Network Access Control

TCP Port 12001 for ISE node replication

Hello, While registering the secondary admin node to Primary admin node, the node registration is failing after few hours of syncing. We reached TAC and they found that the secondary node is not able to connect to primary node on TCP port 12001 afte...

ISE for Printer Security

Hello, does anyone have any suggested configurations, ACLs, etc for securing printers, especially HP and giving network access to just their essential functions only? All replies rated, Thanks in advance!

Resolved! ISE Deployment - PXGrid and SXP Same Appliance

Hi I have a customer who has a question around deploying PxGrid and SXP personas on the same SNS-3655 appliance, they will have a pair for resiliency. Our original plan was to deploy a dedicated ISE implementation, with 2x PAN (SNS-3655) 2x Mn...

ISE-PIC update ip address on session information when switch network

Helloi'am using ise-pic to provide session information to Firepower management center, i can create policy on firewall for a specific user/groups on AD if the sessions for users are create on DC. But when user switch to wireless network without estab...

Resolved! ISE Authorization Profile Using Machine Certificate

Hi, Is there a way in ISE that I can create an authorisation policy using Machine certificate? I have been trying ways to differentiate a machine cert with a user cert but as of now I have not seen a clear document on how to do so. Thanks in advance...

Resolved! ISE 2.6 patch 2 not logging AAA authentication and AAA accounting log

Just recently migrated from ACS 5.7 to ISE 2.6 patch 2. What I found is that while I can successfully authenticate to Cisco routers and switches via TACACS+ but the ISE log does not show any records of either tacacs authentication or tacacs accountin...

ACS 5.8 two web interfaces

Hi all,if there option for ACS 5.8 to have access on web via two different interface IPs?My ACS 5.8 now have only one IP configured, and that one is used for AAA comunicatuions as well as for mgmt access.It's install on VM machine and I added anothe...

ISE authentication/session logs after implementing Fast roaming

After impingement fast roaming, we only get session logs for client devices after the first authentication, Is it possible to send that to an external Syslog server? I do not see any information related to session under the logging category. We stil...

Microsoft windows profiling

What is the best way of profiling machines running different version of Windows? Nmap sometimes give false positive and the user agent can also be modified.Dhcp probes /device sensor too is not helping that much or maybe am just missing something in ...

Is ISE agent required for PC when configuring monitor mode in switches?

Hi, Do I need to use agent in PC when configuring monitor mode in switches?

Resolved! ISE Multiple deployment (3595 and 3615)

Hello Experts! I'm currently using three 3595 ISEs. I want to add another 3615 here as a PSN. Currently information ISE1 : PAN(Primary) + MNT(Secondary) + PSN ISE2 : PAN(Secondary) + MNT (Primary) + PSN ISE3 : PSN (Health-Check node) Is there p...

ISE 2.4 Authorization Profile setting an attribute in "Advanced Attribute Settings" does not work?

In an effort to avoid some looping MAB authentications, which I need to have do at least two authentications, I have created a custom endpoint boolean attribute that I assign "True" or "False" to and match against in multiple MAB Authorization Polici...

Client Provisioning policy not hitting when AD user group is mentioned in the condition

Hi, I am experiencing a weird problem with Aruba Wireless and Cisco ISE integration that if I write my client provisioning policy as Domain users AND Domain computers AND SSID Name then redirect to the client provisioning portal the client does not ...

Do I still need to be concerned about AnyConnect certificate warning (i.e. CSCut30037)?

Hi, In the past, I encountered a manifestation of the bug in the title, where AnyConnect would display a certificate warning due to the fact that ISE was using the system certificate for HTTPS on port TCP/8905 (part of the ISE posture evaluation). ...

ISE 2.4 How to get passiveID with domain name by API

HelloCould please someone suggest how to get session list with domain names by API?Our ISE is configured for getting passiveID from two DC . When I read session list with the requesthttps://ise/admin/API/mnt/Session/ActiveListI get only usernames and...

Network Access Control

Forum Posts

TCP Port 12001 for ISE node replication

ISE for Printer Security

Resolved! ISE Deployment - PXGrid and SXP Same Appliance

ISE-PIC update ip address on session information when switch network

Resolved! ISE Authorization Profile Using Machine Certificate

Resolved! ISE 2.6 patch 2 not logging AAA authentication and AAA accounting log

ACS 5.8 two web interfaces

ISE authentication/session logs after implementing Fast roaming

Microsoft windows profiling

Is ISE agent required for PC when configuring monitor mode in switches?

Resolved! ISE Multiple deployment (3595 and 3615)

ISE 2.4 Authorization Profile setting an attribute in "Advanced Attribute Settings" does not work?

Client Provisioning policy not hitting when AD user group is mentioned in the condition

Do I still need to be concerned about AnyConnect certificate warning (i.e. CSCut30037)?

ISE 2.4 How to get passiveID with domain name by API

Cisco ISE - hitting wrong NetworkDevice Group

NetFlow Probe Profiling – Missing IP and Port in ISE Context Visibili

Default Route SGT

PX Grid Connector and Service NOW

ISE Posture: secure client stops posture synchronization

ISE Profiling Conflict

Scenario ISE-Pri dead and promote ISE-Sec to Primary

can no longer ssh into the Primary Admin/Secondary MnT node

NTLM Disabled and ISE-PIC

Impact of Resetting ISE Context Visibility on Endpoint Connectivity