https://community.cisco.com/t5/network-security/security-group-tag-and-sgfw/m-p/2325672#M344990 <HTML><HEAD></HEAD><BODY><P>I wouldn't expect too much help from cisco on this.</P><P>Poorly documented...</P></BODY></HTML> Mon, 23 Sep 2013 13:47:04 GMT ThibaultMean 2013-09-23T13:47:04Z https://community.cisco.com/t5/network-security/security-group-tag-and-sgfw/m-p/2325671#M344989 <P>Hi, I'm trying to configure SGFW with ASA 5585-20,</P><P></P><P>I registered in ISE, and imported pac, matched all shared secret, password. peering with WLC via SXP.</P><P></P><P>so I got the USER IP and TAG, However, ASA cannot download the environment-data from ISE.</P><P></P><P>When I enable debug cts all in asa, it says error recieved from ISE.</P><P></P><P>and on live Authentications on ISE,</P><P></P><TABLE width="100%"><TBODY><TR><TD><H3>Overview</H3><TABLE border="0"><TBODY><TR><TD width="31%">Event</TD><TD style="color: red;" width="69%">5405 RADIUS Request dropped</TD></TR><TR><TD width="31%">Username</TD><TD width="69%"></TD></TR><TR><TD width="31%">Endpoint Id</TD><TD width="69%"></TD></TR><TR><TD width="31%">Endpoint Profile</TD><TD width="69%"></TD></TR><TR><TD width="31%">Authorization Profile</TD><TD width="69%"></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><P></P><TABLE width="100%"><TBODY><TR><TD><H3>Authentication Details</H3><TABLE border="0"><TBODY><TR><TD width="31%">Source Timestamp</TD><TD width="69%">2013-08-08 10:24:06.691</TD></TR><TR><TD width="31%">Received Timestamp</TD><TD width="69%">2013-08-08 10:24:06.691</TD></TR><TR><TD width="31%">Policy Server</TD><TD width="69%">ise</TD></TR><TR><TD width="31%">Event</TD><TD style="color: red;" width="69%">5405 RADIUS Request dropped</TD></TR><TR><TD width="31%">Failure Reason</TD><TD style="color: red;" width="69%">11303 Could not parse the cts-pac-opaque attribute</TD></TR><TR><TD width="31%">Resolution</TD><TD width="69%">Refer to the documentation for the client's supplicant to perform a new PAC-provisioning operation.</TD></TR><TR><TD width="31%">Root cause</TD><TD width="69%">The cts-pac-opaque cisco-av-pair attribute contained in the Secure RADIUS request did not parse.</TD></TR><TR><TD width="31%">Username</TD><TD width="69%"></TD></TR><TR><TD width="31%">User Type</TD><TD width="69%"></TD></TR><TR><TD width="31%">Endpoint Id</TD><TD width="69%"></TD></TR><TR><TD width="31%">Endpoint Profile</TD><TD width="69%"></TD></TR><TR><TD width="31%">IP Address</TD><TD width="69%"></TD></TR><TR><TD width="31%">Identity Store</TD><TD width="69%"></TD></TR><TR><TD width="31%">Identity Group</TD><TD width="69%"></TD></TR><TR><TD width="31%">Audit Session Id</TD><TD width="69%"></TD></TR><TR><TD width="31%">Authentication Method</TD><TD width="69%"></TD></TR><TR><TD width="31%">Authentication Protocol</TD><TD width="69%"></TD></TR><TR><TD width="31%">Service Type</TD><TD width="69%"></TD></TR><TR><TD width="31%">Network Device</TD><TD width="69%">ASA5585X</TD></TR><TR><TD width="31%">Device Type</TD><TD width="69%">Firewall#ASA5585X</TD></TR><TR><TD width="31%">Location</TD><TD width="69%">DJ</TD></TR><TR><TD width="31%">NAS IP Address</TD><TD width="69%">172.30.0.1</TD></TR><TR><TD width="31%">NAS Port Id</TD><TD width="69%"></TD></TR><TR><TD width="31%">NAS Port Type</TD><TD width="69%">Virtual</TD></TR><TR><TD width="31%">Authorization Profile</TD><TD width="69%"></TD></TR><TR><TD width="31%">Posture Status</TD><TD width="69%"></TD></TR><TR><TD width="31%">Security Group</TD><TD width="69%"></TD></TR><TR><TD width="31%">Response Time</TD><TD width="69%"></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><P></P><P>and, also 5420 SGA Data Download Failed.</P><P></P><P>does anyone know how to solve this problem ?</P><P></P><P>I'm usning ASA 9.1, ISE 1.2 official release.</P> Tue, 12 Mar 2019 02:23:21 GMT https://community.cisco.com/t5/network-security/security-group-tag-and-sgfw/m-p/2325671#M344989 jiyoung Kim 2019-03-12T02:23:21Z https://community.cisco.com/t5/network-security/security-group-tag-and-sgfw/m-p/2325672#M344990 <HTML><HEAD></HEAD><BODY><P>I wouldn't expect too much help from cisco on this.</P><P>Poorly documented...</P></BODY></HTML> Mon, 23 Sep 2013 13:47:04 GMT https://community.cisco.com/t5/network-security/security-group-tag-and-sgfw/m-p/2325672#M344990 ThibaultMean 2013-09-23T13:47:04Z https://community.cisco.com/t5/network-security/security-group-tag-and-sgfw/m-p/2325673#M344991 <HTML><HEAD></HEAD><BODY><P>Try patching ise with this : <SPAN style="font-size: 10pt;">ise-patchbundle-1.2.0.899-2-85601.x86_64.tar.gz</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">comand: </SPAN><SPAN style="font-size: 10pt;">patch install ise-patchbundle-1.2.0.899-2-85601.x86_64.tar.gz <REPO></REPO></SPAN></P><P></P><P><SPAN style="font-size: 10pt;">It fixed my issue.</SPAN></P></BODY></HTML> Tue, 24 Sep 2013 07:19:36 GMT https://community.cisco.com/t5/network-security/security-group-tag-and-sgfw/m-p/2325673#M344991 ThibaultMean 2013-09-24T07:19:36Z https://community.cisco.com/t5/network-security/security-group-tag-and-sgfw/m-p/2325674#M344992 <P>This fix my issue too... Tks <SPAN class="fullname"><SPAN rel="sioc:has_creator"><A class="username" href="https://supportforums.cisco.com/users/thibaultmean" title="View user profile.">ThibaultMean</A></SPAN></SPAN></P> Fri, 19 Sep 2014 14:21:03 GMT https://community.cisco.com/t5/network-security/security-group-tag-and-sgfw/m-p/2325674#M344992 Oswaldo Torres 2014-09-19T14:21:03Z