Hello Team, We would like to seek your assistance in identifying if ACS connectivity to public ip is legit. We monitored that it was connecting to the said IP using port 25. How can we block from acs using port 25.
This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Forum Posts
Hi team, I am trying to figure out if we can initiate a port bounce to a Meraki MS from the ISE Live Sessions logs. In the Network Device Profiles, the Cisco and Meraki capabilities seem to be the same: But in live with a C3850 and a Meraki M...
Hi all, If the CRL Distribution URL isn't available, it's possible to tell ISE to retain the current CRL in a cached state. This doesn't persist between reboots. Is there any time limit on how long the CRL is cached and used for subsequent authentica...
Resolved! ISE & Load Balancers
Hi, We have a question on the use of SNAT for load balancing - according to the documentation at the following link: https://community.cisco.com/t5/security-documents/ise-load-balancing/ta-p/3648759#toc-hId-1865742776, it appears that the load bal...
Hi,I was wondering whether there was a way to dynamically block a vty session (telnet/ssh etc) for a period of time after x amount of failed login attempts using Cisco IOS? I don't believe there is, but I wanted a way to provide Internet connectivit...
Hello Experts, Based on the information provided in the following guide : https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_01000.html Required Permissions when AD User not in Domain Admin Group F...
Resolved! ISE CIMC Virtual KVM session timeout
Hello Team, I'm currently working on installing ISE using CIMC. After trying to launch the Virtual KVM, the launcher downloads and when I try to open it, i looks like is going to open, but then I get "Login failed or timed out. Please try again." ...
Resolved! ISE update URL's
Hello All, I would like to confirm, what are the IP addresses expected to be resolved when using the URL for posture updates https://www.cisco.com/web/secure/pmbu/posture-update.xml ? Recently, that URL is resolving to these IP addresess: o ...
When users add their own devices via the my devices portal, the device always shows "pending" as a status. While the device does operate properly, this is confusing to the users. Is there a way to disable the pending status? Hide it?
Hi I am testing Windows 10 native supplicant for EAP-FAST. I have two policies, one for computer auth and another for user. I am presently testing the computer auth however it keeps failing.I am not using certificates for this.OverviewEvent5400 Aut...
Resolved! dot1x session persistent on switches?
I seem to recall that if a switch looses connection to all PSN nodes, the authentication session will remain active for a during of time? Is this correct or I'm remembering it wrongly?
Resolved! DACL not shown for a NAD
Hello there, I created a NAD profile for Pica8 switch, now when I create an authorization profile I see the ACL and VLAN fields under the common tasks section but there is no DACL field shown. What should I do in my NAD profile to display the DACL fi...
Resolved! test AAA tacacs legacy and new-code
Hi, For RADIUS, if we test with legacy (test aaa group radius username password legacy) old port numbers(1645/146) are verified. Whereas if replace legacy with new-code(test aaa group radius username password new-code), it tests newly assigned port ...
Hi everyone,We've been struggling in this situation for a few days.We have the following scenario for our ISE deployment:User and Machine Authentication with EAP Chaining, using Certificates for both, Supplicant is Anyconnect NAM. We are in PoC stage...
Resolved! NAS_IP Starts With in Policy Sets
In 2.3, you could create a Policy Set that had a "Starts with" condition for matching a NAS_IP. However, in 2.4, we are only seeing equals/not-equals as a condition. Is this a bug or did something change in 2.4 that removed the "starts with" conditio...
