Ask the Expert: Implementing and Troubleshooting Cisco Identity Services Engine (ISE)

Monica Lluis
Level 9

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions about Cisco Identity Services Engine (ISE) to Artem Tkachov and Wojciech Cecot.

Join the Discussion : Cisco Ask the Expert

Ask questions from Monday, December 14 to Wednesday, December 23, 2015

The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources. 

This session will help customers with troubleshooting, configuring and implementing ISE solutions in their networks.

Artem and Wojciech will be helping you with all your queries on all of the above.

Artem Tkachov is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC for the past 3 years and has 8 years of industry experience working with enterprise deployment and troubleshooting. His areas of expertise currently include Firewalls, VPNs, AAA, 802.1X (MacSec/TrustSec), ISE (BYOD, HotSpot, etc.), ACS, as well as knowledge in Routing and Switching, Service Provider, and Data Center technologies. Artem holds CCIE certifications (# 39668) in Routing and Switching, Service Provider, and Wireless, as well as CCNP in Security, JNCIS-SP, RHCSA, and ITIL certification.

Wojciech Cecot is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC since May 2014 and has 3 years of industry experience working with enterprise deployment and troubleshooting. His area of expertise covers ISE, TrustSec, BYOD, ACS 5.x, and 802.1x. Prior to joining Cisco, he worked as a junior system engineer at Comarch. He graduated with Bachelor's and Master's degrees in Electronics and Telecommunications from AGH University of Science and Technology.


Find other events at https://supportforums.cisco.com/expert-corner/events.

Because of the volume expected during this event, Artem and Wojciech might not be able to answer every question. 

**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions

Join the Discussion : Cisco Ask the Expert

I hope you and your loved ones are safe and healthy
Monica Lluis
Community Manager Lead

Viktor Bohdal
Level 1

Hello guys,

What is the best practice about certificates for web portals (Sponsor, Guest, MyDevices, MDM,...). Is it better to have one certificate with multiple SANs and deploy it on all nodes or to have multiple certificates for each portal (one certificate for sponsor, another for mydevices, etc.)?

Using virtual appliances and a distributed deployment, we wanted to run guest portals on GigE1 to separate guest traffic into the guest VLAN, but then we faced some issues with the deployment. Do the nodes use all interfaces for inter-node communication?

Thank you in advance.

Best regards

Hello Viktor,

Well, in general it would be better to have separate certificates for each role, as that would be more secure. Regarding certificates (which is a huge topic), I could suggest watching the great presentation (video) by Aaron Woland from Cisco Live; please take a look: ("BRKSEC-3697 - Advanced ISE Services, Tips and Tricks (2014 San Francisco)")

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78700&backBtn=true

Regarding the question about different interface usage in ISE, please refer to the guide below:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/installation_guide/b_ise_InstallationGuide14/b_ise_InstallationGuide14_appendix_01010.html

Gig0 must be available for Administration and Replication purposes; however, Guest/Profiling/Posture can run on the rest of the interfaces.

Thank you

Best Regards

Wojciech

Silverbeat
Level 1

Hi Experts,

I have a problem with the provisioning portal. My client is connected via AnyConnect VPN to the ASA 5506X, the RADIUS auth is successful with the ISE and I get the redirect URL correctly, but I cannot open the page. I can see the forward packets toward the ISE but no answer back. If I try to open the page from the inside network I get an access forbidden page. I checked the portal test URL in the ISE portal settings and it runs.

Do you have any idea what could be the problem?

Thanks,

Adam

Hello Adam,

In your case I would check the configuration in the "group-policy" for VPN access. For example, check "split-tunnel-policy" (maybe, for a test, set "tunnelall" if you have different settings) and the DNS configuration in the group-policy. I would also allow pings towards ISE and check basic connectivity.

If basic pings are going back and forth, the next step is to check DNS resolution, i.e. whether you can resolve the ISE FQDN.

Thanks

/Artem

Hello,

It was a routing problem on the ISE... so now it's working well.

Thanks for the tip :)

Adam

Hello Adam,

Good to hear that, and you are welcome ;-)

Thanks

/Artem

Brett Verney
Level 1

Hi guys,

I have a client who does not support wildcard certs but still wants to import a single certificate for the guest portal. Is there a way to do this without wildcard entries in the SAN via the ISE certificate management? If not, will ISE 2.0 allow me to assign the same certificate to both nodes if their FQDNs are in the SAN fields and I generate the CSR using a tool like OpenSSL?

What other information might I require in the SAN field?

-Brett

Hey Brett,

Thank you for that question. Yes, that is possible. Assuming that you have nodes with the following FQDNs, ise1.example.com and ise2.example.com, you could create a certificate with the following fields:

CN = aaa.example.com

SAN
    DNS.1 = aaa.example.com
    DNS.2 = ise1.example.com
    DNS.3 = ise2.example.com

Then you will be able to import that certificate on those 2 nodes and use it for Guest services.

Thank you

Wojciech

Thanks Wojciech!

Using your example above, what if the cert only contains CN = aaa.example.com, where 'aaa.example.com' is the redirect URL for the guest portal, and doesn't contain any SAN fields? Could the cert still be imported to both nodes for the guest portal only if OpenSSL is used?

Is there any requirement for the FQDNs of each ISE node being present in the SAN for guest use only?

Each SAN entry can get expensive via a public CA, so we would like to minimise cost as much as possible.

-Brett

Hello Brett,

Yes, that would be possible; however, I would strongly recommend not doing that. You can import such a certificate to many nodes, but then you would need to send a static URL to the guest portal, which is the next thing that I would strongly suggest not to do. Imagine a scenario where the RADIUS request (authentication) goes to PSN1 and then the user is redirected to the guest portal on PSN2 (for example, aaa.example.com resolves to the IP address of PSN2). In such a scenario, sessions are not shared between the nodes and you will see the error "500 Internal Error" on end stations, because PSN2 will not have the session that is stored on PSN1.

Anyway, that is why we have wildcard certificates.

Thank you,

Best Regards,

Wojciech
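A coverage check for the CN/SAN layout given earlier in this thread and for the wildcard point made in this reply, added here as an example (it is not from the thread and not ISE code). It assumes the names from Wojciech's earlier reply (aaa.example.com, ise1.example.com, ise2.example.com), reads the CN and DNS.n lines in the shape shown there, matches a wildcard only against the left-most label, and lists which of the portal FQDN and node FQDNs the certificate leaves unnamed.

```python
"""Check whether a certificate's names cover every FQDN an ISE guest portal needs."""
import re

# Constructed sample: the CN and SAN section in the shape shown in the reply above.
CERT_FIELDS = """
CN = aaa.example.com
SAN
    DNS.1 = aaa.example.com
    DNS.2 = ise1.example.com
    DNS.3 = ise2.example.com
"""


def parse_cert_names(text):
    """Return the CN plus every SAN DNS.n entry, lower-cased, in file order."""
    names = []
    for line in text.splitlines():
        m = re.match(r"\s*(CN|DNS\.\d+)\s*=\s*(\S+)", line)
        if m:
            names.append(m.group(2).lower())
    return names


def name_matches(pattern, fqdn):
    """RFC 6125-style match: '*' may only replace the whole left-most label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if not pattern.startswith("*."):
        return pattern == fqdn
    p_labels, f_labels = pattern.split("."), fqdn.split(".")
    # Same number of labels (so *.example.com never covers example.com or
    # a.b.example.com) and every label after the wildcard identical.
    return len(p_labels) == len(f_labels) and p_labels[1:] == f_labels[1:]


def missing_names(cert_names, required):
    """FQDNs in `required` that no CN/SAN entry of the certificate matches."""
    return [h for h in required if not any(name_matches(n, h) for n in cert_names)]


def check_guest_portal_cert(cert_text, portal_fqdn, node_fqdns):
    """The certificate must name the portal FQDN and every PSN that may serve it."""
    return missing_names(parse_cert_names(cert_text), [portal_fqdn] + list(node_fqdns))


if __name__ == "__main__":
    nodes = ["ise1.example.com", "ise2.example.com"]
    print(check_guest_portal_cert(CERT_FIELDS, "aaa.example.com", nodes))
    # A CN-only certificate leaves both node FQDNs uncovered:
    print(check_guest_portal_cert("CN = aaa.example.com", "aaa.example.com", nodes))
    # A wildcard certificate covers the portal name and every node in the domain:
    print(check_guest_portal_cert("CN = *.example.com", "aaa.example.com", nodes))
```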

Hi Wojciech-

Does this example apply to HTTPS-based certificates? If yes, when was this functionality introduced to ISE? In the past I recall having issues when trying to implement this, as the CN field had to either be a wildcard one or the FQDN of the ISE node. So I was only able to implement such a solution for EAP-based certificates.

Also, this was clearly outlined in the documentation for ISE 1.2. It is not in the documentation for ISE 1.3, 1.4 and 2.0, so perhaps it is a new feature?

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_cert.html

"If you are going to use the CA-signed certificate for HTTPS, the subject Common Name value specified for the CSR must match the fully qualified domain name (FQDN) of the Cisco ISE node, or must match the wildcard domain name specified in the SAN/CN field of the certificate."

Hello Neno,

In general we can generate such certificates, even for HTTPS; however, as that is not documented, I would suggest not using such certificates. I have filed a documentation bug for that issue; it should be visible in about 24 hours:

https://tools.cisco.com/bugsearch/bug/CSCux66343/?reffering_site=dumpcr

Thank you

Wojciech

Hi,

Good to see the discussion on ISE.

We have recently deployed ISE in one of the customer's HOs; they also have 1 centralized WLC 5508 for their branches and 3700/2700 APs at all the branches.

We have integrated ISE with the WLC, and the default behaviour is that a client connects to the free WiFi, is redirected to the ISE page, enters their phone number and email address, and receives a username and password to browse freely at their stores.

Everything was working fine until they came up with a new branch.

All the Android phones connecting to the free WiFi are working fine: they get redirected, fill in the details and log in to the free WiFi at this new store. The issue is with iPhones and Apple devices only, at this branch.

Mostly they are not redirected to the ISE page, and if they are redirected it takes a lot of time, which is annoying to the customers.

Can we have your expert advice on resolving this issue?

Thanks, Abdul Malik.

Hello Abdul Malik,

Thank you for that question. Well, it is hard to answer it without knowing details of the deployment; however, the following should be verified:

- check whether captive portal bypass is enabled on the WLC; more details below:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010101.html

If that does not help, we could suggest performing a packet capture on the end station (on some Mac) or enabling debugs on the WLC (simply "debug client aa:bb:cc:dd:ee:ff") to check what is the cause of the delays.

Hope that helps,

Best Regards

Wojciech

Sergio Carrilho
Level 1

Hi Experts,

I have a customer where "DHCP-DECLINE-CONFLICT" alarms constantly appear on the router for some machines (PCs). The alarms refer to the rejection of an IP assignment, giving the reason that it is already assigned (to the machines themselves). We found that the ISE does not always appear to authenticate the machine in question. ISE-3315-K9, version 1.3.0.876.

Can you clarify what may be causing this problem and how I can solve it?

Best Regards,

Sérgio Carrilho