Webcast: Identity Services Engine (ISE) - Guest and Posture Troubleshooting

Vidhi Mujumdar · ‎08-11-2016

Identity Services Engine (ISE) - Guest and Posture Troubleshooting
(Live Webcast Tuesday August 30th, 2016 at 10 am Pacific/ 1 pm Eastern)

Cisco ISE manages role-based security policy. It simplifies network-access delivery across wired, wireless, and VPN connections. ISE then integrates, consolidates, and automates the sharing of user and device data with other Cisco security and technology partners. This dynamic network access control improves IT operations as well as stopping and containing threats. As the modern network expands, the complexity of marshaling resources, managing disparate security solutions, and controlling risk grows as well. The potential impact of failing to identify and remediate security threats becomes very large indeed.
A different approach is required for both the management and the security of the evolving mobile enterprise. With superior user and device visibility, Cisco ISE delivers simplified mobility experiences to enterprises. It also shares vital contextual data with integrated technology partner solutions. The identification, containment, and remediation of threats are all accelerated through the integration, consolidation, and automation that Cisco ISE provides.

This session provides an overview of: Guest and Posture Flow Troubleshooting We’re expecting a basic knowledge being the initial configuration for ISE redirect flows for Guest and Posture. If you want to review these setups, we recommend checking out these links.

Centralized Web Authentication Flow | Posture configuration

Agenda:

Overview
Troubleshooting Common Scenarios with Guest
Troubleshooting Common Scenarios with Posture
Best Practices
QnA

Featured Speakers

Sam Hertica has been a Customer Support Engineer in the Technical Assistance Center AAA team in RTP since 3.5 years. He initially started out of college as an Intern on the RTP-AAA team supporting the latest ACS 5.3 and 5.4. Since then, he’s grown to support full ISE deployments, as well as creating tools and resources for his team to troubleshoot complex deployments. Sam graduated from Rochester Institute of Technology with a BS in Applied Networking and Systems Administration in 2012.

Maciej Podolski is a member of Technical Assistance Center AAA team in Krakow Poland. He enables customer everyday by resolving complex ISE / dot1x / ACS issues. Maciej graduated from the Warsaw University of Technology with a BS in Electrical and Computer Systems engineering, with major in Telecommunications. He has been passionate about the cyber security since his university years, his final thesis was about steganography in cloud storage. He is also involved in developing tools for the AAA TAC engineers. His favorite hobby is skiing.

Do you have more questions? Our experts are available for the next two weeks to answer your questions. Join the Ask the Expert discussion at https://supportforums.cisco.com/expert-corner/events ">https://supportforums.cisco.com/expert-corner/events.

We look forward to your participation. This event is open to all, including partners. Please Share this event in your social channels. You have a chance to win a prize by filling out the survey after attending the live event.

Have a technical question? Get answers before opening a TAC case by visiting the Cisco Support Community.

markusgalbierz · ‎08-23-2016

hi, what time is correct? On the top there is the Time

(Live Webcast Tuesday August 30th, 2016 at 10 am Pacific/ 1 pm Eastern)

an at the end where i can add the Webcast to my calandar there is a different time

Tuesday, August 30th, 2016 1:00 PM PDT to Tuesday, August 30th, 2016 2:30 PM PDT

so what time is correct? 10am Pacific or 1:00 PM PDT ? is an huge different..

thanks

Vidhi Mujumdar · ‎08-23-2016

Hello Mark,

The correct time is Tuesday August 30th, 2016 at 10 am Pacific/ 1 pm Eastern. I have made changes to reflect the correct time.

Thanks,

Vidhi

Chansit Watthanaphothidit · ‎08-24-2016

I'm in Thailand (GMT+7). I'm not sure about the time.

Is this event at early morning 04.00AM in Thailand on August 30, 2016, right ?

Hilda Arteaga · ‎08-29-2016

Hi Chansit Watthan...

I think this information may be useful for you:

San Jose (USA - California) martes, 30 de agosto de 2016, 10:00:00   PDT UTC-7 hours 
Bangkok (Thailand)          miércoles, 31 de agosto de 2016, 0:00:00 ICT UTC+7 hours 
UTC (Time Zone)             martes, 30 de agosto de 2016, 17:00:00   UTC UTC

herbert.lopez1 · ‎09-01-2016

Hi Guys,

We are implementing BYOD with ISE. We all know the android phones need to download cisco network assistant to playstore for it to work. And during native supplicant provisioning, wlc should only allow access to playstore. We have DNS ACL allowing access to play.google.com and is working fine. But when actually downloading the app(cisco network assistant) it is being blocked. Checking in websense, playstore uses another url to download the app(websense sees as https://x.x.x.x). Websense is unable to get the url since it is https. Do you know what url playstore uses to download the app?

Thanks

Monica Lluis · ‎09-02-2016

Hello Herbert,

Please ask your question in the Ask the Expert event. Sam and Maciej will be able to answer your question there.

Best regards,

Monica

ivan.martin · ‎09-07-2016

Hi my name is Ivan, I have a question

Is possible the Cisco ISE works like a dhcp server in a vpn conection, and reservate its ip address?

How can I do it

Thanks

Regards.

mpodolsk · ‎09-09-2016

it can vary per android version as far as i know.

do a packet capture inside you will see:

1. "server name indicator extension" in the ssl client hello message

2. check in the capture for the DNS queries form the endpoint.

mpodolsk · ‎09-09-2016

In ISE 2.1 the DHCP and DNS server capability was added, the reason behind it is to integrate with third part products that are not able to perform redirection by themselves.

I would not recommend using this design for any other purpose and i do not think this will work as we relay in this flow on vlan change which is not the case on the VPN connection.

fsilvacamargo · ‎09-13-2016

Hi my name is Fernando, I have a question:

I have a Cisco (C3750E-universalk9-M), which supports a solution of a client and for 4 days I have this error% SSH-3-BAD_PACK_LEN: Bad packet length. Can you help me solve this issue?

Many thanks!

dsserubi · ‎10-05-2016

Hi Herbert,

Do you have a chance to look at this URL: https://communities.cisco.com/docs/DOC-69430. It has the most common domain names used

herbert.lopez1 · ‎10-05-2016

Hi,

these are the urls that works in my region.

To get the urls playstore is calling, you will have to add "." (without qoutation) on the allowed url in WLC, it will make wlc dns snoop all urls being called. Then debug the client, then on the client download the application. On WLC console, it will show on the url being called.

Below is the url for network setup assistant in my region.

Herbert

elemzy · ‎10-18-2016

Hi Vidhi,

I had an issue of mac spoofing logged with tac sometime ago and I was referred to this link

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur48184 which shows this is a known bug.

Has this issue been addressed in any of latest ISE releases?