ISE design question

I have a few design questions about ISE v.1.0.4.573

  1. Do the ISE 3395 gigabit ports support link aggregation? How can I use all 4 ports as uplinks?
  2. When you install 2 x 3395 in HA, is there a heartbeat connection between the two ISE nodes, or do they use the same link to the network for heartbeat and synchronization?
  3. I'm designing ISE with a WLC. My WLC (5508) setup looks like 5 floors with different VLANs but the same SSID. How can I make ISE authenticate in this scenario, given that WGB AP is not supported in ISE v1.0? Is there a workaround for this type of WiFi in the ISE configuration?
  4. Continuing the configuration above: when roaming from one floor to another after a change of VLAN, will the user be re-authenticated or use the same session?

Thanks for the help.

Kind regards

Zohaib

1. The current version does not support link aggregation...

2. They use the same link to the network for heartbeat and synchronization.

3. My suggestion is to assign your SSID an interface group on your WLC containing all the interfaces belonging to your VLANs, and enable AAA override. Then, on ISE, create authorization profiles that include the appropriate VLAN. Use the Called-Station-ID RADIUS attribute with the MAC address of the AP as a condition.

4. they use the same session.
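The authorization flow from answer 3, as an added Python example that is not from the thread: it parses the Called-Station-ID the WLC sends (assumed format "<AP MAC>:<SSID>", accepting hyphen, colon or Cisco dotted MAC notation), looks the AP up in a constructed floor-to-VLAN table, and returns the RADIUS VLAN-override attributes that AAA override applies, rejecting an unknown AP, a foreign SSID or a malformed value. The AP_TO_VLAN table, the SSID and the function names are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the thread): AP MAC -> (floor, VLAN id).
# In ISE each row would be an authorization rule whose condition is
# Radius:Called-Station-ID STARTS WITH <AP MAC> and whose result is an
# authorization profile carrying that VLAN.
AP_TO_VLAN = {
    "00-11-22-33-44-01": ("floor1", 101),
    "00-11-22-33-44-02": ("floor2", 102),
    "00-11-22-33-44-03": ("floor3", 103),
}

# Assumed WLC format: "<AP MAC>:<SSID>". The MAC part is accepted in
# hyphenated, colon or dotted notation; the ":<SSID>" suffix is optional.
_CSID_RE = re.compile(r"((?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2})(?::(.*))?")


def normalize_mac(raw: str) -> str:
    """Return a MAC as lower-case, hyphen-separated (the form used in AP_TO_VLAN)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Split Called-Station-ID into (normalized AP MAC, SSID or None)."""
    m = _CSID_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"malformed Called-Station-ID: {value!r}")
    return normalize_mac(m.group(1)), m.group(2)


def authorize(called_station_id: str, expected_ssid: str) -> Dict[str, object]:
    """Model the authorization decision for one Access-Request.

    Returns an Access-Accept carrying the RADIUS VLAN-override attributes the
    WLC applies when AAA override is enabled, or an Access-Reject with a reason.
    """
    try:
        ap_mac, ssid = parse_called_station_id(called_station_id)
    except ValueError as exc:
        return {"result": "Access-Reject", "reason": str(exc)}
    # If the WLC appended the SSID, make sure the rule only fires for ours.
    if ssid is not None and ssid != expected_ssid:
        return {"result": "Access-Reject", "reason": f"unexpected SSID {ssid!r}"}
    entry = AP_TO_VLAN.get(ap_mac)
    if entry is None:
        # Default deny: an AP missing from the floor table gets no VLAN override.
        return {"result": "Access-Reject", "reason": f"unknown AP {ap_mac}"}
    floor, vlan = entry
    return {
        "result": "Access-Accept",
        "profile": f"{floor}-vlan{vlan}",
        "attributes": {
            "Tunnel-Type": 13,            # VLAN
            "Tunnel-Medium-Type": 6,      # IEEE-802
            "Tunnel-Private-Group-ID": str(vlan),
        },
    }


if __name__ == "__main__":
    for csid in ("00-11-22-33-44-02:Corp", "00-11-22-33-44-09:Corp", "bogus"):
        print(csid, "->", authorize(csid, "Corp"))
```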

Tags: Cisco Security

Similar Questions

  • ISE Design Arch. VM

    I am preparing a security policy for a hotel by implementing ISE VM on a C220 TRC #2. Should I use L-ISE-VM-K9= or L-ISE-5VM-K9=? To my knowledge, the ISE design would require multiple nodes and a review of redundancy, for example Admin node, Monitoring node, Policy node, redundant Inline Posture and ISE service node.

    any suggestion or recommendation for the VM solution.

    Thank you

    The number of ISE VM licenses you need depends on the number of concurrent endpoints in the deployment. If it is a stand-alone deployment and redundancy is required, then you will need 2 L-ISE-VM-K9=. Let us know the number of concurrent endpoints.

  • vSphere 5.0 and 5.5 SSO design question

    Hi all

    Currently we have a configuration with two vCenter servers installed.  One at our Production site and one at our DR site.  Our Production site and the DR site are in different locations in the city; they are currently on a dish network, but this is subject to change so that they are treated as totally different sites.  We also currently do not use vCenter Linked Mode because we don't have two vCenters and like separation; however, if it's required we can install it.

    The plan is to upgrade the DR site first to iron out everything before the upgrade of Production. With that said, we were thinking about installing SSO as such:

    http://www.VMware.com/files/PDF/vCenter/VMware-vCenter-Server-5.5-technical-whitepaper.PDF

    Page 11: I attached the design image

    We were thinking of installing the first SSO at the DR site and, when we have completely upgraded our Production site, installing another SSO as another site to keep SSO replication in place, aka option:

    vCenter Single Sign-On for an additional vCenter server with a new site

    The end config looks like the second attachment, ssoconfig2

    I just wanted a few opinions on this choice and whether this is the best way to go with what we designed.

    Any help is greatly appreciated,


    Thank you

    Hello

    I mean, Option 3 will be necessary if you want to use Linked Mode.

    With regard to your questions:

    1. Yes, you can keep the two vCenters separate with a simple installation, or see option 1 to install both

    2. Linked Mode requires option 3 to work. But you can still use Option 3 without Linked Mode if you want to have replication of a single SSO domain (meaning that if you create a user in SSO VC1, it is replicated to the other SSO).

    Let's say you do not use option 3 for your second vCenter; subsequently, if you decide to use Linked Mode, you must uninstall and reinstall SSO for your second vCenter to change it from Option 1 to Option 3, replicating from your first vCenter

  • View design question (multiple sites)

    Hello

    I am testing View 5 on vSphere 5 and I have a design question across multiple locations. See the image below. We have two locations, each with its own data center. Unfortunately, these two locations are currently connected only via an internet VDSL 20/20 Mbit connection, and this is now improving.

    LOCATION 2 is actually an office with many clients and also its own small data center (also based on vSphere 5). The primary data center is in LOCATION 1 and is where I would put all my virtual desktops (not only for LOCATION 2, but for all the other sites as well) and where the View Connection Manager will be. The problem is that at LOCATION 2 (the office) there are some file servers that users at this site use heavily.

    Question No. 1:

    (a) deploying virtual desktops at LOCATION 1 -> in this case PCoIP will give me a pretty good connection; the problem is file access from the virtual desktops at LOCATION 1 (it's the GREEN path).

    (b) deploying virtual desktops at LOCATION 2 -> in this case traffic will have to go through the Connection Manager, then to the virtual desktop at LOCATION 2 and back to the client... no idea how this works (it's the PURPLE path)... it seems like a heavy network load? However, that could give quick access to files on the LOCATION 2 servers.

    Another solution is to put a View Connection Manager in LOCATION 2 as well, but that would make me administer another system, and I want to keep things simple.

    What do you suggest?

    Question No. 2:

    Do I have to route traffic from LOCATION 2 to LOCATION 1, where the View Connection Manager lives, via VPN, or is the PCoIP traffic encrypted by itself and is it OK to put it in the (controlled) DMZ?

    Thanks for the help!

    (attached image: 1986788.png)

    Would the orange path in the attached picture be more accurate if secure tunneling were disabled?

  • Blackberry design question

    Hi all

    I developed a BlackBerry application using native BlackBerry development.  Now I have to add support for several device resolutions.  From the design point of view, I fill in padding and margins for the fields on my screen. So I think that's not good programming.

    Please can someone tell me a way to write code in BlackBerry that supports all resolutions (i.e. jre 6 and 7).

    After going through many links I got information about LWUIT components. So please can someone tell me which is best to use for coding on BlackBerry, LWUIT or native BlackBerry.

    Thanks in advance

    As Simon suggested, I wrote some of my thoughts as part of a number of tutorials, see here:

    http://supportforums.BlackBerry.com/T5/Java-development/tutorials-for-new-developers-part-1/m-p/1621...

    I think the UI one is tutorial 10.

    As Simon said, the thing with the user interface is either:

    (a) creating a specific UI for the form factor you target (so it comes to taking into account the screen size (pixels), resolution (DPI) and orientation)

    (b) creating a general UI that adapts at run time to match the form factor.

    For most applications where you don't need pixel-perfect display, I think that (b) works very well; there are a variety of approaches you can use.  Take a look at this tutorial.

    For example, Simon chooses UI assets (such as icons) based on the screen resolution, so choosing icons of different sizes according to the screen (Android does something similar, and you can do this same sort of thing in BB10).  Otherwise, I try to understand the bigger picture in construction and let the device adapt it.  My experience is that scaling on the device works OK, but I suspect that some will say an image of 96 x 96 pixels scaled down by the device to 64 x 64 pixels may not look as good as a prepackaged 64 x 64 image; try and see.

  • Nexus 5600 HSRP design question for VLAN stretched between 2 vPC domains.

    For our new data center network, I have 4 Nexus 5672UP in two data centers. Between the data centers is a redundant vPC with 2x10Gb fiber. I have configured two vPC domains, one for each data center. I read that HSRP within a vPC domain is active/standby, but I wonder what would be the right way to configure HSRP for the stretched VLAN since they are two different vPC domains?

    If you need FHRP isolation between sites, this can be achieved by configuring HSRP authentication per site, so that the HSRP hellos between the sites stop being processed and each site acts as active/standby on its own. Due to the HW architecture of the Nexus 5600, multicast control-plane packets are punted to the CPU, bypassing any PACL or MAC ACL. So with a PACL you will not be able to filter the HSRP hellos, ARP, BPDUs, etc. that need to go to the CPU, because there is a predefined ACL to redirect control traffic to the CPU, and this ACL overrides the user-configured ACL. It is advisable to configure "no ip arp gratuitous hsrp duplicate" to suppress unnecessary GARPs at each location in this design as well. Note that 4-way HSRP is supported only on the latest NX-OS versions; see also CSCuy89705.

    Another solution is to run FabricPath DCI with Anycast HSRP, which will allow all the 5600s to act as an active default gateway; refer to page 22 of the Cisco FabricPath best practices.

    -Jeffords Tyler

  • Sip Trunk design question

    Hello

    I have a requirement to migrate an H.323 environment to a SIP environment. I'm looking for best practices, especially around security. I have 2 CUCM servers (8.5) in separate cities for redundancy. I also have 2 voice gateways which, at present, do H.323 to the PSTN, each located in a different city.

    My requirements are:

    1. create a SIP trunk to the provider instead of using PRI.

    2. If the WAN link to the provider fails on one gateway, the router in the other location should be able to receive the setup messages and, if a user logs in via extension mobility, should be able to answer the call.

    Is there a simplified design doc for this? I hesitate to create a SIP trunk directly to the provider for security reasons, so I'm thinking of terminating the calls on the voice routers with CUBE. I am sure this is managed out of the box and would appreciate comments.

    Cheers!

    Pieter

    Simple answer: ALWAYS use CUBE.  With IOS 15.1T and later you get toll-fraud protection for free, which you can use to restrict which IP addresses can contact the CUBE; that's all you need.

    HTH,

    Chris

  • Cisco ISE and Admin CLI question

    Hello.

    I have a strange problem with my ISE installation. First of all, I use AD users for authentication. It works very well over HTTPS. I can log in with my AD admin over HTTPS.

    The problem starts when I try to log in via the CLI (SSH). I get the login prompt. When I type my AD credentials it says "Login Incorrect", and I get the same result if I try with the local administrator account.

    I tried to reset the password for the local administrator over HTTPS to rule out a wrong password. But no effect.

    My ISE is installed on VMware.

    Any experience with this?

    ARM

    CLI authentication, which is the base Linux OS, is not / cannot be bound to AD for admin authentication. You only integrate the application on top of Linux, which in this case is ISE, with AD. So, if you want to connect to the CLI shell, you will need to use the username/password you configured during installation. If you do not remember those, you need to perform a password reset via the installation CD / ISO

    Thank you for rating useful posts!

  • Double firewall, config VPN design question?

    All,

    I'm looking to implement a double-firewall design with different vendors, i.e. Cisco at the front and another vendor behind that. The Cisco ASA will manage the VPN endpoints. It's a design that was recommended to us.

    The reasoning was that the front-facing firewall (Cisco) will block most of the noise, and then the second firewall will do the IPS inspection etc. Apparently, this is also done in case there are vulnerabilities with the first vendor. The DMZ interface will in fact come off the second firewall.

    I am currently working out: if all remote users terminate their VPN at the edge ASAs, what is the best way to move them towards the second firewall, then back out to the internet, so we can apply policy and inspection to users?

    There are no IPS inspection facilities on the front ASAs, just a bog-standard firewall without L7 visibility (as this responsibility will lie with the second firewall).

    Looking for information so that I can start looking...

    The CVD is a great place to start.

    http://www.Cisco.com/en/us/solutions/ns340/ns414/ns742/ns1128/landing_iEdge.html

  • ISE upgrade question

    Trying to upgrade 1.1.1.268 patch 5 to 1.1.2.145.  Via the GUI it fails saying that the package is not in the correct format.  Tried via CLI and I see this in the logs.

    3 jan 18:25:42 oranetise02 debugd [2507]: [22327]: application: install cars_install.c [245] []: install initiated with bundle - ise-appbundle - 1.1.2.145.i386.tar.gz, repo - patches

    3 jan 18:25:42 oranetise02 debugd [2507]: [22327]: application: install cars_install.c [259] []: stage area - /storeddata/Installing/.1357237542

    3 jan 18:25:42 oranetise02 debugd [2507]: [22327]: application: install cars_install.c [263] []: get the package to the local computer

    3 jan 18:25:42 oranetise02 debugd [2507]: [22327]: transfer: cars_xfer.c [54] []: ftp copy in ise-appbundle - 1.1.2.145.i386.tar.gz asked

    3 jan 18:26:12 oranetise02 debugd [2507]: [22327]: application: install cars_install.c [272] []: Got bundle at-/storeddata/Installing/.1357237542/ise-appbundle-1.1.2.145.i386.tar.gz

    3 jan 18:26:12 oranetise02 debugd [2507]: [22327]: application: install cars_install.c [282] []: unbundling package ise-appbundle - 1.1.2.145.i386.tar.gz

    3 jan 18:26:52 oranetise02 debugd [2507]: [22327]: application: install cars_install.c [294] []: made the separation. Checking input parameters...

    3 jan 18:26:52 oranetise02 debugd [2507]: [22327]: application: install cars_install.c [316] []: manifest file is at the - /storeddata/Installing/.1357237542/manifest.xml

    3 jan 18:26:52 oranetise02 debugd [2507]: [22327]: application: install cars_install.c [326] []: Manifest file appname - ise

    3 jan 18:26:52 oranetise02 debugd [2507]: [22327]: application: install cars_install.c [364] []: fixes batch contains patch ((null)) for app version (1.1.2.145)

    3 jan 18:26:52 oranetise02 debugd [2507]: [22327]: application: install cars_install.c [367] []: patch for the version of the application (1.1.2.145) does not match the version of the installed app

    3 jan 18:26:53 oranetise02 debugd [2507]: [22327]: application: install install_cli.c [691] []: error message: the Patch can not be applied to the version of the installed application.

    3 jan 18:26:53 oranetise02 debugd [2507]: [22327]: application: install install_cli.c [694] []: error during installation - batch of patches: ise-appbundle repository - 1.1.2.145.i386.tar.gz: ErrorCode patches:-623

    David,

    You can only upgrade the ISE node when it's standalone and via CLI mode. Please use the application upgrade command to do the upgrade.

    Here are a few reference documents.

    http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/upgrade_guide/upg_sta...

    Sent from the Cisco Technical Support Android app

  • ISE general questions: DOT1x, NAM, NAC etc...

    Hello

    I have two questions. One is a problem that I am facing and the second is a possibility I want to check

    question: I have a stack of 3 switches: 2 x WS-C3850-48P and 1 x WS-C3850-24P, running IOS-XE 03.03.01SE. Now on some ports, when I try to enter the following commands, it gives me the output below.

    GCB2-FF-C1-SW1(config-if)# authentication event fail action next-method
    ^
    % Invalid input detected at '^' marker.

    GCB2-FF-C1-SW1(config-if)#$tion event server dead action authorize voice
    authentication event server dead action authorize voice
    ^
    % Invalid input detected at '^' marker.

    GCB2-FF-C1-SW1(config-if)# authentication host-mode multi-auth
    ^
    % Invalid input detected at '^' marker.

    GCB2-FF-C1-SW1(config-if)# authentication order dot1x mab
    ^
    % Invalid input detected at '^' marker.

    GCB2-FF-C1-SW1(config-if)# authentication priority dot1x mab
    ^
    % Invalid input detected at '^' marker.

    GCB2-FF-C1-SW1(config-if)# authentication port-control auto
    ^
    % Invalid input detected at '^' marker.

    GCB2-FF-C1-SW1(config-if)# authentication periodic
    ^
    % Invalid input detected at '^' marker.

    GCB2-FF-C1-SW1(config-if)# authentication timer reauthenticate server
    ^
    % Invalid input detected at '^' marker.

    GCB2-FF-C1-SW1(config-if)# authentication violation restrict
    ^
    % Invalid input detected at '^' marker.

    GCB2-FF-C1-SW1(config-if)# mab
    ^
    % Invalid input detected at '^' marker.

    GCB2-FF-C1-SW1(config-if)# dot1x pae authenticator
    ^
    % Invalid input detected at '^' marker.

    and on the same switch, I have some ports which have accepted these commands... I have not understood what is wrong with a single port.

    any help will be appreciated.

    now, for the possibility I would like to check:

    2: CAN WE HAVE CISCO ANYCONNECT CONFIGURED ON THE WINDOWS COMPUTER AS A SUPPLICANT THAT SUPPORTS PEAP AND SMART CARD AT THE SAME TIME? SO IF THERE ARE SEVERAL USERS, SOME WHO USE A SMARTCARD AND SOME A GENERIC USERNAME AND PASSWORD ON THE MACHINE, CAN THE TWO COEXIST?

    THANKS IN ADVANCE...

    Nick...

    Did you make sure that these ports are actually defined as access ports before loading the dot1x config? It will fail on e.g. routed ports.
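As an added Python example (not from the thread), a check for the failure mode in the answer above: it parses a running-config and flags interfaces that carry the poster's interface-level authentication, mab and dot1x commands but are not explicit Layer-2 access ports. It goes slightly beyond the answer by also flagging trunk ports and ports with no stated switchport mode. The running-config excerpt and all function names are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed running-config excerpt (not from the thread). Gi1/0/1 is a
# correctly configured access port; Gi1/0/2 is routed, Gi1/0/3 is a trunk and
# Gi1/0/5 never states its switchport mode.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 10.1.2.1 255.255.255.0
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 authentication port-control auto
!
interface GigabitEthernet1/0/4
 switchport mode access
!
interface GigabitEthernet1/0/5
 authentication port-control auto
 dot1x pae authenticator
!
"""

# Interface sub-commands that are only accepted on a Layer-2 access port.
AUTH_CMD = re.compile(r"^(?:authentication\s|mab$|dot1x pae authenticator$)")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} from 'show running-config' text."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the interface block
    return interfaces


def port_mode(commands: List[str]) -> Optional[str]:
    """'routed', 'access', 'trunk', ... or None when no mode is stated explicitly."""
    if "no switchport" in commands:
        return "routed"
    for cmd in commands:
        if cmd.startswith("switchport mode "):
            return cmd.split()[2]
    return None


def find_misplaced_auth(config: str) -> Dict[str, str]:
    """Interfaces with 802.1X/MAB commands that are not explicit access ports."""
    findings: Dict[str, str] = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(AUTH_CMD.match(c) for c in cmds):
            continue
        mode = port_mode(cmds)
        if mode == "access":
            continue
        if mode is None:
            findings[name] = "no explicit 'switchport mode access'; verify port mode"
        else:
            findings[name] = f"{mode} port: 802.1X/MAB commands are not accepted here"
    return findings


if __name__ == "__main__":
    for intf, problem in find_misplaced_auth(SAMPLE_CONFIG).items():
        print(f"{intf}: {problem}")
```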

  • Newbie design question

    Trying to understand how it works under the covers, so I can make better design decisions.

    I understand that PhoneGap is basically a web browser running your application on the phone. When you build your iPhone installation (I've never done that), does it basically take all your web stuff (files, html, images, js, etc.), wrap them as an "application", put them on the person's phone (in your "app") and run the whole thing locally (via PhoneGap) as a web server? That means that when you load index.html, it loads a local copy (on the phone) and not a http://mywebsite/index.html version.

    If this is the case, then I guess that means PHP calls are made via AJAX or something to my external web server, and I guess I have to whitelist (I read that somewhere) or something.

    but the main point, I guess, is that the app on the phone seems to work as a browser and a small web server/database too?

    Not quite.

    Assets (html, js, css, graphics) are stored in the app bundle and displayed in a native WebView component.

    There is no local server involved.

    PhoneGap is just the tool. It prepares your signed hybrid application as .apk, .ipa, etc.

    PhoneGap is not active at run time! There is just a piece of JavaScript, which is included in your assets, to act as a bridge between your local JavaScript and the native plugins.

    Server-side scripts run on a remote server, communicating over AJAX (or via a socket). You design your app server MVC-ish.

  • Database design question

    Hello, I have a one-to-many relationship problem when designing a store management system. Each store can have several names, but there is at least one name. Any suggestion? Thank you

    Try this:

    CREATE TABLE MyStores
    (
    -- Etc...
    , Store_Name_Id VARCHAR2(7) NOT NULL
        CONSTRAINT Fk_Store_name
        REFERENCES Store_Names_Tab (Name_Id)
    -- ...
    )

  • vCenter Expansion Design Question

    Hi all


    Currently, I have a relatively small environment with 4 hosts at our corporate location in the United States and two hosts at a second location in Europe.  I find that the number of virtual machines running in our Europe environment keeps growing.  I've been actively weighing the merits of adding a vCenter Server Appliance to our environment in Europe.  I have a few questions, which I hope are simple, that you can help with.  If your experience is that it's best for me to look at the documentation for my answers, links to documentation would be very useful!

    1. If I add a vCenter Server Appliance to our VMware cluster in Europe, does it connect to the vCenter database running at our corporate location?  Alternatively, would the vCenter appliance simply manage the cluster at our European office location?
    2. If the answer to 1 above is that the vCenter appliance will only manage the clusters in Europe, does that mean that I will be able to see only one environment at a time when I open my vSphere client?
    3. Does the vCenter appliance require another vCenter license?

    That will be it.  Thanks in advance for your advice!


    S

    Hi Sean,

    If I add a vCenter Server Appliance to our VMware cluster in Europe, does it connect to the vCenter database running at our corporate location?  Alternatively, would the vCenter appliance simply manage the cluster at our European office location?

    vCSA comes with a built-in database (vPostgres) and you can also link it with an external Oracle DB (MSSQL is not supported). And NO, it won't use the already existing DB.

    If the answer to 1 above is that the vCenter appliance will only manage the clusters in Europe, does that mean that I will be able to see only one environment at a time when I open my vSphere client?

    Yes, you need to connect individually, as Linked Mode is not supported on vCSA.

    Does the vCenter appliance require another vCenter license?

    Yes, with vCSA you have to purchase another license to manage the two hosts.

  • DW CC - Responsive Design: Questions about inherited CSS properties

    Hey all.

    I'm learning a lot, but I've only been designing web sites for a short time now.  I use Dreamweaver CC and use responsive design templates.

    Here's the long and short of it:

    The responsive design template uses 3 @media CSS selectors in the following hierarchy:

    -Global: (less than 481px wide)

    -Tablet: (between 481-768px wide)

    -Desktop: (above 769px, 980px max wide)

    As you can see, Global is the 'Mobile' design, but it is at the top of the hierarchy.

    I'm trying to display: none the .header h1, h2, p ONLY in the .header of the mobile display.

    (No media selector, i.e. global)

    .header h1, h2, p {
              display: none;
    }
    

    The problem is that all h1, h2 and p elements in the CSS have disappeared.  Even those of other classes in the other views.

    Did I do something wrong?  How can I create a selector for the (global) .header class so it won't affect, say, .other_class?

    Get it; if I change something in the global, should nothing further down in the hierarchy be affected?  Is that done through display: xxxx?

    Example:

    /* Global Settings: Mobile format (less than 481px wide) */

    .header h1, h2, p {
        display: none;
    }


    /* Tablet Layout: 481px to 768px. Inherits styles from: Mobile Layout. */
    @media only screen and (min-width: 481px) {

        .header h1, h2, p {
            display: compact;
        }
    }


    Any help is appreciated.  I can post the full CSS / HTML if necessary.   I thought that these excerpts should be sufficient to demonstrate, though.

    Hello

    To change the display only in the mobile layout, you will need to use a media query, otherwise it will apply to all screen sizes:

    @media only screen and (max-width: 480px) {

        .header h1, h2, p {
            display: none;
        }

    }

    PZ
