ISE 2.0 and Ganymede

Hello

Anyone know when ISE version 2.0 came and Ganymede will be supported?

Thank you in advance.

Joana.

ISE will support most of the GANYMEDE + v1.5 features. This version is scheduled for November 2015.

Please rate useful messages and mark this question as answered if, in fact, does that answer your question. Otherwise, feel free to post additional questions.

Charles Moreton

Tags: Cisco Security

Similar Questions

ISE with WLC AND switches

Hello

We run 3xWLC controller with 800 AP using ISE 1.2 for authentication wireless 802. 1 x. I was looking in the config of the ISE and notice of 400 edge cheating only 2x2960s are configured with 802. 1 x (ISE RADIUS config) and SNMP and only 2 of the port is 2 ap tie with swtich remaining ports.and the 3XWLC in network devices.

I do not understand how an access point is to do this work (802.1 x) because it is location on different site and people are connecting to various different locations. ISE almost run/do 11 876 profiled ends.

version 12.2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ fokm$ lesIWAaceFFs.SpNdJi7t.
!
Test-RADIUS username password 7 07233544471A1C5445415F
AAA new-model
Group AAA dot1x default authentication RADIUS
Group AAA authorization network default RADIUS
Group AAA authorization auth-proxy default RADIUS
start-stop radius group AAA accounting dot1x default
start-stop radius group AAA accounting system by default
!
!
!
!
AAA server RADIUS Dynamics-author
Client 10.178.5.152 server-key 7 151E1F040D392E
Client 10.178.5.153 server-key 7 060A1B29455D0C
!
AAA - the id of the joint session
switch 1 supply ws-c2960s-48 i/s-l
cooldown critical authentication 1000
!
!
IP dhcp snooping vlan 29,320,401
no ip dhcp snooping option information
IP dhcp snooping
no ip domain-lookup
analysis of IP device
!
logging of the EMP
!
Crypto pki trustpoint TP-self-signed-364377856
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 364377856
revocation checking no
rsakeypair TP-self-signed-364377856
!
!
TP-self-signed-364377856 crypto pki certificate chain
certificate self-signed 01
30820247 308201B 0 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
69666963 33363433 37373835 36301E17 393330 33303130 30303331 0D 6174652D
305A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
532D 5365 6C662D53 69676E65 642D 4365 72746966 69636174 652 3336 34333737
06092A 86 4886F70D 01010105 38353630 819F300D 00308189 02818100 0003818D
B09F8205 9DD44616 858B1F49 A27F94E4 9E9C3504 F56E18EB 6D1A1309 15C20A3D
31FCE168 5A8C610B 7F77E7FC D9AD3856 E4BABDD1 DFB28F54 6C24229D 97756ED4
975E2222 939CF878 48D7F894 618279CF 2F9C4AD5 4008AFBB 19733DDB 92BDF73E
B43E0071 C7DC51C6 B9A43C6A FF035C63 B53E26E2 C0522D40 3F850F0B 734DADED
02030100 01A 37130 03551 D 13 6F300F06 0101FF04 05300301 01FF301C 0603551D
11041530 13821150 5F494D2B 545F5374 61636B5F 322D312E 301F0603 551D 2304
18301680 1456F3D9 23759254 57BA0966 7C6C3A71 FFF07CE0 A2301D06 03551D0E
04160414 56F3D923 75925457 BA09667C 6C3A71FF F07CE0A2 2A 864886 300 D 0609
F70D0101 5B1CA52E B38AC231 E45F3AF6 12764661 04050003 81810062 819657B 5
F08D258E EAA2762F F90FBB7F F6E3AA8C 3EE98DB0 842E82E2 F88E60E0 80C1CF27
DE9D9AC7 04649AEA 51C49BD7 7BCE9C5A 67093FB5 09495971 926542 4 5A7C7022
8D9A8C2B 794D99B2 3B92B936 526216E0 79 D 80425 12B 33847 30F9A3F6 9CAC4D3C
7C96AA15 CC4CC1C0 5FAD3B
quit smoking
control-dot1x system-auth
dot1x critical eapol
!
pvst spanning-tree mode
spanning tree extend id-system
No vlan spanning tree 294-312,314-319,321-335,337-345,400,480,484-493,499,950
!
!
!
errdisable recovery cause Uni-directional
errdisable recovery cause bpduguard
errdisable recovery cause of security breach
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause FPS-config-incompatibility
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable cause of port-mode-failure recovery
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-AI-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery cause psp
!
internal allocation policy of VLAN ascendant
!
!
interface GigabitEthernet1/0/10
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

interface GigabitEthernet1/0/16
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

interface GigabitEthernet1/0/24
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

