cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

12281
Views
87
Helpful
107
Replies
Monica Lluis
Community Manager

Ask the Expert: Implementing and Troubleshooting Cisco Identity Services Engine (ISE)

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions about Cisco Identity Service Engine (ISE) to  Artem Tkachov and Wojciech Cecot. 

Join the Discussion : Cisco Ask the Expert

Ask questions from Monday December 14 to Wednesday December 23rd , 2015

The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources. 

This session will help customers with troubleshooting, configuring and implementing ISE solutions in their networks.

 

Artem and Wojciech will be helping you with all your queries on all of the above.

 

Artem Tkachov is a Customer Support Engineer in Cisco TAC Security team in Poland. He has been working with TAC for past 3 years and has 8 years of industry experience working with enterprise deployment and troubleshooting. His areas of expertise currently includes Firewalls, VPNs, AAA, 802.1X (MacSec/TrustSec), ISE (BYOD, HotSpot, etc.), ACS, as well as knowledge and in Routing and Switching, Service Provider, Data Center technologies. Artem holds CCIE certifications (# 39668) in Routing and Switching, Service Provider, Wireless, as well as CCNP in Security, JNCIS-SP, RHCSA, and ITIL certification.

 

 

 

Wojciech Cecot is a Customer Support Engineer in Cisco TAC Security team in Poland. He has been working with TAC since May 2014 and has 3 years of industry experience working with enterprise deployment and troubleshooting. His area of expertise covers ISE, TrustSec, BYOD, ACS 5.x, 802.1x. Prior to joining Cisco, he worked as a junior system engineer at Comarch. He is graduated with a Bachelor's and Master's degrees in Electronics and Telecommunications from AGH University of Science and Technology.

 

Find other  https://supportforums.cisco.com/expert-corner/events.

Because of the volume expected during this event, Artem and Wojciech might not be able to answer every question. 

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

 

Join the Discussion : Cisco Ask the Expert

I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead
107 REPLIES 107

Hello Malel,

Thanks for your question.

Reducing the time of session-timeout, will reduce time before re-authentication occurs.

Frankly speaking, before knowing your wireless infrastructure as well as the specific client scenario, it's difficult to answer. From the first view, I don't see a direct link between reducing session-timeout and guest portal appearance.

Thanks

/Artem

bomos32768
Beginner

Hi  Artem & Wojciech,

Is it possible to redirect two guest groups(for example weekly guest users and contractors) to two different guest portals?

If so haw it should be done?

I have one authentication policy, one authorization policy that redirects guest users to guest portal.

After authorization two another authorization policy exists that gives the rights for weekely users and contractors.

And it works properly.

But I'd like to create two different guest portals for those two groups, how it should be achieved?

Regards,

Bogdan

Hello Bogdan,

Thank you for your question.

You would need to create 2 different portals  as well as 2 different authorization results/profiles  and link  those portals inside those authorization results/profiles. Once it's done, you  would need to create 2 authorization rules where the identity group would be your guest types and the permissions  would be 2 different authorization results/profiles you have created earlier. Please also, make sure about the final rule(s), that will allow your guest users to have a full/limited network access after the login action to the portal.

To be frank enough, I don't see a reason behind such scenario (unless you would like to present different portals to the guests). Your end customers have already specific account types, based on which you can already assign specific access to the network without extra login action to the portal.

Thanks

/Artem

Hello Artem,

Exactly, such scenario was "invented" by customers management in order to present different portals to different guest users.

But what criterion to use to differentiate the users at the first stage of authorization?

I think its impossible, cause we don't know which guest just logging in at that phase...

Regards,

Bogdan

Hello Bogdan,

Before user logged in, you can do this based on , for example , on WLC ip address/hostname, SSID Id, etc., whatever attribute in Radius packet that might be different for different guests.  Maybe, would be a good idea for you to have separate SSIDs for different type of guests and then match SSID id in authorization rules and present different portals.

Thanks

/Artem

sacha2577
Beginner

Hello guys,

I recently deployed ISE with WLC for Guest user with MAB+ISE Guest Portal.

1/When i'm looking on my ISE dashboard the total number of active endpoint  doesn't refresh as it's on the last polling. Is it a bug or maybe an addition of sessions on last days?

2/I've install 2 ISE to create a redundant architecture but when I try to register the second one I have an error 'unable to authenticate. Please check server and CA certificate'.
What are the prerequisites to register the second one?

Thanks for your help. Sacha

Hi Experts,

I have a new installation of ISE 2.0 for 1100 endpoints (wired). We are in the phase of testing 20-30 users-endpoints before going into the full deployment.

The policies for now are quite simple, Machine and User authentication for domain computers-users using MAR and MAB for endpoints that do not support 802.1x.

Below are a few questions:

1) On many endpoints (Win7-8-10) i receive the error "5440 Endpoint abandoned EAP session and started new ". Any ideas? I have noticed the same error also in a recent Wireless deployment i've done using ISE2.0 and SW3850 acting as Mobility Controller.

2) What is the recommended timer for re-authentication? The default 3600sec or 7200 sec?

3) Under Administration - System - Settings - Protocol , there are some settings for Peap. Is recommended to enable "Session Resume, Session Timeout and Fast Reconnect"?

If so, what is the recommended value for the session timeout and how is this related with the re-authentication timer on switch port?

4) I've configured the " Local Logs Store Period " up to 90 days but in " Radius LiveLog" i can see i only the last 24hours logs.

5) Any tips when PXE is a requirement in a 802.1x environment?

