CWA ISE 1.2 Patch 7 possible comments bug

Just upgraded an ISE implementation to patch 7 and discovered the patch broke comments CWA portal the wireless. I have not tested the wired CWA but wireless is down.

In summary, the redirect works fine, but when you enter valid credentials comments nothing happens including no newspaper in the ISE. If you enter the credentials that do not exist in the comments group, you get an authentication failure and the corresponding journal. As soon as I drove back to patch 6 everything worked again.

If TAC see what engineers do not hesitate to continue - I would connect a case but the kit is NFR and I can't be bothered going through the process of logging to a job on the NFR kit.

Please visit CSCuo16503

Tags: Cisco Security

Similar Questions

  • ISE 1.2 patch 3 - lag default portal Sponsor changed to non-existent ECT

    Hello world

    We applied Microsoft3 to our ISE 1.2 cluster and after the upgrade all the sponsors accounts (outwardly authenticated on Active Directory) are now GMT + 01:00 Europe/ECT as time zone default. So the guest account have the same time zone time and invited the authentication will fail.

    It's the mistake of ise - console.log:

    Comments:-com.cisco.cpm.guest.exceptions.PortalUserException: java.lang.IllegalArgumentException: zone of datetime id "ECT" is not recognized

    Comments:-to com.cisco.cpm.guest.edf.GuestUserAdaptor.isAcctValid(GuestUserAdaptor.java:489)

    I checked the interface of administration and documentation 1.2 but could find no default setting for users of sponsor zone

    Time zone for the 3315 is THIS:

    clock timezone THIS

    One solution is to update its zone on sponsor Portal setting has each user of sponsor, but it is impractical.

    Doesn't have all the known world the same problem?

    Kind regards

    Hello

    You hit CSCuj91050 bug I guess. This will be fixed in patch 4 I think, but for now, you can go back to patch 2.

  • ISE v1.2 patch PSN 5 down, deleted endpoint identity

    Please refer to the diagram. I'll make it simple and clear.

    Patch version 1.2 of ISE 5

    3xPOL (2xVirtual devices)

    1 LUN

    1 Admin

    Since January the 8th we have problems with ISE. Problem encounter were end of endpoint profiling devices like (Cisco 1140 AP) but the devices is a portable Motorola running Windows CE. Also the mac address of Motorola deleted endpoint identity, every 4 to 6 hours, and we need to put the mac address manually to start the authentication to work.

    We open a cisco with TAC. and TAC advice there is a bug in the software and must be upgraded to patch 17 or be upgraded to 1.4 as EHT it more stable than version 2.

    A few days later after one of the node POL3 (in the language of cisco PSN) went down. And one of our clients SSID WiFi lost the connection that they were unable to authenticate (security WLC are on POL3 with ISE group created AD HOC Network devices with filtering MAC.) To solve the problem, we change the WLC AAA to POL1 (PSN) security to make it work. given that his work.

    later the next day an another POL2 (up/down beat) other clients of SSID (DATA) are starting to declare connection drop. change us again the WLC AAA authentication ip in the direction to POL1 since his works very well.

    Now on 3 only 1 POL's work and three SSIDS end client is authenticated by the ip address of this POL.

    We arrived at cisco help, they looked in this and said POL node are not syn. so EHT needs a reboot to fix this. US management decided if this requires a reboot to fix theye why do not upgrade us to version 1.4 EHT. Cisco TAC mention upgrade can take up to 3 to 4 hours, or maybe more depends on the server. Now we want to go to upgrade but our network structure is complex, we do not want to lose the ise for 3 to 4 hours. We are a hospital and all verification devices/doctor patients computers/handheld devices/records are authenticated through ISE. We using ISE mainly for the wireless.

    Now, it's the background story. now, I have a question can reload us the POL nodes 1 by 1 to resolve this problem. I also noticed there is another work around, we had another node ISE from another hospital of trust in our data center. It is a virtual appliance (ise - psn.web.com) in our controller ip address SSID (WLC) one of our leading hospitals of authentication setting two AAA is POL1 and next is the ip address of the ISE - PSN. WEB.COM if we recharge our ise and wlc, we note the ip address of the ISE - PSN. WEB.COM will be this keep the SSID client remains connected.

    Please let know us that we are in a desperate situation where we need advice to minimize downtime of our patient critical application that are connected wirelessly.

    Hi there and sorry you are in such a crappy situation. It's no funny!

    To answer your questions:

    #1. I would certainly recommend the upgrade to a later version of ISE or at least get your current version on the last patch!

    #2. Yes, you can reload the Ssnp one at a time with zero and without interruption of service. Your WLC detects that your first PSN is down and then move to the second that is configured under the SSID > AAA servers. It is very important that your PSN is in a node group. This way if the PSN-1 goes down, none of the sessions that have been in the middle of the AAA process will get absorbed by another node in node group. If the PSN is not in a group of clients node trying to authenticate to the network at the time of charging will have to start again.

