ISE v1.2 patch PSN 5 down, deleted endpoint identity

Please refer to the diagram. I'll make it simple and clear.

ISE version 1.2, patch 5

3 x POL (2 x virtual appliances)

1 LUN

1 Admin

Since January 8th we have had problems with ISE. The problems encountered were with endpoint profiling of devices such as the Cisco 1140 AP, but the device in question is a portable Motorola running Windows CE. Also, the MAC address of the Motorola is deleted from the endpoint identities every 4 to 6 hours, and we need to enter the MAC address manually for authentication to start working again.

We opened a case with Cisco TAC, and TAC advised that there is a bug in the software and we must upgrade to patch 17 or upgrade to 1.4, as ISE 1.4 is more stable than version 2.

A few days later, one of the nodes, POL3 (PSN in Cisco's terminology), went down, and one of our client WiFi SSIDs lost connectivity: the clients were unable to authenticate (the security WLC's AAA is on POL3, with an ISE group created for ad hoc network devices with MAC filtering). To solve the problem, we changed the WLC AAA to POL1 (PSN), and that made it work.

The next day another node, POL2, started flapping up and down, and other clients on the DATA SSID began reporting connection drops. We again changed the WLC AAA authentication IP to POL1, since that one works very well.

Now only 1 of the 3 POLs works, and the end clients on all three SSIDs are authenticated by the IP address of this one POL.

We went back to Cisco for help; they looked into this and said the POL nodes are not in sync, so ISE needs a reboot to fix this. Our management decided that if this requires a reboot to fix, why not upgrade us to ISE version 1.4. Cisco TAC mentioned the upgrade can take 3 to 4 hours, or maybe more depending on the server. Now we want to upgrade, but our network structure is complex and we do not want to lose ISE for 3 to 4 hours. We are a hospital, and all verification devices, doctor/patient computers, handheld devices and records are authenticated through ISE. We use ISE mainly for wireless.

That is the background story. Now, my question: can we reload the POL nodes one by one to resolve this problem? I also noticed there is another workaround: we have another ISE node from another hospital in our trust in our data center. It is a virtual appliance (ise-psn.web.com). On our WLC, the SSID of one of our main hospitals has two AAA servers configured: POL1 first and then the IP address of ise-psn.web.com. If we reload our ISE and the WLC fails over to the IP address of ise-psn.web.com, will this keep the SSID clients connected?

Please let us know; we are in a desperate situation and need advice on how to minimise downtime for our patient-critical applications that are connected wirelessly.

Hi there, and sorry you are in such a crappy situation. It's no fun!

To answer your questions:

#1. I would certainly recommend upgrading to a later version of ISE, or at least getting your current version onto the latest patch!

#2. Yes, you can reload the PSNs one at a time with no or minimal interruption of service. Your WLC detects that your first PSN is down and then moves to the second one configured under the SSID > AAA Servers. It is very important that your PSNs are in a node group. This way, if PSN-1 goes down, any sessions that were in the middle of the AAA process will get absorbed by another node in the node group. If the PSNs are not in a node group, clients trying to authenticate to the network at the time of the reload will have to start again.

#3. Once clients are authenticated and authorized, their traffic no longer traverses the PSN. So reloading the PSN will not affect clients that are already on the network. However, if a client needs to re-auth (due to inactivity, roaming, or a re-auth timer), then a working PSN is necessary, otherwise the AAA session will fail.

#4. Certainly, you can set up a third PSN under your SSID and use the PSN which is in the other hospital. As long as this node is part of the same ISE deployment and is synchronized with the PAN, you should be good to go. You can quickly test it by creating a temporary SSID > set that PSN as its primary RADIUS server > test it with a test computer.

I hope this helps!

Thank you for rating useful posts!
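
The failover behaviour described in #2 can be checked from the network side before touching the WLC. The script below is an added example, not code from the original thread or from Cisco: it builds a RADIUS MAB Access-Request (the Service-Type Call-Check form Cisco NADs send for MAC filtering, which is what the hospital's ad hoc devices use), sends it to each PSN in the same order the WLC would try them, skips any PSN that does not answer within the timeout, and only trusts a reply whose Response Authenticator verifies against the shared secret. The PSN host names, the shared secret, the NAS IP and the test MAC are placeholders to replace; the node-group session hand-off itself is not simulated.

```python
"""Probe an ordered list of ISE PSNs with a RADIUS MAB Access-Request.

Added example, not from the original post. The server order (primary PSN,
then fallbacks), the shared secret and the test MAC are placeholders.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_CALLING_STATION_ID = 6, 31
SERVICE_TYPE_CALL_CHECK = 10  # what Cisco NADs send for MAB


def _attr(atype, value):
    """One RFC 2865 TLV: type, total length (incl. header), value."""
    assert len(value) <= 253
    return struct.pack("!BB", atype, len(value) + 2) + value


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: MD5 keystream chained on ciphertext."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(cipher, secret, authenticator):
    """Inverse of pap_encrypt (only needed to show the hiding is reversible)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_request(mac, secret, nas_ip, ident, authenticator):
    """MAB: User-Name and User-Password are both the MAC, Service-Type Call-Check."""
    mac_attr = mac.encode()
    attrs = (
        _attr(ATTR_USER_NAME, mac_attr)
        + _attr(ATTR_USER_PASSWORD, pap_encrypt(mac_attr, secret, authenticator))
        + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
        + _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
        + _attr(ATTR_CALLING_STATION_ID, mac.upper().replace(":", "-").encode())
    )
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def verify_response(resp, request_auth, secret):
    """Return the response Code only if its Response Authenticator checks out, else None."""
    if len(resp) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return code if resp[4:20] == expected else None


def probe_psns(psns, mac, secret, nas_ip="192.0.2.10", timeout=2.0):
    """Walk the AAA server list in WLC order; return (server, code) for the first live PSN."""
    for host in psns:
        ident = os.urandom(1)[0]
        auth = os.urandom(16)
        pkt = build_mab_request(mac, secret, nas_ip, ident, auth)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(pkt, (host, 1812))
                data, _ = s.recvfrom(4096)
            except (socket.timeout, OSError):
                continue  # dead or unreachable PSN: fall through to the next, as the WLC would
        code = verify_response(data, auth, secret)
        if code in (ACCESS_ACCEPT, ACCESS_REJECT):
            return host, code
    return None, None


if __name__ == "__main__":
    # Placeholder hosts/secret/MAC: replace with your PSNs before running.
    print(probe_psns(["pol1.example", "pol2.example", "ise-psn.web.com"],
                     "00:11:22:33:44:55", b"change-me"))
```

An Access-Reject still counts as a live PSN (the node answered and signed its reply); only a timeout or an unverifiable reply moves the probe to the next server, which is the distinction that matters when deciding whether a reload will be absorbed by the next AAA entry.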

Tags: Cisco Security

Similar Questions

  • CWA ISE 1.2 Patch 7 possible guest bug

    Just upgraded an ISE deployment to patch 7 and discovered the patch broke the wireless CWA guest portal. I have not tested wired CWA, but wireless is down.

    In summary, the redirect works fine, but when you enter valid guest credentials nothing happens, including no log entry in ISE. If you enter credentials that do not exist in the guest group, you get an authentication failure and the corresponding log. As soon as I rolled back to patch 6 everything worked again.

    If any TAC engineers see this, feel free to follow up - I would open a case, but the kit is NFR and I can't be bothered going through the process of logging a case on NFR kit.

    Please visit CSCuo16503

  • ISE 1.3 (876) upgrade to ISE 1.4 patch 7 or newer

    Hi all

    I have a setup with approx. 12000 active connections and almost 19000 endpoints, based on a VM environment. Nodes as below:

    (1) one primary Admin node (20 GB RAM)

    (2) 3 PSNs (20 GB RAM each)

    (3) one MnT (16 GB RAM)

    The above setup is active and in production; we must move to the mentioned version without interruption of service. After reviewing all the documentation, I found that the applicable downtime is almost 1.5 to 2 hours, or at least 30-40 minutes per PSN and 1 hour for MnT. We use no profiling, only dot1x/MAB.

    We have a secondary admin node, but it is not added to the deployment. Please specify the best practices and steps to upgrade, with or without the secondary admin node, and the downtime involved.

    ++ Important: as you can see, we run at large scale (12000 connections) with fewer resources, so we expect to increase the RAM.

    In my opinion / from searching web pages, it is preferable to increase the RAM first and then plan the upgrade. I have a few questions that are not covered in the Cisco documents:

    (1) In case we upgrade the RAM, is it true that we need a fresh ISE VM installation (new admin/PSN/MnT), because the RAM upgrade will not be used by the old VM? For the record, it is mentioned that a fresh install is needed where we intend to upgrade.

    (2) I can see the CPU is near 3%, but I regularly receive alerts on average load. Is this calculated per core or overall? What is the command to check the CPU peak value and the number of cores assigned? We have 6 cores on the ISE (see inventory).

    Thanks in advance

    Kind regards

    Sam

    Hi Sameer,

    Let me know if you have any additional questions. Otherwise, please close the thread by rating it.

    Regards

    Gagan

  • ISE 1.2 and the maximum PSNs supported in my persona config

    Hello people, I am setting up a large-scale distributed ISE deployment and I was wondering if anyone could tell me the maximum number of PSNs allowed in this configuration. I was reading through an older training document for version 1.1 and it suggested 5, which is why I wonder if the specs changed in 1.2, but I can't find them anywhere.

    I have a large VM running the Primary Admin persona, which is also the secondary Monitoring & Reporting node, in my main data centre.

    In another state (connected by 10G) is another large VM acting as my Secondary Admin persona with Primary Monitoring & Reporting.

    Across several states I want to have multiple PSNs spread geographically per state, but I don't know if I can deploy enough of them with my current version 1.2 and the persona config listed above. I need about 12 to 15 PSNs.

    I was wondering if I need two more VMs to split the Monitoring persona out onto its own node in DC1 and a secondary Monitoring node in DC2 for more PSN scalability.

    Any help would be greatly appreciated.

    -Thank you

    As Marvin suggested, I would look at using 1.3 at this point, unless you have specific concerns with that version and really want to stay with 1.2. That being said, here are my recommendations/comments:

    - Both v1.2 and v1.3 actually support up to 40 PSN nodes

    - If any of your PSN nodes will be in the same location and are layer 2 adjacent, I recommend putting them in a node group and behind a load balancer. If you do not have a load balancer, I would still put them in a node group. At this time a node group can have up to 10 PSNs

    - If you have 10-15 PSN nodes then you should dedicate 2 nodes specifically to the Monitoring persona

    - The maximum round-trip time between all nodes must not exceed 200 ms

    For more information, you can always reference the "Network Deployment" section in the hardware installation guide for ISE:

    v1.3

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html

    v1.2

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/installation_guide/ise_ig/ise_deploy.html

    Thank you for rating useful posts!

  • ISE 1.2 patch 3 - sponsor portal default time zone changed to non-existent ECT

    Hello world

    We applied patch 3 to our ISE 1.2 cluster and after the upgrade all the sponsor accounts (externally authenticated on Active Directory) now have GMT+01:00 Europe/ECT as their default time zone. So the guest accounts get the same time zone and guest authentication fails.

    This is the error from ise-console.log:

    Comments:-com.cisco.cpm.guest.exceptions.PortalUserException: java.lang.IllegalArgumentException: zone of datetime id "ECT" is not recognized

    Comments:-to com.cisco.cpm.guest.edf.GuestUserAdaptor.isAcctValid(GuestUserAdaptor.java:489)

    I checked the administration interface and the 1.2 documentation but could find no default time zone setting for sponsor users.

    The time zone of the 3315 is CET:

    clock timezone CET

    One solution is to update the time zone in the sponsor portal settings for each sponsor user, but that is impractical.

    Does anyone else have the same problem?

    Kind regards

    Hello

    You hit bug CSCuj91050, I guess. This will be fixed in patch 4, I think, but for now you can go back to patch 2.

  • ISE posture requirement to check whether the endpoint's USB port is disabled

    Hello

    I wonder if it is possible to define "USB port disabled" on the endpoints as a requirement in ISE posture?

    Appreciate your comments.

    Mike

    If your question is about the ability of ISE itself to disable the USB port on a PC, the answer is no.

    Using the NAC agent, however, you can check various things and may be able to check the status of USB.

    You will need to create a new posture condition and remediation.

    The condition I will use in this example is a registry key.

    If the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" key has a value of 3, the USB is enabled.  A value of 4 is disabled.

    So set up a posture condition:

    Click Policy > Policy Elements > Conditions

    Choose Posture from the left menu:

    Then choose Registry Condition in the left menu.

    Click + Add to add a new posture condition:

    Then you must create remediation actions. Click the Results button at the top of the left menu:

    Choose Remediation Actions, then the remediation type you want to use. I chose Link Remediation.

    Click + Add to add a new link remediation:

    Choose Requirements from the menu on the left, and then create a new requirement that ties the condition to the remediation:

    Of course, you can choose different remediations if necessary for your environment.

    Please rate useful posts and mark this question as answered if it does in fact answer your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • ISE 2.0 authorization issue (patch 1)

    I'm running into a bit of a strange problem with ISE 2.0 (patch 1). I have a Win 7 laptop passing authC/authZ and getting an IP address, but it cannot access internal or external resources. It uses 802.1X with EAP-TLS with machine and user AD certs. I will be opening a TAC case on this issue as well.

    I just can't understand how the device can get an IP address but not access anything on the network. The laptop can release/renew the IP address, so it gets somewhere on the network.

    TIA for ideas.

    -Dan

    Looks like a DHCP snooping / device tracking issue: the auth session does not know the IP address of your Windows PC, and so the dACL is not applied. You can check with 'show ip access-list interface x/x'. Can you do a 'show ip device tracking interface x/x' and see if the IP of the device shows as active? Also, have you configured the settings recommended in the TrustSec universal switch configuration guide?

  • ISE 2.1 LDAP

    Hi all

    We run ISE 2.1 patch 1 and faced an interesting problem yesterday: our primary PSN lost its domain join, which meant our SOE machines were failing 802.1X and falling back to MAB.

    Are there other failover mechanisms for AD authentication (e.g. failover to the secondary PSN) that we can implement if this happens again? Has this happened to anyone before?

    Thank you

    James

    Hi James,

    If your PSN has been disconnected from the AD domain but the PSN is still active: failover will occur when the primary PSN goes down, and then authentication will be taken over by the next PSN configured on the NAD.

    However, if you use an identity source sequence in ISE, you can move from AD to LDAP/internal/RSA as per your configuration.

    I hope that helps!

    Regards

    Gagan

    PS: Rate if this helps!

  • Cisco ISE and the fast user switching

    Greetings,

    In our deployment, we are interested in using the "fast user switching" functionality of Windows. After searching for a while, I see that the native Windows supplicant is not compatible with fast user switching. It does not appear that AnyConnect is either. Can you please inform me as to what supplicant I need to research to enable the user switching functionality?

    We currently use ISE 1.2 patch 4.

    Thank you for any assistance.

    David

    The Cisco ISE NAC Agent does not support Windows fast user switching when you use the native supplicant. This is because there is no clear disconnect of the older user. When a new user is switched in, the agent is hung on the ID process and the old user session, and therefore a new posture cannot take place. As per Microsoft security policy, it is recommended to disable fast user switching.

    Source:

    http://www.Cisco.com/en/us/docs/security/ISE/1.2/user_guide/ise_pos_pol.html

  • Cisco ISE 1.1.2.145 admin authentication via LDAP

    I have configured LDAP and am able to retrieve our LDAP directory structure. Now I'm trying to point the "Admin Access" authentication source to 'External Identity', which is the new LDAP ID store I created. But I couldn't find an option to authenticate locally if for some reason the LDAP configuration does not work. I learned that ISE can automatically fall back to local auth when external identity sources are inaccessible. How can I test the LDAP authentication without breaking our Admin Access? I thought of opening two parallel sessions, one with the local Super Admin account and one with the domain account. But I noticed that ISE is smart enough to close the session/connection of any other sessions in different browsers, so basically I can't open two parallel sessions from the same machine to test. Suggestions? Or am I missing something here?

    Thanks in advance.

    Hi Srinivas,

    Even if you configure LDAP as the external identity source for admin access, you can always fall back to internal without getting locked out. According to the ISE user guide:

    During operation, Cisco ISE is designed to "fall back" and attempt to perform authentication from the internal identity database if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have configured external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the local Cisco ISE database by choosing 'Internal' from the identity store drop-down selector in the login dialog box.

    http://www.Cisco.com/en/us/docs/security/ISE/1.1/user_guide/ise_man_identities.html#wp1351543

    Please see the attached screenshot from my lab ISE:

    I configured admin authentication against AD, but I still see both 'Internal' and 'AD' at login time.

    I hope this helps.

    Thank you

    Aastha

  • ISE 2.0 domain / non-domain machine auth problem

    Hello

    Can anyone suggest an ISE 2.0 authorization policy for domain and non-domain computers?

    Requirement: computers in the domain should authenticate with a domain user ID & password using PEAP, but non-domain machines should not be able to authenticate using domain credentials entered in Windows.

    I tried using the "user or computer" parameter and selecting the authorization policy (domain computers & domain users).

    Thank you

    Kamlesh

    Are you doing a VLAN override for the guests? The reason I ask is that I've never been able to get this feature to work well. Instead, I have always preferred to use dACLs (switches) and Named ACLs (WLCs).

    If you are using this feature, I suggest increasing the timers a little and seeing if it works.

    For your license question:

    Cisco ISE licenses are counted as follows:

    • A Base or Advanced license is consumed based on the feature that is used.
    • An endpoint with multiple network connections can consume more than one license per MAC address. For example, a laptop connected on wired and wireless at the same time. Licenses for VPN connections are based on the IP address.
    • Licenses are allocated on simultaneous active sessions. An active session is one for which a RADIUS Accounting Start has been received but a RADIUS Accounting Stop has not yet been received.

    Note: Sessions without RADIUS activity are automatically purged from the Active Sessions list every 5 days, or if the endpoint is deleted from the system.

    To avoid service interruptions, Cisco ISE continues to provide services to endpoints that exceed the license entitlement. Cisco ISE instead relies on RADIUS accounting to keep track of concurrent endpoints on the network and generates alarms when the endpoint count exceeds the licensed amounts:

    • 80% Info
    • 90% Warning
    • 100% Critical

    Thank you for rating useful posts!
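
    The counting rules quoted above are easy to get wrong when you try to predict license consumption from your own accounting logs (a docked laptop on wired and wireless is two sessions; a VPN user is keyed by IP, not MAC; a Stop closes a session; an idle one ages out). The following is an added example, not code from the thread or from Cisco: it replays constructed Accounting Start/Interim/Stop records with those rules and maps the resulting concurrent count onto the 80/90/100% alarm levels. The record fields and the sample data are this script's own, not an ISE log format.

```python
"""Count ISE-style concurrent sessions from RADIUS accounting records.

Added example, not part of the original post. The records below are
constructed; field names (ts, status, mac, ip, conn) are this script's
own and do not reproduce any ISE log format.
"""
from dataclasses import dataclass

SESSION_PURGE_DAYS = 5  # from the thread: sessions with no RADIUS activity are purged after 5 days
THRESHOLDS = ((100, "CRITICAL"), (90, "WARNING"), (80, "INFO"))  # alarm levels from the thread


@dataclass(frozen=True)
class AcctRecord:
    ts: int       # seconds since epoch
    status: str   # "Start", "Interim-Update" or "Stop"
    mac: str      # Calling-Station-Id (empty for VPN in this sample)
    ip: str       # Framed-IP-Address
    conn: str     # "wired", "wireless" or "vpn"


def session_key(rec):
    """VPN sessions are keyed by IP; everything else by (connection type, MAC).

    Keying on connection type is what makes a laptop docked on wired while
    still on wireless consume two licenses, as the thread describes.
    """
    if rec.conn == "vpn":
        return ("vpn", rec.ip)
    return (rec.conn, rec.mac.lower())


def active_sessions(records, now, purge_days=SESSION_PURGE_DAYS):
    """Replay Start/Interim/Stop in time order; return the set of live session keys."""
    live = {}  # key -> timestamp of last accounting activity
    for rec in sorted(records, key=lambda r: r.ts):
        k = session_key(rec)
        if rec.status == "Start":
            live[k] = rec.ts
        elif rec.status == "Interim-Update" and k in live:
            live[k] = rec.ts
        elif rec.status == "Stop":
            live.pop(k, None)
    # Sessions with no accounting activity for purge_days drop off the list.
    cutoff = now - purge_days * 86400
    return {k for k, ts in live.items() if ts >= cutoff}


def license_alarm(active_count, licensed):
    """Return the alarm level the thread lists for this utilisation, or None below 80%."""
    pct = 100.0 * active_count / licensed
    for limit, level in THRESHOLDS:
        if pct >= limit:
            return level
    return None


T0 = 1_700_000_000  # constructed reference time for the sample data
SAMPLE_RECORDS = [
    AcctRecord(T0, "Start", "00:11:22:33:44:55", "10.0.0.5", "wireless"),
    AcctRecord(T0 + 10, "Start", "00:11:22:33:44:55", "10.0.1.5", "wired"),   # same laptop, docked: 2nd license
    AcctRecord(T0 + 20, "Start", "aa:bb:cc:dd:ee:ff", "10.0.0.6", "wireless"),
    AcctRecord(T0 + 30, "Stop", "aa:bb:cc:dd:ee:ff", "10.0.0.6", "wireless"),  # closed: no license
    AcctRecord(T0 + 40, "Start", "", "203.0.113.9", "vpn"),                   # VPN: keyed by IP
    AcctRecord(T0 - 6 * 86400, "Start", "de:ad:be:ef:00:01", "10.0.0.7", "wireless"),  # stale: purged
]


def demo(licensed=3):
    """Count the sample sessions at T0+100 and return (count, alarm level)."""
    count = len(active_sessions(SAMPLE_RECORDS, now=T0 + 100))
    return count, license_alarm(count, licensed)


if __name__ == "__main__":
    print(demo())
```

    Note that the replay only tracks what accounting reports; as the thread says, ISE keeps serving endpoints past the entitlement, so the alarm level is the signal to watch, not a loss of service.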

  • Cisco ISE machine has no machine authentication

    Hey, since we migrated to ISE 1.2 patch 7 we have had problems with our company SSID.

    We have a rule that essentially says:

    The user is a domain user.

    The machine is in the domain.

    But for some reason some workstations are denied with this:

    24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory

    I was wondering if I could force a sync?

    Hmm, when you restart the machine you should see an authentication entry that starts with "host/". Let's try this:

    1. Uncheck the 'Suppress repeated successful authentications' and 'Suppress anomalous clients' boxes

    2. Wait 10 minutes

    3. Restart the computer, try again, and let us know what happens
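
    The 24423 message above is the Machine Access Restriction (MAR) check failing: a user authentication is only allowed while ISE can still find a recent successful host/ (machine) authentication for the same MAC. The script below is an added example, not code from this thread or from Cisco: it replays a constructed sequence of authentications through a MAR cache and shows which user logins get the 24423 result, including the case where the cached machine authentication has simply aged out and a reboot (a fresh host/ authentication) clears it. The 6-hour aging window and the sample events are assumptions for the example; ISE's actual aging time is whatever is configured in the AD join point.

```python
"""Machine Access Restriction (MAR) lookup that reproduces the 24423 outcome.

Added example, not the post's or Cisco's code. Assumes MAR as described in
the thread: a successful machine (host/) authentication is cached per MAC,
and a later user authentication on that MAC passes only while the cache
entry is younger than the aging window. Window and events are constructed.
"""
from dataclasses import dataclass, field

MAR_AGING_SECONDS = 6 * 3600  # assumption for this example; ISE makes this configurable

MSG_24423 = ("24423 ISE has not been able to confirm previous successful "
             "machine authentication for user in Active Directory")


@dataclass
class MarCache:
    aging: int = MAR_AGING_SECONDS
    entries: dict = field(default_factory=dict)  # mac -> ts of last successful host/ auth

    def record_auth(self, identity, mac, ts, success):
        """Feed each authentication as it would appear in the live log."""
        if success and identity.startswith("host/"):
            self.entries[mac.lower()] = ts

    def check_user(self, identity, mac, ts):
        """Return (mar_ok, reason) for an authentication on this MAC."""
        if identity.startswith("host/"):
            return True, "machine auth, MAR not consulted"
        last = self.entries.get(mac.lower())
        if last is None:
            return False, MSG_24423  # never saw a host/ auth for this MAC
        if ts - last > self.aging:
            return False, MSG_24423  # machine auth exists but has aged out
        return True, "MAR hit (machine auth %d s ago)" % (ts - last)


def replay(events, aging=MAR_AGING_SECONDS):
    """Replay (ts, identity, mac, success) tuples; return one decision per event."""
    cache = MarCache(aging)
    decisions = []
    for ts, identity, mac, success in sorted(events):
        mar_ok, reason = cache.check_user(identity, mac, ts)
        decisions.append((ts, identity, mar_ok, reason))
        cache.record_auth(identity, mac, ts, success)
    return decisions


# Constructed live-log sequence: one laptop (MAC aa:...) boots, a user logs on,
# the user re-authenticates 7 h later, the laptop reboots, the user tries again.
# A second MAC (bb:...) only ever shows a user logon.
EVENTS = [
    (0, "host/LAPTOP1", "AA:AA:AA:AA:AA:01", True),
    (60, "DOMAIN\\alice", "aa:aa:aa:aa:aa:01", True),
    (100, "DOMAIN\\bob", "bb:bb:bb:bb:bb:02", True),
    (7 * 3600, "DOMAIN\\alice", "aa:aa:aa:aa:aa:01", True),
    (7 * 3600 + 5, "host/LAPTOP1", "aa:aa:aa:aa:aa:01", True),
    (7 * 3600 + 30, "DOMAIN\\alice", "aa:aa:aa:aa:aa:01", True),
]


if __name__ == "__main__":
    for ts, identity, ok, reason in replay(EVENTS):
        print("%6d  %-16s %-5s %s" % (ts, identity, ok, reason))
```

    The two failures in the replay are the ones the thread is chasing: bob's MAC never produced a host/ entry, and alice's cached machine authentication had aged out until the reboot refreshed it. That is also why step 1 above matters: with repeated successful authentications suppressed, the host/ entries you are looking for do not show up in the live log.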

  • PC profiled as a phone by ISE 1.4

    Hello

    I see that PCs attached to Cisco phones are profiled by ISE 1.4 (patch 3) as Cisco phones. When first attached to the switch (Cisco 6880, latest 15.2 version), the phone shows up correctly as "Cisco-IP-Phone-7911" and the PC is 802.1X authenticated OK and profiled as "Microsoft-Workstation".

    Within a minute the PC changes from "Microsoft-Workstation" to "Cisco-IP-Phone-7911" in the ISE endpoint list.

    When I open the PC in the endpoint list, I see that it has "inherited" the CDP details of the phone. When I disconnect and reconnect the phone/PC, they both get profiled by ISE as phones, and since the switch is configured for multi-domain authentication (one device authorized in each of the voice and data domains), the switchport is shut down because of a security violation.

    To work around this problem, I disabled CDP on the switch and enabled LLDP. The phone now shows up as "Cisco-IP-Phone" (the Cisco-IP-Phone-7911 profile requires CDP) and the PC is profiled as "Microsoft-Workstation".

    Is this an ISE or IOS bug? I had this problem with all available versions of the 15.2 train for the 6880. I am aware of bugs CSCuu97659 and CSCuu94127, but I thought these related to ISE 1.3 and earlier.

    Thank you
    Andy

    Hi Andy, I think you're hitting those bugs... and add CSCuu76087 to the mix :)
