Group of endpoint Cisco ISE 1.4 hotspot

Patch 1.4 Cisco ISE 6

Cisco WLC 8.0.121

Setup

the WLC has a named Hotspot SSID. It uses mac auth with radius of the NAC to redirect to the Hotspot portal of reviews on the ISE.

drops flexconnect users in vlan 401 (with preAuthAcl), after the PSU, it is initially a COA to move users to VLANs 413 with permitInternetAcl

Description of the problem:

users connect to the SSID of the access point and get an IP address valid in vlan 401

redirected to the page of the hotspot on the ISE with a PSU and the PIN code request.

are they disconnect from the network and reconnect, the ISE sends a certificate of authenticity to move to 413 without the Hotspot portal.

what I've noticed, is that as soon as users get the redirect of the original Web page, they are moved to the endpoint group defined in the hotspot portal.

What I've read about this behavior makes me understand that it is a default behavior, but if that's the case then I'm not sure on how I can make my font to check if the PSU has been accepted.

Thank you

Maarten

Cisco WLC 8.2.100

Patch 1.4 ISE 6

Similar Hotspot ISE installation, of similar rules except change VLAN. I have observed the same behavior.

This configuration was working on patch 5.

Update:

I found a solution based on the following bug. Use the following attribute in the authorization rule. The success page remains but no Instant Internet access is available using this workaround solution.

https://Tools.Cisco.com/bugsearch/bug/CSCux22558/?referring_site=bugquic...

' Workaround:
"Use the LEAST 24 endpoints: LastAUPAcceptanceHours for example (means PUA agreed less than 24 hours ago).

Tags: Cisco Security

Similar Questions

  • Cisco ISE point endpoint assets use Reset

    Hello

    I have a Cisco ISE running version 1.1, and I was wondering if it would be possible to reset the license use/active end point shown on the dashboard? Noted after a restoration of EHT due to the replacement of the material and I noticed that endpoints use County/active license doesn't seem to go down.

    The following methods have been tried, but without success:

    1. reboot the Server/service of ise

    2. turn off all devices in the network use the ise as there are no customers/device access; example of switch/wlc/etc...

    3 remove all use of endpoints in the Group of identity/identities

    4 disable profiling at the ise

    As the ise has been installed with a basic license; not too sure if it can be either a bad restoration (all service/application work however) / accounting bad Ray which is not expired on the ise / etc...

    Any help is appreciated on how to reset the active use of point of termination/license.

    Thank you.

    Here is a method to remove outdated records. Please try this:

    http://www.Cisco.com/en/us/docs/security/ISE/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1072950

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Session of endpoint on Cisco ISE 2.1

    Hello

    I installed 2.1 ISE with patch 1.

    I have a question about the session on Cisco ISE calendar.

    If a n receives an Access_Accept message for an endpoint, ISE installs a session that is visible on the Live session section.

    If endpoint disconnects from the network, which is the time-out for this session?

    Is it possible to set this timer?

    I try to put an end to the session with the CoA on Live Session Action, but this action fails because my switch does not support cost.

    So I reboot Cisco ISE and after its reloading, the session is deleted.

    In a case that it is not possible to use the feature of 'end', is it possible to delete the session in some other way?

    Thanks in advance

    Antonio

    Hi Antonio,.

    • Completed sessions are cleaned up 15 minutes after the end.
    • If there are authentication, but no accounting, these sessions are deleted after an hour.
    • All idle sessions are cleaned after seven days.

    But your n should send account opening and stop the message for the best operation.

    For the manual uninstall, you can use under method as shown in the link I pasted. You can consult the section "withdrawal embusked sessions.

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-4/api_ref_guide/API _...

    Also, you might be interested in the discussion below:

    https://communities.Cisco.com/thread/61587?start=0&TSTART=0

    Kind regards

    Kanwal

    Note: Please check if they are useful.

  • Cisco ISE 1.2 and the ad group

    Hello

    I have Cisco ISE installed on my EXSi server for my test pilot. I added several ad groups at ISE as well.