    #3. Once that clients are authenticated and authorized their rail traffic is no longer the PSN. So, reload the PSN will not affect clients that are already on the network. However, if a customer needs to re-auth (in due to inactivity, slowed down or re-auth timer) then a job THAT PSN is necessary, otherwise the AAA session will fail.

    #4. Certainly, you can set up a third NHPS under your SSID and use your PSN which is in another hospital. As long as this node is located in the same deployment of ISE and is synchronized with the PAN then you should be good to go. You can quickly test it by creating a temporary SSID > do as PSN its main Radius Server > test it with a test computer.

    I hope this helps!

    Thank you for evaluating useful messages!

  • ISE 1.4 WLAN MAC filtering comments

    Hello

    I just installed 1.4 ISE and features of the company work. However, I have problems with the installation of comments.

    The WLC (5508), I have a guest and foreign controller setup, the client being in the demilitarized zone. I am Setup ISE as radius server and when I select the MAC filtering option, it won't let me connect to the WLAN comments. Keeps trying to connect and fails authentication.

    I have the installation RADIUS, defined by the WLC in ISE, checked the overide AAA and RADIUS selected as the NAC agent according to the instructions online. But I think that MAC authentications keeps failing.

    Any ideas anyone

    Thank you

    Good work on the resolution of your problem! (+ 5) to me!

    If your problem is solved, please mark the thread as "answered" :)

  • ISE according to the time portal comments

    G'day all,

    Could anyone advise if it is possible to extend or change the time profile of a guest account that has already been created? I'm trying to understand the use of time within the portal of Sponsor profiles. Imagine that a guest user has an account that gives them access to 2 weeks, by the end of the 2 weeks that the user requires another week of access.

    Of what I see as the time ISE profile page in the Developer Portal and config, is the user would have to wait before the expiry of the existing account and have a new account created or a new account must be created to grant additional access and the existing account could be deleted, I'm looking just for clarification if an extension of time for guest accounts is possible before the end of the account.

    Currently using ISE 1.1.3

    Thanks to the advanced guys.

    James.

    Hello

    Yes, I have increased the TAC issue and they notified me that the current version of ISE does not support guest accounts online updates, as the time profile sets the expiration date and then is not editable after that.

    Thank you

    Dave

  • ISE device administration authentication Radius possible?

    Hello

    does anyone know if the edge RADIUS authentication and authorization administration is possible with the actual release of ISE? I know that GANYMEDE will be available in future releases.

    Concerning

    Joerg

    Yes it is possible according to the "Ask the experts" forum

    --------------------------

    https://supportforums.Cisco.com/thread/2172532

    "If you use RADIUS for the administration of the system, ISE can be used using authorization policy elements that return Cisco av-pairs." But personally, I think that ACS is currently superior to ISE for this task.

    --------------------------

    In any case, I'm about to test "device admin" and "network access" at the same time in the same switch with Radius and ISE.

    Please rate if this can help

  • Redirect CWA ISE 1.2 URL

    Hello

    Was wondering was there anyway to manipulate webauth URL is sent to a customer in the redirect chain. Currently my ISE sends customers of the machine internal name, I was wondering if there was anyway that I can change this.

    I know that on local on the WLC webauth you can set the external URL, this functionality exists in the ISE?

    TIA

    G

    Sent by Cisco Support technique iPad App

    In ISE 1.2 results for authorization framework, there is a box below the setting of the redirect. I think it is called static host name...

    Thank you

    Sent by Cisco Support technique Android app

  • ISE CPP wireless with redirection possible exclusions?

    Hi all, a little bit of a tricky situation here. I have a wireless network and ISE 1.1.1. The wireless code 7.0 and 7.3 is mixed.

    On a wired ISE installation, it is easy to have an allow rule that URL redirects users to the portal provisioning client * BUT * to have a redirect refuse the ACL on the switch with statements that exclude some websites of the redirect. For this, so users can click on the links of rehabilitation of the NAC Agent and reach sites to download updates of GIS, updated windows, anti-virus, etc. but all other attempts at web redirected to the CPP.

    Any fine and it works perfectly on the cable network. HOWEVER, I can't find in a similar way, to do this on the wireless network. While you can create a policy of redirection of posture to send to the CPP with an ACL, this ACL seems only to allow or deny traffic through a standard ACL. Sense a user gets on but any attempt to go anywhere in a browser redirects to the CPP. It is therefore impossible to make the pages of sanitation.

    Is there a way to accomplish what I'm trying to do here? It seems it should be a core function.

    Sorry, I had some problems to deal with personal and just had the chance to follow on this. First of all, good job on understanding and publishing the results back here! (+ 5) from me for that!

    To answer your questions:

    #1. You are 100% on the logic on the WLC ACL ACL Switch vs. The switches 'refuse' means "do not redirect" the traffic, therefore allowed on the network. On the WLCs 'refuse' means 'redirect' traffic, so do not allow to it on the network. I don't know why Cisco has done this, but different buses, different teams, etc.

    #2. You are also right on this one. Your vWLC and ISE work as expected. While the switches are supported on DACLS, WLCs support only "named ACL. Therefore, when you are referencing ACLs on ISE for the wireless, which ACL must exist on the WLC and it MUST BE NAMED EVEN or it won't work.

    I hope this helps. If your problems are solved, please mark the thread as "answered".

    Thanks for the note!

  • ISE pass 1.3 (876) in ISE 1.4 patch 7 or newer

    Hi all

    I have a set for active connections approx. 12000 upward with almost 19000 termination points based VM environment. Nodes as below

    (1) an Administrator main node (20 GB of RAM)

    (2) NHP 3 (RAM: 20 GB each)

    (3) a DEM (RAM: 16 GB)

    Above set up is active, it is in production, we must move to the version mentioned without interruption of service. After reviewing all the documentation, I found that the downtime is applicable to almost 1.5 to 2 hours or at least 30-40 minutes for PSN and 1 HR for MNT, we use no profiling, database dot1x/MAB

    We have an admin for the secondary node, but it is not added to the deployment, please specify best practices and steps to upgrade with or without secondary node admin and downtime there is

    ++ Important: as you notice we run large-scale (12000 connections) with fewer resources, we expect to increase the RAM so

    In my opinion /searches on Web pages, it is preferable to increase the RAM first and then plan upgrade. I have a few questions is not the documents in the guidelines of cisco

    (1) in case update us the RAM, it is true that we have a new facility for ISE VM (new admin/PSN/MNT), because it can see the upgrade of RAM but will not use the same with old VM, for the record, it is mentioned that we have new facility where we intend to upgrade

    (2) I can see the CPU is near 3%, but I regularly receive alerts in average load, is calculated based on Terrain or overall. What is the command to check the CPU peak value and the number of cores assigned, we have 6 hearts at the ISE (see inventory)

    Thanks in advance

    Kind regards

    Sam

    Hi Sameer,

    Let me know if you have any additional questions. Otherwise, please close by scoring it.

    Concerning

    Gagan

  • Display with VMware Workstation 9 and Enterprise of Windows 8 comments bug

    Hello

    I just installed VMware Workstation 9.

    I created and installed a VM of Windows 8 Enterprise comments.

    Everything works fine, except that when I go to the Windows 8 settings via bar charm (not via the desktop...), the display setting menu is occasionally screwed up!

    This problem appeared just after I installed the VMware Tools in the guest OS. Before that, there was no display problem. Believe me, I've taken care of that by testing entirely.

    My OS is Windows 7 Ultimate. My processor is an Intel Core i7 870 (4 cores) and I have 8 GB of memory. My graphics card is an AMD ATI 5850 with the latest drivers.

    Any help would be greatly appreciated!

    PS: This is not one type of bug in time. I can repeat this every time I have to create a virtual machine Windows 8 Enterprise comments. The problem was also there with VMware Workstation 8. My guess is that VMware tools are buggy, at least with certain type of graphics compared to Windows 8...

    Hodgepodge

    Looks like you see the same problem that has been reported in this thread: http://communities.vmware.com/message/2124359

  • Facebook comments Bug

    Hello

    I hope someone is able to help me with my blog and facebook comments that go hand in hand.

    On my blog here, I'm trying to be able to moderate posts, however, something odd is occurring where I am only able to moderate some of the posts and the others do not give me the option. It seems strange that I have the code of moderation in the model.

    If it helps, the page Citrish Relish is one who works while not the grilled vegetables.

    Any ideas? Thank you!

    Perhaps because the meta admins is not in the head. You put this in the blog layout I understand, the system in the blogs not drives in the head as he does for other things such as web applications and products, I do not know why.

    Make a new template for your blog and put it in the head of the model and set the template for the blog.

    You can while your att he can add a specific class of body for the blog to do extras if you want anyway

    Try and see if the meta in the head properly functioning.

  • NETGEAR D6000 (Possible Firmware Bug)

    Hello

    About a week ago, I bought a Netgear D6000 - 100AUS ModemRouter. I have it configured manually and everything went well, I was online in 10 minutes. After completing the configuration, I noticed the Firmware update notification on the WebUI devices. I've updated, everything went well.