!
interface GigabitEthernet1/0/33
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

interface GigabitEthernet1/0/34
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard
!
interface GigabitEthernet1/0/44
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

!
interface GigabitEthernet1/0/46
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard

interface GigabitEthernet1/0/48
switchport access vlan 320
switchport mode access
IP access-group ACL-LEAVE in
authentication event fail following action method
action of death server to authenticate the event permit
living action of the server reset the authentication event
multi-domain of host-mode authentication
open authentication
authentication order dot1x mab
authentication priority dot1x mab
Auto control of the port of authentication
periodic authentication
authentication violation replace
MAB
dot1x EAP authenticator
dot1x tx-time 10
spanning tree portfast
spanning tree enable bpduguard
!
interface GigabitEthernet1/0/49
Description link GH
switchport trunk allowed vlan 1,2,320,350,351,401
switchport mode trunk
MLS qos trust dscp
IP dhcp snooping trust
!

interface GigabitEthernet1/0/52
Description link CORE1
switchport trunk allowed vlan 1,2,29,277,278,314,320,401
switchport mode trunk
MLS qos trust dscp
IP dhcp snooping trust
!
!
interface Vlan320
IP 10.178.61.5 255.255.255.128
no ip-cache cef route
no ip route cache
!
default IP gateway - 10.178.61.1
IP http server
IP http secure server
IP http secure-active-session-modules no
active session modules IP http no
!
!
Access IP extended ACL-AGENT-REDIRECT list
deny udp any any domain eq bootps
permit tcp any any eq www
permit any any eq 443 tcp
IP extended ACL-ALLOW access list
allow an ip
IP access-list extended by DEFAULT ACL
allow udp any eq bootpc any eq bootps
allow udp any any eq field
allow icmp a whole
allow any host 10.178.5.152 eq 8443 tcp
permit tcp any host 10.178.5.152 eq 8905
allow any host 10.178.5.152 eq 8905 udp
permit tcp any host 10.178.5.152 eq 8906
allow any host 10.178.5.152 eq 8906 udp
allow any host 10.178.5.152 eq 8909 tcp
allow any host 10.178.5.152 eq 8909 udp
allow any host 10.178.5.153 eq 8443 tcp
permit tcp any host 10.178.5.153 eq 8905
allow any host 10.178.5.153 eq 8905 udp
permit tcp any host 10.178.5.153 eq 8906
allow any host 10.178.5.153 eq 8906 udp
allow any host 10.178.5.153 eq 8909 tcp
allow any host 10.178.5.153 eq 8909 udp
refuse an entire ip
Access IP extended ACL-WEBAUTH-REDIRECT list
deny ip any host 10.178.5.152
deny ip any host 10.178.5.153
permit tcp any any eq www
permit any any eq 443 tcp

radius of the IP source-interface Vlan320
exploitation forest esm config
logging trap alerts
logging Source ip id
connection interface-source Vlan320
record 192.168.6.31
host 10.178.5.150 record transport udp port 20514
host 10.178.5.151 record transport udp port 20514
access-list 10 permit 10.178.5.117
access-list 10 permit 10.178.61.100
Server SNMP engineID local 800000090300000A8AF5F181
SNMP - server RO W143L355 community
w143l355 RW SNMP-server community
SNMP-Server RO community lthpublic
SNMP-Server RO community lthise
Server SNMP trap-source Vlan320
Server SNMP informed source-interface Vlan320
Server enable SNMP traps snmp authentication linkdown, linkup cold start
SNMP-Server enable traps cluster
config SNMP-server enable traps
entity of traps activate SNMP Server
Server enable SNMP traps ipsla
Server enable SNMP traps syslog
Server enable SNMP traps vtp
SNMP Server enable traps mac-notification change move threshold
Server SNMP enable traps belonging to a vlan
SNMP-server host 10.178.5.152 version 2 c lthise mac-notification
SNMP-server host 10.178.5.153 version 2 c lthise mac-notification
!
RADIUS attribute 6 sur-pour-login-auth server
Server RADIUS attribute 8 include-in-access-req
RADIUS attribute 25-application access server include
dead-criteria 5 tent 3 times RADIUS server
test the server RADIUS host 10.178.5.152 auth-port 1812 acct-port 1813 username test-RADIUS 7 key 03084F030F1C24
test the server RADIUS host 10.178.5.153 auth-port 1812 acct-port 1813 username test-RADIUS 7 key 141B060305172F
RADIUS vsa server send accounting
RADIUS vsa server send authentication

any help would be really appreciated.