    I created a condition of authorization policy, that is WIRELESS_DOT1X_USERS (see screenshot)
    Basically, I just replicate the default Wireless_802.1X and added Network Access: EapAuthentication, Equals, EAP - TLS.

    My problem is, I have been unable to join the wireless network, if I added my ad group to the authorization strategy (see screenshot). The user I is a member of WLAN USERS. If I removed the authorization policy group, the use is able to join the wireless network.

    I have attached the screenshot of ISE newspapers as well. I checked the ISE, AD/NPS, WLC, laptop computer time and date, and they are all in sync.

    I also have the WLC added as NPS client on my network.

    I checked the newspaper AD and I found it, it was the local management user WLCs trying to authenticate. It is supposed to be my wireless user Credential is not the WLC.

    It's the paper I received from the AD/NPS

    Access denied to user network policy server.

    Contact the server administrator to strategy network for more information.

    User:

    Security ID: NULL SID

    Account name: admin

    Domain account: AAENG

    Account name: AAENG\admin

    Client computer:

    Security ID: NULL SID

    Account name: -.

    Full account name: -.

    OS version: -.

    Called Station identifier: -.

    Calling the Station identifier: -.

    NAS:

    NAS IPv4 address: 172.28.255.42

    NAS IPv6 address: -.

    NAS identifier: RK3W5508-01

    NAS Port Type: -.

    NAS Port:                              -

    RADIUS client:

    Friendly name of client: RK3W5508-01

    The client IP address: 172.28.255.42

    Information about authentication:

    Connection request policy name: Windows authentication for all users use

    The network policy name: -.

    Authentication provider: Windows

    Authentication server: WIN - RSTMIMB7F45.aaeng.local

    Authentication type: PAP

    EAP Type:                              -

    Identifier for account: -.

    Results of logging: Accounting Information was written in the local log file.

    Reason code: 16

    Reason: Authentication failed due to incompatibility of user credentials. The provided username is not mapped to an existing user account or the password is incorrect.

    Hello

    The problem is with what ISE name, it's choosing to search of the AD. If you look in the ISE newspapers down, you'll see the username that use ISE (firstname, lastname) to search for the AD.

    In your certificate template see what attribute containst name AD (possibly the dns name or email or the name of principle of RFC 822 NT), go to your profile to authenticate cerificate and use this attribute for the user name.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Is it possible to map a promoter group in Cisco ISE to a group of users in Active Directory, using a RADIUS server?

    Hello!!

    We are working on a mapping between a promoter Cisco ISE group and a user group in Active Directory, but the customer wants the mapping through a RADIUS SERVER, to avoid the ISE by querying directly activate Directory.

    I know it is possible to use a RADIUS SERVER as source of external identity for ISE... but, is possible to use this RADIUS SERVER for this sponsor group manages?

    Thank you and best regards!

    Hi Rodrigo,

    The answer is no. There is no way to integrate the portal Sponsor config with a RADIUS server. Your DB for authentication Portal Sponsor options;

    AD
    LDAP
    User internal ISE DB

    Sent by Cisco Support technique iPhone App

  • revalidate previously profiled endpoints of ISE

    Hello

    I had a peek at MAC spoofing with ISE 2.1.0.474

    I use RADIUS/SNMP trap and queries and probes DHCP. A Cisco 7911 phone correctly is profiled as "Cisco-IP-Phone-7911. Endpoint in ISE shows all the correct details of cdp/lldp/dhcp

    When I connect my windows laptop (MAC spoofing phones), the laptop computer is authenticated as the phone. Endpoint is always profiled as "Cisco-IP-Phone-7911" - endpoint shows details of correct dhcp for the laptop but retains the cdp/lldp profile phone details previously. I checked the n and cache device sensor has no cdp/lldp details for the laptop connected and accounting device sensor sends only mobile dhcp from tlv to ISE.

    If I delete the end point of the ISE and connect my laptop (even once, spoofing phones MAC), ISE profiles properly the laptop as "Microsoft-workstation.

    When I disconnect the laptop and reconnect the phone, ISE re-profiles the end as a "Cisco-IP-Phone-7911" based on newly learned information from cdp/lldp point.

