Restoration of ISE Cisco VM snapshot

Hello

We have a distributed deployment of ISE (1.3.0.876) in which a hotfix installation failed and made our PAN inaccessible. We have promoted our secondary to be the new primary and want to restore the snapshot on the 'old' PAN. My question is: how exactly does the snapshot restore affect the state of the admin nodes? Our secondary being the current primary, does it maintain its role even after the old one is restored?

Thank you

Andrew

Hello

It will retain its old settings. Once you have restored the snapshot, you can reboot the device. It will pick up that there is already an active primary node and assume the standby role.

Kind regards

Jason

Tags: Cisco Security

Similar Questions

  • Restore backup ISE hanging

    I am trying to restore backup ISE using the FTP server, and it hangs at 80%, with the following message:

    performing database ISE synchup... 80% finished

    No problem! Good job on finding the solution and for taking the time to come back and share it with us (+ 5 from me).

    If your problem is resolved you must mark the thread as "answered" :)

    Thank you for evaluating useful messages!

  • Question ISE Cisco router certificate

    Hello

    I'm looking for how-to guides or configuration examples on how ISE NHPS can be used as an intermediate CA (the root certification authority is an Enterprise Microsoft CA). Routers / ASA firewalls would send automated certificate requests to ISE, which can issue the certificates as an intermediate CA; the purpose of these certificates is for the routers / firewalls to use them for IPSec VPN configuration.

    Thank you very much

    Rakesh

    Hello

    Here's the Cisco documentation:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/2-0/admin_guide/b_ise _...

    It's very simple to set ISE as an intermediate CA. ISE will use CEP Protocol to distribute certificates. Wait paragraph ISE CA issues certificates user VPN ASA.

    In a few words: after importing the root CA, and when you enable ISE as a CA server, you will generate a CSR from ISE. Generate a Windows intermediate certificate for ISE from this CSR. Once that is generated, bind this certificate to the CSR in ISE.

    That's all.

    Don't worry, the steps are described very well in the ISE.

    There is a great video I always recommend to newbies, from labminutes, who do an outstanding job: http://www.labminutes.com/sec0187_ise_13_internal_certificate_authority _...

    What you need to know is that you will not be able to create a specific template on ISE, as you did on Windows.

    PS: If this solves your problem, do not forget to rate it and mark it as the correct answer

    Thank you

  • The ISE Cisco switch configuration

    Hi experts,

    I got the following network:

    Devices-> switch access-->--> access switch central office switch-> ISE Server

    All switches are capable IOS for the 802.1X and configurations of AAA for ISE to manage network devices. However, I read in the guide on the configuration of the switches in preparation for the deployment of the ISE of Cisco, but I wonder what should I configure switches for access and basic switches or only configure the switches for access to EHT?

    Thanks for your time to read!

    If all clients are non-DHCP clients, then no configuration is based or distribution at all.

    But you may need to search different options of profiling, if the customers are not active DHCP. Access switch supports the function of detection IOS? Would be very useful to have such a that it would send important profiling information at ISE. You may need to use the right options for ISE of profiling to determine the details of the endpoint.

    Regards

    Vivek

  • Configs ISE Cisco switch

    I guess Cisco ISE sends a redirect to URL to the switch and switch, it presents to the customer in the case of access comments get a redirect URL with acceptance of the user (guests and not wired) Page.

    My question is, do we need to configure the http and https server on the switches (both supplicant and authenticator)?

    I don't know that it will take a confirmation, but just wanted to...

    I checked the configuration for the supplicant and authenticator switches for ISE, and this part of the config is not mentioned anywhere.

    http://www.Cisco.com/en/us/docs/security/ISE/1.0/user_guide/ise10_troubleshooting.html (a redirect to URL and possible cause problem is mentioned) - make sure that the config is necessary.

    http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html

    (the supplicant and authenticator switch configuration) - mentioned anywhere in the configuration of http/https for the two switches.

    Yes, it's needed. The http/s server in the switch is used to retrieve the user http traffic and redirect the traffic to the CWA portal, or a device registration portal, or even to the integrated Mobile Device Management (MDM) portal.

    ip http server

    ip http secure-server

    The info below I took from the book Cisco ISE for BYOD and Secure Unified Access.

