ISE and ASA5505
Hello all - I'm working with a client on an ISE deployment and they would like their remote locations to do dot1X as well. The potential problem I see is that they have ASA5505s for the tunnels to the main location, which is great, but they also use the integrated switch. I know there are problems with the larger ASAs requiring the IPN. I wonder if they will need a different switch to make it work? I don't think they plan on posture or anything that advanced. More just to lock down the switchports and avoid problems when people plug in random devices, to keep them off the network...
any suggestions are appreciated.
Scott J.
Scott,
If you are referring to the ports on the ASA, those do not support dot1x. You will need a different switch in order to get the dot1x features you're looking for.
Thank you
Tarik Admani
* Please note the useful messages *.
Tags: Cisco Security
Similar Questions
-
Hi all
I have a problem installing ISE and ACS on a VM server. Red Hat Enterprise Linux is detected by the system when the iso file is selected.
But some package dependencies are reported, such as openssl, kernel-devel or cisco...
The installation then stops at "print virtual daemon".
Any help!
OK, I recommend:
1. Check that all the VM guests are configured to meet the required specifications (RAM, CPU, disk space, etc.)
2. Re-download the ISO file and try the installation again
3. Download and try the OVA
Let us know how it goes :)
Thank you for evaluating useful messages!
-
I am very new to Cisco ISE and Meraki. I try to get the Radius configuration for wireless authentication. When I do a test of the Meraki to ISE, it passes.
When I try to connect from my laptop, I look at the Radius logs and it passes; however, it does not match the correct policy. I keep hitting the default policy. I have my Meraki policy above the default policy in the policy set. I have attached what my policy set looks like.
The device type does not really matter. Here is what I see when I create a device group (where you add the access point to this group), and then create the condition:
And here is where I create the policy set condition, and you should be able to select the Meraki access points:
This will give you a condition similar to what I posted above. This is perhaps why you aren't hitting it: it is not matching the condition for this policy set.
-
ISE and AirWatch MDM integration
I have been using ISE with the AirWatch integration for over a year. Recently, it seems that AirWatch has updated their certificates and now I can't get ISE and AirWatch to communicate. I can access the AirWatch API URL through a browser, and I see that the browser uses TLS 1.2. According to Cisco TAC, ISE does not support TLS 1.2. I have cases open with both TACs, but have yet to find a resolution.
Does anyone have the ISE / AirWatch integration currently working?
Wes,
I have a client who had what sounds like the same issue. It came down to AirWatch changing the host he was using. It was a long journey to get to the right answer, but when AirWatch changed the host, things started working again. It took several calls with AirWatch until someone had the idea to make this change.
Hope that helps.
Tim
-
ISE 1.2 and maximum PSNs supported in my persona config
Hello people, I am setting up a fairly large-scale distributed ISE deployment and I was wondering if anyone could tell me the maximum number of PSNs allowed in this configuration. I was reading through an older training document for version 1.1 and it suggested 5, which is why I wonder if the specs changed in 1.2, but I can't find them anywhere.
I have a large virtual machine running the PRIMARY admin persona, which is also secondary for monitoring & reporting, in my main data centre.
In another state (connected at 10G) is another large VM acting as my secondary admin persona with primary monitoring & reporting.
Across several states I want to have multiple PSNs following the geographic pattern of each state, but I don't know if I can put in enough with my current version 1.2 and the persona config listed above. I need about 12 to 15 PSNs.
I was wondering if I need two more VMs dedicated to monitoring, a primary node in DC1 and a secondary in DC2, for more PSN extensibility.
Any help would be greatly appreciated.
-Thank you
As Marvin suggested, I would look at using 1.3 at this point, unless you have specific concerns with this version and really want to stay with 1.2. That being said, here are my recommendations/comments:
- Both v1.2 and v1.3 in fact support up to 40 PSN nodes
- If any of your PSN nodes will be in the same place and are layer 2 adjacent, I recommend putting them in a node group and behind a load balancer. If you do not have a load balancer, I would still put them in a node group. At this time a node group can have up to 10 PSNs
- If you have 10-15 PSN nodes then you should dedicate 2 nodes specifically to the monitoring persona
- The maximum round-trip time between all nodes must not exceed 200 ms
For more information, you can always reference the "Network Deployment" section in the ISE installation guide:
v1.3
v1.2
http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/installation_guide/ise_ig/ise_deploy.html
Thank you for evaluating useful messages!
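As an added illustration of the sizing rules in the reply above (this is not code from the thread or from Cisco), the following Python checks a planned deployment against those four rules: at most 40 PSNs, at most 10 PSNs per node group with members at the same site, two dedicated monitoring nodes once you reach 10-15 PSNs, and no more than 200 ms round-trip between any two nodes. The node names, sites and RTT figures are constructed to resemble the poster's design (two admin VMs that also carry monitoring, twelve PSNs spread over two states).

```python
"""Added example (not from the post or Cisco): check a planned ISE 1.2/1.3
distributed deployment against the sizing rules quoted in the reply above.
Node names, sites and RTT figures are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

MAX_PSN = 40                          # both v1.2 and v1.3 support up to 40 PSNs
MAX_PSN_PER_NODE_GROUP = 10           # a node group holds at most 10 PSNs
PSN_COUNT_NEEDING_DEDICATED_MNT = 10  # 10-15 PSNs: dedicate 2 monitoring nodes
MAX_RTT_MS = 200                      # max round-trip time between any two nodes


@dataclass
class Node:
    name: str
    site: str
    personas: Set[str]                # subset of {"admin", "mnt", "psn"}
    node_group: Optional[str] = None


def check_plan(nodes: List[Node], site_rtt_ms: Dict[Tuple[str, str], int]) -> List[str]:
    """Return a list of findings; an empty list means the plan meets every rule."""
    findings = []
    psns = [n for n in nodes if "psn" in n.personas]
    if len(psns) > MAX_PSN:
        findings.append(f"{len(psns)} PSNs exceeds the maximum of {MAX_PSN}")

    # Node groups: size limit and L2 adjacency (approximated as "same site").
    groups: Dict[str, List[Node]] = {}
    for n in psns:
        if n.node_group:
            groups.setdefault(n.node_group, []).append(n)
    for name, members in groups.items():
        if len(members) > MAX_PSN_PER_NODE_GROUP:
            findings.append(f"node group {name} has {len(members)} PSNs; maximum is {MAX_PSN_PER_NODE_GROUP}")
        sites = {m.site for m in members}
        if len(sites) > 1:
            findings.append(f"node group {name} spans sites {sorted(sites)}; members must be L2 adjacent")

    # Dedicated monitoring nodes: a node carrying only the MnT persona.
    if len(psns) >= PSN_COUNT_NEEDING_DEDICATED_MNT:
        dedicated_mnt = [n for n in nodes if n.personas == {"mnt"}]
        if len(dedicated_mnt) < 2:
            findings.append(f"{len(psns)} PSNs but only {len(dedicated_mnt)} dedicated monitoring node(s); 2 are recommended")

    # Round-trip time between every pair of sites that hosts nodes.
    def rtt(a: str, b: str) -> Optional[int]:
        return 0 if a == b else site_rtt_ms.get((a, b), site_rtt_ms.get((b, a)))

    seen = set()
    for a, b in combinations(nodes, 2):
        pair = tuple(sorted((a.site, b.site)))
        if a.site == b.site or pair in seen:
            continue
        seen.add(pair)
        r = rtt(a.site, b.site)
        if r is None:
            findings.append(f"no RTT measurement between {pair[0]} and {pair[1]}")
        elif r > MAX_RTT_MS:
            findings.append(f"RTT {r} ms between {pair[0]} and {pair[1]} exceeds {MAX_RTT_MS} ms")
    return findings


# Constructed site-to-site RTTs (milliseconds); symmetric lookups are handled above.
SITE_RTT_MS = {("DC1", "DC2"): 12, ("DC1", "STATE-A"): 40, ("DC1", "STATE-B"): 55,
               ("DC2", "STATE-A"): 45, ("DC2", "STATE-B"): 60, ("STATE-A", "STATE-B"): 70}


def psn_nodes() -> List[Node]:
    """Twelve PSNs, six per state, each state's PSNs in their own node group."""
    nodes = []
    for state in ("STATE-A", "STATE-B"):
        nodes += [Node(f"psn-{state}-{i}", state, {"psn"}, node_group=f"ng-{state}") for i in range(1, 7)]
    return nodes


def poster_plan() -> List[Node]:
    """The design as described in the question: admin nodes also carry MnT."""
    return [Node("admin1", "DC1", {"admin", "mnt"}), Node("admin2", "DC2", {"admin", "mnt"})] + psn_nodes()


def corrected_plan() -> List[Node]:
    """Same design with the two extra VMs dedicated to the monitoring persona."""
    return [Node("admin1", "DC1", {"admin"}), Node("admin2", "DC2", {"admin"}),
            Node("mnt1", "DC1", {"mnt"}), Node("mnt2", "DC2", {"mnt"})] + psn_nodes()


if __name__ == "__main__":
    for label, plan in (("as posted", poster_plan()), ("with dedicated MnT", corrected_plan())):
        print(label + ":", check_plan(plan, SITE_RTT_MS) or ["ok"])
```

Run as a script it reports one finding for the posted design (twelve PSNs without dedicated monitoring nodes) and none for the corrected one; the same function flags an oversized or multi-site node group and any site pair whose RTT is missing or above 200 ms.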
-
I have a client that runs 5508 WLCs throughout the area, and I'm looking at IEEE 802.1x authentication for the enterprise WLAN and WebAuth for the guest WLAN... they use PSK now :(
They have AD and great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for guests... It's all standard stuff, but it gives the background.
Now we come to the interesting bit... they want to run BYOD. They are involved in the financial markets, so BYOD must be tightly controlled. They are asking about ISE coupled with NAC, but I am not convinced that I need NAC since the arrival of ISE 1.3. Of course, I will consider three (min) SSIDs, corporate, guest and BYOD, just logically distinct. I see nothing that ISE 1.2 cannot handle for corporate and guest, but BYOD must have full profiling and remediation or blocking of the device before access to the network.
Does anyone have comments or suggestions? Is ISE 1.3 enough NAC-like that I don't need more, or if not, what additional benefits does NAC bring that ISE cannot support?
Thanks for your advice/comments/experiences
Jim
Hi Jim,
Version 1.3 offers an integrated PKI and a significantly improved guest services experience. The internal PKI is nice if the customer does not have a PKI solution in place. Don't forget, however, that the ISE internal PKI can only issue certificates to BYOD devices which have onboarded through the ISE BYOD "flow"; you cannot use the ISE PKI to issue certificates to domain computers.
With regard to NAC: you need to specify exactly what is needed here. If you mean "posture assessment", then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, firewall status, Windows hotfixes. If you want to do posture on mobile devices, then you will need to integrate ISE with an MDM (mobile device management) solution such as: AirWatch, MobileIron, Extend360, etc. ISE can query the MDM for things like: is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
I hope this helps!
Thank you for evaluating useful messages!
-
Cisco ISE and WLC Access-List Design/scalability
Hello
I have a scenario where wireless clients are authenticated by ISE and different ACLs are applied depending on the rules in ISE. The problem I have seen is due to the limitation on the Cisco WLC that allows only 64 entries per access list. As the setup has only a few VLANs/interfaces and several different access lists are applied to the same interface based on user groups, I was wondering if there may be a scalable design/approach whereby the access list entries can scale, versus creating a VLAN for each user group and applying the access list on the layer 3 interface instead? I illustrated the configuration below for reference:
User group 1 - apply ACL 1 - on Vlan 1
User group 2 - apply ACL 2 - on Vlan 1
User group 3 - apply ACL 3 - on Vlan 1
The problem appears only for wireless users; it is not seen on wired users, as the ACLs can be applied successfully without restriction on the switches.
Any suggestion is appreciated.
Thank you.
In fact, you have limitations on the switch side as well. Long ACLs can deplete the AAGR resources of the switch. Take a look at this link:
The new WLCs based on IOS XE, rather than the old Wireless/Aironet OS, will provide a better experience in these matters.
Overall, I see three ways to overcome your current limit:
1. Reduce the ACLs by making them less specific
2. Use L3 interfaces on an L3 switch or FW and apply the ACLs to them
3. Use SGT/SGA
I hope this helps!
Thank you for evaluating useful messages!
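To show what option 1 above (making the ACLs less specific) can look like without loosening what the ACL actually matches, here is an added Python example that is not from the thread or from Cisco. It takes entries of an assumed shape (action, protocol, destination network, destination port), merges only consecutive entries that share action, protocol and port, and aggregates their destination networks with `ipaddress.collapse_addresses`, which only joins networks whose union is exactly a larger prefix. Merging is confined to consecutive runs because an ACL is evaluated first-match, and pulling an entry past a differently-acting one could change the decision. The sample ACL and probe addresses are constructed.

```python
"""Added example (not from the post or Cisco): shrink an ACL toward the WLC's
64-entry limit by aggregating contiguous destination networks without changing
what the ACL matches. Assumed entry shape: (action, protocol, dst_network, dst_port)."""
import ipaddress
from itertools import groupby
from typing import List, Tuple

Ace = Tuple[str, str, str, object]   # ("permit"|"deny", "tcp"|"udp"|"ip", "10.1.0.0/24", 443|"any")

WLC_MAX_ACL_ENTRIES = 64             # limit quoted in the question above


def aggregate_acl(aces: List[Ace]) -> List[Ace]:
    """Merge destination networks inside each run of consecutive entries that share
    action, protocol and port. Runs are never merged across each other, so the
    first-match semantics of the original ACL are preserved."""
    out: List[Ace] = []
    for (action, proto, port), run in groupby(aces, key=lambda a: (a[0], a[1], a[3])):
        nets = [ipaddress.ip_network(a[2]) for a in run]
        # collapse_addresses removes subsumed networks and joins exact neighbours
        # (e.g. 10.1.0.0/24 + 10.1.1.0/24 -> 10.1.0.0/23); it never widens the set.
        for net in ipaddress.collapse_addresses(nets):
            out.append((action, proto, str(net), port))
    return out


def fits_wlc(aces: List[Ace]) -> bool:
    return len(aces) <= WLC_MAX_ACL_ENTRIES


def matches(aces: List[Ace], dst_ip: str, proto: str, port: int) -> str:
    """First-match evaluation; an ACL with no match ends in an implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for action, p, net, prt in aces:
        if p in (proto, "ip") and prt in (port, "any") and ip in ipaddress.ip_network(net):
            return action
    return "deny"


def equivalent(a: List[Ace], b: List[Ace], probes: List[Tuple[str, str, int]]) -> bool:
    """Cheap regression check: both ACLs decide every probe the same way."""
    return all(matches(a, *p) == matches(b, *p) for p in probes)


# Constructed ACL: eight /24s to HTTPS, two denied /24s, then one more /24 to
# HTTPS that sits after the deny and therefore must not be merged with the first run.
SAMPLE_ACL: List[Ace] = (
    [("permit", "tcp", f"10.1.{i}.0/24", 443) for i in range(8)]
    + [("deny", "ip", "10.2.0.0/24", "any"), ("deny", "ip", "10.2.1.0/24", "any")]
    + [("permit", "tcp", "10.1.8.0/24", 443)]
)

# Constructed probes covering each run plus an address outside every entry.
PROBES = [("10.1.5.9", "tcp", 443), ("10.1.7.255", "tcp", 443), ("10.2.1.7", "tcp", 443),
          ("10.1.8.1", "tcp", 443), ("10.1.9.1", "tcp", 443), ("10.1.3.3", "udp", 53)]


if __name__ == "__main__":
    compact = aggregate_acl(SAMPLE_ACL)
    print(f"{len(SAMPLE_ACL)} entries -> {len(compact)} entries; fits WLC: {fits_wlc(compact)}")
    for ace in compact:
        print("  ", ace)
    print("same decisions on probes:", equivalent(SAMPLE_ACL, compact, PROBES))
```

On the sample the eleven entries become three: 10.1.0.0/21 for the first run, 10.2.0.0/23 for the deny, and 10.1.8.0/24 left alone because it follows the deny. The probe comparison is the check worth keeping around: any aggregation step that changes a decision has widened or narrowed the policy and should not ship.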
-
Difference between ISE and NAC?
Dear all,
Can you please help me understand the difference between ISE and NAC?
Thank you
Eve.
ACS + NAC Profiler + NAC Guest + NAC Manager + NAC Server = ISE
ISE does:
Centralized policies
RADIUS server
Posture assessment
Guest access services
Profiling
MDM
Monitoring
Troubleshooting
Reporting
-
Profiling ISE and Thin Clients
I have ISE 1.2 and HP T610 thin clients on the network.
802.1x authorization works correctly, but the clients are showing up as generic HP devices or HP printers.
I don't know how to create a custom profiling policy for the device "HP Thin Client".
What conditions should I use to assign the HP T610 clients?
Thanks in advance,
Vice
Refer to the Profiler Feed Service.
The Profiler Feed Service application requires approval in advance.
-
ISE and WLC for posture remediation
Please can someone clarify a few things regarding ISE and wireless posture.
(1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect some traffic to kick off the posture check?
(2) Can a dACL/wACL be specified as a remediation ACL?
(3) Should the WLC ACL be written in long format (manually specifying source and dest ports, or does "any" for the direction work)?
(4) Does anyone have a working example ACL for posture redirect (CPC) and remediation (dACL)?
(5) Any other advice or pointers would be useful, as none of the docs I have found so far, whether TrustSec 2, CiscoLive or anything else, seem to help me understand remediation and WLC posture.
Thank you
Nick
Yes,
This means that your client provisioning policy does not have a rule that will match the contractor who joined the network. Can you post a screenshot of the client provisioning policy?
Thank you
Tarik Admani
* Please note the useful messages *.
-
Hi all
I'm trying to get my head around the use of 3rd party certificates with ISE and I think I need advice here.
I have a setup of 6 ISE nodes: 2x Admin, 2x Monitoring and 2x Policy.
All of these have the abc.local domain name.
I want to use MS-CHAPv2 and client service without certificate errors.
So do I register all my six nodes with some 3rd party CA? Or only the 2x Policy nodes?
I know that the best solution would be all six, but I just want to know if it is possible.
How do I work around the problem with .local? I don't think it is possible to get a certificate with .local as the domain in the FQDN.
Are SAN certificates useful here? How would that look (.local still in the CN?)
Other things to consider here?
Regards
Mikael
That's right, you must issue the CSR based on the host name currently configured for ISE, which corresponds to the FQDN.
Your problem is that the public certificate authorities will not issue you a cert because you use .local and not a public domain such as .com, .edu or .org, to name a few.
The only way to solve your problem is to use a Microsoft private certification authority, which is simple to configure. Or change your domain on ISE and use your company's public domain name.
Thank you
Sent from Cisco Technical Support iPad App
-
Clock synchronization on WLC ISE and AD
Hello
I'm stuck on NTP. I deployed WLC CWA using ISE, which is integrated with AD. I tried to use AD as the NTP source but no luck (it's a universal fact that Cisco uses NTP while Microsoft uses SNTP).
The issue is, if the time is not synchronized between WLC, ISE and AD, the web redirect stops working and no authentication takes place.
I tried installing the Meinbergglobal NTP software to distribute time to my Cisco devices. It works with the Cisco devices, but it acts as master and does not synchronize its time with AD.
I am trying to find a way to sync Cisco with Microsoft; is it possible in this world to do?
Help, please...
Thanks in advance
DO NOT USE MS NTP/SNTP as a valid time source. MS is the WORST SNTP/NTP method because MS does NOT conform to the NTP/SNTP standards.
-
Hello
We plan on implementing EAP-TLS for our company iPads, and in the past I successfully tested the authentication with ACS 5.3, but now that we've moved to ISE (1.1.1.24) I get an error.
I tried two different profiles, one with certificates and AD credentials and the other with just the certificates, but the error message is the same for both.
EAP-TLS is enabled in the 'Default Network Access' authentication result.
Can anyone shed some light on where I'm going wrong?
Thank you
Martin
Yes, that's right, the certificate that is presented to ISE does not include the identity of the client; this is the reason why the attempt fails.
Thank you
Tarik Admani
* Please note the useful messages *.
-
Cisco ISE and the fast user switching
Greetings,
In our deployment, we are interested in using the "fast user switching" functionality of Windows. After searching for a while, I see that the native Windows supplicant is not compatible with fast user switching. It does not appear that AnyConnect is either. Can you please advise which supplicant I need to research to enable the user switching functionality?
We currently use ISE 1.2 Patch 4.
Thank you for any assistance.
David
The Cisco ISE NAC Agent does not support Windows fast user switching when you use the native supplicant. This is because there is no clear disconnect of the previous user. When a new user is switched in, the Agent hangs on the ID process and the old user session, and therefore a new posture cannot take place. According to Microsoft security policy, it is recommended to disable fast user switching.
Source:
http://www.Cisco.com/en/us/docs/security/ISE/1.2/user_guide/ise_pos_pol.html
-
ISE 2.0 and social media login
Hi all
I have a trial version of Cisco ISE 2.0 and so far I have found no option for guest users to log in using their Facebook, Twitter or any other social media accounts. I ask because we use Huawei's NAC, the so-called Agile solution. It has the same functions as Cisco ISE, but it supports social media login as well.
Is there a Cisco solution?
Thank you!
Kind regards
István Kelemen
For now, this is done with Meraki wireless or with MSE/CMX; ISE does not have this built-in feature. It is however on the list of planned features.