12-03-2015 02:37 PM - edited 03-10-2019 11:17 PM
Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions about Cisco Identity Service Engine (ISE) to Artem Tkachov and Wojciech Cecot.
Ask questions from Monday, December 14 to Wednesday, December 23, 2015.
The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources.
This session will help customers with troubleshooting, configuring and implementing ISE solutions in their networks.
Artem and Wojciech will be helping you with all your queries on all of the above.
Artem Tkachov is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working in TAC for the past 3 years and has 8 years of industry experience in enterprise deployment and troubleshooting. His areas of expertise currently include Firewalls, VPNs, AAA, 802.1X (MACsec/TrustSec), ISE (BYOD, HotSpot, etc.) and ACS, as well as knowledge of Routing and Switching, Service Provider and Data Center technologies. Artem holds CCIE certifications (#39668) in Routing and Switching, Service Provider and Wireless, as well as CCNP Security, JNCIS-SP, RHCSA and ITIL certifications.
Wojciech Cecot is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working in TAC since May 2014 and has 3 years of industry experience in enterprise deployment and troubleshooting. His areas of expertise cover ISE, TrustSec, BYOD, ACS 5.x and 802.1X. Prior to joining Cisco, he worked as a junior system engineer at Comarch. He graduated with Bachelor's and Master's degrees in Electronics and Telecommunications from AGH University of Science and Technology.
Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.
Because of the volume expected during this event, Artem and Wojciech might not be able to answer every question.
**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions
12-18-2015 07:02 AM
Hey Rafa,
Thank you for that question. Indeed, we cannot generate a CSR with exactly the same fields that are part of the Subject (the subject is the concatenation of several fields, for example CN, O, OU, etc.). We have the following options:
1. Renew the certificate with the same key; however, that applies to Microsoft CA:
https://technet.microsoft.com/en-us/library/cc730605.aspx
2. Generate a CSR with some different fields in the subject (O, OU, etc.),
3. Generate the CSR outside of ISE, including a private key, and then replace the certificate when importing.
Hope that helps,
Thank you,
Wojciech
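As an added example for option 3 above (shell with OpenSSL; this is not code from the original reply or from Cisco), the private key and CSR are produced outside ISE, so every subject field and SAN can be chosen freely, and the request is checked before it goes to the CA. The hostnames and organization are placeholders, and the key-usage extensions are the ones an ISE system certificate is commonly requested with, not values stated in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: build the key and CSR outside
# ISE with an explicit subject and SAN list, then verify the request before
# sending it to the CA. Names below are placeholders; nothing talks to ISE.
set -eu
umask 077   # the key is written unencrypted (-nodes); keep it owner-readable only

# make_csr KEY CSR SUBJECT SANS
#   SUBJECT is an OpenSSL DN such as "/CN=ise.example.com/O=Example Corp/OU=Network"
#   SANS is the subjectAltName value, e.g. "DNS:ise.example.com,DNS:ise01.example.com"
# Requires OpenSSL 1.1.1 or later for -addext.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1" -out "$2" -subj "$3" \
    -addext "subjectAltName=$4" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1
}

# csr_subject CSR -> prints the subject line of the request
csr_subject() { openssl req -in "$1" -noout -subject; }

# csr_sans CSR -> prints the SAN line, e.g. "DNS:ise.example.com, DNS:ise01.example.com"
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# csr_matches_key CSR KEY -> exit 0 when the public key in the CSR belongs to KEY
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# csr_signature_ok CSR -> exit 0 when the request's self-signature verifies
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -qi 'verify OK'
}

# check_csr CSR KEY CN -> exit 0 when the request is consistent and carries
# the expected CN in the subject and as a DNS SAN
check_csr() {
  csr_signature_ok "$1" &&
  csr_matches_key "$1" "$2" &&
  csr_subject "$1" | grep -q "CN *= *$3" &&
  csr_sans "$1" | grep -q "DNS:$3"
}

# Example run with placeholder names
WORK=$(mktemp -d)
make_csr "$WORK/ise.key" "$WORK/ise.csr" \
  "/CN=ise.example.com/O=Example Corp/OU=Network" \
  "DNS:ise.example.com,DNS:ise01.example.com"
check_csr "$WORK/ise.csr" "$WORK/ise.key" ise.example.com && echo "CSR ready: $WORK/ise.csr"
```

Once the CA returns the signed certificate, import it into ISE together with this key file and then delete the key from the workstation. On OpenSSL releases older than 1.1.1, which lack -addext, put the same extensions in a config file passed with -config.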
12-18-2015 07:25 AM
Hi Wojciech & Artem,
This has been an excellent event so far - great work guys!
I have a bit of an unusual request for an implementation I am working on. The organization would like to have a single SSID and then differentiate the authorization profile based on information that the end user provides (or selects) in the ISE-hosted Central Web Authentication Self-registration portal.
I was thinking perhaps I can use a custom field in Guest Account creation process and base my AuthZ profile on that field value using a user dictionary element and compound condition based on it. However that is dependent on the user entering a value exactly right. It is also not documented as a valid approach in any of the resources I have seen (Product configuration guide, how-to guides, Cisco Live presentations or the SISAS book) so I have doubt from that fact alone.
Ideally they would choose a desired profile from a dropdown list but I am not sure I can do that without coding a completely custom portal in HTML outside of the ISE product and then importing the code.
I looked into the ISE Portal Builder tool and it does not have any such options.
Can you suggest a better approach?
12-20-2015 06:23 AM
Hi Marvin,
Thank you for this question.
I have read it carefully and, frankly speaking, you can use this approach, but as you said it is highly reliant on the information the customer would put in the custom field you create.
In the meantime, I have tried to replicate it in my lab; however, at this moment it is impossible to do (at least in a customer-available way). In my lab I was trying to create a custom field and match this particular field in authorization rules. However, I didn't find this field in the condition menu, hence I filed a new bug, CSCux62277.
About "completely custom portal in HTML outside":
You can do this (you can even write Java code to insert specific field(s) in the portal), but the problem is matching it in authorization rules afterwards.
My advice would be to wait until this new bug is fixed.
Thanks
/Artem
12-20-2015 06:23 AM
Artem,
Thank you very much for your thorough investigation of my question. I will indeed watch that bugID for resolution. Thanks also for making it customer visible.
Meanwhile, I will advise my stakeholders of alternative methods to the requirement - probably via simply using separate SSIDs to afford more fine-grained differentiation of services for different categories of self-registered guests.
Happy holidays!
12-20-2015 09:03 AM
Hello Marvin,
A second (separate) SSID would definitely be a solution in your scenario, at least until the bug is fixed.
Happy holidays ;-) !
/Artem
12-21-2015 04:28 AM
Hello Marvin,
I have found another bug for the same issue: bug # CSCuv42389. Please subscribe to this one as well, as the solution/information about the fix will be shared on only one of those bugs.
Thanks
/Artem
12-21-2015 05:50 AM
Thanks Artem,
I've added that second bugID to my subscription.
12-18-2015 07:42 AM
Thank you all for your great questions and Artem and Wojciech for the very prompt and great responses. I agree with Marvin that this is a great event. Keep the questions coming. Please acknowledge the answers provided by rating them.
Happy holidays!
Monica Lluis
Global Community Manager
12-18-2015 03:31 PM
Hi Wojciech & Artem,
I will be glad if you can help me with this. I need to configure ANC (Adaptive Network Control) on ISE 2.0.
I was working with ANC on ISE 1.4, and in that version we have the UNQUARANTINE option, which is not present in ISE 2.0. Why?
On the other hand, in order to enable ANC it must be done under Administration > System > Settings > ANC, but in ISE 2.0 there is no option to do that. Why?
I attach some info.
Thanks.
12-20-2015 08:56 AM
Hello Tito,
Thank you for your question.
Unfortunately, this option has been removed from ISE 2.0. There are some internal discussions about bringing it back; however, as of now I don't see it available on ISE 2.0.
As a workaround, I would propose that you use the ISE EPS API for the UnQuarantine action:
+++
https://<ISE>/ise/eps/UnQuarantineByMAC/[MAC]
https://<ISE>/ise/eps/UnQuarantineByIP/[IP]
+++
Hope that helps.
Thanks,
/Artem
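An added example (shell, not from the original reply or from Cisco) that drives the two EPS URLs above from a script: it validates and normalizes the MAC or IP before it is placed in the URL, and sends the request over verified TLS with HTTP basic authentication. The ISE hostname, credentials and CA bundle are placeholders; the accepted MAC spellings, the upper-case colon-separated form sent to ISE, and the use of an HTTP GET with basic authentication are assumptions of this example, not behaviour the thread documents.

```shell
#!/bin/sh
# Added example, not from the original thread: call the EPS UnQuarantine API
# safely from a script. Host, credentials and CA bundle are placeholders.
# The MAC normalisation and GET-with-basic-auth request shape are assumptions.
set -eu

# eps_url ISE_HOST TARGET -> prints the UnQuarantine URL for a MAC or an IPv4
# address; exit 1 for anything else (so no unchecked text reaches the URL).
# MACs are accepted as aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff
# and sent upper case, colon separated (assumed format).
eps_url() {
  host=$1; target=$2
  case $target in
    *[!0-9A-Fa-f:.-]*) return 1 ;;   # reject slashes, spaces, anything odd
  esac
  if printf '%s' "$target" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    printf 'https://%s/ise/eps/UnQuarantineByIP/%s\n' "$host" "$target"
    return 0
  fi
  hex=$(printf '%s' "$target" | tr -d ':.-' | tr 'a-f' 'A-F')
  if printf '%s' "$hex" | grep -Eq '^[0-9A-F]{12}$'; then
    mac=$(printf '%s' "$hex" | sed -e 's/\(..\)/\1:/g' -e 's/:$//')
    printf 'https://%s/ise/eps/UnQuarantineByMAC/%s\n' "$host" "$mac"
    return 0
  fi
  return 1
}

# unquarantine ISE_HOST USER PASS CA_BUNDLE TARGET -> prints the HTTP status.
# The CA bundle is used instead of curl -k: an admin credential travels in
# this request, so the server identity must be verified.
unquarantine() {
  url=$(eps_url "$1" "$5") || { echo "invalid MAC/IP: $5" >&2; return 1; }
  curl --silent --show-error --cacert "$4" -u "$2:$3" \
       -o /dev/null -w '%{http_code}\n' "$url"
}

# Usage (placeholders; this line only builds the URL, it does not contact ISE):
eps_url ise.example.com 00:11:22:aa:bb:cc
# unquarantine ise.example.com apiuser "$ISE_PASS" /etc/ssl/ise-ca.pem 0011.22aa.bbcc
```

Keep the credential out of the command line on shared hosts (read it from a variable or a curl netrc file), and use an account limited to the EPS/ANC permissions rather than a full admin.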
12-19-2015 11:46 PM
Hi Artem & Wojciech,
First of all, thanks to you and Monica for this awesome conversation. I have some points you may be able to help me with; I disabled some of the posture policies until I find a solution regarding these points:
First:
If I need to update the Host Discovery IP/hostname from the ISE server (Policy > Results > Client Provisioning > Resources > Host Discovery), I notice that the IP is still the old one on many endpoints. How do I force the endpoints to take the new IP/hostname? When I check NACAgentCFG.xml I find the old IP.
Second:
I have an issue with windows update posture policy, my current configuration as below:
Posture Policy
Rule Name: Windows7_Update_Wired_HQ
OS: Windows 7 (All)
Other Condition: DEVICE:Device Type EQUALS All Device Types#Access Switches HDQ AND AD1:ExternalGroups EQUALS wb.PALTEL.NET/Users/Domain Users
Requirement: Windows-Update-7
Requirement: Windows-Update-7
OS: Windows 7 (All)
Condition: pr_Win7_32_Hotfixes & pr_Win7_64_Hotfixes
Remediation: Windows-Update-Rem (Windows Server Update Services Remediations)
Remediation: Windows-Update-Rem
Remediation Type: Manual
Validate Windows updates using: Severity Level
Windows Updates Severity Level: Critical
Windows Updates Installation Source: Managed Server
Installation Wizard Interface Setting: Show UI
When we push an update from our WSUS managed server, the NAC Agent takes a lot of time in the checking requirements phase (more than 30 minutes), but when I interrupt this by restarting the Windows Update service it finishes this phase; and sometimes, if the client does not have all updates, the NAC Agent does not pop up at all.
Could you also provide a brief description of how the Windows update posture works: how can ISE know about any new update if it does not have any direct connection to the WSUS server? I attached a video about this issue.
Cisco Identity Services Engine
Version : 1.3.0.876
Cisco Identity Services Engine Patch
Version : 3
12-21-2015 06:49 AM
Hello Sir,
Thank you for those questions. Let's start with the first one. If I understand it correctly (that the Host Discovery IP address is not propagated properly to the endpoint), make sure that you are going through the Client Provisioning portal first, as NACAgentCFG.xml will not be propagated automatically.
Also make sure that clients are able to communicate with that PSN. As next steps, try with the latest NAC Agent or even AnyConnect. If that does not help, I could suggest checking whether removing the NAC Agent and going through Client Provisioning one more time helps with getting the proper IP on the end station.
Regarding posture compliance related to Windows updates: either you need to authenticate one more time with the endpoint (which triggers the posture check) or configure reassessments under Administration > Settings > Posture > Reassessments.
It is up to the endpoint to determine that some Windows updates are missing. In more detail, the NAC Agent uses the OPSWAT library to determine that the client does not have the latest fixes and that an update should be performed.
Hope that helps,
Wojciech
12-20-2015 01:54 AM
Hi
How can location-based authorization and authentication be done in ISE with the integration of the Mobility Services Engine?
Thanks
12-20-2015 02:00 AM
Hello Malel,
Thank you for your question.
I'm sharing with you an article where this scenario is described:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200196-Location-based-authorization-with-Mobili.html
Thanks
/Artem
12-20-2015 03:16 AM
Hi
In an ideal situation, a user connects to the web authentication SSID on a converged WLC, opens a web browser and the WLC redirects to the guest portal on ISE.
In my case most of the users were not able to see the guest portal. After reducing the default session-timeout value to about 1/10 in the WLAN configuration, users were able to see the guest portal.
Does this indicate a problem related to the WLC or to ISE?
Thank you