    "Many organizations want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the risk of the user interacting with the management interface and control plane of a switch." This can be accomplished by entering the following two commands in global configuration mode:

    ip http active-session-modules none

    ip http secure-active-session-modules none

  • ISE Cisco 3395 NIC Teaming/redundancy

    Is it possible to implement NIC teaming on a 3395? I see that it is available on the SNS 3400 series. However, I was unable to locate any information about NIC teaming for purposes of redundancy on the 3395. Is this feature supported, and if so, how would I go about enabling it correctly? Thank you very much for the help in advance.

    Hello. For now, ISE does not support NIC teaming/pipe of any kind. It has been asked for several times, so I hope that Cisco will implement it in a future version.

    Thank you for evaluating useful messages!

  • Upgrading ise Cisco and licenses

    I need to upgrade from version 1.1.2 patch 4 to 1.1.3

    the deployment is distributed so that the shared deployment technique should be used:

    http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/upgrade_guide/upg_dis_dep.html#wp1052969

    the guide is quite difficult to follow as there is some missing license information that can potentially cause service downtime:

    in particular, my questions regarding the guide are:

    -OUR license is registered on the primary node of PAN only-

    (1) main node of PSN deregistration "D": that it will use the license? the inherited (10000 points of termination) or if he loses the license completely and lock the network authentication?

    (2) when the node "B" will be struck out and will become autonomous what happens to its licence? It will be lost? and what will happen to the "D" node when added to node "B"?

    (3) when I move back node "A" (after the upgrade and the record to the node "B") to the previous state of primary PAN, it is said that the license must be reloaded in it was lost when adding it to the node "B"... and in the meantime? No node will not authenticate because the primary node is unlicensed?

    TY

    Giuliano,

    A de-registered node will always use its own license; that is, it becomes a standalone box without knowledge or information about anything around it. Evaluation or any license you provided it with.

    Licensing is done by the active admin node of the cluster, depending on its license.

    Take a look at:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCug04405

    I do not think that the license needs to be reloaded, but maybe it's just my memory not serving me. I'll check that one again.

    M.

  • ISE Cisco authorization with device OS

    Hello

    We want to allow access only to devices with a Windows operating system. I tried an allow rule with the condition "Session: Windows operating system device is equal to ' but it does not work. If I try to connect with a Windows 7 client, access is denied and the log shows "15039 rejected by authorization profile". What could be the problem?

    We use the ISE with Version 1.1.3

    Thank you

    Marc

    There is no problem with version 1.1.3 ISE, you are is later. Maybe the probes are not configured correctly.

    Please check the link below for help

    http://www.Cisco.com/en/us/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_30_ise_profiling.PDF

  • Restoration of a Cisco ACS Windows 3.3 to a problem of acs 3.3 applicance

    Hello

    I have now built an ACS appliance and trying to restore the current configuration and the database on the windows machine. When I run the restoration on the GBA unit, it says it restores but does it again an hour later. Then when I reboot the box, I get a connection message invalid admin and need to reset it using the cd.

    Has anyone come across this?

    How to solve it?

    See you soon

    KeV

    Kevin,

    Does it have any security set on the Windows backup, that is to say 'allow all IP addresses' to connect for the Admin user?

    If you try from another computer, do you get the same message?

    ~ JG

  • GuestEndpoints ISE Cisco and licensing

    Small question. If a device is placed in the GuestEndpoint group automatically through the Hotspot portal in ISE 2.0, and we build policies based on the GuestEndpoint identity group, do I need to use a license?

    I know this license is used if we go through device registration, but I do not know if this is true when it is done automatically by the Hotspot or GuestPortal.

    It should not. It would consume only a base license.

    Thank you for evaluating useful messages!

  • Redirect ISE Cisco - CWA

    Why should the ISE nodes be defined in the web authentication redirect ACL configured locally on the switch?