    ISE can learn new details of endpoint by the probes and reporter endpoint as shown above. I reason to say that ISE postpone endpoint based on the fact that some attributes (for example cdp/lldp) kept from appearing - when new attributes are learned?

    Thank you
    Andy

    Hello Andy,

    What you are experiencing is correct and should the behavior with the current mechanisms of ISE. There is an enhancement request that was put in place some time, but he has not seen much traction:

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCur48184

    The only time wherever a device would move one profile to another group is when a profiling rule with certainty factor higher is reached. For example, if you create a custom CF rule of 100 and this rule is struck then a device profile will never move to another rule which has CF which is<= to="">

    As you can tell, profiling is not the test. This is why it is recommended to restrict access to the network for targeted devices. For example, IP phones should just join the subnets of the voice and the PBX, printers should only need to access the print servers on specific ports, etc.

    I hope this helps!

    Thank you for evaluating useful messages!

  • Cisco ISE

    Hi all

    I intend to implement cisco ISE in my network. I have 1000 endpoints and some mobile devices. I plan to use approach distributed and all licenses possible.

    It is: should I buy licenses for all nodes. For example 1000 for the head node, 1000 for high school, 1000 for surveillance and so forth?

    Or should I buy license only 1000 (I mean 1000 base + 1000 advances + 100 mobile) ones and apply them to all nodes?

    Concerning

    Max

    Hi Max.

    ISE is authorized by the deployment. So if you have a distributed with us deployment will tell ISE 10 nodes or servers you will always only the node main Administrator license.

    Now, if you plan to have two deployments (say a deployment for the EMEA region and the other for APAC) then you would need licenses for both deployments (you allow the node primary admin in each deployment).

    I hope this makes sense :)

    Thank you for evaluating useful messages!

  • Cisco ISE and Meraki RADIUS

    I am very new to Cisco ISE and Meraki.  I try to get the Radius configuration for wireless authentication.  When I do a test of the Meraki to ISE, it passes.

    When I try to connect from my laptop, I look at the logs of the Radius and it passes; However, it does not connect me to good policy.  I keep hitting the default policy.  I have my Meraki police above the default policy in the strategy defined in article.  I have attached what looks like my strategy game.

    Devices does not really matter. Here is what I see when I create a device group (where you add the access point to this group), and then create the condition:

    And here is where I create the condition of strategy game and you should be able to select the Meraki access points:

    This will give you the condition similar to what I posted above. This is perhaps why you aren't hit that is not matching the condition for this game.

  • Cisco ISE 1.3 disable "Identity Resolve" step?

    Currently, I am working for a client with a Cisco ISE 1.3 deployment.

    The Cisco access point are currently authenticated by MAB, the customer wants to improve that I proposed to implement EAP-FAST speed of the MAB for the AP for a quick and easy solution.

    I work in the test and production environment, but I was cycling through the authentication process and found something strange.

    I created a rule that if the Tunnel network protocol is EAP-FAST are authenticated by internal users.

    It works very well, the ISE recognizes the flow and internal users through authenticatie.

    15041 assessment political identity
    15048 questioned PIP - Network Access.EapAuthentication
    15048 questioned PIP - Network Access.EapTunnel
    15004 Matched rule - EAP-FAST
    15013 selected identity Source - internal users
    24210 Looking user in IDStore of internal users - >
    24212 found user in internal users IDStore
    Authentication 22037 spent

    On the way he also decided to search for the user in Active Directory.

    Given that the user has not been created in Active Directory, that it does not.

    Looking 24432 user in Active Directory - >
    Identity resolution 24325 - >
    Search 24313 of corresponding accounts at the junction - >
    24318 no corresponding account found in the forest - >
    24322 identity resolution detected no corresponding case
    Failure of the 24352 - ERROR_NO_SUCH_USER identity resolution
    24412 not found user in Active Directory - >
    15048 questioned PIP - >. ExternalGroups
    15048 questioned PIP - Network Access.EapTunnel
    15004 Matched rule - AP_EAPFAST
    15016 selected the authorization - AP_Lan profile
    11002 returned access RADIUS acceptance

    So the authentication and authorization is successful but he try's to resolve the user in active directory.

