cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10817
Views
10
Helpful
32
Replies

Ask the Expert : Identity Services Engine (ISE) - Guest and Posture Troubleshooting

Vidhi Mujumdar
Cisco Employee
Cisco Employee
 
Join the Discussion : Cisco Ask the Expert

Cisco ISE manages role-based security policy. It simplifies network-access delivery across wired, wireless, and VPN connections. ISE then integrates, consolidates, and automates the sharing of user and device data with other Cisco security and technology partners. This dynamic network access control improves IT operations as well as stopping and containing threats. As the modern network expands, the complexity of marshaling resources, managing disparate security solutions, and controlling risk grows as well. The potential impact of failing to identify and remediate security threats becomes very large indeed.  A different approach is required for both the management and the security of the evolving mobile enterprise. With superior user and device visibility, Cisco ISE delivers simplified mobility experiences to enterprises. It also shares vital contextual data with integrated technology partner solutions. The identification, containment, and remediation of threats are all accelerated through the integration, consolidation, and automation that Cisco ISE provides.  This session provides an overview of: Guest and Posture Flow Troubleshooting We’re expecting a basic knowledge being the initial configuration for ISE redirect flows for Guest and Posture. If you want to review these setups, we recommend checking out these links. Centralized Web Authentication Flow | Posture configuration

Ask questions from Tuesday August 30 to September 9, 2016

Featured Experts

Sam Hertica has been a Customer Support Engineer in the Technical Assistance Center AAA team in RTP since 3.5 years. He initially started out of college as an Intern on the RTP-AAA team supporting the latest ACS 5.3 and 5.4. Since then, he’s grown to support full ISE deployments, as well as creating tools and resources for his team to troubleshoot complex deployments. Sam graduated from Rochester Institute of Technology with a BS in Applied Networking and Systems Administration in 2012.

Maciej Podolski is a member of Technical Assistance Center AAA team in Krakow Poland. He enables customer everyday by resolving complex ISE / dot1x / ACS issues. Maciej graduated from the Warsaw University of Technology with a BS in Electrical and Computer Systems engineering, with major in Telecommunications. He has been passionate about the cyber security since his university years, his final thesis was about steganography in cloud storage. He is also involved in developing tools for the AAA TAC engineers. His favorite hobby is skiing.

  

Find other  https://supportforums.cisco.com/expert-corner/events.

** Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

https://supportforums.cisco.com/expert-corner/events ">https://supportforums.cisco.com/expert-corner/events.

We look forward to your participation. This event is open to all, including partners. Please Share this event in your social channels. Have a technical question? Get answers here before opening a TAC case by visiting the Cisco Support Community.

     

Join the Discussion : Cisco Ask the Expert 

32 Replies 32

I am not aware of such limitation, for the remediation/updates we use third party api OPSWAT for all interaction with AV/AS. This should work for any user.

I am aware of a case when a client configured remediation to manual launch process luall.exe, this process belongs to the Symantec LiveUpdate utility which keeps your Symantec products up to date.

Then there were some issues that required admin user.

This is not the way to do the remediation - OPSWAT is the way to go.

Regarding fresh Symantec related defects I saw recently this one for NAC agent:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva50654/?reffering_site=dumpcr

It can be be risky, one can never know when something will go wrong.

On the other hand in case something something happens changing the network policy on the ise is just couple of clicks. Having the ISE as the central point of network polices have these sort of advantages.

Setting the requirements is completely up to how rigorous the company security policy is.

mpodolsk
Cisco Employee
Cisco Employee

This would be my guess as well, but he is using ip address so the DNS and fqdn issues do not apply here. :)

the logs i was referencing were the authentication livelog, just to check f you are going to the same ISE server, as in the presentation slides.

This is very interesting, I believe we are not able to troubleshoot this on forum.

You have eliminated a lot of potential issues with your troubleshooting, the next step would be to open a TAC case as this requires more detailed investigation.

Sameer,

The issue you're describing does sound like that bug, assuming you're on 1.3 or 1.4 currently. The only fix is to upgrade to 2.0 onwards, or wait for ISE 1.4 patch 9 to release (current ETA is Mid-September). This isn't an issue that we'll be able to patch into 1.3 unfortunately. 

As far as the number of portals, it's in slide 54 of our presentation. It does depend on the version of ISE you're running as well, since some portals (like the Certificate Provisioning Portal) were added as ISE got better and better! 

Sam

Hi,

Why the "Join the discussion " Button not active 

Thanks

Hi Sameer!

Unfortunately we can't really interact with ISE from a CLI perspective, outside of creating customized scripts to pull data via REST/CRUD. 

As far as pulling a list of active guest users, starting with 2.1 with Context Visibility you can configure whatever dashboards you would like to monitor endpoint activity. The default dashboard includes an 'Authenticated Guest' count that you can click and get a more detailed output of the current guest users. 

In earlier versions of ISE, you can rely on the non-customizable home page with the 'Authenticated Guests' metric at the top of the page. 

Additionally, you can always gather more data by running a report for a specific timeframe you're looking for under Operations -> Reports -> Guest and choosing an appropriate report. 

As far as the upgrade goes, I'd recommend to review the Upgrade Considerations and Requirements. To my knowledge the only known issue where guest accounts are gone are a result of an upgrade from 1.1.x to 1.2.1 (CSCup60155). There is a workaround to keep this data, but you have to open a TAC case for an engineer to walk you through it. 

That being said, it's never a bad idea to have a backup of your configuration (which includes guest accounts) and should the worst happen, you have something to fall back to. 

Hi Sam/Maceij,

I am trying to determine a way to report on users (by name) who have registered their devices in My Devices portal.

We have ISE 2.1 and in Context Visibility I can drill down to an individual device and see the end user name. However that user name is not available as a field to display at the summary view nor does it appear in any reports I could find.

I am thinking perhaps API level access might pull the information but I'm not sure about that.

Any suggestions?

Following this question because I am trying to get the same kind of report for automatic device registration. Based on my conversation with someone from the BU they are expecting to add something in the future which it is not available on 2.1

Bump.

Any idea on this one?

ajc
Level 7
Level 7

Question,

When I removed a MAC Address from ISE DB on Primary PAN, is the entire MAC DB replicated to all the PSN's or this is an incremental/decremental process so only that entry is removed from all the PSN's?

I removed a MAC from ISE DB so I could hit the AUTHZ redirect policy for UNKNOWN USER once the AUTHC failed (MAC Not found) after retrying the connection to the same SSID but it did not work.

Therefore, I was wondering if there is any replication issue when I am manipulating that ISE MAC DB during peak connection hours when the size of the DB is over 100K entries.

thanks

mpodolsk
Cisco Employee
Cisco Employee

First of all the sync is incremental, doing whole database upload between the nodes would not be realistic, as there are also profiling attributes and other things there. it would be simply too big.

What could have happened is either some delay in the sync as you said or you have not cleared the session on the WLC and the WLC reused the same attributes.

if you are concerned with this it would require additional, more detailed investigation, the best thing to do would be to open a TAC case.

Cheers,

Maciej

ajc
Level 7
Level 7

Additional questions:

When does the NetworkAccess:AuthenticationStatus EQUALS ProcessError actually apply?

Does the NetworkAccess:AuthenticationStatus EQUALS AuthenticationFailed only apply to Active Directory users being authenticated? Or that condition could be applied as well to MAC addresses not found on ISE DB? 

mpodolsk
Cisco Employee
Cisco Employee

ProcessError should applly when there is some issue with ISE or AD , to be frank i have never see this attribute triggered.

For the MAC not found in the ISE DB the conditions is "Network Access:AuthenticationStatus EQUALS UnknownUser "

the "NetworkAccess:AuthenticationStatus EQUALS AuthenticationFailed" will not work

ajc
Level 7
Level 7

I have been investigating but I am not clear about how I can use the following condition to force a redirect to a reset password page when the password is expired and I am trying to connect using IPAD or Android based devices.

Any ideas about the value that I should use?

AUTHZ Simple Condition

Attribute

Microsoft:MS-CHAP2-CPW EQUALS ?????

mpodolsk
Cisco Employee
Cisco Employee

What type of password, guest password or AD ?

Review Cisco Networking for a $25 gift card