
Ask the Expert: Implementing and Troubleshooting Cisco Identity Services Engine (ISE)

Monica Lluis
Level 9

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions about Cisco Identity Services Engine (ISE) to Artem Tkachov and Wojciech Cecot.

Join the Discussion : Cisco Ask the Expert

Ask questions from Monday December 14 to Wednesday December 23rd, 2015

The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources. 

This session will help customers with troubleshooting, configuring and implementing ISE solutions in their networks.

Artem and Wojciech will be helping you with all your queries on all of the above.

Artem Tkachov is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC for the past 3 years and has 8 years of industry experience working with enterprise deployment and troubleshooting. His areas of expertise currently include Firewalls, VPNs, AAA, 802.1X (MacSec/TrustSec), ISE (BYOD, HotSpot, etc.), ACS, as well as knowledge in Routing and Switching, Service Provider, and Data Center technologies. Artem holds CCIE certifications (# 39668) in Routing and Switching, Service Provider, Wireless, as well as CCNP in Security, JNCIS-SP, RHCSA, and ITIL certification.

Wojciech Cecot is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC since May 2014 and has 3 years of industry experience working with enterprise deployment and troubleshooting. His area of expertise covers ISE, TrustSec, BYOD, ACS 5.x, 802.1x. Prior to joining Cisco, he worked as a junior system engineer at Comarch. He graduated with Bachelor's and Master's degrees in Electronics and Telecommunications from AGH University of Science and Technology.

Find other  https://supportforums.cisco.com/expert-corner/events.

Because of the volume expected during this event, Artem and Wojciech might not be able to answer every question. 

**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions

I hope you and your loved ones are safe and healthy.
Monica Lluis
Community Manager Lead

Sounds like the "bug" there is when using device tracking and the switch and Windows 7. This can be fixed with this command on the switch: "ip device tracking probe delay 5". Also, if that's not the case, you might have some luck with: "ip device tracking probe use-svi". http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html

Hello Sergio,

Thank you for your question.

In your case I would advise you to start solving this issue from IP address assignment. I think you would agree that the log message "DHCP-DECLINE-CONFLICT" shouldn't appear on a router under normal circumstances. I am not sure about your router/switch configuration; however, "ip dhcp ping" is highly recommended in such situations. For troubleshooting purposes, you can check the conflict list of IP addresses with the "show ip dhcp conflict" command and/or remove specific (or all) IP address(es) from the list with the "clear ip dhcp conflict <address>" command.

More on this here:

1. http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfdhcp.html

2. http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-mt/dhcp-15-mt-book/config-dhcp-server.html

Once the issue with IP address assignments is solved (you won't see any log messages about DHCP decline conflict) and ISE still misbehaves, I would encourage you to open a case with Cisco TAC.

Thanks

/Artem

jlinkowsky
Level 4

Good afternoon,

I'm looking for an easy way to migrate my "old fashioned" way of MAC filtering into my ISE environment.  We have several SSIDs in our network, in which some of them are using MAC filtering for secure access.  This consists of updating a spreadsheet, and importing it to the controllers (via Prime).

I would really like to retire the spreadsheet, and move to ISE for these SSIDs. It would be much better than using the spreadsheet.

Thanks in advance,

John L.

Hello John,

Thank you for your question.

If I understand your question correctly, you would like to import all MAC addresses from your endpoints to the ISE. If so, indeed, there is such an option on the ISE side. If you go to Administration --> Identities, you will see import/export options. Please click on import and download a template for import. Adjust this file with information about your endpoints and import it back to the ISE. MAC address information will be stored on ISE locally.

Feel free to ask a question if I have misunderstood your question.

Thanks

/Artem

Artem,

You understood correctly!  Thank you for the information on how to easily do this.  The follow up question I have is, how do I then tell my controllers to use ISE for "MAC filtering" vs. using their local (imported) copy of the spreadsheet?

Basically, once I import the list (as you mention), I want to make sure that the controllers are looking at ISE now to validate the clients against the MAC filter, and not using their own locally stored copy.  (Hope this was clear).

Thanks,

John L.

Hello John,

You would need to have your server(s) configured in the Security --> AAA --> Radius menu.

Then in the Wlans --> Wlans menu, choose your SSID. You would need to adjust the Security tab there, to be more precise, the "Layer 2" tab with the "Mac Filtering" check box and the "AAA Servers" tab with your Radius Server IP address.

More on this here:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Thanks

/Artem

Artem,

Thank you VERY MUCH for your reply.  That's exactly what I needed.  I will take your advice, and move forward.

Thanks again!!

John L.

jiyoung Kim
Level 1

Hi, I have been deploying ISE for 3 years, but I still have a lot of questions.

Which is better to use for authentication order / priority?

MAB? Dot1x?

If MAB is first, when we re-authenticate a user, dot1x will not trigger.

If dot1x is first, non-dot1x devices will have to wait until dot1x is timed out whenever they are re-authenticated.

What is the better way?

Hello Sir,

Thank you for your question.

Well, it depends on the project's needs. In general, the MAB method is not really secure (a MAC address might be spoofed), but there might be devices which don't support dot1x authentication, and then you have to have MAB authentication. The concept of "dot1x" authentication is for sure much more secure and recommended for user/machine authentication; however, again, you need to keep in mind devices which do not support dot1x authentication and/or specific scenarios like PXE boot, where you will most likely be using MAB authentication.

Regarding "order / priority".

Most common use-case is to have configuration on interface level like below:

 authentication order mab dot1x
 authentication priority dot1x mab

With this configuration every device in the network will still be subject to MAB, but devices that pass MAB can subsequently go through "dot1x" authentication.

Please note, that this is not a template for all scenarios and configuration on interface should be adjusted based on project needs or/and device connected to the switch port.

Thanks

/Artem
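The order/priority pairing discussed in the answer above can be checked across a whole switch configuration. The following is an added example, not part of the original thread or Cisco's code: the function names, finding labels and sample configuration are constructed, and it assumes that a port without an `authentication priority` line uses its order as its priority.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication order mab dot1x
 authentication priority dot1x mab
!
interface GigabitEthernet1/0/2
 authentication order mab dot1x
!
interface GigabitEthernet1/0/3
 authentication order dot1x mab
!
interface GigabitEthernet1/0/4
 authentication order mab
"""

def rank(methods, name):
    return methods.index(name) if name in methods else len(methods)

def audit_auth_order(config):
    """Map each interface that sets an authentication order to a finding."""
    findings = {}
    for block in re.split(r"(?m)^(?=interface )", config):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("interface "):
            continue
        order, priority = None, None
        for words in (line.split() for line in lines[1:]):
            if words[:2] == ["authentication", "order"]:
                order = words[2:]
            elif words[:2] == ["authentication", "priority"]:
                priority = words[2:]
        if order is None:
            continue  # port does not configure an authentication order
        effective = priority or order  # assumption: unset priority follows order
        if "dot1x" not in order:
            finding = "mab-only"  # identity rests on the MAC address alone
        elif rank(effective, "mab") < rank(effective, "dot1x"):
            finding = "mab-outranks-dot1x"  # 802.1X cannot replace a MAB session
        elif order[0] == "mab":
            finding = "mab-first-dot1x-preferred"  # the pair shown in the answer
        else:
            finding = "dot1x-first"  # MAB is only the fallback after timeout
        findings[lines[0].split()[1]] = finding
    return findings

if __name__ == "__main__":
    print(audit_auth_order(SAMPLE_CONFIG))
```

Ports reported as `mab-only` or `mab-outranks-dot1x` are the ones where a spoofed MAC address is the only thing standing between a device and the network, so they are the first to review.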

Wes Neary
Level 1

Hi There,

We are currently having an issue with our ISE deployment. We are trying to use certificate based authentication to allow corporate machines to join the Wi-Fi Network. Once connected, the machines then use a separate ECS certificate to initiate a Microsoft DA Tunnel back to the main corporate network. If just the RSA Wi-Fi Cert is installed, the machine connects to the SSID fine; if just the DA cert is installed, the machine can join other Wi-Fi networks and the DA tunnel is formed correctly; if both certs are present, neither functions correctly.

Any help greatly appreciated.

Hello Wes Neary,

Thank you for that question. We are not really sure about that, while that seems to be a problem related to Microsoft. I am not sure how the certificate is chosen when building that Microsoft DA Tunnel; however, regarding the Native Supplicant on Windows: you can check whether "simple certificate selection" is chosen (by default), in which case the first certificate with a private key is taken, or uncheck that option, and you should have the option to select a certificate when doing authentication on the SSID (configured under "Manage Wireless Networks": right-click a wireless connection -> Properties > "Security" tab > "Settings" > "Configure"). Once authentication is successful, there is a chance the Microsoft DA Tunnel will work as well.

If that does not help, I could suggest performing packet captures to understand which certificate is used for authentication and which for the Tunnel.

Hope that helps,

Wojciech

Hello to all,

I recently deployed ISE with vWLC in a client. The WLC serves 3 WLANs, one with MAB+ISE Guest Portal, one with dot1x+MS Active Directory and one with dot1x+External RADIUS server.

The first and second WLANs work just fine.

My problem is with the 3rd one. The dot1x auth reaches the ISE but the ISE reports timeout from the Ext RADIUS server. The Ext RADIUS is an Eduroam server and needs to get the authentication packets unchanged in order to forward them to another RADIUS server down the line.

I have setup another machine with Radius test tools using the same IP, ACL and NAT as the ISE, that can successfully connect to the RADIUS, so there is no actual timeout or network connectivity problem.

The Ext RADIUS admin gets the error that there is no EAP-message in the request, which means that he gets RADIUS packets, but ISE reports just a timeout and is not forwarding the authentication to the Ext RADIUS properly.

Thank you for your time!

Hello Panagiotis Georgiou,

Thank you for that question. That is quite a specific problem, applicable for a TAC case. The best way to troubleshoot that is to take a packet capture (for example on ISE in Diagnostic Tools) in order to understand on which side you are having the problem. Looking into packet captures, we can clearly say if the RADIUS packets are correct and whether ISE is indeed the side causing the issue. Please also double check if pre-shared key is correct between.

After doing some research I have found following bug, please take a look and try workaround if that applies to your deployment:

https://tools.cisco.com/bugsearch/bug/CSCup45594/?reffering_site=dumpcr

Thank you

Wojciech

EU UC Support
Level 4

Hi Wojciech & Artem,

Currently I am on ISE 1.4. I am looking for best practice regarding renewal of the expired Certificates.

Last time when I tried to create the CSR I got error:

internal error-multiple certificates with matching subject were found in the database. please delete duplicates

I could not use the same FQDN as in the current certificate. I found a workaround, but would like to avoid any issue like that in future.

Thank you for any advice.

Regards,

Rafa