    I checked the authentication for MAB process, and here I see the same error.

    The MAC address of the device used to MAB also is added to the ISE, then authentication through internal users, authentication and authorization is successful, but ISE wants to solve the (MAC address of the device) user in Active Directory.

    We also see this step for the flow of EAP - TLS, and in this case the identity stage via resolution is successful.

    Is it possible that I can disable the resolution of identity through AD when the internal user group? (or in the world?)

    I did some research and found this (search for LDAP users)

    http://www.Cisco.com/en/us/docs/security/ISE/1.0/user_guide/ise10_man_id...

    When I look at our deployment, it is nothing configured under LDAP.

    If you have rules in your authorization rules that use ad groups that are in front of your MAB or the EAP-FAST rules, ISE will do a search to see if it needs to match this rule. Put your MAB and EAP-FAST rules about AD membership rules, and it won't do the research.

  • Access VPN ASA and cisco ISE Admin

    Hello

    Currently I'm deployment anyconnect VPN Solution for my client on ASA 9.2 (3). We use the ISE 1.3 to authenticate remote users.

    In the policy stipulates the conditions, I put the condition as below.

    Policy name: Anyconnect

    Condition: DEVICE: Device Type Device Type #All Device Types #Dial - in access EQUALS AND
    RADIUS: NAS-Port-Type is equal to virtual

    I'm authenticating users against the AD.

    I am also restrict users based on group membership in authorization policies by using the OU attributes.

    This works as expected for remote users.

    We also use the ISE to authenticate administrators to connect to the firewall. Now what happens is, Cisco ASA valid also against policy, administrators and their default name Anyconnect.

    Now the question is, how to set up different political requirement for access network admin and users the same Firewall VPN.

    Any suggestions on this would be a great help.

    See you soon,.

    Sri

    You can get some ideas from this article of mine:

    http://ltlnetworker.WordPress.com/2014/08/31/using-Cisco-ISE-as-a-generic-RADIUS-server/

  • Cisco ISE 1.3 question Active Directory

    Hi people

    I'm having a problem with our Cisco ISE and would love some comments or a solution. I configured to ISE to use our Active Directory setup and so far it seems to be functional. I could connect to retrieve ad groups and use AD for authentication. The problem I encounter is that when I try to go to the ' Administration > Identity Management > Sources external page and select our instance AD in the window side left hand screen hangs and won't load.  Any advice?

    You are using a supported browser and have you tried an alternative one?

    If you are using a supported browser, it looks like a bug in the layout of the page. I was opening, in this case, a case of TAC. I had this same work of page very well for me in the three different 1.3 deployments.

  • SealthWatch intrgration with Cisco ISE-3315

    Hello Experts,

    I have Cisco ISE-3315 version 1.3

    Can I order and SealthWatch Lancop and use it with this series of ISE 3315? Or I must have the SNS?

    Hi Imran-

    3315 unit supports all personas running ISE 1.3

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/Release_notes/ise13_rn.html#pgfId-527567

    Now, that being said, don't forget that this devices has a lot less resources compared with the NHU devices. So, if you decided to run all personas on it then you will be greatly limited the number of concurrent endpoints.

    Thank you for evaluating useful messages!

  • Cisco ISE profiling - Split-Corporate/guest access

    Hi all

    I currently deploying a Cisco ISE for my wireless network and I would like to divide my WLAN in two different "authorisation profile": comments and Corporate.

    For now, I use my active Directory to authenticate users and profiling to authorize the device with the host name. I would like to sort by domain name with DHCP probe but I can't because there is always an answer of DHCP message with the domain given by the DHCP server, you have a solution to separate unit with domain name or other attributes?

    Thanks in advance for your answer!

    You can create different authorization profile based on the identity group they belong to, therefore, make two profiles based on two membership group (guests / corporate AD users) and assign them different access. consult the ISE 1.2 config guide.

  • Cisco ISE 1.1.1 with Windows posturing

    Hello

    We tired for configured windows posturing here's the scenario

    We saw five ise boxes 3315 with version 1.1.1 off them 2 is admin, 2 is PS and 1 MNT

    and we have local Symantec and WSUS Server.

