Reimage ISE 1.1.4 on NAC 3355 Server Issues
G'day All,
I am currently having problems reimaging a NAC 3355 server with ISE. I successfully downloaded the ISO for ISE 1.1.4 and burned it to a DVD. I went through the reimage process, with all packages being installed successfully (or so it seems); there was no problem while the packages were loaded and installed from the DVD.
My question is, when the box reboots and I am presented with the login prompt where I can type "setup" to launch the initial config script, I can enter all relevant details and the system brings up the network interface, pings the default gateway and the name servers with success (I don't see any errors that the pings have failed) and it seems to start installing the ISE.
I get the on-screen message about not using 'Ctrl-C' from this point, then I see the "installing applications...." message on the screen, but rather than seeing the 'ISE installation' message on the screen as detailed in the 1.1.x hardware installation guide, my install goes straight to the "generating configurations" message and then restarts the box.
Once the box reboots, I can not connect with the username/password combo that I entered in the initial configuration script, but I get no more on-screen messages or prompts to create a database password, etc. I only get the CLI command prompt. I am able to navigate the CLI fine, I can ping the gateway and name servers from the CLI fine, but if I apply for a show, it comes back with nothing. If I make a request to configure ise, the CLI says that EHT is not installed.
Help Please guys.
See you soon,
MSI
Please keep this thread up to date.
Jatin kone
Tags: Cisco Security
Similar Questions
-
Reimage ISE to 1.2, could not load software install
Hello
We have a few ISE 3355 servers prepared to set up, out of the box, and we want to upgrade to version 1.2 before configuring them. I have the ISO image for 1.2 but I'm having problems with the reimage process.
I was able to run the reimage on 2 of 4 devices, but at the moment, the reimage process is blocked once I choose the option to start, when it tries to load the initrd.img file...
Start: 1
loading vmlinuz.............................................................
Loading initrd.img...
They have the same problem with the second device, but after letting it start everything down without starting with the dvd and run the installer, I could restart, start from the ISE 1.2 dvd and load the reimage process...
Am I doing something wrong?... the reimage link does not help... and it's the same thing I've done...
Any help is very appreciated!
You can try to use an iso 1.1.4 to see if you can reimage the device and then run the upgrade to version 1.2.
I also have the best chance with activeiso burner when I burn iso images. Give that a try if you can before attempting the 1.1.4 can evolve into version 1.2
-
ISE general questions: DOT1x, NAM, NAC etc...
Hello
I have two questions. One is an issue that I am facing and the second is a possibility I want to check.
Question 1: I have a stack of 3 switches: 2 x WS-C3850-48P and 1 x WS-C3850-24P, running IOS-XE 03.03.01SE. Now on some ports, when I try to enter the following commands, it gives me the output below.
authentication event fail action next-method
^
% Invalid input detected at '^' marker.
GCB2-FF-C1-SW1(config-if)#$tion event server dead action authorize voice
authentication event server dead action authorize voice
^
% Invalid input detected at '^' marker.
GCB2-FF-C1-SW1(config-if)#authentication host-mode multi-auth
^
% Invalid input detected at '^' marker.
GCB2-FF-C1-SW1(config-if)#authentication order dot1x mab
^
% Invalid input detected at '^' marker.
GCB2-FF-C1-SW1(config-if)#authentication priority dot1x mab
^
% Invalid input detected at '^' marker.
GCB2-FF-C1-SW1(config-if)#authentication port-control auto
^
% Invalid input detected at '^' marker.
GCB2-FF-C1-SW1(config-if)#authentication periodic
^
% Invalid input detected at '^' marker.
GCB2-FF-C1-SW1(config-if)#authentication timer reauthenticate server
^
% Invalid input detected at '^' marker.
GCB2-FF-C1-SW1(config-if)#authentication violation restrict
^
% Invalid input detected at '^' marker.
GCB2-FF-C1-SW1(config-if)#mab
^
% Invalid input detected at '^' marker.
GCB2-FF-C1-SW1(config-if)#dot1x pae authenticator
^
% Invalid input detected at '^' marker.