I'm not sure that completely understand the question; But if LSE is only political wireless, then none of the wired switches need any configuration of ISE.

Access points tunnel all wireless traffic to the WLC on CAPWAP (unless you use FlexConnect). This is the configuration 802. 1 x on the WLC that implements policies defined in ISE.

Switches wired never need to act as an access network (n) device and so do not need to be defined in ISE unless or until you want to apply policies of ISE for wired devices...

Cisco ISE 2.0 and WLC 5508 with 7.6.130.0

I have looked on the release notes and compatibility n for ISE 2.0 and have not seen the answer to that. For the WLC 5508, the minimum AirOS is 7.0.116.0 but he limited the AAA authentication and support for comments. The recommended version of AirOS is 8.0.121.0.

http://www.Cisco.com/c/en/us/TD/docs/security/ISE/2-0/compatibility/ISE _...

What airos 7.6.130.0? I know that AirOS release works with 1.3 and 1.4, even if they show the same support for version 2.0. I'm just afraid that something may have changed with 2.0. I am concerned only about the AAA authentication and guest access. No BYOD, posture or MDM is necessary.

No change. Works well.

RADIUS and Ganymede + running simultaneously?

I have a Secure ACS 5.3.40 running GANYMEDE + and I need to also run 802.1 x radius to meet DISA requirements, I've been working on it for a week. I am unable to get the characteristics of work, all AD connections are already there for GANYMEDE + and so I'm not sure how config, Ray can someone help with the procedures.

Hello

in the configuration of the aaa you must specify the two authentication 802. 1 x that points to the RADIUS and peripheral administration of Ganymede.

Configuration of the network device ACS apply both radius and Ganymede keys.

There will be no conflict for the same as the two have different sets of commands.

Thank you

Please rate if useful...

Can I use an ACS as RADIUS and GANYMEDE to the same ASA Server?

I want to GANYMEDE to make the accounting of the SAA, meanwhile, the ASA need RADIUS for authentication ssl vpn. Is it possible to reach this object with only a CSA?

Yes, you can use both. Allows you to add ASA as radius and Ganymede.

ACS-->---> aaa-client network configuration

(1) ASA---> 1.1.1.1---> authentic using Ganymede

(2) ASA1---> 1.1.1.1---> optout by radius

Don't forget the host name cannot be the same.

Kind regards

~ JG

Note the useful messages

AAA and GANYMEDE servers

Hi all

I want to download a free, yet reliable servers AAA and GANYMEDE , can you guide me? Also, I need help with their configuration for study purpose.

Both of them are GANYMEDE, do you also need RADIUS (your post says AAA)? Assuming you just need GANYMEDE:

Probably the best known is:

http://www.shrubbery.NET/tac_plus/

Also, the go RANCID.

For a solution based on Windows you can also consult:

http://www.TACACS.NET/

If cela messages answers your question or is useful, please consider rating it and/or mark as answered.

Cisco ISE posture assessment and client provisioning

Hello

I have the Cisco ISE and Cisco IOS device. I configured the RADIUS between these devices.

Also, I configured RADIUSbetween ISE of Cisco and Cisco ASA. Now I want to know that how to posture assessment for these devices (ISE of Cisco and Cisco ASA or ISE Cisco Cisco IOS). Please give me the steps together for assesment for cisco ios device posture in Cisco ise.

In addition, please give me related to posture assessment and the provisioning client logs.

Thanks in advance.

You can go through the list link below to download a PDF link

Assessment of the posture with ISE.

http://www.Cisco.com/Web/CZ/expo2012/PDF/T_SECA4_ISE_Posture_Gorgy_Acs.PDF

~ BR
Jatin kone

* Does the rate of useful messages *.

ISE license consumption and freeing licenses [RADIUS]

Hi people EHT,.

There are a lot of questions of ISE issued by me in the last time. And guess what - another here.

I wonder how the ISE license consumption and freeing licenses actually works. At least I have not find any good document or post on it.

From what I understand, a license (no matter if basic, plus, apex whatever) is consumed based on RADIUS accounting messages.

Example:

An endpoint is authenticating and allowed successfully with 802. 1 X without profiling or posture or whatever (simple). The ISE knows that this endpoint must use a base license and basic license consumption is increased by one.

As soon as the client is disconnected from the network, the n (switch, WLC) sends an accounting stop message to the ISE and the ISE again releases the base license.

