Re: Tamas,

Report Inappropriate Content · ‎05-16-2017

Hi,

I have a problem with my very new Cisco ISE 2.2 install.

In the summary network device chart is not working "no data available" but all switch send the radius and aaa messages. Dot1x, MAB authentication working. Somebody has any idea what is the solution for this "problem"?

regards,

Tamas

Arne Bier · ‎05-16-2017

Have you used the Network Device Group feature to assign a Type/Location to your NAD's? If your NAD's are using the default then I don't think you'll see anything in the pie chart, because there is no classification. Enable some Location/Type for your NAD's and then the pie chart should start populating.

Report Inappropriate Content · ‎05-17-2017

Yes, I used 2 location and some type of my NAD, any idea? But doesnt work...

thanks,

Tamas

Arne Bier · ‎05-17-2017

Strange - I am running ISE 2.2 patch 1 and the only other suggestion I have is to check whether your PSN is enabled for Profiling. But it doesn't seem related to Profiling. Perhaps someone more qualified can give a better answer. It should just work 'out the box' as far as I can tell.

Report Inappropriate Content · ‎05-17-2017

yep, very strange.

ISE VM is in standalone mode, so the profiling function is already in.

I was install a new ISE virtual machine yesterday and it was same issue and I don't know why.

the install source: Cisco ISE Software Version 2.2.0 full installation(no IPN functionality).This ISO file can be used for installing ISE on ISE-34x5 Appliances, SNS-35x5 Servers as well as a VM installation on VMWare ESX/ESXi 5.x/6.0 /KVM/Hyper-V.

regards,

Tamas

Arne Bier · ‎05-17-2017

When you say 'standalone' do you mean the node has all three personas, or you haven't promoted the node's Role from 'STANDALONE' to 'Primary' yet?

Other question: have you had any (or many) requests coming from different NAD's that are in different Locations or of different Type?

Report Inappropriate Content · ‎05-18-2017

Hi,

I tried the change (standalone to primary and vice versa).

I created some location and some groups (of course I extended the policy), but doesnt work.

there is the switch config, could you check that?

(10.0.2.75 - ISE server)

show ver:

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 54 WS-C2960X-48TD-L 15.2(5b)E C2960X-UNIVERSALK9-M
2 54 WS-C2960X-48LPS-L 15.2(5b)E C2960X-UNIVERSALK9-M
3 54 WS-C2960X-48LPS-L 15.2(5b)E C2960X-UNIVERSALK9-M

config:

version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname KONTENER_2960
!
boot-start-marker
boot-end-marker
!
logging monitor informational

aaa new-model
!
!
aaa group server radius ise-group
server name ise
server-private 10.0.2.75 key 7 XXXX
!
aaa authentication login default group tacacs+ local line
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group ise-group
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 7 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group ise-group
aaa authorization network auth-list group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update newinfo periodic 5
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group ise-group
!
!
!
!
!
aaa server radius dynamic-author
client 10.0.2.75 server-key 7 XXXXX
auth-type any
!
aaa session-id common
clock timezone UTC 2 0
switch 1 provision ws-c2960x-48td-l
switch 2 provision ws-c2960x-48lps-l
switch 3 provision ws-c2960x-48lps-l
!
!
!
!
!
device-sensor filter-list lldp list TLV-LLDP
tlv name system-name
tlv name system-description
!
device-sensor filter-list cdp list TLV-CDP
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name platform-type
!
device-sensor filter-list dhcp list TLV-DHCP
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-spec dhcp include list TLV-DHCP
device-sensor filter-spec lldp include list TLV-LLDP
device-sensor filter-spec cdp include list TLV-CDP
device-sensor accounting
device-sensor notify all-changes
!
!
no ip domain-lookup
ip domain-name XXXX.local
ip name-server 10.0.10.1
ip device tracking probe auto-source override
ip device tracking probe delay 10
!
!
!
authentication mac-move permit
access-session template monitor
access-session acl default passthrough
epm logging

dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!

!
interface GigabitEthernet3/0/10
description ISE_AUTH_DEMO_PC
switchport access vlan 100
switchport mode access
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable
!

!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 10.0.2.1 255.255.255.0
!
interface Vlan100
no ip address
ip helper-address 10.0.2.75
!
ip default-gateway 10.0.2.254
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
ip ssh time-out 60
ip ssh logging events
ip ssh version 2
!
ip access-list extended ISE-REDIRECT
deny udp any eq bootpc any eq bootpc
deny udp any any eq domain
deny udp any host 10.0.2.75 eq 8905
deny tcp any host 10.0.2.75 eq 8905
deny udp any host 10.0.2.75 eq 8909
deny tcp any host 10.0.2.75 eq 8909
deny tcp any host 10.0.2.75 eq 8443
deny ip any host 10.0.0.0
permit ip any any
ip radius source-interface Vlan2
logging origin-id ip
logging source-interface Vlan2
logging host 10.0.2.75 transport udp port 20514
!
snmp-server community public RO
snmp-server trap-source Vlan2
snmp-server source-interface informs Vlan2
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps license
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 10.0.2.75 version 2c Cisco123 mac-notification
tacacs server ise1
address ipv4 10.0.2.75
key 7 XXXXX
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
radius server ise
address ipv4 10.0.2.75 auth-port 1812 acct-port 1813
automate-tester username radius ignore-acct-port idle-time 10
key 7 XXXX
!
!
line con 0
line vty 5 15
transport input ssh
!
!
monitor session 1 destination remote vlan 266
ntp server 10.0.10.1
mac address-table notification mac-move
!
end

Report Inappropriate Content · ‎05-18-2017

Hi,

its working!

when the authentication successful (or not) the NAD devices are showing in chart.

thanks,

Tamas

ncfb-awarsame · ‎07-27-2017

Tamas,

How did you fix the issue? I have it with ISE 2.2 after upgrading it from 2.1 to 2.2.

mannygawadcco · ‎10-09-2017

Hi,

Can you tell me how did it work, i have the same issue.

Thanks,

Manny

mannygawadcco · ‎10-09-2017

Hi,

Can you tell me how did you fix the issue, kindly share it as i have the same issue.

Thanks,

Manny

Marvin Rhoads · ‎10-10-2017

I'd recommend skipping ISE 2.2 altogether and just going with 2.3 instead. There have been a number of issues with 2.2 that are not resolved as of the current patch level. 2.3 has thus far proved to be much more stable even in its initial release.

ajc · ‎10-13-2017

Hi Marvin,

I agree with you. Looks like I would have to create another post called "2.2 ISE Version findings similar to the one I made on 1.3 sometime ago"

thanks

Cisco ISE 2.2 - empty network device chart