Hi all,We have a global NAC setup, using ISE3.1 and Cisco 9200/9300 switches, with physical ports configured with a priority of dot1x/mab, but with an order of mab/dot1x. This is due to a set of security audit requirements for granular mab ACLs kicki...
This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Forum Posts
Hi to all, I'd like to modify guest user expiration notification email message in order to include guest username in the message.I tried inserting $ui_user_name$ in the message body editor present in Guest Types -> <GUEST TYPE NAME> but with no luck...
Resolved! 802.1x New IP address after CoA
Hello. I have a problem with supplicant new IP address after CoA.In my scenario, all machines authenticated with valid certificate, will receive a temporary IP address. After the successful login (by configuring EAP chaining using machine cert and us...
I'm trying to get additional profiling data into ISE so things like macbooks don't show up as "Free-BSD". It looks like ISE depends heavily on the "User-Agent" http attribute for the apple related profiles. Access switches are 3650's. ISE 3.1. Dot1x ...
Folks,I needed some suggestion on Policies getting applied when the 802.1x authentication kicks in vs Initial Boot by a system.Our policies say that once the 802.1x authentication succeeds allow the machine to get authorized on the "Employee VLAN". T...
Resolved! ISE - Passive Identity Connector
Context Directory Agent (CDA) only supports Windows 2008 and Windows 2012 and it doesn't support Windows 2016.Our vendor said ISE - PIC (Passive Identity Connector) can be used to replace CDA and ISE -PIC supports Windows 2016Does anybody try to use...
Resolved! CDA Alternative
Hi all I was planning to configure the Cisco Context Directory Agent (CDA) so we can use AD Groups in the ASA Firewall access rules, but our Active Directory servers will be upgraded to 2016 this year and CDA does not support this OS Version. It doe...
Hello All,Recently found there are lots of VPN anyconnect user authenticated last year but halted in ISE live session, and occupied more base license. Actually, the users had dropped on the ASA devices, but still see active live session on ISE.I trie...
I am running ISE 3.0 Patch. I have a SecureX Remote gateway deployed into my environment to be able to facilitate connections from SecureX. I installed the latest Workflows from the My Exchange in SecureX Orchestration, specifically the ISE - Quara...
On a Meraki AP (MR42) running MR.25.11 firmware that has been configured in VPN: Tunnel Mode to send all traffic to an Meraki MX appliance/concentrator which authenticates to ISE 2.3 patch 5. We are seeing after ISE receives an Accounting-Stop (Termi...
is any there information available of how to optimize the search base for LDAP in ISE?
Hi, The switch 9200L, 17.06.04 has 802.1x enabled. I noticed in the logs that sometimes the 802.1x doesn't finish correctly and the log on the ISE says: 5440 Endpoint abandoned EAP session and started new, the switch log is: %DOT1X-5-FAIL: Switch 1 R...
Running ISE 2.7 patch 7. Question: I have a device that was previously connected to a 802.1x SSID and directly assigned to the endpoint group = unknown, later I manually assigned it to an endpoint group = testing. So my question is: If I have device ...
We have a deployment with 7 nodes, 2xAdmin, 2xMnT and 3xPSN and did a CLI patch install from 3.1 patch 3 to patch 5.We were able to successfully install patch 5 on the PAN first and then the 1 MnT, but ran into multiple problems when we tried to it o...
I have a question regarding MAC-spoofing in an 802.1X solution. Let's say I have the following deployment: Authentication server: Cisco ISEAuthenticator: Cisco Catalyst 2960XEAP-method: EAP-TLSSupplicant: Single PC on a wall-outletPeriodic re-authent...