(am I right so far?)

Assuming that I am just using the example above:

RADIUS is not say that really reliable. No matter that it uses UDP (which is unreliable), RAY has a mechanism of recognition built in (Accouting request / respone). But this mechanism gives up after a few attempts. Suppose that a client is disconnected, but the message of stop RADIUS is not received by the ISE.

Fact the endpoint stay forever in the State of the current session and therefore to consume a license forever? (Assume that there is no timer of dot1x re-authentication).

Or is it a mechanism of 'time-out' for endpoint licences?

Kind of a side story here:

I wrote a simple wrapper for the freeradius tool 'eapol_test '. Go Linux applications unique command line EAP (e.g., EAP - TLS) can be issued to a RADIUS server. If the Linux client acts as "supplicant" X 802.1 and authenticator. It's cool to quickly test the availability of the service of an authentication server.

My simple wrapper for "eapol_test" performs a ping 'EAP' at the time of convergence of measurement and measurement of authentications per second in a lab environment. The wrapper can also change endpoint of each session of RAY MAC. When I do ping EAP in a laboratory of my number of licenses on the ISE exploded, because eapol_test does not deliver messages from accounting RADIUS to EHT :)

Johannes has soon

Hi Johannes-

You're right about the consumption of license:
```
Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.
```
However, in addition to this:
```
Note Sessions without RADIUS activity are automatically purged from Active Session list every 5 days or if the endpoint is deleted from the system. 
```
This information used in the documentation of ISE 1.x, but for some reason, he is not :) in the 2.x here's the info from 1.2: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.pdf I hope this helps! Thank you for the useful job evaluation!

authorization for AAA and GANYMEDE unavailable server scenario

I installed a PIX for users authentication for telnet and enable access. I have permission to install a subset of users can run only display orders. This set works as expected.

The problem is when I simulate and network failure and try to get access the PIX console. I can't run the enable command because the command shall not be permitted. I have to use means of recovery of password to access the PIX. How to do this? Can I have permission to order processed locally? Can I associated with the command show a lower level of the priveledge? If so, how and how can I limit the user to this level of privilege (via GANYMEDE)? I confiscate doing?

Thank you

If the PIX is configured for GANYMEDE authentiaction and RADIUS server is unavailable for authentication, there is no way to rescue or get around this issue at this time.

You can configure the pix to get back to local authentication if Ganymede is not available.

Release then (I think 6.3 and above) who will be available.

ISE Local certificate and the certificates in the certificate store

Hello

I'm pretty new to ISE and read the document in the link below to create understanding "Local certificates" and "certificate store certificates. It seems that in the former certificate is used to identify the EHT on customers and is later used to identify customers at the ISE.

http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/installation_guide...

Now, what part of the ISE configuration told him to check the certificate sent by the client in its certificate store? I am somehow the mixture up with "Certificate authentication Profile", which is used in the identity Source sequence. But I guess that the certificate authentication profile is used to verify the certificates from a source of external identity as AD or LDAP. So where do we consider 'certificate certificate store' in our configuration of ISE.

Thanks in advance for help out me.

Kind regards

Quesnel

Hi Quesnel-

(ISE) server certificate can be used for are:

1 HTTP/HTTPs - is for the ISE web server that is used to host various portals (comments, Sponsor, BYOYD, my devices, etc.). This certificate is normally issued by a public CA such as VeriSign or GoDaddy. A public certification authority is not necessary, but outside your environment, customers who do not trust the certification authority that issued the certificate will get an error HTTPs warning to users that the certificate could not be verified.

2 EAP - this is for EAP based authentication (EAP - TLS, EAP-PEAP, EAP-PEAP-TLS, etc.). This certificate is usually issued by an internal CA. The same certification authority issues usually user and/or computer-based certificates that can be used for the authentication type EAP - TLS.

The certificate store is used to store root certificates and intermediate certificate authorities you ISE to trust. By example, if a computer is running a machine ISE authentication must trust the certification authority who has signed/issued the machine certificate. Therefore, the machine will also have to trust the certification authority which has issued/signed the ISE server certificate that you torque to the EAP process.

Profile of teh authentication certificate is required if you want to use certificate based authentication. The CAPE tells ISE which attribute of the certificate should be used for the usernmane. Then based on that you can create more specific authorization profiles/rules information. You can also configure CAP to make a comparison of binary certificate with AD and confirm wheather or not the certificate is/has been published to AD.

I hope this helps!

