ISE traffic prioritization

In ISE, can we prioritize VoIP or any other type of traffic, such as QoS?

Hello Muhammad-

ISE has no capabilities around QoS features like tagging, marking, policing, shaping, etc. ISE can apply an SGT/TrustSec tag, which can then be used by a switch/router to apply the QoS policy based on this tag.

I hope this helps!

Thank you for evaluating useful messages!

Tags: Cisco Security

Similar Questions

  • at the DB level traffic prioritization


    Hi all

    Oracle version: 11g r2

    operating system: hp - ux

    During business hours, report queries are running in production, which degrades performance and consumes most of the resources. In fact, a reports user had 4 open sessions
    running queries with parallel processes, consuming DB resources intensively, and after the sessions were killed, performance for other users connecting to the DB was very good. How can we avoid this scenario in the future?

    Is there some kind of "traffic prioritization" at the DB level, so that resources are not cannibalized, to avoid this problem in the future?

    Enjoyed the entries

    Prakash G R

    PMP, how many sessions you limit a user to via the user profile is a management decision.  Do users have a legitimate reason to have multiple connections to the database?  If not, then 2 1 or more likely would be a reasonable value, but it could be that many more is warranted.  How the application works enters into the recommendation that you give the direction.  If the user uses the default profile, then you will need to create another profile.  Other users can run the same query, so there might be users who should also be added to the new profile.

    - -

    Another factor to consider is how big a degree of parallelism was in use on each statement and how this degree has been assigned.  Parallelism should be used sparingly because it is easy for a negative impact on the entire database of spawning too many parallel session as you saw.  The default level of parallelism at the level of the table may be necessary to visit.  You haven't posted your database for the PQO feature setting.  This may also need adjustment.  This depends on how the PQO option is currently being implemented and controlled in your environment.

    - -

    The previously mentioned Database Resource Manager feature, managed via dbms_resource_manager, may also be part of the solution.

    - -

    HTH - Mark D Powell.

  • URL logging for guests using a guest anchor and ISE

    Hi all,

    I am looking for a solution by which I can log URL information for wireless guest users to ISE. The anchor WLC is located in a DMZ behind the ASA and the ISE is on the internal network. I found this document (see LINK below), which is similar but uses a NAC Guest Server and not an ISE.

    I wonder if someone managed to do it using ISE?

    http://www.Cisco.com/en/us/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#wlcc

    Hello. I have this script working successfully. The only thing different from the configuration in the supplied link is that you must specify UDP port 20514. Refer to the following line:

    logging host inside 192.168.215.16 17/20514

    Here the number 17 means UDP and the number 20514 is the port number.

    Please rate if this can help

  • Best practices of priority network traffic at the switch

    What is usually the best way to prioritize the traffic of a specific VLAN?

    I work with Differentiated Services to match the traffic of a specific VLAN and assign it to queue 6 of the switch, to give that traffic a higher priority than normal traffic. But I'm not sure about this configuration. I read about traffic priority on the switch, but I don't think I understood any of it.

    The policy is certainly working. In the web interface, I see that packets are offered for the DiffServ policy. I think I'm missing something...

    Config:
    policy-map {policy name} in
    class {class name}
    assign-queue 6
    exit
    interface port-channel 1
    service-policy in {policy name}

    Just a brief update: I think that my setup works fine. I figured out that the ping response delay has more to do with the terminal than with the configuration of the switch :)

  • AnyConnect FireSight through ISE user

    Hello!

    We installed ISE 2.1 for the AAA process for VPN users on an ASA5545x. AnyConnect users authenticate successfully and you can see the username in the logs on ISE. We also have FirePOWER modules in the ASA and the FireSIGHT 6.1 virtual appliance. How can we use ISE as an identity source for FireSIGHT?

    To inspect traffic on FirePOWER based on groups of users, or a user.

    Thanks for the help.

    Hello Serge, you can certainly do that by integrating both via PxGrid.

    Thank you for evaluating useful messages!

  • QNetworkAccessManager or similar for synchronous data traffic

    Hello world

    I use a priority_queue (in a separate thread) for my data to prioritize applications (e.g. thumbnail images first, then expansion of images, unless the user wants a specific expansion, then this application is accelerated) and JSON API calls.

    If I use QNetworkAccessManager as it is and dump queries in it, it will not address higher priority requests. I would like to make synchronous traffic. Is there a way to do it with QNetworkAccessManager, or is there another alternative way to do what you recommend?

    / Alexandre Yngling

    In case anyone else ends up here with the same question, I ended up using cURL instead. (It is included with the NDK; just #include and put LIBS += -lcurl in your .pro file.) Works very well.

    CF. http://curl.haxx.se/libcurl/c/example.html

    / Alexandre Yngling

  • Cisco ASA failover KeepAlive - classification and prioritization

    Hello

    I have a busy layer two link between data centers and must ensure that failover keepalive traffic between the ASA firewalls at each data center goes through.

    I want to implement layer 2 quality of service on the route. Can you classify and prioritize the ASA failover keepalive traffic? If so, what ports should I use, or is it already classified by the ASA?

    Thank you

    Hello

    If you want to apply QoS on the switched link between the ASAs, you need to:

    - Mark traffic on the switch interfaces facing the ASA failover interfaces

    - All intermediate switches must trust the QoS value and apply your QoS policy (reservation of bandwidth based on the QoS value chosen before).

    Assume that your primary unit failover IP is 192.168.100.1 and 192.168.100.2 is for the secondary unit.

    The ACL to classify the traffic is:

    From ASA1 to ASA2:

    ip access-list extended HA-ASA

    permit ip host 192.168.100.1 host 192.168.100.2

    From ASA2 to ASA1:

    ip access-list extended HA-ASA

    permit ip host 192.168.100.2 host 192.168.100.1

    Hope that answers your question.

    Thank you.

    PS: If this solved your problem, please do not forget to rate it and mark it as correct.

  • Check the ISE for the VPN Cisco posture

    Hello community,

    First of all, thank you for taking the time to read my post. I have a deployment which requires the Cisco ISE posture check feature for VPN machines. I know that, logically, once a machine is on the LAN, Cisco ISE can detect and apply posture checks on clients with the AnyConnect agent, but what about VPN machines? The VPN will terminate on a VPN concentrator, which then connects to an ASA5555X that is deployed as an IPS only. Are there any pointers on this?

    Thank you!

    The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. Once a VPN user connects, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user's computer to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Registry, Application, or Service rules.

    The posture validation results are then sent to the ISE. If the machine is considered compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed to access internal resources.

    http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-Appliance-ASA-software/117693-configure-ASA-00.html

  • ISE with WLC AND switches

    Hello

    We run 3x WLC controllers with 800 APs using ISE 1.2 for wireless 802.1X authentication. I was looking in the ISE config and noticed that, of 400 edge switches, only 2x 2960S are configured with 802.1X (ISE RADIUS config) and SNMP, and only 2 of the port is 2 ap tie with switch remaining ports, and the 3x WLC are in network devices.

    I do not understand how an access point does this work (802.1X), because they are located at different sites and people are connecting at various different locations. ISE has almost 11 876 profiled endpoints.

    version 12.2
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$ fokm$ lesIWAaceFFs.SpNdJi7t.
    !
    username test-RADIUS password 7 07233544471A1C5445415F
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    !
    !
    !
    !
    aaa server radius dynamic-author
     client 10.178.5.152 server-key 7 151E1F040D392E
     client 10.178.5.153 server-key 7 060A1B29455D0C
    !
    aaa session-id common
    switch 1 provision ws-c2960s-48 i/s-l
    authentication critical recovery delay 1000
    !
    !
    ip dhcp snooping vlan 29,320,401
    no ip dhcp snooping information option
    ip dhcp snooping
    no ip domain-lookup
    ip device tracking
    !
    logging of the EMP
    !
    crypto pki trustpoint TP-self-signed-364377856
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-364377856
     revocation-check none
     rsakeypair TP-self-signed-364377856
    !
    !
    crypto pki certificate chain TP-self-signed-364377856
     certificate self-signed 01
      quit
    dot1x system-auth-control
    dot1x critical eapol
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    no spanning-tree vlan 294-312,314-319,321-335,337-345,400,480,484-493,499,950
    !
    !
    !
    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause channel-misconfig (STP)
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery cause sfp-config-mismatch
    errdisable recovery cause gbic-invalid
    errdisable recovery cause psecure-violation
    errdisable recovery cause port-mode-failure
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause pppoe-ia-rate-limit
    errdisable recovery cause mac-limit
    errdisable recovery cause vmps
    errdisable recovery cause storm-control
    errdisable recovery cause inline-power
    errdisable recovery cause arp-inspection
    errdisable recovery cause loopback
    errdisable recovery cause small-frame
    errdisable recovery cause psp
    !
    vlan internal allocation policy ascending
    !
    !
    interface GigabitEthernet1/0/10
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/16
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/24
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/33
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/34
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/44
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/46
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/48
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/49
     description link GH
     switchport trunk allowed vlan 1,2,320,350,351,401
     switchport mode trunk
     mls qos trust dscp
     ip dhcp snooping trust
    !
    interface GigabitEthernet1/0/52
     description link CORE1
     switchport trunk allowed vlan 1,2,29,277,278,314,320,401
     switchport mode trunk
     mls qos trust dscp
     ip dhcp snooping trust
    !
    !
    interface Vlan320
     ip address 10.178.61.5 255.255.255.128
     no ip route-cache cef
     no ip route-cache
    !
    ip default-gateway 10.178.61.1
    ip http server
    ip http secure-server
    ip http secure-active-session-modules none
    ip http active-session-modules none
    !
    !
    ip access-list extended ACL-AGENT-REDIRECT
     deny udp any any eq domain bootps
     permit tcp any any eq www
     permit tcp any any eq 443
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     permit udp any eq bootpc any eq bootps
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host 10.178.5.152 eq 8443
     permit tcp any host 10.178.5.152 eq 8905
     permit udp any host 10.178.5.152 eq 8905
     permit tcp any host 10.178.5.152 eq 8906
     permit udp any host 10.178.5.152 eq 8906
     permit tcp any host 10.178.5.152 eq 8909
     permit udp any host 10.178.5.152 eq 8909
     permit tcp any host 10.178.5.153 eq 8443
     permit tcp any host 10.178.5.153 eq 8905
     permit udp any host 10.178.5.153 eq 8905
     permit tcp any host 10.178.5.153 eq 8906
     permit udp any host 10.178.5.153 eq 8906
     permit tcp any host 10.178.5.153 eq 8909
     permit udp any host 10.178.5.153 eq 8909
     deny ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny ip any host 10.178.5.152
     deny ip any host 10.178.5.153
     permit tcp any any eq www
     permit tcp any any eq 443

    ip radius source-interface Vlan320
    logging esm config
    logging trap alerts
    logging origin-id ip
    logging source-interface Vlan320
    logging 192.168.6.31
    logging host 10.178.5.150 transport udp port 20514
    logging host 10.178.5.151 transport udp port 20514
    access-list 10 permit 10.178.5.117
    access-list 10 permit 10.178.61.100
    snmp-server engineID local 800000090300000A8AF5F181
    snmp-server community W143L355 RO
    snmp-server community w143l355 RW
    snmp-server community lthpublic RO
    snmp-server community lthise RO
    snmp-server trap-source Vlan320
    snmp-server source-interface informs Vlan320
    snmp-server enable traps snmp authentication linkdown linkup coldstart
    snmp-server enable traps cluster
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps ipsla
    snmp-server enable traps syslog
    snmp-server enable traps vtp
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 10.178.5.152 version 2c lthise mac-notification
    snmp-server host 10.178.5.153 version 2c lthise mac-notification
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.178.5.152 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 03084F030F1C24
    radius-server host 10.178.5.153 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 141B060305172F
    radius-server vsa send accounting
    radius-server vsa send authentication

    any help would be really appreciated.

    I'm not sure that I completely understand the question, but if ISE is only doing wireless policy, then none of the wired switches need any ISE configuration.

    Access points tunnel all wireless traffic to the WLC over CAPWAP (unless you use FlexConnect). It is the 802.1X configuration on the WLC that implements the policies defined in ISE.

    Wired switches never need to act as a network access device (NAD) and so do not need to be defined in ISE unless or until you want to apply ISE policies to wired devices...

  • ISE v1.2 patch PSN 5 down, deleted endpoint identity

    Please refer to the diagram. I'll make it simple and clear.

    Patch version 1.2 of ISE 5

    3xPOL (2xVirtual devices)

    1 LUN

    1 Admin

    Since January the 8th we have had problems with ISE. The problem encountered was endpoint devices being profiled as (Cisco 1140 AP), but the device is a portable Motorola running Windows CE. Also, the MAC address of the Motorola is deleted from endpoint identity every 4 to 6 hours, and we need to add the MAC address manually for authentication to start working.

    We opened a case with Cisco TAC, and TAC advised that there is a bug in the software and it must be upgraded to patch 17 or upgraded to ISE 1.4, as it is more stable than version 2.

    A few days later, one of the nodes, POL3 (PSN in Cisco's terminology), went down, and one of our clients' WiFi SSIDs lost connection because they were unable to authenticate (WLC security is on POL3, with an ISE network device group created ad hoc with MAC filtering). To solve the problem, we changed the WLC security AAA to POL1 (PSN) to make it work, and since then it works.

    Later the next day, another node, POL2, started flapping (up/down), and clients of another SSID (DATA) started to report connection drops. We again changed the WLC AAA authentication IP to point to POL1, since it works very well.

    Now only 1 of the 3 POLs works, and the end clients of all three SSIDs are authenticated by the IP address of this POL.

    We reached out to Cisco for help; they looked into this and said the POL nodes are not in sync, so ISE needs a reboot to fix this. Our management decided that if this requires a reboot to fix, then why not upgrade to ISE version 1.4. Cisco TAC mentioned the upgrade can take up to 3 to 4 hours, or maybe more, depending on the server. Now we want to go ahead with the upgrade, but our network structure is complex and we do not want to lose ISE for 3 to 4 hours. We are a hospital, and all verification devices/doctor and patient computers/handheld devices/records are authenticated through ISE. We use ISE mainly for wireless.

    Now, that is the background story. My question is: can we reload the POL nodes 1 by 1 to resolve this problem? I also noticed there is another workaround: we have another ISE node, from another trusted hospital, in our data center. It is a virtual appliance (ise-psn.web.com). In our controller (WLC), the SSID of one of our main hospitals has two AAA authentication settings: the first is POL1 and the next is the IP address of ise-psn.web.com. If we reload our ISE and, in the WLC, add the IP address of ise-psn.web.com, will this keep the SSID clients connected?

    Please let us know; we are in a desperate situation where we need advice to minimize downtime of our patient-critical applications that are connected wirelessly.

    Hi there and sorry you are in such a crappy situation. It's no fun!

    To answer your questions:

    #1. I would certainly recommend upgrading to a later version of ISE or at least getting your current version onto the latest patch!

    #2. Yes, you can reload the PSNs one at a time with zero downtime and without interruption of service. Your WLC will detect that your first PSN is down and then move to the second one that is configured under the SSID > AAA servers. It is very important that your PSNs are in a node group. This way if the PSN-1 goes down, none of the sessions that have been in the middle of the AAA process will get absorbed by another node in node group. If the PSN is not in a node group, clients trying to authenticate to the network at the time of the reload will have to start again.

    #3. Once clients are authenticated and authorized, their data traffic no longer goes through the PSN. So reloading the PSN will not affect clients that are already on the network. However, if a client needs to re-auth (due to inactivity, slowed down or re-auth timer), then a working PSN is necessary, otherwise the AAA session will fail.

    #4. Certainly, you can set up a third PSN under your SSID and use your PSN which is in another hospital. As long as this node is located in the same ISE deployment and is synchronized with the PAN, then you should be good to go. You can quickly test it by creating a temporary SSID > make that PSN its primary RADIUS server > test it with a test computer.

    I hope this helps!

    Thank you for evaluating useful messages!

  • Can WoL work while the port is configured to authenticate through ISE

    Hi all

    I tried setting up WoL.

    With the L3 switch configuration I have no problem.

    Configuration of the L2 switch without the ISE configuration:

    interface fa0/1

    switchport access vlan 100

    switchport mode access

    spanning-tree portfast

    It works well, but after I put the ISE configuration on the port, WoL is not working.

    So please help: can I use ISE + WoL, or will there be problems because of that?

    I read about a command, "authentication control-direction in", which should enable ISE and WoL.

    So, will that affect anything?

    Thank you.

    Yes, that's correct. If you add the command "authentication control-direction in" on a switchport, then it will allow the WoL "Magic Packet" to be sent to the end device and wake it up.

    By default, a switchport configured for dot1x will only allow EAP traffic initially to the switchport (thereby breaking WoL). You don't need to add the command "authentication control-direction in" to allow WoL functionality to continue working while ensuring that the endpoint can still only send EAP frames to the switchport prior to 802.1X authentication.

  • FireSight and ISE User Identity Integration

    We are eager to move from CX/PRSM to FirePOWER/FireSIGHT. I am researching feature parity.

    Today, I use the integration of CDA with ISE to passively capture the identity of 802.1X-authenticated wireless employee users.

    The aim is to produce, on request, reports that map a username to their traffic in a passive way.

    I was told by a Cisco engineer that ISE was a consumable identity source for FireSIGHT in the same way that LDAP is with the User Agent. Furthermore, I was assured that this was the case without the permission of the pxGrid.

    I'm unable to find information proving it's true. The only thing I find is how to use ISE as an authentication method.

    I don't want to authenticate users actively. I just want to scrape user name information for reporting purposes. I read the following URL and it is not what I'm looking for in our current configuration.

    http://www.Cisco.com/c/en/us/support/docs/security/firesight-management-...

    I think before moving that Cisco plans to integrate these kind of multiple data sources in the user through PxGrid. Even if I would prefer CDA as it appears more stable than SFUA.

    There was some proof of concept of laboratory work has shown in Cisco Live Milan a couple of weeks.

  • ISE behind the load balancer

    I have a question about ISE profiling of the servers that are placed behind a load balancer:

    If you have an ISE environment where computers and users are authenticated and Machine Access Restrictions (MAR) is enabled (so that users can authenticate only on a machine that is already authenticated), are the ISE servers aware of all successful computer authentications handled by other ISE servers?

    For example:

    There are 2 ISE appliances (ISE01 and ISE02) behind a load balancer.

    A user starts the computer and the computer authentication is handled by ISE01 (and the authentication is successful). At the moment that the user logs on to this computer, the load balancer selects ISE02 to authenticate the user.

    Will ISE02 be aware that the computer has already been properly authenticated on ISE01, so that users are able to connect? Or does it refuse authentication of the user, because it thinks that the computer is not (yet) authenticated and Machine Access Restrictions is enabled?

    Kind regards

    Bert

    Are the ISE servers aware of all successful computer authentications handled by other ISE servers?

    => No

    They are independent servers that replicate the configuration.

    So a user must always authenticate with the same ISE.

    In addition, a load balancer kills profiling, since profiling requires you to cover a portion of the traffic at the ISE.
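The behaviour described in this answer, as an added simulation that is not part of the original thread: each node keeps its own MAR cache, so a balancer without persistence rejects the user logon, while persistence keyed on the endpoint keeps machine and user authentication on the same node. The class and function names, the MAC-based persistence key and the request list are assumptions made for the illustration.

```python
import hashlib
from itertools import cycle


class PolicyNode:
    """Toy stand-in for one ISE node; its MAR cache is local, not replicated."""

    def __init__(self, name):
        self.name = name
        self.mar_cache = set()  # MACs whose machine authentication succeeded here

    def authenticate(self, mac, kind):
        if kind == "machine":
            self.mar_cache.add(mac)
            return True
        # User authentication with MAR enabled: the machine must be known locally.
        return mac in self.mar_cache


def round_robin(nodes):
    """Balancer without persistence: every request goes to the next node."""
    ring = cycle(nodes)
    return lambda mac: next(ring)


def sticky_by_mac(nodes):
    """Balancer with persistence keyed on the endpoint MAC (assumed key)."""
    def pick(mac):
        digest = hashlib.sha256(mac.lower().encode()).digest()
        return nodes[digest[0] % len(nodes)]
    return pick


def simulate(make_picker, requests):
    """Replay (mac, kind) requests; return (mac, kind, node, accepted) tuples."""
    nodes = [PolicyNode("ISE01"), PolicyNode("ISE02")]
    pick = make_picker(nodes)
    log = []
    for mac, kind in requests:
        node = pick(mac)
        log.append((mac, kind, node.name, node.authenticate(mac, kind)))
    return log


def rejected_users(log):
    """User logons refused because the serving node never saw the machine."""
    return [(mac, node) for mac, kind, node, ok in log if kind == "user" and not ok]


# Constructed request sequence: each computer boots, then its user logs on.
REQUESTS = [
    ("00:11:22:33:44:55", "machine"),
    ("00:11:22:33:44:55", "user"),
    ("66:77:88:99:aa:bb", "machine"),
    ("66:77:88:99:aa:bb", "user"),
]

if __name__ == "__main__":
    for label, picker in (("round-robin", round_robin), ("sticky", sticky_by_mac)):
        print(label, "rejected:", rejected_users(simulate(picker, REQUESTS)))
```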

  • Configs ISE Cisco switch

    I guess Cisco ISE sends a redirect URL to the switch, and the switch presents it to the client in the case of guest access, to get a redirect URL with the user acceptance page (guests, wired or not).

    My question is, do we need to configure the http and https server on the switches (both supplicant and authenticator)?

    I don't know that it will take a confirmation, but just wanted to...

    I checked the configuration for the supplicant and authenticator switches for ISE, and nowhere is this part of the config mentioned.

    http://www.Cisco.com/en/us/docs/security/ISE/1.0/user_guide/ise10_troubleshooting.html (a redirect URL and a possible cause of the problem are mentioned) - to make sure that the config is necessary.

    http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html

    (the supplicant and authenticator switch configuration) - nowhere is the http/https configuration mentioned for the two switches.

    Yes, it is needed.  The HTTP/S server in the switch is used to retrieve the user's HTTP traffic and redirect the traffic to the CWA portal, or a device registration portal, or even the Mobile Device Management (MDM) onboarding portal.

    ip http server

    ip http secure-server

    The info below I took from the book Cisco ISE for BYOD and Secure Unified Access.

    "Many organizations want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the risk of the user interacting with the management interface and control plane of a switch."  This can be accomplished by entering the following two commands in global configuration mode:

    ip http active-session-modules none

    ip http secure-active-session-modules none

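A small configuration check for the two switch-side points made in this thread and in the WoL thread further up, as an added example that is not from either post: it flags a switch whose HTTP(S) server is enabled for redirection without the two `active-session-modules none` commands, and lists 802.1X access ports that lack `authentication control-direction in`. The function names and the sample configuration are constructed for the illustration; the WoL finding is informational, since not every port needs WoL.

```python
REDIRECT_GLOBALS = ("ip http server", "ip http secure-server")
ISOLATION_GLOBALS = (
    "ip http active-session-modules none",
    "ip http secure-active-session-modules none",
)

# Constructed sample configuration for the example (not the poster's switch).
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
!
interface GigabitEthernet1/0/10
 switchport mode access
 authentication order dot1x mab
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/11
 switchport mode access
 authentication control-direction in
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/49
 switchport mode trunk
!
"""


def parse(config):
    """Split an IOS-style config into global commands and per-interface commands."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace() and current is not None:
            interfaces[current].add(line)        # indented line: interface sub-command
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        else:
            current = None                        # any top-level line closes the block
            if line != "!":
                global_cmds.add(line)
    return global_cmds, interfaces


def audit(config):
    """Return (scope, message) findings for redirect and WoL related settings."""
    global_cmds, interfaces = parse(config)
    findings = []
    for cmd in REDIRECT_GLOBALS:
        if cmd not in global_cmds:
            findings.append(("global", f"missing '{cmd}': URL redirect will not work"))
    if any(cmd in global_cmds for cmd in REDIRECT_GLOBALS):
        for cmd in ISOLATION_GLOBALS:
            if cmd not in global_cmds:
                findings.append(
                    ("global", f"missing '{cmd}': redirect HTTP server is not "
                               "decoupled from switch management"))
    for name, cmds in sorted(interfaces.items()):
        dot1x_port = "authentication port-control auto" in cmds
        if dot1x_port and "authentication control-direction in" not in cmds:
            findings.append(
                (name, "802.1X port without 'authentication control-direction in': "
                       "WoL magic packets are not sent out before authentication"))
    return findings


if __name__ == "__main__":
    for scope, message in audit(SAMPLE_CONFIG):
        print(f"{scope}: {message}")
```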
  • ISE 1.3 guest activity

    Hello

    In ISE version 1.3, is there a possibility that I can view guest activity and export it via FTP?

    What I'd like to see is: which user opens which site/service. What kind of activity the guest carried out while using our guest WiFi.

    Regards

    Filip

    Hello Filip. Such an option is available to the ISE. In addition, only the guest authentication traffic hits ISE. Once authenticated, the guest user's data traffic no longer goes through ISE, so ISE has no visibility into what the user is doing on the network.

    This type of information would be better obtained from your web security appliance, for example if you have Cisco WSA/CWSA.

    Thank you for evaluating useful messages!
