Hi Artem/Wojciech, - Page 3

Monica Lluis · ‎12-03-2015

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions about Cisco Identity Service Engine (ISE) to Artem Tkachov and Wojciech Cecot.

Ask questions from Monday December 14 to Wednesday December 23rd , 2015

The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources.

This session will help customers with troubleshooting, configuring and implementing ISE solutions in their networks.

Artem and Wojciech will be helping you with all your queries on all of the above.

Artem Tkachov is a Customer Support Engineer in Cisco TAC Security team in Poland. He has been working with TAC for past 3 years and has 8 years of industry experience working with enterprise deployment and troubleshooting. His areas of expertise currently includes Firewalls, VPNs, AAA, 802.1X (MacSec/TrustSec), ISE (BYOD, HotSpot, etc.), ACS, as well as knowledge and in Routing and Switching, Service Provider, Data Center technologies. Artem holds CCIE certifications (# 39668) in Routing and Switching, Service Provider, Wireless, as well as CCNP in Security, JNCIS-SP, RHCSA, and ITIL certification.

Wojciech Cecot is a Customer Support Engineer in Cisco TAC Security team in Poland. He has been working with TAC since May 2014 and has 3 years of industry experience working with enterprise deployment and troubleshooting. His area of expertise covers ISE, TrustSec, BYOD, ACS 5.x, 802.1x. Prior to joining Cisco, he worked as a junior system engineer at Comarch. He is graduated with a Bachelor's and Master's degrees in Electronics and Telecommunications from AGH University of Science and Technology.

Find other https://supportforums.cisco.com/expert-corner/events.

Because of the volume expected during this event, Artem and Wojciech might not be able to answer every question.

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead

tonyp8581 · ‎12-16-2015

Hi guys,

I'm running ISE v1.3 with patch 3. I recently activated Profiling using RADIUS and DHCP probe.

It seems to be working as expected except for the way the profiler is storing the devices. For example, all users which connects to the Guest portal should be placed in Endpoint Identity Groups -> GuestEndpoints. Instead, they are placed in Identities -> Endpoints, which by the way all my devices are located. I have used the Guest Types Profile to configure this behaviour.

Am I missing something ?

Thanks !

Tony

Wojciech Cecot · ‎12-17-2015

Hello Tony,

Thank you for that question. It is difficult to answer that one without looking into details of your deployment, however that could be a bug (https://tools.cisco.com/bugsearch/bug/CSCuw78737/?reffering_site=dumpcr), related to HotSpot portal with the same symptoms as you described. It should be fixed in patch 6 of ISE 1.3, that will be released soon --- however I am not sure if that is your case.

In general if the "Endpoint identity group" is configured to some specific group like GuestEndpoints on the portal that you are going through you should be placed in that group. What I could suggest is to create some other group: like GuestEndpoints2 and check if there is any difference in the behaviour. If the groups are properly configured then it should work fine. Please double check Guest Type and Portal configuration and if still you will have that problem I could suggest to open TAC case.

Best Regards

Wojciech

tonyp8581 · ‎12-17-2015

Hi Wojciech, thanks for your response !

I tried your suggestion. I created a new group. Unfortunately, the device still gets stored in the main database, Identities -> Endpoints.

I'm not sure if the bug relates to mine. I might have to open a TAC case.

One more thing, in the main database, I have over 11000 devices. If I delete all, what negative effect (if any) will it have on devices that are logged in. Any rule of thumb on how long the device should remain before being purged.

Thanks again !

Tony

Wojciech Cecot · ‎12-21-2015

Hello Tony,

If possible I would suggest to open a TAC case, while it is difficult to help, without looking at details of that deployment.

Well, in general, that should not have any impact, expect that all group assignments, profiles will be lost. However there are purge settings, under: Administration > Identity Management > Settings > Endpoint Purge and you can specify rules based on which endpoints are removed from the DB --- I would suggest that way, rather then removing all endpoints.

Please take a look: http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01101.html#concept_0776B37A2C3542189950F5DFB1961FA2

Thank you,

Wojciech

tonyp8581 · ‎12-23-2015

Hi Wojciech,

I will definitely open a TAC case for my Endpoint assignment.

Thanks for the link. It's what I was looking for.

Tony

tonyp8581 · ‎12-23-2015

Hi Wojciech, I have one more question:

I'm want to identify Corporate devices against BYOD. So, I'm thinking of using condition "WasMachineAuthenticated", Here is my config:

ISE 1.3 Patch 3

Windows 7 Supplicant with Machine and User Auth. Using PEAP.

I have policy for Machine Auth and User Auth.

In External Identity Sources, MAR is enabled with 192 hrs Aging Time.

Lately, I have been reading up on this subject, and I have come across several comments about certain caveats. What are those caveats?

BTW, for me EAP Chaining is not an option.

Thanks !

Tony

malel2015 · ‎12-16-2015

Hi

If ISE node to registered a domain 'mycompany.local' and we have certificate from the external CA or internal CA for mycompany.com ,

can i use the certificate from the external CA or internal CA for mycompany.com
so that i can use mycompany.com in url redirection and in dot1x authentication .

Thank you

Malel

Artem Tkachov · ‎12-16-2015

Hello Malel,

Thank you for your question.