And in the same switch, I have some ports which have accepted these commands... I have not understood the injustice done to a single port.
any help will be appreciated.
now, to calculate the probability, I would like to check:
2: CAN WE HAVE CISCO ANYCONNECT CONFIGURED ON THE WINDOWS COMPUTER AS A SUPPLICANT THAT SUPPORTS PEAP AND SMART CARD AT THE SAME TIME? SO IF THERE ARE SEVERAL USERS, SOME WHO USE A SMARTCARD AND SOME A GENERIC USERNAME AND PASSWORD ON THE MACHINE, CAN THE TWO COEXIST?
THANKS IN ADVANCE...
Nick...
Did you make sure that these ports are actually defined as access ports before loading the dot1x config? It will fail on e.g. routed ports.
-
Cisco NAC authentication server stopped?
Hi all
1_ Is there a way to specify an order for authentication servers on NAC Manager v4.7.2? The customer's need is that if the primary server (AD) fails, it switches to the RADIUS. Is this possible?
2_ Is it possible for a role on a server auth?
Thanks in advance.
Dumlu
Dumlu,
If you configure AD SSO, that is the way it works right now. You need to set up the RADIUS or LDAP auth provider, and then if the AD SSO fails, users would see the choice to open a session using this provider.
For your question, yes, you can map roles to providers. When you set up a provider, you can give it a default role that the provider uses.
HTH,
Faisal
-
Cisco ise 1.2 installation of certificates for the issue of cluster ise
Hello everyone, I have an ISE cluster of 4 devices: 1 primary admin/secondary monitoring, 1 secondary admin/primary monitoring, and 2 policy nodes.
I need to install a public CA cert on them. Can I generate 1 CSR on one of the nodes, which includes a SAN with the DNS names of all the nodes?
So get 1 single certificate from the CA, then export it and import the same cert into all the other nodes?
Or do I have to generate 1 CSR for each node and purchase 4 certificates? Wildcard certificates are not an option. Thank you
Yes, you are right. The document was created before ISE 1.2. You can generate the CSR from the interface of ISE and add SAN.
Kind regards
Jatin kone
* Please rate useful messages *
-
The NAC Manager/Server license question
I use a failover pair of NAC Managers with 5 sets of CAS servers. Each set of CAS servers is authorized for a different number of users (i.e. 1500 or 3500). I loaded all the licences in the Manager. (All Coses PAK have been validly submitted by using the MAC address of the Senior Manager.) Is it possible to assign... or... How will I know which set of servers will be assigned the appropriate license for a specific set of max users?
It was only from pak or was it separate paks... because he's going like that with a pak u generate license for cam (this is the license for the number of servers it can handle)... for that you must provide the mac cam address. then for each server FO u can use even PAK or a new and mentions the mac address of the server here and makes the exact difference... If you had separate Pak. each PAK is given based on the license you requested from...
-
NAC Guest server - time for questions
Hi all
I'm having trouble with our NGS. It used the 2.0.0 version, but only the start-end time profile type worked with this version. We decided to upgrade to version 2.0.1.
We now have the other time profile types and they are working correctly, but the start-end time profiles stopped working. New users cannot be created using these time profiles because the month field is empty and it is impossible to select the month. If the date is selected using the calendar, the month field is left blank. User creation can be started and there is no error message, but the END does not create the user and the page expires.
I tried to restart the server, but the problem remains.
Has anyone seen this problem? Any solution or workaround?
Hello
You might be hitting CSCsz80188. Please see the bulletin. It is planned to be fixed in 2.0.2, but a workaround is listed too.
HTH,
Faisal
-
Cisco ISE and the new Version of AntiVirus... not DAT
I am ready to go to our VPN ISE users. It was a great test and it seems that we are ready to roll.
Then comes a new version of our corporate AntiVirus software. We have had Kaspersky EndPoint Security v8 since last August. Kaspersky has now come out with Endpoint Security v10. It took about 3 months for the compliance module in ISE to allow the NAC Agent to recognize KESv10. But now, when we connect, I get an error from the NAC stating basically that the installed version of KES is not in the posture rules and it can't do anything. (See attachment for the exact wording.)
I remember when we first set up the ISE, there was a screen that broke down the different manufacturers of AV and the different versions that ISE/NAC would support. I have no idea where it is now.
How do I update my sanitation/policies/rules to take account of KES10 too, or simply change to allow version 8+, or even ANY version?