Thank you for evaluating useful messages!

same host for radius and Ganymede

Hello

can I put a host (asa for example) twice in the acs Server? one for Ganymede to grant administrators access exec and the other for radius authenticate remote users.

I don't want remote users to be able to get exec mode.

Or how should I configure this?

Yes, you can do it. Network configuration ON acs

Add

ASA---> 10.1.1.1---> Auth using Ganymede +.

ASA1--> 10.1.1.1---> Auth using RADIUS

Host name cannot be the same.

Kind regards

~ JG

Note the useful messages

ISE, MAC, AnyC and Auth Machine?

I think I can be a lack of understanding type of problem, please do not tell my wife.

I have 1.4 ISE, and I'm pressed AnyC 1.4 w / a NAM profile to windows, two settings SSID. Works very well, the profile of NAM lands and configures the second SSID and boxes of Windows machine authC before user logon, then the user logs on and authc and we leave with full EAP chaining. Good looking.

But Apple MAC laptops... There is no NAM. So I guess that users need to connect to the second SSID manually. But how has he auth machine never place? I keep getting hit with "ISE 24423 was not able to confirm the successful previous machine authentication". The machine never auths. MAC joined AD, AD is set up as an external identity source, works fine on the windows auth host/machine.

Is EAP chaining on a MAC, a chimera, and I need to start writing policies? If I write policies that only auth user to set up a situation where it can provide any user with access to all companies not have Apple device, this creates the farm manager.

Apple does not currently a concept of authentication machine so you will continue to receive alarms for the authentication of the computer that failed. As an alternative, you can consider one of the following options that I've seen other people use.

1 using the authentication of users and whitelist

2. send your MAC customers through begging Provisioning to issue a certificate to the user. (Can not prevent the external devices)

3 deliver the customers Apple computer certificates and use a CAP in ISE is to look into the subject which would check the certificate is valid. Then check in authorization, groups of users drawn by ISE for the user (Machine), and a football game on the computer group.

4 posture customer company check on one file or registry provided that only devices company would have.

Attestation of ATP necessary for ISE 1.3 and 1.4

Hello

I have a question about ISE more and ISE Apex Licenses. Is it still a requirement to have a certification partner Advanced Technology (ATP) to order the licenses. I know it took to ISE 1.2 but I did not find anything in the guide of the licenses for 1.3 or 1.4.

Thanks in advanced for any ideas

Alex

Yes - except for the ISE Express Bundle licenses and mobility of the ISE.

Other license types (Basic, Plus and Apex) are still under the authorized technology provider (ATP) program.

ISE 1.4 and Apple 'captive Network Assistant"causing problems

I'm testing ISE 1.4 with 10.10.2/Safari 8.0.3 MAC and the boring revised downward Safari AKA "Captive Network Assistant" gets in the way. I wonder what other people did to work around.

According to the compatibility of network component Cisco ISE v1.4 Safari I must be compatible, in captivity Network Assistant says that this isn't, but I suspect its because the computer MAC laptop try to validate with ~ 200 areas (so I hear for this). My ISE/WLC have a DACL that allows certain IP addresses before finishing the AuthC/Z, and obviously I can't put in the DACL for all 200 of these areas. My ISE is configured with trustsec model where I have two SSID, a first on the front-end to detect if Anyconnect 4.x is installed and if it is not then redirect to a portal. Fails it MAC peripheral security check cause... or should I say will not display it. cause Apple Network Assistant captive.

I know I can disable the captive Network Wizard by renaming the file, but it will probably not an acceptable solution in my environment for political reasons. I wonder what others have done to bypass this annoying problem. Maybe something with a DNS record or something...

Thank you

e-

Common recommendation is to deceive the apple devices to think he has access to the internet by running this command on the command-line of your WLC:

config network web-auth captive-bypass enable

ISE distributed deployment and license management

Hello

I have 2 x ISE-VM-K9 = licenses, and I want to deploy ISE mode Standalone with HA.

IE, have 2 boxes Node1 and Node2 each hosting all three personas and closely located in 1 data center.

so, I want to have a third box 3 node in a data center remotely (only for purpose of DR).

What is the best way to design it.

1. do you have nodes 1 and 3 in a host group and use as aaa primary and 2 secondary node

2 have Node1 and 2 in a local host group, then the host of another entity 3

I'm worried about the condition of licence of the 2nd option

Any thoughts?

concerning

Sergeant

Do you mean group of PSN node when you say "host group"?

Licenses-wise, all the nodes in a deployment of share ISE licenses installed on the Pan

ISE 2.0 and Ganymede

Similar Questions

Maybe you are looking for