Regardless which certificate you will be using it should be delivered to the end station and stored in Trusted Root folder. There are few certificates from well-knows "CA" vendors which are pre-installed already, for example, on windows7 you have "Go Daddy", "GlobalSign" root certificates in Trusted Root folder. To access Certificate Manager on Windows PC --> click the Start button, type certmgr.msc in the search field, and click the Enter key.

Thanks

/Artem

hacizeynal · ‎12-17-2015

Hi Artem/Wojciech,

We recently configured ISE 2.0 and migrated all users to that system,but we faced with some problems .

1-) We authenticate users like machine and user with dot1x at same time ,firstly machines need to pass authentication ,after authentication users need to have valid certificate (EAP-TLS) ,they are authenticated ,everything went well ,when users log out and and try to login again with the same device ,first machine authentication is successful ,i observe it in radius logs ,but users get stuck about 1-3 minutes ,why it does last too long for re-authentication again ? it is not constant ,something 1 or 3 minutes.User are not satisfied.

2-) When users authorized with profiles ,dACLs are downloaded for users ,sometimes the ACLs are skipped ,for example if it should not go for 10.0.2.0/24 subnet ,somehow it passes and able to reach that subnet.

3-) We configured guest wired ,it should change the vlan and get another ip address from different pool ,after passing successful web portal authentication ,it seems that is successful, when I check the PCs MAC address form switch ,it shows that new IP address has been given to guest pc ,but actually from computer's perspective it doesnt get ip address ,even re-authenticating the port .

I will wait for your replies ,

Thanks,

Zeynal.

Artem Tkachov · ‎12-17-2015

Hello Zeynal,

From the beginning, I'd like to thank you for your questions. And let me try to answer them as much as I can.

1. This question is really requires live troubleshooting and should be investigated via the TAC case. Too many points from where delay might appear.

2. If you have dACL pushed from ISE, but still have access to the networks/IPs which access should be denied to, you would need to make sure the following:

- dACL is applied to the user session

- ACL is applied on interface level (in case of wired access)

- ACL is programmed on TCAM level (in case of wired access)

Useful would be to run debugs for Radius, EPM, dot1x features on NAD (if wired access), and Radius/AAA and client debugs in case of wireless access.

3. ISE can handle this with the help if "Vlan Change" feature, where activeX or a Java applet would be started on PC, which triggers DHCP to release and renew.

More on this here:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118742-configure-ise-00.html#anc21

Thanks

/Artem

Olivier BRASME · ‎12-17-2015

Hi Artem and Wojciech,
I am currently working on deploying ISE 1.4 for a customer with wireless access trough WLC architecture and I would have a few questions on several subjects :
1/ For the BYOD, native supplicant provisionning (Android and iOS), I would like to push a proxy configuration with the Native Supplicant Profile. I find this option in the ISE Admin Guide,
but I couldn't see it in the Native Supplicant Profile configuration (in my ISE). Is this option really exists?

2/ I encounter issues with HTTPS trafic redirection that doesn't work. Is it an error in my configuration or a bug (I am running WLC version 8.0.121)?

3/ About Anyconnect Provisionning, for a client that already has Anyconnect installed, how NAM profile update from ISE is working? Does the client need to match a Client Provisionning Web Portail redirect, to then match a client provisionning policy?
Or does the Anyconnect NAM always checks for profile updates when it connects to ISE ?
And is there any way to have different NAM profiles on ISE for updating different users group (in this case do I provision this profiles through CPP)?

Thanks.

Olivier

Wojciech Cecot · ‎12-17-2015

Hey Olivier,

Thanks for that question.

ad.1 It is available starting from ISE 2.0, please take a look:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html#41322

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010101.html#reference_21024A3B2B27427EAC78495E56962729

ad.2 In Version 8.0 and later, you can enable redirection of HTTPS traffic with the CLI command "config network web-auth https-redirect enable". It was tracked with bug: https://tools.cisco.com/bugsearch/bug/CSCur13703/?reffering_site=dumpcr

ad. 3

a) You need to go though CPP to update the Anyconnect xml profiles. Posture rules could be automatically downloaded when posture is used, however xml profiles are different story.

b) Yes, that is possible by using more specific Client Provisioning rules, like if GROUP_A then anyconnectconfig1, if GROUP_B then anyconnectconfig2.

Hope that helps.

Thank you

Wojciech

Olivier BRASME · ‎12-17-2015

Hello Wojciech

thank you for your answer.

About question 1/, the proxy configuration for the NSP is already present in the admin guide of ISE 1.4 : http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_010110.html#ID1273

Thank you

Olivier

Wojciech Cecot · ‎12-18-2015

Hello Olivier,

Thank you for spotting that! I have filled in documentation bug for that:

https://tools.cisco.com/bugsearch/bug/CSCux59366/?reffering_site=dumpcr

Best Regards

Wojciech

Olivier BRASME · ‎12-18-2015

Hello Wojciech,

thank you for that.

I have tried your 2 others answers (WLC option for HTTPs redirect, and NSP profile provisionning for differents users groups) and both are working !

Have a good weekend

Thanks

Olivier

Ask the Expert: Implementing and Troubleshooting Cisco Identity Services Engine (ISE)