12-03-2015 02:37 PM - edited 03-10-2019 11:17 PM
Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions about Cisco Identity Service Engine (ISE) to Artem Tkachov and Wojciech Cecot.
Ask questions from Monday, December 14 to Wednesday, December 23, 2015
The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources.
This session will help customers with troubleshooting, configuring and implementing ISE solutions in their networks.
Artem and Wojciech will be helping you with all your queries on all of the above.
Artem Tkachov is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC for the past 3 years and has 8 years of industry experience working with enterprise deployment and troubleshooting. His areas of expertise currently include Firewalls, VPNs, AAA, 802.1X (MACsec/TrustSec), ISE (BYOD, HotSpot, etc.) and ACS, as well as knowledge of Routing and Switching, Service Provider and Data Center technologies. Artem holds CCIE certifications (# 39668) in Routing and Switching, Service Provider and Wireless, as well as CCNP in Security, JNCIS-SP, RHCSA and ITIL certifications.
Wojciech Cecot is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC since May 2014 and has 3 years of industry experience working with enterprise deployment and troubleshooting. His area of expertise covers ISE, TrustSec, BYOD, ACS 5.x and 802.1X. Prior to joining Cisco, he worked as a junior system engineer at Comarch. He graduated with Bachelor's and Master's degrees in Electronics and Telecommunications from AGH University of Science and Technology.
Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.
Because of the volume expected during this event, Artem and Wojciech might not be able to answer every question.
**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions
12-21-2015 01:08 AM
Hello Malel,
Thanks for your question.
Reducing the session-timeout will reduce the time before re-authentication occurs.
Frankly speaking, without knowing your wireless infrastructure as well as the specific client scenario, it's difficult to answer. At first view, I don't see a direct link between reducing the session-timeout and the guest portal appearance.
Thanks
/Artem
12-21-2015 01:03 AM
Hi Artem & Wojciech,
Is it possible to redirect two guest groups (for example weekly guest users and contractors) to two different guest portals?
If so, how should it be done?
I have one authentication policy and one authorization policy that redirects guest users to the guest portal.
After authorization, two other authorization policies exist that give the rights for weekly users and contractors.
And it works properly.
But I'd like to create two different guest portals for those two groups; how should it be achieved?
Regards,
Bogdan
12-21-2015 03:54 AM
Hello Bogdan,
Thank you for your question.
You would need to create 2 different portals as well as 2 different authorization results/profiles and link those portals inside those authorization results/profiles. Once it's done, you would need to create 2 authorization rules where the identity group would be your guest types and the permissions would be the 2 different authorization results/profiles you have created earlier. Please also make sure about the final rule(s) that will allow your guest users to have full/limited network access after the login action to the portal.
To be frank, I don't see a reason behind such a scenario (unless you would like to present different portals to the guests). Your end customers already have specific account types, based on which you can already assign specific access to the network without an extra login action to the portal.
Thanks
/Artem
12-21-2015 06:13 AM
Hello Artem,
Exactly, such a scenario was "invented" by the customer's management in order to present different portals to different guest users.
But what criterion should be used to differentiate the users at the first stage of authorization?
I think it's impossible, because we don't know which guest is just logging in at that phase...
Regards,
Bogdan
12-21-2015 06:26 AM
Hello Bogdan,
Before the user logs in, you can do this based on, for example, the WLC IP address/hostname, SSID ID, etc., whatever attribute in the RADIUS packet might be different for different guests. Maybe it would be a good idea for you to have separate SSIDs for different types of guests and then match the SSID ID in the authorization rules and present different portals.
Thanks
/Artem
12-21-2015 02:42 AM
Hello guys,
I recently deployed ISE with WLC for Guest user with MAB+ISE Guest Portal.
1/ When I'm looking at my ISE dashboard, the total number of active endpoints doesn't refresh since the last polling. Is it a bug, or maybe an addition of sessions from the last days?
2/ I've installed 2 ISE to create a redundant architecture, but when I try to register the second one I have an error 'unable to authenticate. Please check server and CA certificate'.
What are the prerequisites to register the second one?
Thanks for your help. Sacha
12-21-2015 02:45 AM
Hi Experts,
I have a new installation of ISE 2.0 for 1100 endpoints (wired). We are in the phase of testing 20-30 users-endpoints before going into the full deployment.
The policies for now are quite simple, Machine and User authentication for domain computers-users using MAR and MAB for endpoints that do not support 802.1x.
Below are a few questions:
1) On many endpoints (Win7-8-10) I receive the error "5440 Endpoint abandoned EAP session and started new". Any ideas? I have noticed the same error also in a recent wireless deployment I've done using ISE 2.0 and a SW3850 acting as Mobility Controller.
2) What is the recommended timer for re-authentication? The default 3600 sec or 7200 sec?
3) Under Administration - System - Settings - Protocol, there are some settings for PEAP. Is it recommended to enable "Session Resume, Session Timeout and Fast Reconnect"?
If so, what is the recommended value for the session timeout and how is this related to the re-authentication timer on the switch port?
4) I've configured the "Local Logs Store Period" up to 90 days, but in "Radius LiveLog" I can see only the last 24 hours of logs.
5) Any tips when PXE is a requirement in a 802.1x environment?
Best regards,
Christos
12-21-2015 06:20 AM
Hello Christos,
Thank you for those questions.
ad.1 That is quite a generic error message. I could suggest looking into the details of the authentication report; on the right you should see a list of the steps and understand what could be the reason for that (it could be that the endpoint is not responding properly at some point, e.g. the client is sending a certificate and packets with a big MTU are not passing through the network correctly). Sometimes it could be related to the timer configuration on the NAS device or the network itself; however, that can be verified in the ISE report.
ad.2 That fully depends on the particular deployment. Set it to whatever the security policy states, but preferably 7200+ seconds. Longer is better for AAA load, up to a value of 86400 seconds for 802.1X SSIDs or 65535 seconds for open/CWA SSIDs; shorter is better from a security point of view.
ad.3 Well, that also depends on your security policy; however, I would suggest leaving it as it is. Meaning, you might increase performance with those options on the ISE server, however at a security cost. If you don't have any problems with load/performance, then leave it at the defaults.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011011.html#reference_FD4958B3B23245AE8C990058F5D05117
ad.4 Please check the ISE reports, one that you might be interested in: "Operations > Reports > ISE Reports > Endpoints and Users > Radius Authentications"
ad.5 Please refer to the guide below (Low-Impact Mode section):
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_24_low_impact_mode.pdf
Thank you
Wojciech
12-21-2015 07:20 AM
Hi Wojciech,
Thank you for your answers.
Please find attached the error log from the ISE. The final step is:
5440 | Endpoint abandoned EAP session and started new (Step latency=95702 ms)
I've performed several tests with different devices and I didn't notice high latency between the client and ISE.
Any thoughts?
I'd like to propose one small enhancement for the next releases.
After manually adding a device in the "Endpoints List" (let's say an IP Phone) and putting a description, it would be very helpful if "Endpoint Identity Groups" could add a column with the description of the device.
Thanks
12-21-2015 08:07 AM
Hello Christos,
Well, based on the provided logs we can see that ISE returned a Radius-Challenge message and an Access-Request was not received. Either the NAS device didn't send it or the supplicant stopped responding.
It could be a problem on the WLC or Windows itself. The next step would be to perform a packet capture on ISE and the client + "debug client 11:22:33:44:55:66" on the WLC; however, that already applies for a TAC case.
Thanks
Wojciech
12-21-2015 04:21 AM
Hello Sacha,
Thank you for your question.
1. Actually this information is taken from the MnT node; also, you need to keep in mind that the Active Endpoints meter shows data representing the endpoints connected to the network. This parameter is controlled by the accounting information received from the NAD. So maybe you don't have devices, or/and accounting information is not being received from the NAD, or communication to MnT has failed. There are some bugs on dashboard numbers; however, it's difficult to determine without the debugs from your deployment.
2. In a distributed deployment, at the time of registering a secondary node to the primary node, the secondary node should present a valid certificate. Usually, the secondary node will present its local HTTPS certificate. To provide authentication for deployment operations that require direct contact with the secondary node, the Certificate Trust List (CTL) hierarchy of the primary node should be populated with the appropriate trust certificates, which can be used to validate the HTTPS certificate of the secondary node. Before you register a secondary node in a deployment, you must populate the CTL of the primary node. If you do not populate the CTL of the primary node, node registration fails. Node registration also fails if certificate validation fails for some reason.
If you have a CA infrastructure, you would need to have the trusted CA certificates in the trusted store on both nodes, and the identity certificates on both nodes should be signed by the trusted CA.
Thanks
/Artem
12-21-2015 11:46 AM
Hi there, do you have a more detailed documentation around TACACS? The things that I am looking for are:
1. Maximum TACACS+ nodes per deployment
2. Maximum NADs support for TACACS+
3. Maximum round-trip delay for a TACACS+ node to a NAD
4. Maximum round-trip delay for a TACACS+ node to a PAN
5. Feature parity matrix between ISE 2.0 and ACS 5.x
6. Any other best practices around TACACS+ with ISE
Thanks in advance!
12-22-2015 04:01 AM
Hello Neno,
Thank you for those questions. Let me try to answer them one by one:
1. No special limitations on TACACS+ nodes in a deployment other than the regular PSN limits,
2. 30,000 per deployment --- number applies for TACACS+ and RADIUS NADs, however that should be confirmed with sizing guide, which should be released soon,
3. That should be configured on the NAD device itself,
4. In general there are no changes for RTT between nodes (internode communications for replication and management) when TACACS+ is used and it is < 200ms
5. The following features are missing in ISE 2.0 compared to ACS 5.x: IPv6 connectivity, customizable port for TACACS (there are already plans to implement that in ISE), max sessions per node (again, it will be available in the future),
6. Let me share with you articles written by a TAC engineer and videos where you could find some examples:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200207-ISE-2-0-ASA-CLI-TACACS-Authentication.html
https://www.youtube.com/watch?v=qbnvjzr_zi4
https://www.youtube.com/watch?v=bL8X9yJ3G7E
https://www.youtube.com/watch?v=6JNfCmMkjYc
https://www.youtube.com/watch?v=GN8xUhg_5TI
Thank you,
Wojciech
12-21-2015 04:34 PM
Hi Artem and Wojciech,
I'm assisting a customer with a simple ISE 2.0 deployment, just to get them familiar with the device before anything more complex.
ISE is properly joined to AD for authentication and Radius is being used in the absence of the Device Management license.
AnyConnect VPN sessions are being properly authenticated via Radius between the ASA and ISE and AD.
My problem is that when I add a separate policy for router and switch device management authorization there is an overlap with the VPN auth policy. Users in the AD:VPN Group are able to log into routers and switches on the LAN which of course we don't want. :-)
How do I separate or distinguish between policies?
I'm going to start watching some of the videos as suggested. I'm having no luck finding configuration example docs for the scenario I've described.
Thanks
Chris
12-22-2015 12:20 AM
Hello Chris,
Thank you for that question. You could separate it using the network device or tunnel group. The more specific the rule, the more secure it will be. For example:
Network Access:Device IP Address EQUALS 10.10.10.11
CVPN3000/ASA/PIX7x-Tunnel-Group-Name STARTS WITH SSL-ANYCONNECT
You can always look at the detailed authentication report and check what attributes are sent from ASA/Switch/Router when authenticating and then distinguish rules based on those values.
Thank you
Wojciech
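As an added example (not code from the thread or from Cisco), here is a small first-match evaluator covering the two rule-ordering points discussed above: Bogdan's per-SSID guest portals and Chris's overlap between the VPN rule and the switch/router device-admin rule. The attribute, profile and SSID names are assumptions for illustration.

```python
# Added example, not from the thread: a minimal first-match evaluator that mimics how an
# ordered authorization policy is walked against RADIUS attributes. Rule, profile and
# attribute names below are constructed for illustration, not real ISE object names.
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
Rule = Tuple[str, Callable[[Attrs], bool], str]  # (rule name, condition, authz profile)

def first_match(rules: List[Rule], attrs: Attrs, default: str = "DenyAccess") -> str:
    """Return the profile of the first rule whose condition matches (authorization rules
    are evaluated top-down, first match wins); otherwise the default rule's profile."""
    for _name, cond, profile in rules:
        if cond(attrs):
            return profile
    return default

def ssid(attrs: Attrs) -> str:
    # A WLC sends Called-Station-Id as "<AP-MAC>:<SSID>", so an ENDS_WITH style match on
    # the SSID name (assumed names Guest-Weekly / Guest-Contractor) selects the portal.
    return str(attrs.get("Called-Station-Id", "")).rsplit(":", 1)[-1]

# Bogdan's case: two portals, chosen by SSID before the guest has logged in.
GUEST_RULES: List[Rule] = [
    ("Weekly guest redirect", lambda a: ssid(a) == "Guest-Weekly", "Portal-Weekly-CWA"),
    ("Contractor redirect", lambda a: ssid(a) == "Guest-Contractor", "Portal-Contractor-CWA"),
]

# Chris's case: rules keyed only on AD group overlap, so a member of the VPN group who
# logs into a switch still hits the VPN rule and is permitted.
OVERLAPPING_RULES: List[Rule] = [
    ("VPN users", lambda a: "VPN" in a["AD-Groups"], "PermitAccess"),
    ("Network admins", lambda a: "NetAdmins" in a["AD-Groups"], "Shell-Priv15"),
]
# Adding the tunnel-group and device-IP conditions from the answer above removes the overlap.
SPECIFIC_RULES: List[Rule] = [
    ("VPN users", lambda a: "VPN" in a["AD-Groups"]
        and str(a.get("Tunnel-Group-Name", "")).startswith("SSL-ANYCONNECT"), "PermitAccess"),
    ("Network admins", lambda a: "NetAdmins" in a["AD-Groups"]
        and a.get("Device IP Address") == "10.10.10.11", "Shell-Priv15"),
]
# Constructed sample requests (a switch at 10.10.10.11, an ASA at 10.10.10.1).
VPN_USER_ON_SWITCH: Attrs = {"AD-Groups": ["VPN"], "Device IP Address": "10.10.10.11"}
ADMIN_ON_SWITCH: Attrs = {"AD-Groups": ["NetAdmins"], "Device IP Address": "10.10.10.11"}
VPN_USER_ON_ASA: Attrs = {"AD-Groups": ["VPN"], "Device IP Address": "10.10.10.1",
                          "Tunnel-Group-Name": "SSL-ANYCONNECT-Users"}

if __name__ == "__main__":
    print(first_match(OVERLAPPING_RULES, VPN_USER_ON_SWITCH))  # PermitAccess: the overlap
    print(first_match(SPECIFIC_RULES, VPN_USER_ON_SWITCH))     # DenyAccess
```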