Failure of ISE nodes

Hi all

I would like to understand how to set a timer for the case where both ISE nodes become inaccessible, so that clients who are already authenticated remain authenticated until the specified time period expires. Is this a configurable option?

These commands are relevant to the above requirement:

    radius-server dead-criteria time 5 tries 2
    radius-server deadtime 10

Thank you

This command sets the reauthentication timer while the session-timeout is sent from the user's session.

I'd like to understand your business need for this scenario. Are you looking to extend the reauthentication timer if all RADIUS servers are dead? If so, the command below will authorize a client onto a VLAN if the servers are dead. That command is:

    authentication event server dead action authorize vlan xx

The following command will re-authenticate the port once the RADIUS server is alive again:

    authentication event server alive action reinitialize


Tags: Cisco Security

Similar Questions

  • Registering a second node - ISE 1.2

    Hi guys,

    I am trying to register a second node on my primary ISE node, but I get the following error:

    Cannot authenticate ISE xxxx... Please check the server and the CA certificate configuration and try again.

    I did import/export the certificates on both ISEs.

    They can ping each other by IP address and FQDN.

    Time zones are the same, but I still have not activated NTP. (I think that may be the problem, although they have the same time.)

    I did the import/export under the "Local Certificates" tab. I have not used "Certificate Signing Request".

    Does anyone know if something has changed in ISE 1.2 so that local certificates no longer work?

    I also can't add my ISE to RFA, but that is another fight.

    Any advice will be appreciated!

    Good job on finding a solution to your problem and for taking the time to share it with everyone! (+5 from me) :)

    For your first step: I really don't know why you had to perform this step. The username and password that you created during the initial installation (from the CLI) should have worked to add the secondary node.

    For your second step: you're right, the FQDN must match or the cert will fail.

    If your problem is resolved please mark it as "answered" :)

  • ISE node failure & pre-authorization ACL

    Hi all

    I would like to know what the best practice should be for the following configuration.

    (1) Network access for devices/end users if both ISE nodes become inaccessible: how can we ensure that full network access is granted if the two ISE nodes become unavailable?

    (2) What is the best practice for setting up a pre-authorization ACL if IP phones are also on the network?

    Here is the port configuration and the pre-authorization ACL that I use in my network:

    interface FastEthernet0/1
     switchport access vlan 30
     switchport mode access
     switchport voice vlan 40
     ip access-group ISE-ACL-DEFAULT in
     authentication event fail action authorize vlan 30
     authentication event server dead action authorize vlan 30
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation protect
     mab
     dot1x pae authenticator
     dot1x tx-period 5

    *****************************************

    ip access-list extended ISE-ACL-DEFAULT
     remark DHCP
     permit udp any eq bootpc any eq bootps
     remark DNS and Domain Controllers
     permit ip any host 172.22.35.11
     permit ip any host 172.22.35.12
     remark Ping
     permit icmp any any
     remark PXE / TFTP
     permit udp any any eq tftp
     remark Deny all
     deny ip any any log

    Thanks & best regards,

    Guelma

    Hello

    On question 1, since you use "authentication host-mode multi-domain", then "authentication event server dead action authorize vlan X" is the way to go.

    But if you use "authentication host-mode multi-auth", then you should use "authentication event server dead action reinitialize vlan X".

    On question 2, it is not mandatory to use a pre-authorization ACL. My current deployment has IP phones; since I use profiling with the RADIUS and CDP probes, ISE can detect and allow the IP phones even if the switch blocks all packets. That's why I didn't need a pre-authorization ACL.

    Please rate if this can help.
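    The fail-safe settings discussed in the first thread (dead-criteria/deadtime) and in the reply above (the server-dead action must match the port's host-mode) can be checked mechanically. This is an added example, not code from the thread or from Cisco; the running-config it audits is constructed, and the "multi-auth needs reinitialize" rule encodes the reply above.

```python
# Added example (not code from the thread or from Cisco): audit an IOS
# running-config for the ISE-unreachable fail-safes discussed above.
import re

# Constructed sample config. Fa0/1 copies the thread's port but in multi-auth
# mode; Fa0/2 enforces 802.1X with no server-dead action at all.
SAMPLE_CONFIG = """\
radius-server dead-criteria time 5 tries 2
!
interface FastEthernet0/1
 switchport access vlan 30
 switchport voice vlan 40
 authentication event fail action authorize vlan 30
 authentication event server dead action authorize vlan 30
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport access vlan 30
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an IOS running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def audit(config):
    """Return a list of (scope, finding); an empty list means no gaps found."""
    findings = []
    if not re.search(r"^radius-server dead-criteria time \d+ tries \d+", config, re.M):
        findings.append(("global", "no radius-server dead-criteria: dead detection left at IOS defaults"))
    if not re.search(r"^radius-server deadtime [1-9]\d*", config, re.M):
        findings.append(("global", "no radius-server deadtime: a dead server is retried on every request"))
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # port does not enforce dot1x/MAB, nothing to fail safe
        host_mode = next((c.split()[-1] for c in cmds
                          if c.startswith("authentication host-mode")), "single-host")
        dead = next((c for c in cmds
                     if c.startswith("authentication event server dead action")), None)
        if dead is None:
            findings.append((name, "no server dead action: endpoints lose access when all ISE nodes are down"))
            continue
        # Per the reply in this thread: multi-auth ports need 'reinitialize vlan', not 'authorize vlan'.
        if host_mode == "multi-auth" and "reinitialize" not in dead:
            findings.append((name, "multi-auth port uses 'authorize vlan'; should be 'reinitialize vlan'"))
        if not any(c.startswith("authentication event server alive action") for c in cmds):
            findings.append((name, "no server alive action: port will not re-authenticate once ISE returns"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```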

  • Distributed ISE deployment with 4 nodes & licensing

    Hello

    Question 1

    -------------

    We have 04 ISE appliances and we intend to deploy a distributed system such that 02 ISE will act as PRI/SEC with the PAP/M&T roles and the other 02 as PRI/SEC PDP.

    The PAP/M&T pair configuration is straightforward and there is no doubt about it, but there is a problem with the other two nodes which are PDP as PRI/SEC.

    ISE warns us that at least one node should have the monitoring role enabled; however, at the point where the Admin role is already activated, we cannot have the PDP nodes.

    If someone has done this, I would appreciate guidance in the right direction or any document on how to achieve this requirement.

    Question 2

    -------------

    My other query is on licensing for this requirement. We have only 1 Base and 1 Advanced license for all these 04 boxes, for about 500 endpoints. However, we can generate licenses only against 1 single ISE unit by giving its serial number, and that will be installed on the primary PAP/MT box only; what about the other two boxes that will act as PDP PRI/SEC, will they still give a warning that there is no license?

    Question 3

    -------------

    When we deploy the distributed system with the above scenario, which ISE node IP addresses do we need to set up on the network device (switch): all 04 IP addresses, or the PAP/MT pair, or the PDP pair...?

    Thanks in advance.

    The following roles can be assigned in a deployment:

    - Administration node (aka PAP). There must be 1 PAP and optionally a secondary.

    - Monitoring node (aka M&T). There must be at least one and optionally a standby.

    - Policy Service node (aka PDP): runs the RADIUS and profiling functions.

    Each node can take one or more of these roles.

    For your configuration, I recommend the following:

    - Node 1: Administration

    - Node 2: Monitoring

    - Node 3: Policy Service

    - Node 4: Policy Service

    all joined in one deployment with a single license.

    Create node 1 first, then add all the others to the deployment.

    In addition, you must enable the secondary administration function on one of the nodes (you choose which) so it can act as a backup. It will only be used in case of failure of the primary administration role. You can also activate secondary M&T on a node, but be aware that this is an active function and therefore is always operational.

    Hope that helps

  • ISE - unable to register a node

    Hi all

    We are trying to integrate a new ISE node as a PSN into our current setup. When we try to register it, we get the error messages below. Has someone faced the same issue? We also need clarity on these error messages.

    When we try to register with the IP address, we get the error message below:

    Cannot authenticate ISE secondary_ise_name. Please check the server and the CA certificate configuration and try again.

    When we try to register with the FQDN, we get the error message below:

    FQDN "XYZ.local.com" is not a resolved domain name. Please check your DNS configuration.

    We need clarity on whether it is a DNS issue or a certificate issue.

    Kind regards

    Avinash

    Hello

    Please ensure that your FQDN can be resolved by your ISE.

    For this you must add the entry for your server in DNS.

  • Best practices for restarting ISE nodes?

    Hello community,

    I administer an ISE installation with two nodes (I'm not an ISE specialist, my job is simply to manage the users/MAC addresses), but now I have to move my ISE nodes from one VMware cluster to another VMware cluster.

    (Both VMware environments are connected to our company network, but are different environments. vMotion is not possible.)

    I want to stop ISE02, move it to our new VMware environment and start it again.

    Then I could do the same with our ISE01 node...

    Are there best practices to achieve this? (Stop the application first, stop replication, etc.?)

    Can I really just reboot an ISE node, or do I have to consider something before I do this? After I do this?

    Any tasks after the reboot?

    Thanks for any answer!

    ISE01
    Administration, Monitoring, Policy Service
    PRI (A), SEC (M)

    ISE02
    Administration, Monitoring, Policy Service
    SEC (A), PRI (M)

    There is a lot to consider here. If changing environments involves a change of IP address and IP addressing scheme, then your policies, profiles and DACLs would also change, among other things. If this is the case, create a new ISE VM in the new environment using the evaluation license and recreate the old environment's deployment using the new environment's addressing scheme. Then spin up a new secondary node and register it to the primary. Once this is done, you can re-host the license from your old environment onto your new environment. You can use this tool to re-host:

    https://Tools.Cisco.com/swift/LicensingUI/loadDemoLicensee?formid=3999

    If the IP addressing is to stay the same, it becomes simpler.

    First and always, perform an operational and configuration backup.

    If downtime is not a problem, or if you have a maintenance window of an hour or so: just shut down both nodes. Transfer them to the new environment and power them on, primary node first, of course.

    If downtime is a problem, stop the secondary node and transfer it to the new environment. Start the secondary node and, when it comes back, stop the primary node. Once services have stopped on the primary node, promote the secondary node to primary.

    Transfer the FORMER primary node to the new environment and turn it on. It should take the role of secondary node. If it does not, assign this role through the GUI.

    Remember, the proper way to shut down an ISE node is:

    application stop ise

    halt

    By using these commands, the risk of database corruption decreases by 90% (remember to always back up).

    Please rate useful posts and mark this question as answered if, in fact, this answers your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • Inline posture node registration on the primary node fails with an error

    When registering an inline posture node on my primary ISE node, I got this message:

    "An error occurred during node registration

    ISE-name - java.io.IOException: Server returned HTTP

    response code: 401 for URL: https://ise-name/deployment-rpc/persona". Please, what is the cause of this problem and how can I solve it?

    Hello

    Have you configured the certificates correctly? I'd start by checking there, and also check that you are using the correct credentials (the credentials of the inline posture node GUI).

    Thank you

    Tarik Admani
    *Please rate helpful posts*

  • CLI admins for ISE nodes

    How can CLI admins be created for a Cisco ISE node?

    It is not documented, but I don't see that there is a limit. However, you can now point admin access to AD in the latest version of ISE. You can map AD groups to a specific role within the ISE configuration.

    Thank you

    Tarik Admani
    *Please rate helpful posts*

  • NMAP probe on ISE with a WLC

    I'm doing a wireless Proof-of-Concept, and I get the infamous "Unknown" endpoint for a device that should show up as a Windows Workstation based on the info I see in the Endpoint Identity section. My question is whether it's possible to extract information from the endpoint's attribute list (for example, tcp port 135) to use in a profile?

    Here are the attributes:

    Endpoint

    * MAC Address
    * Policy Assignment
    Static Assignment
    * Identity Group Assignment
    Static Group Assignment

    Attribute List

    135-tcp msrpc
    139-tcp netbios-ssn
    3389-tcp ms-word-serv
    445-tcp microsoft-ds
    AD-Domain truncated
    AcsSessionID ise-poc/133205055/184
    Airespace-Wlan-Id 10
    AuthState authenticated
    AuthenticationIdentityStore AD1
    AuthenticationMethod MSCHAPV2
    AuthorizationPolicyMatchedRule truncated
    CPMSessionID 0a64001d00000005502568b6
    Called-Station-ID 64-d9-89-43-09-70:NACTEST1
    Calling-Station-ID 18-3d-a2-92-0a-ec
    DestinationIPAddress
    DestinationPort 1812
    Device IP Address
    Device Type Device Type#All Device Types#WLCs
    DeviceRegistrationStatus notRegistered
    EapAuthentication EAP-MSCHAPv2
    EapTunnel PEAP
    EndPointMACAddress 18-3D-A2-92-0A-EC
    EndPointMatchedProfile Unknown
    EndPointPolicy Unknown
    EndPointProfilerServer ise-poc
    EndPointSource RADIUS Probe
    ExternalGroups ad.tdfadfa.org/departments/is/groups/sms-remote\,truncated
    FQDN CL20-isnetwrk03.ad.xxxxxx.orgg.
    Framed-IP-Address
    IdentityAccessRestricted false
    IdentityGroup Unknown
    IdentityPolicyMatchedRule Default
    LastNmapScanTime 2012-Aug-10 16:30:41 CDT
    Location Location#All Locations#
    MACAddress 18:3D:A2:92:0A:EC
    MatchedPolicy Unknown
    MessageCode 5200
    Model Name unknown
    NAS-IP-Address truncated
    NAS-Identifier truncated
    NAS-Port 13
    NAS-Port-Type Wireless - IEEE 802.11
    NetworkDeviceGroups Device Type#All Device Types#WLCs, Location#All Locations#truncated
    NetworkDeviceName WLC09
    NmapScanCount 2
    OUI Intel Corporate
    PolicyVersion 4
    PostureAssessmentStatus NotApplicable
    RequestLatency 54
    Response {username = foo\\webb; State = ReauthSession:0a64001d00000005502568b6; Class = CACS:0a64001d00000005502568b6:-poc/133205055/184; Termination-Action = RADIUS-Request; MS-MPPE-Send-Key = 9 c: b0:32:f4:ec:35:91:8 has: 6a: fc:87:05:ba:6 has: a 4:3 c: fd:7e:3 has: bb: ff: dc:c6:cd:36:ed:14:63:3 b: 88:34:18; MS-MPPE-Recv-Key = d 16:62:80:7: 6f:1e:09:5f:24:ed:f5:5e:c5:af:7 d: fb:ef:95:c4:12:f8:55:f8:52: da: dd:b0:7 b: 9f:69:04:; }
    SelectedAccessService Default Network Access
    SelectedAuthenticationIdentityStores AD1, Internal Users, Internal Endpoints
    SelectedAuthorizationProfiles PermitAccess
    Service-Type Framed
    Software Version unknown
    StaticAssignment false
    StaticGroupAssignment false
    Total Certainty Factor 0
    attribute-52 00:00:00:00
    attribute-53 00:00:00:00
    cisco-av-pair audit-session-id=0a64001d00000005502568b6
    ip truncated
    operating-system Microsoft Windows XP SP2 or SP3

    James,

    It is possible, but have you enabled the DHCP probe, and have you thought about setting up an ip helper statement or assigning the ISE node as one of the DHCP servers on the WLC?

    There is a built-in condition: if the DHCP class identifier contains MSFT, the endpoint will be profiled as a Windows workstation.

    However, if this is not the case, you can create the following condition under Policy Elements > Conditions > Profiling > New Profiler Condition: use Create (Advanced...), then select NMAP > 135-tcp, then set the EQUALS operator with the value msrpc.

    Go under Microsoft-Workstation, then select the option to create a matching identity group (it's much easier than using the option in the hierarchy) and set the certainty factor to 30. Then add this new condition and assign certainty 30 to it as well.

    Hope that helps,

    Thank you

    Tarik Admani
    *Please rate helpful posts*
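    To make the certainty-factor mechanism in the reply above concrete, here is an added example (not Cisco's or the poster's code) that scores a constructed subset of the endpoint's attributes against two profiles: the built-in DHCP rule described above, and the new Nmap "135-tcp EQUALS msrpc" condition with certainty 30. The profile names are hypothetical, and the scoring rule (sum the certainty of every matching condition, a profile matches once its total reaches its minimum certainty, highest total wins) is a simplification of ISE's behaviour rather than its exact implementation.

```python
# Added example: simplified model of ISE profiling certainty, not Cisco's code.

# Constructed subset of the attribute list in the question. There is no
# dhcp-class-identifier because the DHCP probe was not enabled on this ISE.
ENDPOINT = {
    "135-tcp": "msrpc",
    "139-tcp": "netbios-ssn",
    "445-tcp": "microsoft-ds",
    "OUI": "Intel Corporate",
    "EndPointSource": "RADIUS Probe",
    "operating-system": "Microsoft Windows XP SP2 or SP3",
}

# Hypothetical profile standing in for the built-in DHCP rule from the reply.
WINDOWS_DHCP_ONLY = {
    "name": "Microsoft-Workstation",
    "min_certainty": 10,
    "rules": [(("dhcp-class-identifier", "CONTAINS", "MSFT"), 10)],
}

# Hypothetical new profile following the reply: Nmap condition, certainty 30,
# minimum certainty factor 30.
WINDOWS_NMAP = {
    "name": "Windows-Workstation-Nmap",
    "min_certainty": 30,
    "rules": [(("135-tcp", "EQUALS", "msrpc"), 30)],
}


def condition_matches(endpoint, condition):
    """Evaluate one (attribute, operator, value) condition against the endpoint."""
    attr, op, value = condition
    actual = endpoint.get(attr)
    if actual is None:          # attribute never collected: condition cannot match
        return False
    if op == "EQUALS":
        return actual == value
    if op == "CONTAINS":
        return value in actual
    raise ValueError(f"unsupported operator {op}")


def certainty(endpoint, profile):
    """Total certainty the endpoint earns for a profile (sum of matching rules)."""
    return sum(cf for cond, cf in profile["rules"] if condition_matches(endpoint, cond))


def classify(endpoint, profiles):
    """Return (profile name, total); 'Unknown' when no profile reaches its minimum."""
    best = ("Unknown", 0)
    for profile in profiles:
        total = certainty(endpoint, profile)
        if total >= profile["min_certainty"] and total > best[1]:
            best = (profile["name"], total)
    return best


if __name__ == "__main__":
    # Without the DHCP probe the built-in rule never fires, hence 'Unknown'.
    print(classify(ENDPOINT, [WINDOWS_DHCP_ONLY]))
    # The Nmap-based profile matches on the 135-tcp attribute that was collected.
    print(classify(ENDPOINT, [WINDOWS_DHCP_ONLY, WINDOWS_NMAP]))
```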

  • ISE - printers

    Having read some guides & other threads, is it correct to say that two of the most important ways to profile printers are the SNMP & NMAP probes?

    I was following the profiling HowTo guide 30, where it shows how to do an NMAP probe, but when I go to our ISE nodes under Administration / System / Deployment, I don't see any button to run NMAP.

    What am I missing here?

    Is a manual NMAP scan still supported in ISE 2.1?

    Hello! In ISE 2.1 the manual scan is located under:

    Work Centers > Profiler > Manual Scans

    I hope this helps!

    Thank you for rating helpful posts!

  • ISE v1.2 patch 5, PSN down, endpoint identity deleted

    Please refer to the diagram. I'll make it simple and clear.

    ISE version 1.2 patch 5

    3x POL (2x virtual appliances)

    1 LUN

    1 Admin

    Since January the 8th we have had problems with ISE. The problems encountered were with endpoint profiling: devices profiled as a Cisco 1140 AP, whereas the device is actually a Motorola handheld running Windows CE. Also the MAC address of the Motorola is deleted from endpoint identity every 4 to 6 hours, and we need to add the MAC address manually for authentication to start working.

    We opened a case with Cisco TAC, and TAC advised there is a bug in the software and we must upgrade to patch 17 or upgrade to 1.4, as it is more stable than version 2.

    A few days later one of the nodes, POL3 (a PSN in Cisco's language), went down, and one of our clients' WiFi SSIDs lost connection; they were unable to authenticate (the WLC security settings point to POL3, with an AD HOC network device group created in ISE with MAC filtering). To solve the problem, we changed the WLC AAA security to POL1 (PSN) to make it work, and that works.

    Later the next day, with another one, POL2, flapping up/down, other clients' SSID (DATA) started to report connection drops. We again changed the WLC AAA authentication IP to POL1, since that works very well.

    Now only 1 of the 3 POLs works and the end clients on all three SSIDs are authenticated by this POL's IP address.

    We contacted Cisco support; they looked into this and said the POL nodes are not in sync, so it needs a reboot to fix this. Our management decided that if this requires a reboot to fix it, why not upgrade to version 1.4. Cisco TAC mentioned the upgrade can take 3 to 4 hours, or maybe more depending on the server. Now we want to go for the upgrade, but our network structure is complex and we do not want to lose ISE for 3 to 4 hours. We are a hospital and all patient monitoring devices / doctors' computers / handheld devices / records are authenticated through ISE. We use ISE mainly for wireless.

    Now, that's the background story. My question: can we reload the POL nodes one by one to resolve this problem? I also noticed there is another workaround: we have another ISE node from another hospital of the trust in our data center. It is a virtual appliance (ise-psn.web.com). On our controller (WLC), the SSID of one of our main hospitals has two AAA servers in its authentication settings: the first is POL1 and the next is the IP address of ISE-PSN.WEB.COM. If we reload our ISE and, on the WLC, we keep the IP address of ISE-PSN.WEB.COM, will this keep the SSID clients connected?

    Please let us know; we are in a desperate situation where we need advice to minimise downtime of our patient-critical applications that are connected wirelessly.

    Hi there, and sorry you are in such a crappy situation. It's no fun!

    To answer your questions:

    #1. I would certainly recommend the upgrade to a later version of ISE or at least get your current version on the last patch!

    #2. Yes, you can reload the PSNs one at a time with zero service interruption. Your WLC detects that your first PSN is down and then moves to the second one configured under the SSID > AAA servers. It is very important that your PSNs are in a node group. This way, if PSN-1 goes down, any sessions that were in the middle of the AAA process will get absorbed by another node in the node group. If the PSNs are not in a node group, clients trying to authenticate to the network at the time of the reload will have to start again.

    #3. Once clients are authenticated and authorized, their traffic no longer traverses the PSN. So reloading the PSN will not affect clients that are already on the network. However, if a client needs to re-auth (due to inactivity, roaming or a re-auth timer) then a working PSN is necessary, otherwise the AAA session will fail.

    #4. Certainly, you can set up a third PSN under your SSID and use your PSN which is in the other hospital. As long as this node is in the same ISE deployment and is synchronized with the PAN, you should be good to go. You can quickly test it by creating a temporary SSID > make that PSN its primary RADIUS server > test it with a test computer.

    I hope this helps!

    Thank you for evaluating useful messages!

  • ISE deployment in a routed network with VLANs

    Hello all

    Newbie to ISE. I would like help/suggestions on how to deploy ISE in my network, or comments on whether my plan will work.

    ISE machines, servers (ALL) and corporate (dot1x and domain) in VLAN 10

    Guests should be in a separate VLAN 20

    By default all switch ports must be in VLAN 30, which has nothing but DHCP.

    Each endpoint must come in through VLAN 30 and then be pushed to its respective VLAN, i.e. 10 if it is a corporate (dot1x) PC, and guest VLAN 20 if MAB and it does not appear in the endpoints.

    Is this a workable deployment?

    Secondly, is inter-VLAN routing required in this scenario for the endpoints to be controlled properly?

    Is ISE able to communicate with endpoints that are not in the policy VLAN?

    Hello

    ISE deployment requires a lot of consideration in many aspects. I suggest you read the Cisco documentation carefully to become familiar with it.

    http://www.Cisco.com/c/dam/en/us/TD/docs/solutions/enterprise/security/T...

    A Cisco ISE node plays many roles: Admin, Monitoring & Policy Service. The crux is the Policy Service node (PSN), which plays the role of the RADIUS server (the RADIUS front end, to be precise) to handle AAA requests.

    For dot1x authentication of internal hosts, you can have an ISE PSN in the internal LAN (the same VLAN as the servers) or users. For wireless clients, you can use a dedicated PSN or share the PSN, according to your security requirements.

    Cheers,

    Vidy

    Please don't forget to rate this post if useful.

  • Why can't I FTP files from my workstation to ISE?

    Hello

    I get this message when I try to download the ISE 1.2 upgrade files onto the local disk of the ISE nodes...

    ISE-01/admin# copy ftp:///ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz disk:/

    Username: rsundstrom

    Password:

    % Error: transfer not possible

    When I enter the "dir" command at the ISE CLI, the file name appears, but the file size is 0 (zero).

    I'm trying to follow the instructions for the upgrade to v1.2. Placing the upgrade files on the local disk of the ISE is considered important.

    Any ideas?

    Robert,

    Is there a firewall between your computer and the ISE server? Also, is there a log on the FTP server showing the server denying the download?

    In the case of a newly spun-up FileZilla, the default permissions for the created user account should be reviewed.

    Thank you

    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.2 Active Directory issue

    Hello

    I have a question about the use of Active Directory as a Source of external identity.

    Our client has 4 servers in their domain and so 4 DNS entries for the domain. When I join ISE to the domain, DNS resolves one address and that machine is used to perform the join operation. What happens if that machine goes down afterwards: should my ISE node leave and then re-join the domain, or is this handled by another mechanism?

    Thank you

    Alan

    Assuming that they are part of the same domain, the ISE AD connector will learn all the domain controllers in the domain and you'll probably find after a while that it has attached to a different domain controller. We have more than 100 DCs in our domain and it works fine; no intervention is required for it to connect to a different domain controller when the one it was connected to disappears.

  • How can I create a repository in ISE for the 1.2 upgrade?

    Hello

    I'm upgrading our 1.1.4 ISE nodes to version 1.2 in the coming weeks. Following Cisco's guide for this, I should create repositories on both of our admin nodes and store the upgrade file locally. These repositories cannot be created using the user interface; they must be created using the CLI.

    How can I create and name the repositories so that I can FTP the upgrade file to this location?

    Thank you.

    Hi Robert,

    Here's an example of creating the repository using the CLI in ISE 1.1.4.

    You can refer to the following document as a reference.

    http://www.Cisco.com/en/us/docs/security/ISE/1.1/cli_ref_guide/ise_cli_app_a.html#wp1013913

    Example:

    node1-poda/admin# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    node1-poda/admin(config)# repository demo
    node1-poda/admin(config-Repository)# url ftp://64.103.172.80/
    node1-poda/admin(config-Repository)# user admin password plain admin123
    node1-poda/admin(config-Repository)# exit
    node1-poda/admin(config)# exit
    node1-poda/admin#