Best regards,

Christos

Hello Christos,

Thank you for those questions.

ad.1 That is quite generic error message, I could suggest to look into details of the authentication report and on the right you should see list of the steps and understand what could be the reason for that (could be that Endpoint is not responding at some time properly, like client is sending certificate and packets with big MTU are not passing the network correctly). Sometimes it could be related to timers configuration on the NAS device or network itself, however that can be verified in the ISE report.

ad.2 That fully depends on the particular deployment. Set it to whatever the security policy states, but preferably 7200+ seconds. Longer is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view.

ad.3 Well, that also depends on your security policy, however I would suggest to leave it as it is. Meaning, you might increase performance with those options on ISE server, however with security cost. If you don't have any problems with load/performance then leave it with defaults.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011011.html#reference_FD4958B3B23245AE8C990058F5D05117

ad.4 Please check the ISE reports, one that you might be interested in: "Operations > Reports > ISE Reports > Endpoints and Users > Radius Authentications"

ad.5 Please refer to the guide below (Low-Impact Mode section):

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_24_low_impact_mode.pdf

Thank you

Wojciech

Hi Wojciech,

Thank you for your answers.

Please find attached the error log from the ISE. The final step is:

5440

Endpoint abandoned EAP session and started new ( Step latency=95702 ms)

I've performed several tests with different devices and i didn't noticed high latency between the client and ISE.

Any thoughts?

I'd like to propose one small enhancement for the next releases.

After manually adding a device on "Endpoints List" (let's say an IP Phone) and put a description, would be very helpful if on "Endpoint Identity Groups" could add a column with the description of the device.

Thanks

Hello Christos,

Well, based on the provided logs we can see that ISE returned Radius-Challenge message and Access-Request was not received. Either NAS device didn't send it or supplicant stopped responding.

It could be problem on WLC or Windows itself. Next step would be to perform packet capture on ISE and client + "debug client 11:22:33:44:55:66" on WLC, however that already applies for a TAC case.

Thanks

Wojciech

Hello Sacha,

Thank you for your question.

1.  Actually this information is being taken from MnT node, also you need to keep in mind that Active Endpoints metric meter shows data representing the endpoints connected to the network. This parameter controlled by Accounting information received from NAD.  So, maybe you don't have devices or/and accounting information not being received from NAD, or communication to MnT has been failed. There are some bugs on dashboard numbers, however it's difficult to determine without the debugs from your deployment.

2. In a distributed deployment, at the time of registering a secondary node to the primary node, the secondary node should present a valid certificate. Usually, the secondary node will present its local HTTPS certificate. To provide authentication for deployment operations that require direct contact with the secondary node, the Certificate Trust List (CTL) hierarchy of the primary node should be populated with the appropriate trust certificates, which can be used to validate the HTTPS certificate of the secondary node. Before you register a secondary node in a deployment, you must populate the CTL of the primary node. If you do not populate the CTL of the primary node, node registration fails. Node registration also fails if certificate validation fails for some reason.

If you have CA infrastructure, you would need to have  trusted CA certificates on both nodes in trusted store as well as identity certificates on both nodes should be sign by the trusted CA.

Thanks

/Artem

nspasov
Cisco Employee

Hi there, do you have a more detailed documentation around TACACS? The things that I am looking for are:

1. Maximum TACACS+ nodes per deployment

2. Maximum NADs support for TACACS+

3. Maximum round-trip delay for a TACACS+ node to a NAD

4. Maximum round-trip delay for a TACACS+ node to a PAN

5. Feature parity matrix between ISE 2.0 and ACS 5.x

6. Any other best practices around TACACS+ with ISE

Thanks in advance!

Hello Neno,

Thank you for those questions. Let me try to answer them one by one:

1. No special limitations on TACACS+ nodes in a deployment other than the regular
PSN limits,

2. 30,000 per deployment --- number applies for TACACS+ and RADIUS NADs, however that should be confirmed with sizing guide, which should be released soon,

3. That should be configured on the NAD device itself,

4. In general there are no changes for RTT between nodes (internode communications for replication and management) when TACACS+ is used and it is < 200ms

5. Following features are missing in ISE 2.0 comparing to ACS 5.x: IPv6 connectivity, customizable port for TACACS (there are already plans to implement that to ISE), max session per node (again, it will be available in the future),

6. Let me share with you articles wrote by TAC engineer and videos where you could find some examples:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200207-ISE-2-0-ASA-CLI-TACACS-Authentication.html

https://www.youtube.com/watch?v=qbnvjzr_zi4

https://www.youtube.com/watch?v=bL8X9yJ3G7E

https://www.youtube.com/watch?v=6JNfCmMkjYc

https://www.youtube.com/watch?v=GN8xUhg_5TI

Thank you,

Wojciech

cchubb
Beginner

Hi Artem and Wojciech,

I'm assisting a customer with a simple ISE 2.0 deployment, just to get them familiar with the device before anything more complex.

ISE is properly joined to AD for authentication and Radius is being used in the absence of the Device Management license.

AnyConnect VPN sessions are being properly authenticated via Radius between the ASA and ISE and AD.

My problem is that when I add a separate policy for router and switch device management authorization there is an overlap with the VPN auth policy.  Users in the AD:VPN Group are able to log into routers and switches on the LAN which of course we don't want. :-)

How do i separate or distinguish between policies?

I'm going to start watching some of the videos as suggested.  I'm having no luck finding configuration example docs for the scenario i've described.

Thanks

Chris

Hello Chris,

Thank you for that question. You could separate it using network device or tunnel group. More specific rule, more secure it will be. For example:

Network Access:Device IP Address EQUALS 10.10.10.11

CVPN3000/ASA/PIX7x-Tunnel-Group-Name STARTS WITH SSL-ANYCONNECT

You can always look at the detailed authentication report and check what attributes are sent from ASA/Switch/Router when authenticating and then distinguish rules based on those values.

Thank you

Wojciech

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube