Nowadays due to security requirement , can we limit user for access to websites like blocking torrent /porno , special categories mentioned in CX/Firepower

Any sort of integration we can do or ISE can standalone take care of it  ?

Regards,

Sameer

From a standalone ISE perspective, there's not much we can do as far as blocking torrent/porno or other categories. While ISE is able to dynamically apply ACLs or SGTs to endpoints for classification in your environment, this would rely on pre-defined ACLs to block traffic to specific hosts. CX/Firepower is much more suited to handle this kind of enforcement. 

That being said, Firepower and ISE can communicate via pxGrid, a Cisco Platform Exchange Grid. Another TAC engineer has already created a document covering how to configure and troubleshoot it if you want to pursue this option. 

Hi Sam ,

Thanks for your help ,

I need to clarify for such scenario as below :

"We are facing issue with Sponsor portal, when we open a sponsor portal page on our laptop it always prompt for client certificate authentication and clicking on ok or cancel it will redirect us to sponsor portal. We would like to disable that certificate authentication so that users can smoothly open page with out any pop up."

ISE version 1.3(876) , is it a BUG or something else , I have found a similar issue in BUG CSCuq89147 but it is not the same

++Can you confirm how many portals we have as you explained in webinar , 10 ? is there any document ..if it depends on version we are using

Regards,

Sameer

Hello, we have successfully tested 802.1x authentication with Dell Wyse thinclients, a Catalyst 2960, and ISE 1.2. We used successfully  EAP-TLS and PEAP(Mschapv2).

We have also tested with EAP-FAST.  Dell Wyse claims it support EAP-FAST only with automatic PAC provisioning. The negotiation progresses until the PAC provisioning and then ISE 1.2 complains with the following log " 12152 Rejected PAC provisioning request because supplicant failed to adhere to protocol" I attach the complete log.

I have the following questions

1) There are two versions of EAP-FAST, the last one called EAP-FASTv2. Are both Cisco proprietary? do other vendors support EAP-FASTv1 and EAP-FASTv2?

2) In ISE 1.2 can we disable manual PAC provisioning and enable automatic provisioning only?

Hi Eduardo,

While Cisco did develop EAP-FAST originally, since it exists as an IETF Informational Draft for both versions, any vendor should be able to use and support it in their supplicant. 

Unfortunately, you can't disable manual PAC provisioning from the administrative portal. The only way to prevent administrators from manually generating PACs would be to utilize the Administration Access Menu Access to prevent unwanted administrators from accessing the Administration -> System -> Settings. 

Sam

Hi,

ISE deployed as primary and secondary .

There are two ssid . Both of them using different portals .
One is using default guest portal , the other one using custom portal.

The problem is sometimes once client connected to the ssid's it is redirecting to the ISE, (we can see the poral url on the client browser) but the page is not loading .After couple of minutes users get session timeout message

2)Whenever the users type www.google.com , users are not getting rediected

Thanks

Hello.

1. Try to put ip address in the url maybe there is something wrong with the DNS

2. check the access list if you have both ip of portals permitted ( seems like the redirect is matching the traffic but there is no connection to ISE

about google.com

if this happens specifically with google.com, maybe there is an issue with the redirection access list, for example if you wanted to open PLAY store for android during BYOD, sometimes it happens that the google.com ip overlaps with the PLAY store, check the ip ranges open, you can run a wire-shark sniff on the pc and check to what ip address its going.

Cheers,

Maciej

Hi,

"if this happens specifically with google.com "

No it happens with all https:// url's . 

"1. Try to put ip address in the url maybe there is something wrong with the DNS"

I am using stattic ip  

"check the access list if you have both ip of portals permitted ( seems like the redirect is matching the traffic but there is no connection to ISE "

Both ip's are permitted

Here is the redirect acl (wlc 5760)

Extended IP access list acl_redir
10 deny udp any any eq bootps
20 deny udp any any eq bootpc
30 deny udp any any eq domain
40 deny ip any host 192.168.10.100
50 deny ip any host 192.168.10.101
60 permit tcp any any eq www (70368049 matches)
70 permit tcp any any eq 443 (125037468 matches)

I have an acl on the  vlan interface of  the core switch , there also ise ip address permitted . 

Another thing this does not happen always  and second thing I can reach from the client  to port 8443 during this time .

Still the same 

Thanks

1.sometime the clients get the session timeout. - do you have a load balancer ? do you see the SW flop between the ise nodes when this happens?

check the ise log after the issues happen, filter with mac address of the endpoint and check if all events happen on the same node.

2. no redirection at all - please check the ip http server and ip http secure-server

Hi,

Thank you for the reply  . Actually this is what happening .User connect to open ssid , type url on the browser , 

.On the client broswer  can see  its going to the ise login page http://192.168.10.100:8443sessionid.......................

user expecting a login page will appear......waiting .user see a spinning wheel and never finish loading login page

.and finally user getting "session timeout please contact administrator ".

ip http server and ip http secure-server enabled on the wlc .

I don't have a load balancer . All the request are going to the same node .

What are the logs should be  checked 

Thanks

I have seen this kind of loop when the AUTHZ policies for CWA are not properly configured assuming that your DNS entry for the ISE FQDN is correct. Another option is the URL Redirect in the WLC pointing to the wrong PSN. What version are you running?

Hi, 

Can we join the discussion (not just reply an answer...)?

Well, 

Try from here to ask a question ;)

So posture.

Our customer have SEP (Symantec Endpoint Protection). Somewhere in this forum I read about it: for remediation in SEP we need administrator account in local computer . Is it true?

By the way - are you suggest to set most of reqirements (like SCCM, AV-AS) Mandatory or optional? 

Our experience with AnyConnect (also like with NAC client a few years ago ;) is that setting requirements to Mandatory is a very dangerous thing if business continuity is a bit important ...