.

    Cisco ISE is deployed in distributed mode, with two Cisco ISE installed on VMware (primary and secondary Administration & Monitoring nodes), and another one is an appliance (Policy Service node).

    As a result of the failed NTP sync between the server and Cisco ISE, Cisco ISE is often OUT-OF-SYNC.

    Is there a solution for this problem?

    Gandhi,

    This is a known issue I have come across, and I had not read that you use AD as your NTP server. There have been problems with the integration of ISE and ACS with AD as their NTP source; please use another device as the NTP source, for example a router.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Cisco ISE 1.4 guest account backup

    I am currently deploying a self-registration guest portal, and I now have some questions I want to clarify; I just want to know if anyone is facing the same problem as me.

    (1) Apart from the REST API, is there any way to export the guest accounts?

    (2) Does the appliance backup include the guest accounts or not?

    (3) In a 2-node deployment, will guest accounts sync on both nodes?

    Sorry for the bad English.

    Kind regards

    Alan

    1.] I don't think so - I can see an enhancement request for that same feature:

    CSCty82007    ENH: Export guest accounts configured in ISE

    2.] Yes - the backup should have all guest accounts.

    3.] Cisco ISE guest services use the Cisco ISE distributed management system to allow several Cisco ISE nodes to work in a deployment. Configurations performed on the primary node are replicated to the secondary nodes.

    ~ Jousset

  • Cisco ISE 1.2 and the ad group

    Hello

    I have Cisco ISE installed on my ESXi server for my pilot test. I added several AD groups to ISE as well.

    I created an authorization policy condition, WIRELESS_DOT1X_USERS (see screenshot).
    Basically I just replicated the default Wireless_802.1X and added Network Access:EapAuthentication Equals EAP-TLS.

    My problem is, I have been unable to join the wireless network if I add my AD group to the authorization policy (see screenshot). The user I am testing with is a member of WLAN USERS. If I remove the group from the authorization policy, the user is able to join the wireless network.

    I have attached the screenshot of the ISE logs as well. I checked the ISE, AD/NPS, WLC and laptop time and date, and they are all in sync.

    I also have the WLC added as an NPS client on my network.

    I checked the AD log and found that it was the WLC's local management user trying to authenticate. It is supposed to be my wireless user's credentials, not the WLC's.

    This is the log I received from AD/NPS:

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID: NULL SID
        Account Name: admin
        Account Domain: AAENG
        Fully Qualified Account Name: AAENG\admin

    Client Machine:
        Security ID: NULL SID
        Account Name: -
        Fully Qualified Account Name: -
        OS-Version: -
        Called Station Identifier: -
        Calling Station Identifier: -

    NAS:
        NAS IPv4 Address: 172.28.255.42
        NAS IPv6 Address: -
        NAS Identifier: RK3W5508-01
        NAS Port-Type: -
        NAS Port: -

    RADIUS Client:
        Client Friendly Name: RK3W5508-01
        Client IP Address: 172.28.255.42

    Authentication Details:
        Connection Request Policy Name: Use Windows authentication for all users
        Network Policy Name: -
        Authentication Provider: Windows
        Authentication Server: WIN-RSTMIMB7F45.aaeng.local
        Authentication Type: PAP
        EAP Type: -
        Account Session Identifier: -
        Logging Results: Accounting information was written to the local log file.
        Reason Code: 16
        Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Hello

    The problem is with which name ISE is choosing to look up in AD. If you look further down in the ISE logs, you'll see the username that ISE uses (firstname, lastname) to search AD.

    In your certificate template, see which attribute contains the AD name (possibly the DNS name, or the email, or the RFC 822 / NT principal name), then go to your certificate authentication profile and use this attribute for the username.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Changed NTP server in Cisco Unity Connection and licenses invalidated

    I use Cisco Unity Connection 8.6.1 and my licenses were invalidated. A few days ago I noticed that the timestamp on voicemails was different from what our CUCM said, so I immediately assumed that the NTP servers were different. I was correct and made the change on our CUC server. I came back to add another user a few days later and was prompted that I didn't have enough licenses. After researching it after the fact, it seems that this happened because the NTP server value is one of the values that cannot be changed with the current license, and I'm in a 30-day grace period (24 days left now). Now my problem is that I don't remember what the NTP server was before the change. How can I fix this problem?

    Hi William,

    I guess Unity Connection is installed on a virtual machine and therefore the license MAC has changed.

    You can get the license rehosted by sending mail to [email protected]

    regds,

    aamns

  • Cisco 1.3.0.876 ISE

    Hello

    My company has a Cisco ISE infrastructure with 5 servers.

    About a month ago someone started a backup and it is stuck.

    I tried a manual backup and restarted the ISE application from the CLI, but the message persists.

    I want to schedule a new backup into a new repository, but the edit option is not available.

    PSRCSISE01/admin# show backup status
    %% Configuration backup status
    %% ----------------------------
    % backup name: new
    % repository: ISE_BACKUP1
    % start date: Mon Aug 29 10:51:27 WEST 2016
    % scheduled: no
    % triggered from: CLI
    % host:
    % status: backup New-CFG-160829-1051.tar.gpg to repository ISE_BACKUP1: success

    %% Operation backup status
    %% ------------------------
    % backup name: OpBackupDiario
    % repository: ISE_BACKUP1
    % start date: Fri Aug 05 17:24:57 WEST 2016
    % scheduled: no
    % triggered from: Admin web UI
    % host: PSRCSISE02.bancobic.net
    % status: Cancelling backup...
    % progress %:
    % progress message:

    Can you help me?

    Thanks in advance

    Hello

    I faced the same problem a year ago and it was a bug. Starting a manual backup sometimes got the status updated; other times you have to reboot the server, not just restart the ISE application.

    Have you tried a full reboot?

    Thank you

    PS: Please do not forget to rate and mark as the correct answer if this answered your question.