    Probably the next day, I got home to discover most (if not all) connected devices had issues. The DNS servers configured in the modemrouter were not meet. I think actually fairly quickly that it could be a problem with the firmware up-to-date mixed with the old configuration data saved in the device, so I restored the factory setting and set up again (this time with the Wizard). No problems.

    I get home today, same problem. I discovered that the DNS servers configured in the modem (Googles DNS 8.8.8.8 and 8.8.4.4) were not meet. I can work around this by assigning the DNS server on the computer or the device. DNS servers responded very well, so it was something to do with the modem.

    When this problem occurs, the routers WebUI responds very slowly. As I speak of ~ 5 minutes before I get a login prompt. And it's also across all devices. So this definitely not a line problem, it seems more like a bug in the firmware. I was talking to a technician on the live chat and he advised me to post here. I hope that someone will see it and maybe work with me to resolve the issue.

    In addition, it is pretty weird. I have an old ISP Telstra has published ModemRouter, it is a Netgear DEVG2020 and looks like it is running similar firmware. That's what I had before, I got off a friend after my prior ModemRouter (TP-Link) has been damaged. I couldn't make it work like a ModemRouter and assumed that it was because I didn't have a Telstra business account (it is what it was for). So I got an old Telstra Modem, I have had and used the DEVG2020 just a router. And he was constantly the same freaking question. For a long time, I had all devices in the House that is configured with its own DNS to work around him. So yes, I don't know if this information will help you. All I can think is a problem of firmware. But I have no idea. I intend on the Netgear to return next week, but I'm happy to stay with her a little more if a firmware update on the way.

    Thank you!

    I got it exchanged for a Technicolor. No problem now. Deffs a firmware issue.

  • Possible a bug of cascading select list

    Hi people,

    I created a dynamic action "onChange" in a page called "P5_COD" element Always of value of "P5_COD" changes, it runs the PL/SQL code above to fill the page elements with data from database:

    select
      PERIOD,
      BEGIN_DATE,
      END_DATE
    into
      :P5_PERIOD,
      :P5_BEGIN_DATE,
      :P5_FINISH_DATE
    from ...

    BEGIN_DATE and end_date are page elements "selection list. They are "Cascading LOV Parent article (s)" of the PERIOD (select list too).

    The problem is: 'onChange' dynamic action doesn´t work to load the elements of page BEGIN_DATE and end_date.  BEGIN_DATE and end_date loading default data, not the data of database.

    Any idea?

    Thank you

    Bsalvador

    Bsalvador

    First of all the code you listed does not change the value of objects client only in session state-side. In other words only on the server.

    Use a dynamic action of type 'Set value' to change the value on the client side.

    Then change the value of P5_PERIOD will trigger the change of the P5_BEGIN_DATE LOV: P5_FINISH_DATE and the values of these elements are initialized to null (client side only).

    In a similar challenge to define the value of the mother and child at the same time, I'm done setting the value of the child element in a hidden item. And on the afterrefresh event of the child, the value is set to the child.

    See this demo, I realized for the challenge.

    Nicolette

  • Possible opacity bug

    Or my lack of understanding.

    The rectangle on the stage. Convert to symbol. Name it "box". Action for the click box:

    $(e.target).css("opacity","0");

    Another rectangle with script inside:

    var box = sym.$("box");
    alert(box.css("opacity"));

    1, he warns that it is visible or not.

    For me.

    Hey John,

    When you use e.target opacity is applied to the div that you select. A symbol is just a fancy div, it follows the same structure as HTML, which means that the clickable area for the symbol is the layer of lastmost of your object, and e.target seize some div that you select.

    Say you have 4 rectangles within a symbol (let's call it four_rect_sym) and used your code. At the level of the stage, you apply $(e.target)... css as a click to four_rect_sym event, but if you click on one of the rectangles, the code will hit the rect and not necessarily the entire symbol.

    In this case, you would be better to reference the symbol element if you want the opacity to be applied to the symbol: sym.$("four_rect_sym").css("opacity", "0");

    Sarah

  • Hiding authentication ISE in CWA for comments

    Ciao,

    do you know how I can put a guest authentication cache?

    For example, a guest connect to guest SSID (open); authenticate using CWA (ISE and WLC). After each time comments logoff and login, no authentication is needed for the same days.

    Thank you

    With ISE 1.3, you can set the portal reviews auto register the mac address of devices when they connect for the first time as a guest. The next time that they connect, you can authenticate the mac address instead. Endpoint purge rules can be configured so that, if you want to reconnect again ise will remove the mac address of the specific group for this portal of comments and the user having to reconnect, e.g. once per day, or every time you want...

    If you're on ise 1.2, the only way is to change the timers inactive on the WLC to a value greater than the value default 300 seconds, which is really not a good way to do it if you plan to have a lot of users use this, it will consume power of memory and the process on the WLC.
