ISE node failure & pre-authorization ACL

Hi all

I would like to know what the best practice should be for the following configuration.

(1) Access for devices/end users to the network if both ISE nodes become inaccessible: how can we ensure that full network access is granted if the two ISE nodes become unavailable?

(2) What is the best practice for setting up a pre-authorization ACL if IP phones are also in the network?

Here is the configuration of the port and the pre-authorization ACL which I use in my network:

interface FastEthernet0/1
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 40
 ! static pre-authorization ACL, applied before any dACL arrives from ISE
 ip access-group ISE-ACL-DEFAULT in
 authentication event fail action authorize vlan 30
 ! critical authentication: authorize into VLAN 30 when all RADIUS servers are dead
 authentication event server dead action authorize vlan 30
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5

*****************************************

ip access-list extended ISE-ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS and domain controllers
 permit ip any host 172.22.35.11
 permit ip any host 172.22.35.12
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark deny all
 deny ip any any log

Thank you & best regards,

Guelma

Hello

On question 1, since you use "authentication host-mode multi-domain", then "authentication event server dead action authorize vlan X" is the way to go.

But if you use "authentication host-mode multi-auth", then you should use "authentication event server dead action reinitialize vlan X".

On question 2, it is not mandatory to use a pre-authorization ACL. My current deployment has IP phones; since I use profiling with RADIUS and CDP, ISE can detect and permit the IP phones even if the switch blocks all packets. That is why I didn't need a pre-authorization ACL.

Please rate if this helps.
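Added example, not from either post above: the server-dead settings for a multi-domain port carrying an IP phone, written out in Cisco IOS 15.x syntax. It reuses the VLAN numbers and ACL name from the question; the PSN addresses, the RADIUS key placeholder and the dead-criteria timers are assumptions to adapt. The detail the answer does not spell out is that the critical-VLAN authorization covers only the data domain: the voice domain needs its own "authorize voice" line, otherwise the phone is not authorized while the PSNs are unreachable.

```cisco
! Mark a PSN dead after 3 unanswered requests within 5 seconds and keep it
! dead for 15 minutes before probing again (assumed timers). Without these,
! the switch may never declare a server dead and critical auth never kicks in.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
radius server ISE-PSN-1
 address ipv4 172.22.35.21 auth-port 1812 acct-port 1813
 key <RADIUS-KEY>
radius server ISE-PSN-2
 address ipv4 172.22.35.22 auth-port 1812 acct-port 1813
 key <RADIUS-KEY>
aaa group server radius ISE
 server name ISE-PSN-1
 server name ISE-PSN-2
!
interface FastEthernet0/1
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 40
 ip access-group ISE-ACL-DEFAULT in
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! All servers in the group dead: the data domain is authorized into VLAN 30
 ! and the voice domain is authorized as well. Without 'authorize voice' the
 ! phone stays blocked while the PSNs are unreachable.
 authentication event server dead action authorize vlan 30
 authentication event server dead action authorize voice
 ! For a multi-auth port, the answer above uses this line instead:
 !   authentication event server dead action reinitialize vlan 30
 ! When a PSN returns, re-run authentication for the critical sessions.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
```

Critical authorization only grants the VLAN; it does not touch the static pre-authorization ACL ISE-ACL-DEFAULT, so with authentication open the endpoints remain limited to what that ACL permits until something else lifts it. The later thread on this page about access when ISE is dead covers that part. Verify the dead state with "show aaa servers" (each server shows DEAD or UP) before trusting the fail-over in production.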

Tags: Cisco Security

Similar Questions

  • dACL on switches in open mode with a pre-authorization ACL

    Hi board,

    This topic might also fit in the switching section of the forum, but I'll try it here.

    Suppose I use authentication open on a switch port with a pre-authentication ACL. Call it PORT-PRE-AUTH-ACL.

    The pre-authentication ACL contains the usual stuff like PXE, DHCP, DNS and so forth (yes, we want to do profiling :))

    Now the client behind the port is successfully authorized, and a dACL is applied to the session. The IP Device Tracking magic then kicks in and adds the IP address of the actually connected client to the source part of the ACL.

    Now the question: what happens with the content of PORT-PRE-AUTH-ACL on the switch port?

    • Is the pre-authentication ACL removed for the session?
    • Are the ACLs concatenated, with the static pre-authorization ACL first and the contents of the dACL after it?
    • Are the ACLs concatenated, with the contents of the dACL first and the static pre-authorization ACL after it?

    I think the answer to this question is: it depends - right?

    From my point of view, it is highly platform and software version dependent. Do you agree? I also think the documentation is very poor in this particular case.

    For example on a 2960-X and 2960-S running 15.2 code with IBNS 2.0 config style, the behavior is that the content of the dACL is placed above the static port ACL, but the static port ACL remains in place.

    Why do I ask this question?

    • It is relevant when placing explicit deny statements somewhere in the port ACL or the dACL.
    • TCAM resource savings on the switch. For example, if I have permitted DHCP in the pre-auth ACL, I need not permit DHCP in the dACL if the ACLs are concatenated. Fewer ACEs entered --> savings of TCAM resources on the switch.

    Maybe it's a good idea if we assemble a list of "field experience". I'll begin with the two devices from above:

    Platform       Version      Behavior                     Remarks
    Cat 2960X      15.2(4)      Concat: dACL then port ACL   IBNS 2.0
    Cat 2960S      15.2(2)      Concat: dACL then port ACL   IBNS 2.0
    Cat 4500 Sup8  3.7.0E       Concat: dACL then port ACL   Updated 2016-03-31 by NicolasDemonty (thanks)
    Cat 6800       15.2(1)SY2   Concat: dACL then port ACL   Updated 2016-08-26 by jcockburn (thanks)

    Does someone have a Cat6k (ok - it is difficult with IBNS 2.0 on this platform), Cat4k, Cat3k?

    Hello

    We have 6500s on IBNS1 and 6880s on IBNS2.

    Same thing regarding the dACL and the PACLs...

    The dACL is concatenated on top of the PACL.

    One thing to note: we have a posture/remediation phase which redirects the client to the portal as well, and when we migrated to IBNS2 we found different implementations.

    IBNS1 = dACL, RACL + PACL

    IBNS2 = dACL, RACL + PACL

    So if for some reason you had a deny in the dACL, the RACL would never be matched... suffice to say.

  • Inline Posture node registration on the primary node fails with an error

    When registering an Inline Posture node on my primary ISE node, I got this message:

    "An error occurred during node registration

    ISE-name - java.io.IOException: Server returned HTTP

    response code: 401 for URL: https://ise-name/deployment-rpc/persona". Please, what is the cause of this problem and how can I solve it?

    Hello

    Have you configured the certificates correctly? I would start by checking there, and also check that you are using the correct credentials (the GUI credentials of the Inline Posture node).

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • Proxy node failure detection

    Question about proxy node failure detection for Extend clients.

    My impression is that, once the connection is established, you won't notice that the proxy node went missing until the next time you try to access the cluster (get, put, etc.).
    Or is there something like a MemberListener so that the client is notified when the proxy node disappears?

    This causes us some problems, since we are adding a map listener within the Extend client, but we don't receive any notification if the proxy node has disappeared.
    To resolve this problem, we implemented a client heartbeat approach, where a background thread periodically performs a cache get to make sure the connection remains valid.

    The above approach has worked very well for the single-proxy-node replacement scenario, since if the heartbeat failed we knew something was wrong.

    However, the heartbeat approach creates a new issue when there is more than one proxy node configured in the client's remote cache scheme.

    This is what we observed.

    An Extend client configured with a remote cache scheme has proxyA and proxyB in its proxy list.

    1. The Extend client starts by connecting to proxyA.
    2. The Extend client subscribes to key ABC on cacheX.
    3. Kill the proxyA process.
    4. The background heartbeat thread performs a heartbeat get on cacheX. It seems that during this cacheX.get() operation, Coherence automatically creates a new connection to proxyB. Our application doesn't even notice that there was a proxy node switch.

    Now the question is: if an update to key ABC occurred between steps 3 and 4, our application does not receive any notification at all. And we don't even notice that a new connection was created to a different proxy node.

    Our business requirements demand that we miss no entry update notification on the Extend clients (unless all the proxy nodes are down) as long as there is at least one available proxy node.

    Is there a better approach for this requirement?

    To get events when your connection is lost you need to use a MemberListener.

    For example, you can use the cache that you have added the listener to...

    cache.getCacheService().addMemberListener(memberListener);

    When you lose the connection, the memberLeft method will be called on your MemberListener and you can then add your listeners to the cache again.

    JK

  • Both ISE nodes become primary

    Hello

    We are deploying 2 x ISE 3415 appliances for a customer as a primary/secondary admin cluster. We took version 1.2.0.899-5-93975. Everything was going to plan for the deployment, and when we manually promoted the secondary everything worked fine. Then we tried a few tests before going into production. We simulated a switch port failure to isolate our primary ISE. We promoted our secondary ISE, and so we then had both as primary ISE Admins once the switch problem was resolved. At this point it would be good to simply "downgrade" back to secondary, but this isn't an option. We tried to break the cluster by deregistering the primary. Then we got into a situation where we could not completely break the cluster, and the end result is that the secondary shows an internal error 500 (see attachment) and we are unable to browse to the GUI. I think I need to re-image the secondary now and re-join it to the cluster.

    Is there anything documented on how to recover from a situation where the two appliances become primary? Looks like it should be simple enough. Has anyone also met the 500 internal error when attempting to log into the appliance, and if so, how did you resolve it? From the CLI all services are running.

    Any help/advice would be appreciated.

    Dean

    I have the same scenario as yours: ise1 is primary Admin/MnT and ise2 is secondary Admin/MnT.  ise1's IP is 192.168.1.1/24 and ise2's is 192.168.1.2/24.  They are both on the same subnet.

    Simulate a disaster: shut down the switchport ise1 is connected to.

    1. Manually promote ise2 to primary Admin/MnT.  After that, make a bunch of changes on ise2.

    2. Bring ise1 back.  At this point, both ise1 and ise2 show as primary Administration.

    3. From the web UI on ise2, select ise1, then press "Syncup".  That will force ise1 to become secondary Admin.

    4. Once everything is synced, connect to the ise1 web interface and manually promote ise1 to become primary Admin/MnT.

    That's it.

  • Node failure scenario: messages in NON-PERSISTENT distributed topics

    Hello

    In the case of a node failure in a cluster with a distributed topic, are NON-PERSISTENT messages (which have already been published) guaranteed to be delivered to the other active nodes in the cluster? I would particularly like to understand the following:

    1. What would be the behavior of a replicated distributed topic (given that the messages are replicated to all topic members)?

    2. What would be the behavior of a partitioned distributed topic (as the message is put on only one of the topic members... what happens if the node hosting that topic member goes down)?

    3. Does specifying unit-of-order on the JMS message have any effect on the behavior in the above two topic scenarios (since WebLogic JMS routes messages with the same unit-of-order to the same distributed destination member... what happens if that particular destination member's node crashes)?

    4. Does using topicMessagesDistributionMode = one-copy-per-application on the MDB have any effect on the behavior? (Since with one-copy-per-application only a single MDB instance for an application across the cluster gets the message... what happens if the node running the particular MDB instance consuming messages goes down?)

    Just to emphasize again, I am speaking only about the case of non-persistent messages.

    Please advise.

    Kind regards
    Arif

    3. If I understand correctly, with unit-of-order WebLogic places the message in one member as the destination... However, because it is a replicated distributed topic, this particular destination member will forward the message to all other distributed destination members... So, in this case, if the node hosting the original destination member (where the message was placed by WebLogic JMS) goes down... will the messages still be available for consumption from the other topic destination members?

    Yes, the ordering and single-processing semantics of unit-of-order in those scenarios are kept on a per-member basis. Of course, this assumes the topicMessagesDistributionMode is compatibility or one-copy-per-server mode. See the answer to the following question for one-copy-per-application mode.

    4. An MDB (with topicMessagesDistributionMode = one-copy-per-application) is deployed on a cluster with a replicated distributed topic. If a node goes down, do the messages get delivered to the MDB instances on the other nodes?

    My current understanding is that with one-copy-per-application mode, each MDB listens for messages on the local distributed topic destination member with a special message selector (set by WebLogic JMS) so that it only retrieves local messages (and not forwarded messages)... Does this mean that when a node goes down (including the destination member where the message was originally placed), the corresponding replicated/forwarded messages cannot be consumed by the MDBs on the other nodes in the cluster, and the message is essentially lost? Is this interpretation correct?

    Your interpretation is correct.

  • How much time does it take for Coherence to detect node failure?

    Hello everyone

    We have an application that, among other things, uses a call to NamedCache.invoke(Object, InvocableMap.EntryProcessor)
    to distribute work to agents hosted in about 80 different JVMs, each of which presumably manages a portion of the cache
    key range. In the present case, the cache is managed by a service with a backup-count of 0. The EntryProcessor agents
    "on the other side" get an entry based on the key value and put it in the cache. Our questions:
    - If a JVM that hosts the service fails all of a sudden, how long does it take Coherence to detect the failure?
    - How long does it take Coherence to move the key range managed by a failed server to another JVM?
    - Are requests sent through InvocableMap.invoke() queued or retried when the key refers to a range handled
    by a failed server?

    We are worried that we may face user-visible failures using a cache in a service with a backup-count of 0.

    Thanks for any help
    - Mike Murphy

    P.S.
    Sorry for the user1172219 user id tag - I understand that it will take an hour or two for a new handle to appear.

    Mike_M wrote:

    > If a JVM that hosts the service fails all of a sudden, how long does it take Coherence to detect the failure?

    Depends on the Coherence version; 3.6 running with ping-based death detection is really very fast (about 1 second, I think).
    Earlier versions, or with ping-based death detection not running, are a bit slower, but still fast enough.

    > How long does it take Coherence to move the key range managed by a failed server to another JVM?

    If you have a backup-count of 0, you will lose all data in the partitions of the abnormally departed node. Those partitions will therefore be recreated empty on their new owner, and this assignment is quite fast. On the other hand, some other partitions must be rebalanced, which can take some time depending on the data size.

    > Are requests sent through InvocableMap.invoke() queued or retried when the key refers to a range handled by a failed server?

    They can be retried, but since you have lost the partition, you may end up with incorrect data. I don't know what really happens in this case.

    > We are worried that we may face user-visible failures using a cache in a service with a backup-count of 0.

    It depends on what your application does if the content of the cache is missing.

    Best regards

    Robert

  • ISE 1.2 installation failure on VMware 4.1

    For a customer evaluation, we are trying to install ISE 1.2.1.198 on a VMware ESXi 4.1 VM from an ISO image in the VMware datastore mounted as the DVD drive of the virtual machine. The installation starts, but after the initial boot it fails with an error that the ISE software DVD is not in the DVD drive.  I wonder:

    (1) Has anyone seen this?

    (2) Has anyone installed this version from an ISO in a datastore?

    The installation guide only refers to installing from the ISO with a DVD in the VM host's drive.

    I am currently downloading the .ova file to work around the problem, but as Cisco provided the .iso image file to the client, I would prefer to make this work if possible.

    TIA

    JonS

    Jon,

    I install from an ISO in the datastore all the time.  Whenever I have seen the error you are receiving, it was because of a damaged/corrupted ISO file.  Try downloading the ISO file again.  No doubt that will fix the problem.

    Please rate useful posts and mark this question as answered if, in fact, this answers your question.  Otherwise, feel free to post additional questions.

    Charles Moreton

  • Access when the ISE server is dead

    Hello
    I would like to know how to give access to users when ISE is dead.
    I'm asking because I'm using a pre-authentication ACL, so even with "authentication event server dead action authorize vlan XX" access will be limited, won't it?

    My pre-authentication ACL allows access only to ISE, DNS and DHCP requests.

    Kind regards.

    André

    I'm afraid you don't have a lot of options here. I have encountered this problem before during my deployments. The problem is that ISE is needed in order to signal the switch to remove the pre-authorization ACL using a dACL. However, since ISE is not available, the switch can allow endpoints into a VLAN, but you need another method to remove the pre-authorization ACL. In the past, I've accomplished this via one of the following:

    1. An EEM script that reconfigures the switch and sets the pre-authorization ACL to "permit ip any any" (or removes the pre-authorization ACL altogether) when/if the ISE servers become unavailable. I thought this required the IP Services feature set, but looking at the following doc it looks like you could do it with IP Base too. I guess you can give it a try and see what happens :)

    http://www.Cisco.com/c/en/us/products/collateral/iOS-NX-OS-software/IOS-software-releases-12-2-special-early-deployments/product_bulletin_c25-614546.html

    Example EEM script:

    http://www.alcatron.NET/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.PDF

    2. The second method requires a converged access switch (3850, 3650). These switches can be configured with profiles where the pre-authorization ACL can be replaced by a critical ACL when ISE is unreachable.

    I hope this helps!

    Thanks for rating helpful posts!
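    Added example, not from the post above or from the linked deck: the kind of EEM applet the first option describes, in Cisco IOS syntax. It assumes the pre-authorization ACL is named ISE-ACL-DEFAULT (the name used in the opening question), that the ISE PSNs are the only servers in the switch's RADIUS group, and that the switch emits %RADIUS-3-ALLDEADSERVER when every server in the group has been marked dead and %RADIUS-4-RADIUS_ALIVE when one returns; confirm both patterns against "show logging" on your platform before relying on them.

```cisco
! EEM applets that open and restore the pre-authorization ACL ISE-ACL-DEFAULT.
! Both syslog patterns are assumptions: check 'show logging' on your release
! for the exact messages it generates when RADIUS servers die and return.
!
event manager applet ISE-ALL-DEAD
 ! Fires only when every server in the RADIUS group is marked dead, not on
 ! the first PSN failure. Needs 'radius-server dead-criteria' configured,
 ! otherwise the switch may never mark a server dead.
 event syslog pattern "RADIUS-3-ALLDEADSERVER"
 action 1.0 syslog msg "All ISE PSNs dead: opening pre-auth ACL ISE-ACL-DEFAULT"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "ip access-list extended ISE-ACL-DEFAULT"
 ! Sequence 1 places the permit ahead of every existing ACE; the original
 ! entries stay in the ACL, so rollback is a single 'no'.
 action 5.0 cli command "1 permit ip any any"
 action 6.0 cli command "end"
!
event manager applet ISE-ALIVE
 ! The first PSN to return removes the blanket permit. The ports' existing
 ! 'authentication event server alive action reinitialize' then re-runs
 ! authentication for the sessions authorized while ISE was dead.
 event syslog pattern "RADIUS-4-RADIUS_ALIVE"
 action 1.0 syslog msg "ISE PSN back: restoring pre-auth ACL ISE-ACL-DEFAULT"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "ip access-list extended ISE-ACL-DEFAULT"
 ! Harmless if the permit is not present (a PSN flapped without all dying).
 action 5.0 cli command "no 1 permit ip any any"
 action 6.0 cli command "end"
```

    This is a deliberate fail-open: while all PSNs are unreachable, every port carrying this ACL gets unrestricted access, which is what the opening question asks for, so alert on the applet's own syslog message and review "show event manager history events" after an outage. If AAA command authorization is enabled on the switch, the "cli command" actions need the applet defined with "authorization bypass", or they will be refused.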

  • IP address change after ISE CoA

    I've heard of this problem before, but am not sure how to stop it...

    Client connects to the switch, switch contacts ISE on the backend. Client gets an IP address on VLAN 30 in the meantime. ISE determines the client belongs on VLAN 60 and performs the CoA. The switch changes the VLAN, but the client still has an IP on VLAN 30.

    Does anyone have a good way to stop this? The only thing I've heard is to put a pre-authorization ACL on the port denying DHCP. But I'm having issues even getting this to work.

    Thank you.

    I've had this problem before and have posted on similar topics. I have never tried blocking DHCP with an ACL, but it would be interesting to know if it works. I see two problems with it though:

    1. The ability to use the critical auth VLAN in case ISE goes down is not really an option unless you use Cat 3850s, or 3750s with IP Services where you can use an EEM script to remove the pre-authorization ACL. Otherwise, even if ports are authorized, there is no RADIUS server to push a dACL to replace the pre-authorization ACL.

    2. I like to use the guest/CWA flow when 802.1X and MAB fail. Of course, this requires an IP address.

    3. A lot of good information for profiling is obtained via DHCP.

    In the past, I used static IPs on these devices, and that seems to work ok. Overall, I really don't like dynamic VLAN override for this exact reason. That's why I recommend just letting everyone onto the default VLAN and restricting access via ACL or dACL on the L3 interfaces. If additional segmentation is needed, you can always go to SGT/SGA :)

    Thanks for rating helpful posts!

  • EAP-FAST + new user without certificate

    Hello colleagues

    Can you please share a situation with me?

    I have ISE 2.0 with certificate-based authentication using EAP-FAST. When a new user who has never logged on to the machine tries to connect... the user certificate does not exist and AnyConnect finds no valid certificate... and that's my problem.

    I have to allow this user to connect to my PKI and run the GPO update to download the certificate.  Is it possible to implement EAP-FAST authentication without any certificate? Example: anonymous certificate or self-signed certificate?

    Thank you

    Hello!

    So what you see here is the expected behavior. Your machine is not allowed on the network until it has the appropriate certificates, but you can't get the appropriate certificates until you connect to the network :)

    So, what are your options here:

    1. Use Low Impact mode instead of Closed mode. This allows you to define a pre-authorization ACL that grants limited access to new machines so that they can get all the necessary GPOs, certificates, etc.

    2. You can configure a rule based only on the machine certificate that allows limited access, which will allow the user certificate to be issued. After that, a CoA can be triggered and the user will then authenticate using both machine + user credentials.

    I hope this helps!

    Thanks for rating helpful posts!

  • Right way to restart an ISE PSN node in a distributed deployment

    Hi all

    Two of my ISE nodes (in a 1.2 8-node deployment) have expired admin CLI passwords (I know I'm stupid!)

    One is the secondary MnT node and one is a PSN node (1 of 4).

    I have some information on what I need to do to get a new password, but do I have to deregister the nodes first, or can I just restart them?

    Will my other three PSN nodes automatically re-authenticate users when the PSN node restarts, or should I request downtime?

    Thanks for any help in advance

    Mark

    Right, shouldn't be a problem.  You certainly wouldn't want to deregister it - you'd only do that if you needed to reimage or something like that.

    Just as a tip, if you only use wireless, you could always disable that particular PSN as a RADIUS authentication and RADIUS accounting server globally (not on the WLAN).  If you make a change to the WLAN, it will "bounce" the WLAN.  But if you globally "admin" disable that particular PSN, it will just keep the WLC from using it as a PSN until you turn it on again.

    Tim

  • Cisco ISE authorization

    Hello

    I want to know if it's possible in an ISE dot1x deployment to authenticate domain computers using EAP-TLS (certificate) and, after a successful authentication, authorize the user using AD domain users. I can't seem to get this to work; ISE just passes the authorization policy that I created with the AD reference.

    It seems that you can only authenticate and authorize with the same setting. I've been able to achieve this using MSCHAPv2.

    My goal is to authenticate the PC connection using the internal certification authority and also authorize users using AD membership.

    Thank you

    Although EAP chaining and EAP-FAST are not proprietary to Cisco, AnyConnect is the only supplicant I am aware of that currently supports the feature.

    The only other option, which I said you could use, is MAR (machine access restrictions), but I recommend against it unless the client knows the caveats associated with MAR.  With MAR the supplicant is configured to use "user or computer": when the user is logged off, the device authenticates using the computer account.  When the user logs in, the supplicant starts the authentication process using the user's credentials.  With MAR, ISE first checks that the machine authenticated before the user.   If this isn't the case, then the user is not allowed to connect.  The problem is that if the device goes into hibernation instead of the user logging off, the user may not be able to authenticate, as ISE does not see a machine auth.

    EAP chaining is the answer to the shortcomings of MAR.  This is because the computer and the user authenticate together each time.

    If their goal is to ensure that the device is a company-owned device, you can always consider posture as a way to ensure that.  You can have a registry entry or file on the computer which indicates the device is company-owned.  You would still have to install the posture agent, and it would change the licenses required, whereas EAP chaining is included in the Base license and posture requires Plus or Apex.

    The other out-of-the-box idea I've seen is to use GPO to change the name of the LAN NIC to

    something like "Local business network" and then, using profiling, you can create a custom profile that matches it.  See pages 91-114; there are several options listed, including those I already mentioned.

    http://d2zmdbbm9feqrf.CloudFront.NET/2015/ANZ/PDF/BRKSEC-3697.PDF

  • Changing the IP addresses of ISE 1.2 Administration nodes?

    Hello world.

    Currently, I don't have the means to simulate this (it would mean creating multiple virtual machines to test, and I don't have access to the memory and disk space to do it).

    I currently have a 6-node ISE deployment, with 2 central nodes (Administration and Monitoring) and 4 PSNs scattered around the country.

    The customer needs to move the hubs to their data center, and this will mean changing the IPs of both central nodes.

    What are the steps to do this? I've searched and couldn't find anything conclusive.

    My idea is this:

    1. Take the secondary node and deregister it from the deployment.

    2. Change the secondary's IP address (regenerate the cert if necessary).

    3. Change the DNS record for the secondary admin node.

    4. Move the secondary to the data center.

    5. Turn on the secondary admin node.

    6. Register the secondary admin node.

    7. Promote the secondary admin node to primary.

    8. Repeat the steps for the primary (now secondary) node.

    Of course, in the meantime I have to change the IP addresses of the RADIUS servers on all WLCs and switches.

    Will this work?  Are there additional aspects I need to consider?

    Thanks in advance.

    Dear Sir

    Your proposed plan seems logical, but you must take care of the following:

    "If you have registered a secondary Administration node (the new primary) after registering secondary Cisco ISE Policy Service and Monitoring nodes, you must restart the secondary Cisco ISE nodes that were registered before the secondary Administration node was registered."

    Quoted from http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_use.

    Thus, after step 7, you need to restart the 4 PSNs so that they communicate with the admin node AGAIN.

  • Procedure to make an ISE appliance an Inline Posture node

    Hi all

    I ask because I have 2 ISE-3315 appliances; one needs to be the primary Admin/Policy Service/Monitoring node, and the other then becomes the Inline Posture node.

    For preparing the Inline Posture node, what should I do?

    My questions are:

    01. For the appliance that is to become Inline Posture, do I simply boot it, install the OS from scratch (using version 1.1.1), then start the setup to initialize it, etc., like a normal install?

    02. When I register it, which deployment node persona should I choose for the Inline Posture appliance?

    The condition is that the Admin/Policy Service/Monitoring node will become the primary node, and registering the Inline Posture node will be the next action.

    Thank you

    Noel

    Noel,

    The scope of my comment was based on the deployment of ISE, the VPN nodes and the IPEP using RADIUS. The connection from the IPEP to the ISE admin node and vice versa will have adequate certs in place, because they use SSL to authenticate and encrypt their data.

    Thank you

    Tarik Admani
    * Please rate helpful posts *
