Ask the Expert : Identity Services Engine (ISE) - Guest and Posture Troubleshooting

Vidhi Mujumdar
Cisco Employee
 
Join the Discussion : Cisco Ask the Expert

Cisco ISE manages role-based security policy. It simplifies network-access delivery across wired, wireless, and VPN connections. ISE then integrates, consolidates, and automates the sharing of user and device data with other Cisco security and technology partners. This dynamic network access control improves IT operations and helps stop and contain threats. As the modern network expands, the complexity of marshaling resources, managing disparate security solutions, and controlling risk grows as well, and the potential impact of failing to identify and remediate security threats becomes very large. A different approach is required for both the management and the security of the evolving mobile enterprise. With superior user and device visibility, Cisco ISE delivers simplified mobility experiences to enterprises and shares vital contextual data with integrated technology partner solutions. The identification, containment, and remediation of threats are all accelerated through the integration, consolidation, and automation that Cisco ISE provides.

This session provides an overview of Guest and Posture Flow Troubleshooting. We expect basic knowledge of the initial configuration of ISE redirect flows for Guest and Posture. If you want to review these setups, we recommend the following links: Centralized Web Authentication Flow | Posture configuration.

Ask questions from Tuesday August 30 to September 9, 2016

Featured Experts

Sam Hertica has been a Customer Support Engineer on the Technical Assistance Center AAA team in RTP for 3.5 years. He started out of college as an intern on the RTP AAA team supporting the then-latest ACS 5.3 and 5.4. Since then he has grown to support full ISE deployments, as well as creating tools and resources for his team to troubleshoot complex deployments. Sam graduated from Rochester Institute of Technology with a BS in Applied Networking and Systems Administration in 2012.

Maciej Podolski is a member of the Technical Assistance Center AAA team in Krakow, Poland. He helps customers every day by resolving complex ISE / dot1x / ACS issues. Maciej graduated from the Warsaw University of Technology with a BS in Electrical and Computer Systems Engineering, with a major in Telecommunications. He has been passionate about cyber security since his university years; his final thesis was about steganography in cloud storage. He is also involved in developing tools for the AAA TAC engineers. His favorite hobby is skiing.

  

Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.


We look forward to your participation. This event is open to all, including partners. Please Share this event in your social channels. Have a technical question? Get answers here before opening a TAC case by visiting the Cisco Support Community.

     



sameer.dy09
Level 1

Hi Sam/Maciej,

Please let me know the commands/logs, via CLI and GUI, to check the number of guest users logged in, and whether there is a way to filter the complete list of guest users based on old connections.

In case we need to upgrade ISE 1.3 to 1.4/2.0, do we need to take a backup of the guest/sponsor accounts? What is the command to check the total number of current users in the internal database of ISE?

Nowadays, due to security requirements, can we limit user access to websites, e.g. blocking torrent/porn and the special categories mentioned in CX/Firepower?

Is there any sort of integration we can do, or can ISE take care of it standalone?

Regards,

Sameer

From a standalone ISE perspective, there's not much we can do as far as blocking torrent/porno or other categories. While ISE is able to dynamically apply ACLs or SGTs to endpoints for classification in your environment, this would rely on pre-defined ACLs to block traffic to specific hosts. CX/Firepower is much more suited to handle this kind of enforcement. 

That being said, Firepower and ISE can communicate via pxGrid (Cisco Platform Exchange Grid). Another TAC engineer has already created a document covering how to configure and troubleshoot it, if you want to pursue this option.

Hi Sam,

Thanks for your help.

I need clarification on the following scenario:

"We are facing an issue with the Sponsor portal. When we open a sponsor portal page on our laptop it always prompts for client certificate authentication, and clicking OK or Cancel redirects us to the sponsor portal. We would like to disable that certificate authentication so that users can open the page smoothly without any pop-up."

ISE version 1.3(876): is it a bug or something else? I have found a similar issue in bug CSCuq89147, but it is not the same.

++ Can you confirm how many portals we can have, as you explained in the webinar, 10? Is there any document, in case it depends on the version we are using?

Regards,

Sameer

Hello, we have successfully tested 802.1X authentication with Dell Wyse thin clients, a Catalyst 2960, and ISE 1.2. We successfully used EAP-TLS and PEAP (MSCHAPv2).

We have also tested EAP-FAST. Dell Wyse claims it supports EAP-FAST only with automatic PAC provisioning. The negotiation progresses until the PAC provisioning and then ISE 1.2 complains with the following log: "12152 Rejected PAC provisioning request because supplicant failed to adhere to protocol". I attach the complete log.

I have the following questions:

1) There are two versions of EAP-FAST, the latest called EAP-FASTv2. Are both Cisco proprietary? Do other vendors support EAP-FASTv1 and EAP-FASTv2?

2) In ISE 1.2 can we disable manual PAC provisioning and enable automatic provisioning only?

Hi Eduardo,

While Cisco did develop EAP-FAST originally, since it exists as an IETF Informational Draft for both versions, any vendor should be able to use and support it in their supplicant. 

Unfortunately, you can't disable manual PAC provisioning from the administrative portal. The only way to prevent administrators from manually generating PACs would be to use Administration Access > Menu Access to prevent unwanted administrators from reaching Administration > System > Settings.

Sam

Hi,

ISE is deployed as primary and secondary.

There are two SSIDs. Both of them use different portals.
One is using the default guest portal, the other one a custom portal.

1) The problem is that sometimes, once a client is connected to the SSIDs, it is redirected to ISE (we can see the portal URL in the client browser) but the page does not load. After a couple of minutes users get a session timeout message.

2) Whenever the users type www.google.com, they are not getting redirected.


Thanks

Hello.

1. Try to put the IP address in the URL; maybe there is something wrong with DNS.

2. Check the access list, and check that you have both IPs of the portals permitted (it seems like the redirect is matching the traffic but there is no connection to ISE).

About google.com:

If this happens specifically with google.com, maybe there is an issue with the redirection access list. For example, if you wanted to open the Play Store for Android during BYOD, sometimes the google.com IP overlaps with the Play Store; check the IP ranges that are open. You can run a Wireshark capture on the PC and check which IP address it is going to.

Cheers,

Maciej

Hi,

"If this happens specifically with google.com"

No, it happens with all https:// URLs.

"1. Try to put the IP address in the URL; maybe there is something wrong with DNS"

I am using a static IP.

"Check the access list, and check that you have both IPs of the portals permitted (it seems like the redirect is matching the traffic but there is no connection to ISE)"

Both IPs are permitted.

Here is the redirect ACL (WLC 5760):

Extended IP access list acl_redir
10 deny udp any any eq bootps
20 deny udp any any eq bootpc
30 deny udp any any eq domain
40 deny ip any host 192.168.10.100
50 deny ip any host 192.168.10.101
60 permit tcp any any eq www (70368049 matches)
70 permit tcp any any eq 443 (125037468 matches)

I have an ACL on the VLAN interface of the core switch; there the ISE IP address is also permitted.

Another thing: this does not always happen, and second, I can reach port 8443 from the client during this time.

Still the same 

Thanks
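The ACL above can be checked mechanically. The script below is an added example for this thread (not Cisco tooling and not posted by anyone in it); it parses the ACL exactly as pasted and applies the redirect-ACL semantics documented for IOS/IOS-XE switches and converged-access controllers such as the 5760: an entry that matches with permit means the flow is intercepted and redirected to the portal, while a deny match (and the implicit deny at the end) means the flow is forwarded untouched. On AireOS controllers the meaning is inverted, so do not reuse this evaluator there without flipping the actions. The sample flows and the service-name-to-port table are assumptions for illustration. With this ACL, lines 40 and 50 are why the poster can still reach the PSNs on 8443 directly, and only TCP 80/443 to anything else is redirected; traffic to 192.168.10.100:8443 is therefore not the part being intercepted.

```python
"""Evaluate a Cisco-style redirect ACL the way an IOS/IOS-XE NAD applies it to a CWA session.

Added example, not from the original thread. Semantics modelled (IOS/IOS-XE, 5760):
  permit match  -> flow is intercepted and redirected to the portal
  deny match    -> flow is forwarded normally (not redirected)
  no match      -> implicit deny, i.e. forwarded normally
Only the syntax subset present in the posted ACL is parsed ("any", "host <ip>", "eq <port|name>").
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACL exactly as posted in the thread (WLC 5760 "show access-list" output).
ACL_TEXT = """\
Extended IP access list acl_redir
10 deny udp any any eq bootps
20 deny udp any any eq bootpc
30 deny udp any any eq domain
40 deny ip any host 192.168.10.100
50 deny ip any host 192.168.10.101
60 permit tcp any any eq www (70368049 matches)
70 permit tcp any any eq 443 (125037468 matches)
"""

# Service names that IOS prints in place of port numbers (assumed subset).
SERVICE_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "https": 443}


@dataclass(frozen=True)
class Flow:
    proto: str                     # "tcp", "udp" or "icmp"
    dst_ip: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", ...
    dst_ip: str                    # "any" or a single host address
    dst_port: Optional[int]        # None when no "eq" clause


def parse_acl(text: str) -> List[Entry]:
    """Parse numbered ACE lines; the header line and "(N matches)" counters are ignored."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"\(\d+ matches\)", "", raw).strip()
        if not line or not line[0].isdigit():
            continue
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        i = 4                                  # tok[3] is the source ("any" in this ACL)
        if tok[i] == "host":
            dst_ip, i = tok[i + 1], i + 2
        else:
            dst_ip, i = tok[i], i + 1
        dst_port = None
        if i < len(tok) and tok[i] == "eq":
            p = tok[i + 1]
            dst_port = int(p) if p.isdigit() else SERVICE_PORTS[p]
        entries.append(Entry(seq, action, proto, dst_ip, dst_port))
    return entries


def matches(e: Entry, f: Flow) -> bool:
    if e.proto != "ip" and e.proto != f.proto:
        return False
    if e.dst_ip != "any" and e.dst_ip != f.dst_ip:
        return False
    if e.dst_port is not None and e.dst_port != f.dst_port:
        return False
    return True


def redirect_decision(acl: List[Entry], f: Flow) -> Tuple[str, Optional[int]]:
    """First-match evaluation: ("redirect"|"forward", matching sequence number, None = implicit deny)."""
    for e in acl:
        if matches(e, f):
            return ("redirect" if e.action == "permit" else "forward", e.seq)
    return ("forward", None)


# Constructed flows a guest client typically generates during CWA (addresses are assumptions).
SAMPLE_FLOWS = [
    Flow("udp", "192.168.10.1", 53),          # DNS lookup of the portal FQDN
    Flow("tcp", "192.168.10.100", 8443),      # the portal itself on the PSN
    Flow("tcp", "203.0.113.10", 443),         # https://www.google.com after DNS
    Flow("tcp", "203.0.113.10", 8080),        # a non-standard web port
]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for flow in SAMPLE_FLOWS:
        print(flow, "->", redirect_decision(acl, flow))
```

Run it as-is and you get "forward" for DNS and for the PSN on 8443 (lines 30 and 40) and "redirect" only for TCP 80/443 elsewhere; anything on another port is forwarded by the implicit deny, which is the usual reason a client on an odd port is never sent to the portal.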

 

1. Sometimes the clients get the session timeout: do you have a load balancer? Do you see the switch flip-flop between the ISE nodes when this happens?

Check the ISE log after the issue happens, filter by the MAC address of the endpoint, and check whether all events happen on the same node.

2. No redirection at all: please check ip http server and ip http secure-server.
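The check Sam describes (filter the ISE log by the endpoint MAC and confirm every event landed on the same node) can be scripted against an exported log. The following Python is an added example for this thread, not an ISE feature or TAC tool. The log lines in it are constructed for illustration: they imitate the general shape of ISE syslog (logging node hostname, a CISE_ message category, RADIUS attributes such as Calling-Station-ID) but are not a real export, so adjust the regular expression to your own collector's format. The point of the check is that the portal URL handed to the client names the PSN that processed the RADIUS request; if events for the same MAC are split across PSNs (a NAD failing over between servers, or a load balancer without stickiness), the node serving the portal may not own the session, which is the kind of split this script flags.

```python
"""Group ISE-style syslog events by endpoint MAC and flag endpoints whose events
are spread over more than one ISE node.

Added example, not from the original thread. The sample lines are constructed and
only imitate the general shape of ISE syslog; they are not real ISE output.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log (not real ISE output). The first endpoint is handled by
# ise-psn1 and then by ise-psn2; the second endpoint stays on ise-psn1 throughout.
SAMPLE_LOGS = """\
Sep 01 10:00:01 ise-psn1 CISE_Passed_Authentications 0000000123 1 0 NetworkDeviceName=wlc-5760, Calling-Station-ID=00-11-22-33-44-55, AuthorizationPolicyMatchedRule=CWA-Redirect
Sep 01 10:00:02 ise-psn1 CISE_Guest 0000000124 1 0 PortalName=Guest-Portal, Calling-Station-ID=00-11-22-33-44-55
Sep 01 10:00:04 ise-psn2 CISE_Passed_Authentications 0000000901 1 0 NetworkDeviceName=wlc-5760, Calling-Station-ID=00-11-22-33-44-55, AuthorizationPolicyMatchedRule=CWA-Redirect
Sep 01 10:00:05 ise-psn1 CISE_Passed_Authentications 0000000125 1 0 NetworkDeviceName=wlc-5760, Calling-Station-ID=AA-BB-CC-DD-EE-FF, AuthorizationPolicyMatchedRule=CWA-Redirect
Sep 01 10:00:09 ise-psn1 CISE_Guest 0000000126 1 0 PortalName=Guest-Portal, Calling-Station-ID=AA-BB-CC-DD-EE-FF
Sep 01 10:00:10 ise-psn1 CISE_Passed_Authentications 0000000127 1 0 NetworkDeviceName=wlc-5760, Calling-Station-ID=AA-BB-CC-DD-EE-FF, AuthorizationPolicyMatchedRule=Guest-Permit
"""

# Assumed line layout: "<Mon DD HH:MM:SS> <node> <CISE_category> ... Calling-Station-ID=<mac>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<node>\S+) (?P<category>CISE_\S+) .*?"
    r"Calling-Station-ID=(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
)

Event = Tuple[str, str, str]   # (timestamp, node, category)


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def events_by_mac(logs: str) -> Dict[str, List[Event]]:
    """Parse the log and bucket (timestamp, node, category) tuples by normalized MAC."""
    out: Dict[str, List[Event]] = defaultdict(list)
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            out[normalize_mac(m["mac"])].append((m["ts"], m["node"], m["category"]))
    return dict(out)


def nodes_for(logs: str, mac: str) -> Set[str]:
    """Set of ISE nodes that logged any event for the given endpoint."""
    return {node for _, node, _ in events_by_mac(logs).get(normalize_mac(mac), [])}


def split_sessions(logs: str) -> Dict[str, Set[str]]:
    """Endpoints whose events landed on more than one node, with the nodes involved."""
    result: Dict[str, Set[str]] = {}
    for mac, events in events_by_mac(logs).items():
        nodes = {node for _, node, _ in events}
        if len(nodes) > 1:
            result[mac] = nodes
    return result


if __name__ == "__main__":
    for mac, nodes in split_sessions(SAMPLE_LOGS).items():
        print(f"{mac}: events on {sorted(nodes)} - session may not be owned by the portal node")
    for mac, events in events_by_mac(SAMPLE_LOGS).items():
        for ts, node, cat in events:
            print(f"{mac} {ts} {node} {cat}")
```

On the constructed sample, 00:11:22:33:44:55 is reported as split across ise-psn1 and ise-psn2 while aa:bb:cc:dd:ee:ff is not; on a real export, an empty result from split_sessions is the "all events on the same node" answer to Sam's question, and a non-empty one points at the NAD or load balancer rather than at the portal configuration.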

Hi,

Thank you for the reply. Actually, this is what is happening. The user connects to the open SSID and types a URL in the browser.

In the client browser I can see it going to the ISE login page http://192.168.10.100:8443sessionid.......................

The user expects a login page to appear... waiting. The user sees a spinning wheel and the login page never finishes loading.

And finally the user gets "session timeout, please contact administrator".

ip http server and ip http secure-server are enabled on the WLC.

I don't have a load balancer. All the requests are going to the same node.

Which logs should be checked?

Thanks

I have seen this kind of loop when the AUTHZ policies for CWA are not properly configured, assuming that your DNS entry for the ISE FQDN is correct. Another option is the URL redirect in the WLC pointing to the wrong PSN. What version are you running?

Hi, 

Can we join the discussion (not just reply with an answer...)?

Well, 

Try from here to ask a question ;)

So posture.

Our customer has SEP (Symantec Endpoint Protection). Somewhere in this forum I read about it: for remediation in SEP we need an administrator account on the local computer. Is it true?

By the way, do you suggest setting most of the requirements (like SCCM, AV-AS) to Mandatory or Optional?

Our experience with AnyConnect (also like with the NAC client a few years ago ;) is that setting requirements to Mandatory is a very dangerous thing if business continuity is at all important...
