Network Access Control

Hi Team,    I am facing subjected error. this is new requirement to establish certificate based authentication wi-fi access. Kindly suggest on this.  Access Service DOTIX_WIFI Authentication Method EAP-TLS   11001 Received RADIUS Access-Request11017 ...

Hello,   Can someone help me understand how RADIUS/TACACS determine the primary AAA-Server is unreachable before fallback to secondary AAA-Server, is this based on a RADIUS or TACACS session or IP-reachability. If based on IP, how exatcly does that w...

I am in the process of upgrading my Cisco ISE distributed deployment. I have 2 PAN and 3 PSN in the deployment. I was reviewing the upgrade guide. I noticed that the upgrade guide states if your PSN is part of a group cluster, you must deregister the...

Hello, not sure if this is the right place to ask this question. I'm trying to implement MAB authentication using Meraki Wireless and Cisco ISE. The Meraki AP isn't sending the "Call-check" field in the radius attributes therefore can't match MAB aut...

Looking to move from LWA to CWA for wireless guest access. Have a separate DNS appliance with a subdomain it’s authoritative for: guest.example.com On the certificate side, we have a CN=ise.example.com and SAN=ise.example.com and *.example.com used c...

Hi All, I have a customer that need to authenticate and authorize endpoints using some advanced certificate fields like extended key usage, organization unit and much more without going to any other external identity source like AD , just from the ce...

Dear cisco team,My company is implementing CDA in the environment and I wanted to ask if CDA has its own logs that can be forwarded to a monitoring server like IBM QRadar. I know it can gather logs from other devices and forward them but does it has ...

Hi,   We have ISE 2.2 patch 10.We use PAP mschapv2 dot1x user authentication. When clients try login to their new laptop coming from IT departmant they get the following error; We can't sign you in with this credential because your domain isn't avail...

Hi Team, I have catalyst 3650-24p-pdm with dot1x enable for multiauth, after reloading the switch, all IPPHONE failed to dot1x authentication and go to mab, even if the priority is set to dot1x and even after increasing the timeout/retries. if I shut...

Hi   I am trying to upload offline as well online the latest ISE Profiler Feed update to an ISE 2.4 Patch2 deployment. Both methods are failing and currently investigating the root cause with TAC. While troubleshooting we've observed that the Profile...

How is the rescan configuration on the AD profiler supposed to work?  I have the following shown under an endpoint:   AD-Fetch-Host-NameMININT-2JIERJF$   MININT hostname is used during WinPE phase of an SCCM build process.  So ISE learned that name d...

Hello, Can someone please explain why an IP-phone shows as data instead of VOICE   Device#sho authentication sessionsInterface MAC Address Method Domain Status Fg Session ID-----------------------------------------------------------------------------...

Hi All,   Hope you all are doing good.   I am new on ISE and facing many challenges first and most important for me is to get the proper switch configuration.   I have below devices in my LAB ( This LAB is Only for Testing & Learning purpose )    2 N...

Hello,we're currently migrating from ACS 5.8 to ISE 2.2 in a pure MS Windows environment with MS Active Directory and MS Windows Server PKI for internal purposes. Every domain joined endpoint gets provisioned with a client-certificate over group poli...

My project takes a .csv file with at least one column of MAC addresses, and adds those MACs/endpoints to a specified Identity Group. I have a working solution for a single MAC on this thread, but the latency is fairly large for a single API call.  Ho...