    We make posturing for Windows where I have a few questions

    (1) is there an integration here of the local WSUS server with Cisco ISE where Cisco ISE can automatically take all the mandatory WSUS update according to the crititcality of the WSUS server.

    (2) what is advised to set up the strategy of the Posture of the posture of windows in Cisco ISE and if manually configure windows political posture using specific KB and if there is an update available on Microsoft will we be able to configure the policy for the new update.

    (3) we have configured authentication dot1x in cisco ise and asked as well as on switch port where once the user must be connected to dot1x port of the switch it invites username and password dot1x and therefore, authorization policy, it gives vlan appropriate dynamics.

    But what are the ways where we can restrict the machine which is rather than the assets of the company and even if the user's user name and password in short any employee aware how we can restrict the user making the machine rather than the assets of the company?

    (4) can configure US policy posture for antivirus which will keep us in normal mode and at the same time, we can put posturing for windows which monioring mode which only monitor policy posture and reflected in the monitoring, log in which does not restrict the network for windows posturing

    That will be great if any one can please help me to get the issues

    Thank you

    Pranav

    What follows is under the POLICY-OF ELEMENTS of STRATEGY-POSTURE-> REQUIREMENTS > >

    What follows is located under

    POLICY OF-> ELEMENTS OF STRATEGY-> POSTURE->

    REPAIR-> WINDOWS SERVER UPDATE SERVICES REMEDIATION ACTIONS

    What follows is part POLICY-> POSTURE

    These settings work ALMOST flawlessly for me by forcing her we approved on our WSUS server for our group of workstations updated (all of our laptops are members of the) which meet the criteria of severity EXPRESS (critical and Important). Now, what I've discovered in the last few days is that... MS seems a bit random in their identification of what severity level they assign to their updates. For example... I think that a service pack of the operating system would be considered IMPORTANT if not CRITICAL... however... Look at this from the identification of the server WSUS from Windows 7 Service Pack 1:

    Thus, those who updates you deleted, I'd go throgh your WSUS server to identify how they are identified by gravity, then according to your needs set the parameters of the ISE accordingly to ensure that you get updates you plan.

    Hope this helps everyone out there who has similar problems.

    Thank you

    Dirk

  • Integration of CISCO ISE with another controller wireless lan of the seller

    Hi all!

    I am currently working on an assignment and eager to integrate the identity service provider in the network. the only problem is that the deployed wireless network earlier of another provider I just need to know that either ISE has integration with the other controller feature wireless provider and can provide guest access control. The LDAP integration is also required.

    Waiting for help!

    Hello

    According to my knowledge Yes, Cisco ISE can be integrated with another controller wireless LAN of the seller, but limited. (Aruba, Rukus) and if you want to add the external identity group to your network, then LDAP integration is required.

Maybe you are looking for

  • Mac Pro Win10 Bootcamp 6 problem

    I have a late 2013 Mac Pro with win10 installed via bootcamp. When I was playing with the correction of memory and Crossfire options for the video driver for my D700 had crashed and would never recover little matter how many times I rebooted, tried d

  • My site does not load on MY firefox, but it loads on the each other of my browsers and firefox of others.

    Help, please. www.madpandastore.com it worked fine until a few days ago, nothing has changed with my firefox or my website. I tried deleting all hides and cookies, restarted my computer, etc.. Nothing is going to make this page load. It crashes just

  • 4545 proBook s: Hdmi problem

    When I connect the Pc with Tv with HDMI to my tv screen after 5-6mins get a problem with the color and you don't see anything, because all the colors are demolished when I disconnect and connect to new work, but once again, after 5 minutes, it's the

  • I installed the same update 6 times and counting (KB2467175)

    Whenever I have, stop and restart it tells me I have an update, when it was installed 6 times already.

  • OfficeJet Pro 8600 Solutions Center has disappeared

    I am running Windows 7 Home Premium 64 bit on a laptop HP Pavilion series g.  After using my Officejet Pro 8600 for about a year with great success, all of a sudden when I click on the icon of the printer to my desktop, the Solutions Center (used to