I'm sure this is a simple solution, but I can't find it. I looked through a lot of documentation, and I even looked through a PDF of global laboratory on-site ISE posturing, and he can find.
Thank you
Dirk
Unfortunately, there are various known bugs related to the use of the browser "bad" that have been around for a while
-
Hi guru,
Do we need Cisco NAC appliance or controller wireless with Cisco NAC server or Cisco NAC Guest server comments can work independently?
Is it possible to implement the server Cisco NAC comments without NAC device or wireless LAN Controller?
Best regards
Ahmed Shahzad.
Can you please check if you can access this link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html.
It's a fully detailed 'Integrated Cisco Web authentication deployment and Configuration Guide Local'.
HTH,
Tiago
-
I want ISE + ACS work together what license should I add?
They are separate products without special integration between them. Therefore, neither requires a license for interoperability with others.
I guess you could technically use ACS as an external identity store for ISE (although I never saw anyone do that). If you do so, no specific licence would be required.
That said, ACS is an AAA server, like ISE.
ISE has always had its own RADIUS server that can act as AAA server for network devices (in addition to its main job as a network admission control system).
As of version 2.0, ISE has added support TACACS+ and almost all of the device can do most people do with ACS, administrative functions if you want to use ISE as RADIUS server, it requires licensed peripheral administration in no more basic, Plus, Apex or mobility or licenses.
-
NAC integrated with the Guest Server
Hi all
I met a problem that happened when I integrated NAC with the Guest Server.
Hope I can find the solution here!
When I create an account on the Guest Server, the account will be created in the NAC as a local user.
If I choose "time profile - start-end", the account will be created in the NAC.
But if I choose "Time profile - first Login", the account will not be created in the NAC.
So the guest cannot connect with this account using "time profile - first Login".
All configurations of the document including "Radius Client and Accounting" has been correctly configured.
But I can't yet find the solution.
Please answer me if you know the answer. Thank you very much!!!
Jet Li
If Taiwan
Hi Jet Li,
This should be because only based on time with beginning and end is supported when you turn on the END with the NAC Appliance solution:
http://www.Cisco.com/en/us/docs/security/NAC/guestserver/configuration_guide/20/g_guestpol.html#wp1063409
"Cisco NAC Guest Server Version 2.0 supports only start/end and creating profiles when used with Cisco NAC appliances"
Kind regards
Fede
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
NAC Deployment for wireless network
Hi all
I intend to implement a NAC appliance server at one of our customers. The wired LAN is based on Cisco Catalyst switches and there is going to be a wireless LAN with a wireless LAN Controller and about 25 access points (all Cisco equipment). I plan an OOB virtual gateway deployment and I would like to know if it is possible to control the wired LAN and the wireless network with the same NAC CAS server, or if I need one NAC server for the wireless and another for the wired local network.
Regards
Vicente,
You can. As long as the wireless is L2 adjacent, you can use the same CAS for wired OOB and wireless.
HTH,
Faisal
--
If you find this article useful, please note so that others can easily find the answer
-
Authentication (Windows Server 2013) AD Cisco ISE problem
Background:
Have deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users and admin access to WLC and switches. The backend database is Microsoft AD running on Windows Server 2012. The existing Cisco ACS 4.2 is still running and authenticating users. There are two Cisco WLCs, version 7.2.111.3.
Wireless users authenticating to AD through ACS 4.2 works. Admin access to WLC and switches authenticating to AD through ISE works. Authentication is with PEAP-MSCHAPv2 for wireless and PAP/ASCII for admin access.
Problem:
Wireless users cannot authenticate to AD through ISE. This is the error message '11051 RADIUS packet contains invalid state attribute' & '24444 Active Directory failed because of an error that is not specified in the ISE'.
Conducted a detailed AD test from the ISE. The test was a success and the result seems fine except for the below:
xxdc01.XX.com (10.21.3.1)
Ping: 0 Mins Ago
Status: down
xxdc02.XX.com (10.21.3.2)
Ping: 0 Mins Ago
Status: down
xxdc01.XX.com
Last success: Thu Jan 1 10:00 1970
March 11 failure: read 11:18:04 2013
Success: 0
Chess: 11006
xxdc02.XX.com
Last success: Fri Mar 11 09:43:31 2013
March 11 failure: read 11:18:04 2013
Success: 25
Chess: 11006
Domain controller: xxdc02.xx.com:389
Domain controller type: unknown functional level DC: 5
Domain name: xx.COM
IsGlobalCatalogReady: TRUE
DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
ForestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Action taken:
(1) Logged in to Cisco ISE and WLC by using AD credentials. This excludes the AD connection, clock and AAA shared secret as the problem.
