05-16-2017 02:51 PM - last edited on 03-11-2019 12:43 AM by NikolaIvanov
Hi,
I have a problem with my very new Cisco ISE 2.2 install.
In the summary, the network device chart is not working ("no data available"), but all switches send the RADIUS and AAA messages. Dot1x and MAB authentication are working. Does anybody have any idea what the solution for this "problem" is?
regards,
Tamas
05-16-2017 07:05 PM
Have you used the Network Device Group feature to assign a Type/Location to your NADs? If your NADs are using the default then I don't think you'll see anything in the pie chart, because there is no classification. Enable some Location/Type for your NADs and then the pie chart should start populating.
05-17-2017 12:48 AM
Yes, I used 2 locations and some types for my NADs, any idea? But it doesn't work...
thanks,
Tamas
05-17-2017 04:07 AM
Strange - I am running ISE 2.2 patch 1 and the only other suggestion I have is to check whether your PSN is enabled for Profiling. But it doesn't seem related to Profiling. Perhaps someone more qualified can give a better answer. It should just work 'out the box' as far as I can tell.
05-17-2017 04:20 AM
yep, very strange.
ISE VM is in standalone mode, so the profiling function is already in.
I installed a new ISE virtual machine yesterday and it was the same issue and I don't know why.
The install source: Cisco ISE Software Version 2.2.0 full installation (no IPN functionality). This ISO file can be used for installing ISE on ISE-34x5 Appliances, SNS-35x5 Servers as well as a VM installation on VMWare ESX/ESXi 5.x/6.0 /KVM/Hyper-V.
regards,
Tamas
05-17-2017 04:49 PM
When you say 'standalone' do you mean the node has all three personas, or you haven't promoted the node's Role from 'STANDALONE' to 'Primary' yet?
Other question: have you had any (or many) requests coming from different NADs that are in different Locations or of different Type?
05-18-2017 12:26 AM
Hi,
I tried the change (standalone to primary and vice versa).
I created some locations and some groups (of course I extended the policy), but it doesn't work.
Here is the switch config, could you check that?
(10.0.2.75 - ISE server)
show ver:
Switch Ports Model              SW Version  SW Image
------ ----- -----              ----------  ----------
*    1 54    WS-C2960X-48TD-L   15.2(5b)E   C2960X-UNIVERSALK9-M
     2 54    WS-C2960X-48LPS-L  15.2(5b)E   C2960X-UNIVERSALK9-M
     3 54    WS-C2960X-48LPS-L  15.2(5b)E   C2960X-UNIVERSALK9-M
config:
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname KONTENER_2960
!
boot-start-marker
boot-end-marker
!
logging monitor informational
aaa new-model
!
!
aaa group server radius ise-group
 server name ise
 server-private 10.0.2.75 key 7 XXXX
!
aaa authentication login default group tacacs+ local line
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group ise-group
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 7 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group ise-group
aaa authorization network auth-list group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update newinfo periodic 5
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group ise-group
!
!
!
!
!
aaa server radius dynamic-author
 client 10.0.2.75 server-key 7 XXXXX
 auth-type any
!
aaa session-id common
clock timezone UTC 2 0
switch 1 provision ws-c2960x-48td-l
switch 2 provision ws-c2960x-48lps-l
switch 3 provision ws-c2960x-48lps-l
!
!
!
!
!
device-sensor filter-list lldp list TLV-LLDP
 tlv name system-name
 tlv name system-description
!
device-sensor filter-list cdp list TLV-CDP
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name platform-type
!
device-sensor filter-list dhcp list TLV-DHCP
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
device-sensor filter-spec dhcp include list TLV-DHCP
device-sensor filter-spec lldp include list TLV-LLDP
device-sensor filter-spec cdp include list TLV-CDP
device-sensor accounting
device-sensor notify all-changes
!
!
no ip domain-lookup
ip domain-name XXXX.local
ip name-server 10.0.10.1
ip device tracking probe auto-source override
ip device tracking probe delay 10
!
!
!
authentication mac-move permit
access-session template monitor
access-session acl default passthrough
epm logging
dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!
!
interface GigabitEthernet3/0/10
 description ISE_AUTH_DEMO_PC
 switchport access vlan 100
 switchport mode access
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan100
 no ip address
 ip helper-address 10.0.2.75
!
ip default-gateway 10.0.2.254
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
ip ssh time-out 60
ip ssh logging events
ip ssh version 2
!
ip access-list extended ISE-REDIRECT
 deny udp any eq bootpc any eq bootpc
 deny udp any any eq domain
 deny udp any host 10.0.2.75 eq 8905
 deny tcp any host 10.0.2.75 eq 8905
 deny udp any host 10.0.2.75 eq 8909
 deny tcp any host 10.0.2.75 eq 8909
 deny tcp any host 10.0.2.75 eq 8443
 deny ip any host 10.0.0.0
 permit ip any any
ip radius source-interface Vlan2
logging origin-id ip
logging source-interface Vlan2
logging host 10.0.2.75 transport udp port 20514
!
snmp-server community public RO
snmp-server trap-source Vlan2
snmp-server source-interface informs Vlan2
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps license
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 10.0.2.75 version 2c Cisco123 mac-notification
tacacs server ise1
 address ipv4 10.0.2.75
 key 7 XXXXX
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
radius server ise
 address ipv4 10.0.2.75 auth-port 1812 acct-port 1813
 automate-tester username radius ignore-acct-port idle-time 10
 key 7 XXXX
!
!
line con 0
line vty 5 15
 transport input ssh
!
!
monitor session 1 destination remote vlan 266
ntp server 10.0.10.1
mac address-table notification mac-move
!
end
05-18-2017 01:47 AM
Hi,
It's working!
When the authentication is successful (or not), the NAD devices are showing in the chart.
thanks,
Tamas
07-27-2017 05:11 AM
Tamas,
How did you fix the issue? I have it with ISE 2.2 after upgrading it from 2.1 to 2.2.
10-09-2017 04:38 AM
Hi,
Can you tell me how it worked? I have the same issue.
Thanks,
Manny
10-09-2017 04:38 AM
Hi,
Can you tell me how you fixed the issue? Kindly share it, as I have the same issue.
Thanks,
Manny
10-10-2017 01:25 AM
I'd recommend skipping ISE 2.2 altogether and just going with 2.3 instead. There have been a number of issues with 2.2 that are not resolved as of the current patch level. 2.3 has thus far proved to be much more stable even in its initial release.
10-13-2017 01:04 PM - edited 10-13-2017 01:17 PM
Hi Marvin,
I agree with you. Looks like I would have to create another post called "2.2 ISE Version findings similar to the one I made on 1.3 sometime ago"
thanks