Logical profiles in ISE 1.2.1

I'm having difficulty understanding the logic of logical profiles.

What I understand from the User Guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_use...

For those too lazy to read:

You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple authorization condition, which can be included in the authorization rule. The attribute/value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which is found in the Endpoints system dictionary.

So I thought this meant that I could combine different profiles (Apple iPhone, iPad, iPod) into a logical group, for example "BYOD_Idevice", and use this logical profile in the authorization.

But I can't choose this newly created logical group in the authorization condition. In fact, I can't choose this logical group ANYWHERE.

Leaning back and thinking about it, it is kind of logical. In the authorization you don't choose profiles, you choose identity groups. So what is the point of logical profiles? I expected to lean/clean up my rules with them. But what else would I use them for?

Or is this a bug in ISE 1.2.1? I don't know whether I should call TAC about this, or whether I'm just not getting it :D

Thanks a lot for your help!

Nice username! :)

So yes, you are right: logical profiles allow you to group different types of dynamically profiled devices and then reference the profile in your authorization rules. However, you will not see these logical profiles under the "Identity Group Details" heading. You should leave this field blank. Instead, you should look in the 'second' condition area: Expression > Endpoint > LogicalProfile

I hope this helps!

Please rate helpful posts!

Tags: Cisco Security

Similar Questions

  • New AnyConnect NAM profile from ISE to the client

    Hello

    I'm in the middle of implementing Cisco ISE in a network. After some users had connected via dot1x and installed AnyConnect, which I configured for Client Provisioning, they came to me with the question whether wireless networks could be pushed automatically with the AnyConnect profile. Certainly, I said, and I changed the NAM profile.

    All is well for newly connecting users, but users who have already logged in do not get the updated profile. Is it possible to push a new AnyConnect profile or configuration from Cisco ISE?

    Greetings,

    Carlo

    That is a good question.

    I don't know if it's the most effective or the only way, but couldn't you force users to go back through Client Provisioning by adding a Posture policy that evaluates the NAM profile?

  • How to install the 32-bit web server on Oracle Linux 7 (64-bit) for Siebel SWE?

    Hello community,

    I'm setting up a sandbox Siebel installation in a VirtualBox machine using Oracle Linux 7, Oracle DB 12c and Siebel 15.5.

    I got through the whole installation process fine, since it has come a long way from previous versions.

    However, I still have one remaining item that I have not been able to solve: the web server.

    Originally, I installed the 64-bit version of Oracle HTTP Server 11g from Web Tier, which went well.

    However, after applying the SWE logical profile, the web server would fail to start, given that 32-bit libraries cannot be interpreted in 64-bit.

    Therefore, I tried to download the 32-bit Web Tier HTTP server, only to find out that I could not even install it using the linux32 command.

    Finally, I tried to build my own Apache server, which required me to also build the apr and apr-util libs.

    It went beautifully.

    [siebel@sbl-lab bin]$ ./apachectl -V
    Server version: Apache/2.4.17 (Unix)
    Server built:   Nov 11 2015 00:41:35
    Server's Module Magic Number: 20120211:51
    Server loaded:  APR 1.5.4, APR-UTIL 1.5.2
    Compiled using: APR 1.5.4, APR-UTIL 1.5.2
    Architecture:   32-bit
    Server MPM:     event
      threaded:     yes (fixed thread count)
        forked:     yes (variable process count)
    Server compiled with....
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=256
     -D HTTPD_ROOT="/opt/siebel/apache"
     -D SUEXEC_BIN="/opt/siebel/apache/bin/suexec"
     -D DEFAULT_PIDLOG="log/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"

    However, once I started the web server after applying the SWE, I received the following message:

    [siebel@sbl-lab bin]$ ./startapa
    httpd: Syntax error on line 503 of /opt/siebel/apache/conf/httpd.conf: API module structure 'swe_module' in file /opt/siebel/apache/modules/libmod_swe.so is garbled - expected signature 41503234 but saw 41503232 - perhaps this is not an Apache module DSO, or was compiled for a different Apache version?

    I've been contemplating installing a chroot, a container or even another virtual machine exclusively for the web server.

    Before proceeding with additional measures that I might regret, could you please tell me how you would proceed in this case?

    Thanks in advance

    Kind regards

    Alejandro Soto Laguas

    Never mind, I checked the certifications and Apache 2.2 should be used instead of Apache 2.4.

    Everything is ok now.

  • What is a trigger in the OIM process?

    What is a trigger in the OIM process? Please explain briefly. How do I create a custom trigger?

    Thank you

    What is a trigger in the OIM process

    It decides "what tasks must get triggered on a change of a field in the OIM user profile." The logic is already implemented in OIM and only a small configuration is required to add new triggers.

    Just to add a small thing to Suren's comment:

    You will find entries like this in the lookup:

    USR_LAST_NAME - Task name (any task name)

    This means that whenever there is a change in the user's last name (USR_LAST_NAME) in OIM, it will trigger all the tasks that are mapped in the lookup. You can have more than one task for the same field.

    USR_LAST_NAME - Task1 (any task name)
    USR_LAST_NAME - Task2 (any task name)

    Suren shared the steps for creating new triggers.

  • Multiple Thunderbird installations in different OSes on the same computer accessing a profile on a common logical drive

    I installed Windows 8.1 as a second OS on a machine that already has Windows 7 (and Thunderbird). The hard disk is partitioned and the Thunderbird profile files are on a separate logical drive available to both operating systems under the same drive letter.

    I ran into two problems:

    1. While the new Thunderbird installation on Win 8.1 sees all mail folders and messages (and can get new messages from the POP3 account), this installation does not see the address books within this same profile, and

    2. it does not send correctly via SMTP (even with the same account settings).

    Regarding the latter, I remember from working with Thunderbird and its predecessor that the SMTP password was set on first use but never appeared for editing purposes; the only time it ever appeared was during the creation of a new SMTP server. In this case, I don't see where I can re-enter the SMTP password. I tried to create a new SMTP configuration, but it did not help. I entered the correct password, but it failed. Any ideas on how I can get this set up?

    With the address books, even though this new Thunderbird installation knows where the profile is (as evidenced by the fact that it does see mail folders and messages), it does not see the address books. Again, I don't see where the setting for the location of the address book is. I looked for the familiar file that tells the program where to find everything, but I could not find it in this new Win 8.1 installation.

    Any ideas on these two issues would be greatly appreciated!

    I finally found the answer. I was able to display the Users folder in Win 8.1. I just copied the Thunderbird files from the Win 7 Users\UserName\AppData\Local and Users\UserName\AppData\Roaming directories to the same locations in the 8.1 Users folder.

    As soon as I did that and restarted, my SMTP was fixed and all address books were available. (And of course, it still works in the Win 7 world, too.)

    From what I can glean, the data in these folders communicates key information to Thunderbird that is not covered by the profile folder setting in the program itself.

    I don't know whether copying these folders is what the 3rd-party tools promise to help with when relocating existing installations, but it should be.

    As a reminder, I'm trying Win 8.1 on the same computer as a pre-existing Win 7. I wanted to use the same familiar programs, obviously including Thunderbird, with the same configuration and access to the same mail and address books located on a common additional logical drive.

    Copying these files to the new operating system, as well as pointing the new program installation to the existing Thunderbird profile, accomplished all of this.

  • Securing the network with ISE profiling of HP devices

    Hello

    How can I create a profile for Hewlett Packard printers and let them on the network without allowing any other HP device access? I want to allow only HP printers. I don't want to let HP laptops, desktop computers, notebooks, etc. on.

    I prefer not to let them on the network using MAB.

    Thank you

    Bob

    It is a common use case. The ISE Profiling Design Guide (see page 76 onward) presents at least one way of doing this: using the NMAP Scan endpoint probe.

  • Re-evaluating previously profiled endpoints in ISE

    Hello

    I had a look at MAC spoofing with ISE 2.1.0.474.

    I use the RADIUS, SNMP trap and query, and DHCP probes. A Cisco 7911 phone is correctly profiled as "Cisco-IP-Phone-7911". The endpoint in ISE shows all the correct cdp/lldp/dhcp details.

    When I connect my Windows laptop (spoofing the phone's MAC), the laptop is authenticated as the phone. The endpoint is still profiled as "Cisco-IP-Phone-7911"; the endpoint shows the correct dhcp details for the laptop but retains the cdp/lldp details previously learned from the phone. I checked the switch: the device sensor cache has no cdp/lldp details for the connected laptop, and device sensor accounting sends only the laptop's dhcp TLVs to ISE.

    If I delete the endpoint in ISE and connect my laptop (again spoofing the phone's MAC), ISE properly profiles the laptop as "Microsoft-Workstation".

    When I disconnect the laptop and reconnect the phone, ISE re-profiles the endpoint as "Cisco-IP-Phone-7911" based on the newly learned cdp/lldp information.

    ISE can learn new endpoint details through the probes and re-profile the endpoint, as shown above. Am I right in saying that ISE does not re-profile the endpoint when new attributes are learned, because some attributes (for example cdp/lldp) are retained?

    Thank you
    Andy

    Hello Andy,

    What you are experiencing is correct and is the expected behaviour with the current ISE mechanisms. There is an enhancement request that was filed some time ago, but it has not seen much traction:

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCur48184

    The only time a device would move from one profile to another is when a profiling rule with a higher certainty factor is matched. For example, if you create a custom rule with a CF of 100 and this rule is hit, then the device profile will never move to another rule whose CF is less than or equal to that.

    As you can tell, profiling is not bulletproof. This is why it is recommended to restrict network access for the targeted devices. For example, IP phones should only need to reach the voice subnets and the PBX, printers should only need to access the print servers on specific ports, etc.

    I hope this helps!

    Please rate helpful posts!
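    As an added example (not Cisco's code and not the posters'), the following Python models the behaviour Andy observed together with the CF rule from the reply: attributes learned by probes are retained on the endpoint, and the profile only moves when another policy reaches a strictly higher total CF. Policy names, attribute names, CF values and the probe data are constructed; the `conflicting_evidence` check shows how a defender could flag an endpoint whose fresh DHCP evidence contradicts its assigned profile.

```python
"""Simplified model of the ISE profiler behaviour described above (added example, not
Cisco code): attribute names, CF values, policies and endpoint data are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field

# attribute learned by a probe (CDP, DHCP), value prefix to match, CF added on match
Condition = namedtuple("Condition", "attribute value cf")

# Constructed policies: the CFs of all matched conditions are added up.
POLICIES = {
    "Cisco-IP-Phone-7911": [
        Condition("cdpCachePlatform", "Cisco IP Phone 7911", 70),
        Condition("dhcp-class-identifier", "Cisco Systems, Inc. IP Phone CP-7911G", 30),
    ],
    "Microsoft-Workstation": [
        Condition("dhcp-class-identifier", "MSFT 5.0", 20),
        Condition("host-name", "WIN-", 10),
    ],
}
MIN_CF = 10  # a policy needs at least this total CF to be assigned at all

# Constructed probe data for the two devices in the thread (same spoofed MAC).
PHONE_CDP_DHCP = {"cdpCachePlatform": "Cisco IP Phone 7911",
                  "dhcp-class-identifier": "Cisco Systems, Inc. IP Phone CP-7911G"}
LAPTOP_DHCP = {"dhcp-class-identifier": "MSFT 5.0", "host-name": "WIN-LAPTOP01"}


@dataclass
class Endpoint:
    mac: str
    attributes: dict = field(default_factory=dict)  # everything learned so far
    profile: str = "Unknown"

def matched(policy, attrs):
    """Conditions of `policy` whose value is a prefix of the learned attribute."""
    return [c for c in POLICIES.get(policy, [])
            if attrs.get(c.attribute, "").startswith(c.value)]

def learn(ep, new_attrs):
    """Merge probe data and re-evaluate. Attributes the new probe did not report
    (CDP for a laptop) are RETAINED; the profile only moves to a policy whose CF
    is strictly higher than the current one, as the reply above explains."""
    ep.attributes.update(new_attrs)
    best_cf = sum(c.cf for c in matched(ep.profile, ep.attributes))
    for name in POLICIES:
        cf = sum(c.cf for c in matched(name, ep.attributes))
        if cf >= MIN_CF and cf > best_cf:
            ep.profile, best_cf = name, cf
    return ep.profile

def conflicting_evidence(ep):
    """Defender check: attributes matching a policy OTHER than the assigned profile.
    Fresh workstation DHCP data on a phone-profiled endpoint shows up here."""
    return sorted((c.attribute, ep.attributes[c.attribute])
                  for name in POLICIES if name != ep.profile
                  for c in matched(name, ep.attributes))

def run_scenario():
    """Replays the thread: phone, spoofing laptop, endpoint deleted, laptop, phone."""
    ep = Endpoint("00:11:22:33:44:55")  # constructed MAC
    steps = [learn(ep, PHONE_CDP_DHCP), learn(ep, LAPTOP_DHCP)]
    conflicts = conflicting_evidence(ep)
    ep = Endpoint(ep.mac)  # the admin deletes the endpoint in ISE
    steps += [learn(ep, LAPTOP_DHCP), learn(ep, PHONE_CDP_DHCP)]
    return steps, conflicts
```

    The second step stays on the phone profile even though the laptop's DHCP data is present, which is exactly what `conflicting_evidence` surfaces for an alert or a restricted authorization result.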

  • ISE v1.4: "WARNING: Profiler Queue size limit is reached"

    Hi all

    We upgraded our 10 ISE nodes from v1.2.1 to v1.4 Patch 6 some weekends ago. Since then, we have been getting the above alarm message very frequently (often every five minutes) and it's really annoying.

    Six of the ten nodes have the PSN persona and they do not seem to be under any large load (fewer than 10,000 active endpoints shared between them), and the CPU, memory and latency readings are all very low.

    I wonder if I have run into the following Cisco bug:

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCuw93839

    Unfortunately, Cisco provides little information on the bug above, so I can't be sure.

    Has anyone encountered this?

    Thank you.

    Regards,

    Inayat

    I think it may actually be the following problem:

    CSCuy20317: error "Profiler queue limit reached" in 1.3/1.4 patch 5+.

    If that is the issue, the good news is that 1.4 patch 7 has been posted and includes a fix for this problem.

    Curious to know how you get on.

  • ISE is not profiling devices properly

    Hi friends,

    Can someone help me? I use ISE 2.0, but it really does not profile devices properly; printers are identified as Cisco routers and switches.

    Thank you.

    Two questions:

    1. Which profiling probes have you activated?

    2. Is this for wired or wireless?

    Please rate helpful posts!

  • PC profiled as a phone by ISE 1.4

    Hello

    I see PCs attached to Cisco phones being profiled by ISE 1.4 (patch 3) as Cisco phones. When first attached to the switch (Cisco 6880, latest 15.2 release), the phone shows up correctly as "Cisco-IP-Phone-7911", and the PC is 802.1X authenticated OK and profiled as "Microsoft-Workstation".

    Within a minute the PC changes from "Microsoft-Desktop" to "Cisco-IP-Phone-7911" in the ISE endpoint list.

    When I open the PC in the endpoint list, I see that it has "inherited" the cdp details of the phone. When I disconnect and reconnect the phone/PC, both get profiled by ISE as phones; the switch is configured for multi-domain access (one device authorized in each of voice and data), so the switchport is shut down because of a security violation.

    To work around this problem, I have disabled cdp on the switch and enabled lldp. The phone now shows up as "Cisco-IP-Phone" (the Cisco-IP-Phone-7911 profile requires cdp) and the PC is profiled as "Microsoft-Workstation".

    Is this an ISE or IOS bug? I have had this problem with all available versions of the 15.2 train for the 6880. I am aware of bugs CSCuu97659 and CSCuu94127, but I thought these related to ISE 1.3 and earlier versions.

    Thank you
    Andy

    Hi Andy, I think you're hitting these bugs... and add CSCuu76087 to the mix :)

  • ISE authorization profile to grant limited access to wireless clients

    Hello

    I'm in the process of building sponsored guest access for wireless clients in ISE running software version 1.3.

    I wonder if there is a way to keep the client on the initial VLAN after a successful authentication and grant Internet access only. I mean, I don't want to assign a different VLAN and restrict its access with an ACL applied on the Layer-3 VLAN interface.

    I could have done it with a dACL if the client connected through the wired network, but because the wireless controller does not accept dACLs, I'm not aware of any way to do it without changing the VLAN.

    I appreciate your ideas.

    Mike

    Of course: simply create the ACL you want to use for your guests directly on your WLC and then reference the name of the ACL in your authorization profile in the option named 'Airespace ACL Name'.

  • ISE licenses and profiling service

    Hello

    I tried to find an explanation of how ISE licenses are consumed, but I'm still not sure about one thing.

    With the licenses, when the profiling service is enabled, is the endpoint count consumed from the Plus license for each endpoint that has been profiled and authenticated, or will the count be consumed from the Base license first?

    A device that authenticates consumes a Base license.

    A device that is profiled consumes a Plus license.

    A device that is authenticated and profiled consumes both.

    That's why you need at least as many Base licenses as Plus or Apex licenses.

    Please rate helpful posts and mark this question as answered if it does, in fact, answer your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • ISE onboarding process profile download

    Dear all,

    I have a small question about ISE onboarding and the provisioning process.

    When the client connects to the SSID, ISE will download the configuration to the client and will change the adapter configuration.

    My question is, does the verification of the client profile configuration happen every time the client connects? If yes, will ISE download the profile every time the client connects or not?

    In case ISE downloads the configuration once and checks the configuration each time the client connects (which makes sense), do we have a cache on ISE for each client that says whether this client has a correct profile or not? If so, after how long should the cache entry be deleted?

    Kind regards

    Mohammad incredibly

    Hi Mohammad.

    Once a device is provisioned/onboarded, it should not go through the 'client provisioning' process again. Instead, it has to hit a different rule that is placed above your 'client provisioning' rule in ISE. For example, if your onboarding configures the client to perform EAP-TLS with a certificate, then once the device's supplicant is configured to complete EAP-TLS and has obtained a certificate, you should have a rule above the onboarding rule which checks for EAP-TLS.

    I hope this makes sense. Let me know if you need further clarification.

    Please rate helpful posts!

  • [ISE or ACS] EAP-TLS or profiling on the same SSID

    Hello

    I want to configure only one SSID to connect 2 types of devices:

    • Devices with certificates connect to this SSID using EAP-TLS
    • Devices without certificates are profiled by ISE (or ACS verifies their MAC addresses)

    Could this work?

    How can I configure this type of SSID on the WLC?

    • 802.1X works
    • 802.1X + MAC filtering works.
    • I failed to configure 802.1X or MAC filtering...

    Thanks for your help,

    Patrick

    Hello Patrick.

    Unfortunately, I don't think that's currently possible in the Cisco wireless world with a single SSID. For your example, you will need two separate SSIDs. Something similar has been asked before:

    https://supportforums.Cisco.com/discussion/11941331/isewireless-nacone-SSID-MAB-and-dot1x

    I hope this helps!

    Please rate helpful posts!

  • Cisco ISE profiling - split corporate/guest access

    Hi all

    I'm currently deploying Cisco ISE for my wireless network and I would like to divide my WLAN into two different "authorization profiles": guest and corporate.

    For now, I use my Active Directory to authenticate users and profiling to authorize the device by its hostname. I would like to sort by domain name with the DHCP probe, but I can't because there is always a DHCP response message with the domain given by the DHCP server. Do you have a solution to separate devices by domain name or other attributes?

    Thanks in advance for your answer!

    You can create different authorization profiles based on the identity group they belong to; therefore, make two profiles based on two group memberships (guests / corporate AD users) and assign them different access. Consult the ISE 1.2 config guide.