(2) wireless authentication tested using EAP-FAST, but same problem occurs.
(3) detailed error message shows below. This excludes any authentication and authorization policies. Even before hitting the authentication policy, the AD search fails.
12304 extract EAP-response containing PEAP stimulus / response
11808 extracted EAP-response containing EAP - MSCHAP VERSION challenge response to the internal method and accepting of EAP - MSCHAP VERSION such as negotiated
Evaluate the politics of identity
15006 set default mapping rule
15013 selected identity Store - AD1
24430 Authenticating user in Active Directory
24444 active Directory operation failed because of an error that is not specified in the ISE
(4) enabled AD debug logging and had a look at the logging. Nothing significant, and no clue about the problem.
(5) wireless tested on different mobile phones and laptops with the same error
(6) delete and add new customer/features of AAA Cisco ISE and WLC
(7) ISE services restarted
(8) join domain on Cisco ISE
(9) verified release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Find anything related to this problem.
(10) there are two ISE and two WLC deployed. Tested different combinations of ISE1 to WLC1, ISE1 to WLC2, etc. This excludes a hardware problem of WLC.
Other possibilities/action:
1) test it on another version WLC. Will have to wait for approval of the failure to upgrade the WLC software.
(2) incompatibility between Cisco ISE and AD running on Microsoft Windows Server 2012
Has anyone experienced something similar or have ideas on why this is happening?
Thank you.
Update:
(1) built another Cisco ISE 1.1.3 server in another data center that uses the same domain but another domain controller. That domain controller is running Windows Server 2008. This works and authentication is successful.
(2) my colleague tested in a lab environment Cisco ISE 1.1.2 with Windows Server 2012. He has had the same problem as described.
This leads me to think that there is a compatibility issue of Cisco ISE with Windows Server 2012.
Yes, it seems that 1.1.3 doesn't support Server 2012 as of yet.
External identity Source OS/Version
Microsoft Windows Active Directory 2003 R2 32-bit and 64-bit
Active Directory Microsoft Windows 2008 32-bit and 64-bit
Microsoft Windows Active Directory 2008 R2 64-bit only
Microsoft Windows Active Directory 2003 32-bit only
http://www.Cisco.com/en/us/docs/security/ISE/1.1/compatibility/ise_sdt.PDF
-
NAC Guest Server with WLC
Dear all,
I just need to confirm whether it is possible to add the same WLC to AC (wireless users), as well as to the NAC Guest Server (wireless guest users), or do I need one more WLC for the NAC Guest Server.
Kind regards
Hello Nameair
You don't need a separate WLC... NAC Guest Servers are perfectly normal RADIUS servers, used for authentication. You can integrate your existing WLC, in addition to IB or OOB to your certification authority, with the Guest Server. I enclose a doc that gives information on the configuration of WLC and host servers.
I hope this helps... all the best... happy new year to you. Rate the responses if deemed useful...
REDA
-
Hi people,
I was wondering if anyone knows the reason why a Cisco ISE is not synchronized with the NTP server. I am able to ping from ISE servers and wireless controller is properly synchronized.
Is there something more in addition to time zone and Setup "ntp server"?
synchronized to a stratum 11 LAN
correct time less than 11 ms
vote server each 1024 srefid distance st t when poll reach delay offset jitter
==============================================================================
* 127.127.1.0. LIUX. 10 l 33 64 377 0.000 0.000 0.001
x.x.x.x 200.160.7.193 2 7 1024 186 0,671 u 2545847 56.067
x.x.x.x 200.160.0.8 3 202 1024 7 0.630 u 2545853 55.940
* Current time + candidate source
ATTENTION: Output results can conflict in change of the synchronization periods.
Hi Flavio,
It happens with ISE and ACS: they do not synchronize correctly or lose the synchronization. You can either do "no ntp server" and "ntp server" again, or you can restart the NTP service. Even that sometimes helps.
Bravo!
Bellefroid