ISE 2.3 Issues

neil.j.bishop
Level 1

Hi, I have a couple of questions regarding the setup of ISE 2.3 which were picked up by recent security tests:

1st: Why does ISE cache logins to the web GUI, and how do I switch it off, as it is a security vulnerability on my networks?

2nd: When I use SSH to log in to the CIMC or the ISE CLI, it allows 10 failed password attempts before it kicks you out. My company has strict security rules and I want to change this to only allow 3 password attempts before kicking the user out of the SSH session. How do I do this?

3rd: Why do I always have to restart the ISE server when I make a configuration change to one of my RADIUS or TACACS+ configs in order for the server to see it and start using the new config?

Kind Regards

Neil Bishop

3 Replies

Hi,

1 - I would imagine that is the web browser you are using storing the ISE credentials.

2 - You can configure a password policy for the CLI; here is the ISE 2.3 user guide. You can enter the command password-lock-enabled, which will lock an account after several failures.

3 - You do not need to restart the ISE server when you make a configuration change. What other symptoms do you have? Perhaps you have a bug; do you have the latest patch installed? In the Web GUI > Deployment section, are all nodes confirmed as in sync?

HTH

RichardAtkin
Level 3

Q. Why does ISE cache logins to the web GUI, and how do I switch it off, as it is a security vulnerability on my networks?

A. It will be your browser doing it. Not quite the same, but you can also reduce how long an authenticated session is allowed to sit idle for before ISE logs it out.

Q. When I use SSH to log in to the CIMC or the ISE CLI, it allows 10 failed password attempts before it kicks you out. My company has strict security rules and I want to change this to only allow 3 password attempts before kicking the user out of the SSH session. How do I do this?

A. You can set this in the Administrative Password settings section: Administration > System > Admin Access

Q. Why do I always have to restart the ISE server when I make a configuration change to one of my RADIUS or TACACS+ configs in order for the server to see it and start using the new config?

A. You shouldn't have to do this. Can you be more specific about the change you're making? Some changes need a stop/start of the services, but 99% can be done on the fly.

Ensure you're on the latest patch - currently 2.3 patch 3.

I had created a new device profile and added devices to it, but then when creating the policy set to point the correct user group to the profile, I couldn't find the profile I had created until I had restarted ISE. Stopping and starting the ISE application didn't work; it had to be a full server reboot!

I do have another issue that has appeared on TACACS authorisation for Juniper routers. I have set up my TACACS on ISE 2.3 patch 3 and all was working fine, but I have just found after further security tests that if I change the shared secret on the router, ISE still lets me log in to the router, which should never happen, as it is supposed to reject all users if the shared secret is wrong. Is this a bug in ISE 2.3 patch 3 or a setting I am missing? I have tested it against my old ACS and that does reject logins if the shared secret is wrong, so it is definitely an ISE issue.

Regards

Neil
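On the TACACS+ shared-secret point raised above: this added example (not code from the thread, from Cisco ISE or from the router) shows why a server that de-obfuscates a request with a stale secret gets garbage and must reject it, per the RFC 8907 body obfuscation. The session id, usernames and both secrets are constructed values.

```python
import hashlib
import struct

TACACS_VERSION = 0xC0  # major version 0xC, minor version 0 (RFC 8907)
ACTION_LOGIN, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 1, 1, 1


def tacacs_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pad: chained MD5 over session_id, secret, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([TACACS_VERSION, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call both obfuscates and de-obfuscates."""
    pad = tacacs_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START body (RFC 8907 section 5.1) with an empty data field."""
    fixed = struct.pack("!8B", ACTION_LOGIN, 1, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                        len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def server_decode_user(wire_body: bytes, session_id: int, server_key: bytes):
    """Server side: de-obfuscate with the server's own secret and accept the
    username only if the result is a well-formed START. A mismatched secret
    yields a wrong pad, so the length fields fail the check and None is returned."""
    body = obfuscate(wire_body, session_id, server_key, seq_no=1)
    if len(body) < 8:
        return None
    action, _priv, authen_type, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if action != ACTION_LOGIN or authen_type != AUTHEN_TYPE_ASCII or 8 + ul + pl + rl + dl != len(body):
        return None  # garbled header: secrets do not match, reject the request
    user = body[8:8 + ul]
    return user.decode("ascii") if user.isascii() and user.isalnum() else None


# Constructed sample: the router has been rekeyed to "new-secret" while the
# server still holds the original "router-secret".
SESSION_ID = 0x1A2B3C4D
ROUTER_START = obfuscate(build_authen_start(b"neil", b"tty0", b"10.0.0.5"),
                         SESSION_ID, b"new-secret", seq_no=1)

if __name__ == "__main__":
    print(server_decode_user(ROUTER_START, SESSION_ID, b"new-secret"))     # neil (secrets match)
    print(server_decode_user(ROUTER_START, SESSION_ID, b"router-secret"))  # None (stale secret)
```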