    All of the documentation I found suggests this. I installed my old ISE environment 2 years ago in this way and was told at the beginning to do so. But after thinking the whole authentication process through and then testing my theories, I don't understand why the ISE nodes must be defined in the switch redirect ACL. I am testing now with a simple ACL "redirect www & 443", and it does not work as expected.

    The client connects to the network and, in our environment, it is asked for dot1x until that times out, and then it moves to MAB. However, I don't have any authz rules defined for my test machine, so it hits my catch-all CWA authz rule, which sends a CWA DACL. The switch applies the ACLs on the interface in the following order: 1. redirect 2. DACL 3. PACL. In my DACL, I have access to the ISE nodes allowed (just to be sure), and the redirect still works because my test machine doesn't send any www/443 traffic to the ISE nodes that I know of (CWA is 8443).

    Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes, so that they must be defined in the local CWA redirect ACL on the switch?

    In fact, the dACL will replace the preauthentication ACL/PACL you configured on the switchport. Traffic must first be allowed by the dACL, and then it will hit the redirect ACL.

  • POSTURE of ISE Cisco + Client Provisioning - 2.1

    Hello classmates

    I have a situation with an implementation of posture on Ise 2.1.

    When I try to perform posture, everything works fine when I set up and enable client provisioning.

    When I disable the AnyConnect client provisioning policy, it does not find the "policy server" and doesn't start posture.

    Is the client provisioning policy configuration required to launch posture on the client machine?

    Thank you!!!

    Yes, client provisioning is required.

    In the CP policy, it will check for any AnyConnect and posture module download.

    It works in cascade with the posture rule.

    Regards

    Gagan

    PS: rate if this can help!

  • Cisco ISE 1.2 & Cisco WLC 5508 v7.6

    Hi all

    We intend to upgrade our WLC to 7.6 to fix a bug with FlexConnect client ACLs, but I just saw in the Cisco ISE compatibility table that it is recommended only up to WLC 5508 v7.5...

    Cisco told me to avoid 7.5 as it is in a deferred state. Does anyone know of, or is anyone running, in a lab or production, ISE 1.2 with a WLC v7.6 n 5508?

    I would rather hear about issues people know of beforehand than have to go through a software upgrade and then restore.

    Thank you all

    Mario Rosa

    Definitely stay away from 7.5. I've done several deployments with the WLCs 7.6 running. The two main issues that I touched were:

    CSCue68065 - in this bug FlexConnect ACL does not work unless you have a regular (non FlexConnect) ACL created with exactly the same name

    CSCuo39416 - CWA does not work on FlexConnect APs. It would apply to you if you have older AP models

    I hope this helps!

    Thank you for evaluating useful messages!

  • Check the ISE for the VPN Cisco posture

    Hello community,

    first of all, thank you for taking the time to read my post. I have a deployment which requires the posture check feature of Cisco ISE for VPN machines. I know that logically, once a machine is on the LAN, Cisco ISE can detect and apply posture checks on clients with the AnyConnect agent, but what about VPN machines? The VPN will terminate on a VPN concentrator, which then connects to an ASA5555X that is deployed as an IPS only. Are there any pointers on this?

    Thank you!

    The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. Once a VPN user connects, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user's computer to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Registry, Application, or Service rules.

    The posture validation results are then sent to the ISE. If the machine is deemed compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed to access internal resources.

    http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-Appliance-ASA-software/117693-configure-ASA-00.html

  • Question of ISE CWA Cisco

    Good day

    I have Cisco ISE 1.2 with Cisco 2960 n.

    I set up employee authorization successfully, but my problem is with guest users: the link is not redirected.

    Please let us know what I should put in the default authentication policy rule? Deny access?

    And on the switch, I should put the prompt to connect to specific ports or I have to configure the VLAN specific authorization profile?

    Appreciate your support,

    In your authorization policy, you give your Wired-Guest the same result as Wired-Webauth.

    First time through you don't know he is a guest, so he hits Wired-Webauth and gets redirected. Second time through you need him in the guest flow, so that you know he is an authenticated guest; he hits Wired-Guest, but you send the same permissions 'Web_Auth'. Create a profile that you want to offer your authenticated guests - Guest_Allowed for example.
