06-28-2013 04:54 PM - edited 03-10-2019 08:35 PM
with Cisco Expert Bernardo Gaspar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various usage scenarios and integrations, such as BYOD, Active Directory, profiling, posture and RADIUS authentication, with Cisco subject matter expert Bernardo Gaspar.
Bernardo Gaspar is a Customer Support Engineer at the Technical Assistance Center at Cisco Europe, specialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine, as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.
Remember to use the rating system to let Bernardo know if you have received an adequate response.
Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.
This event lasts through Friday, July 12, 2013. Visit the community often to view responses to your questions and those of other community members.
07-04-2013 03:56 AM
I would like to know if NIC bonding is on the road map of ISE?
07-04-2013 10:48 PM
Hello Sander,
To the best of my knowledge, it's not on the roadmap yet. I'd advise to get in touch with your local Cisco account/sales team and ask for an enhancement.
Thank you and best regards,
Bernardo
07-04-2013 04:00 AM
My customer is limited in his VM space. Although he would like to have an active/standby pair for his administration node, he doesn't need this for his logging. Is it recommended to roll this into production? With limited HDD space, what would be the recommended size (300 GB?)
| | administration | monitoring | policy service |
|---|---|---|---|
| Machine VM | primary | not enabled | enabled |
| Machine HW | secondary | primary | enabled |
07-04-2013 10:55 PM
Hello Sander,
If I understand correctly, you want to run the primary administration node in a VM while having the secondary administration node + primary in an appliance. Your concern is how much disk space to allocate to the primary admin VM as you're limited to 300 GB.
Both servers will run as policy nodes.
Here you can find the recommended values for ISE VM Disk size, depending on their role:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_vmware.html#wp1110217
An admin role should have at least 200 GB, a policy node 100 GB, I'd go for the full 300 GB.
Thank you and best regards,
Bernardo
07-05-2013 03:58 AM
Hello Gaspar,
I have a few queries regarding ISE:
- Does ISE support a virtual environment?
- For virtual desktops / servers, will ISE help with posture assessment and enforcement?
- If a new machine is connected to the network without any agent, what functions can ISE provide?
- How long will it take after installation of the agent? Is it real time? Is it configurable?
- What type of notification can ISE provide in the case of no agent installed on the new machine?
- Asset classification will be based on what? Is it based on what we have configured, i.e. role, domain, IP etc.?
- Can ISE detect rogue APs?
- Will ISE support virtual machines, e.g. a hypervisor?
- If a new network device, i.e. a switch, is installed in the network, will it automatically sync and begin working?
- Is ISE capable of integration with existing Symantec AV and SCCM products for compliance?
- If the agent is installed, is self-remediation possible?
- Number of endpoints supported by ISE?
- List of third-party end devices supported?
Regards
07-05-2013 05:26 AM
Hi Bernardo,
While doing EAP chaining I change the VLAN when the user is posture compliant; this works great...
But I also use roaming profiles.
So when I log off, the VLAN changes back to the default immediately, and synchronization of the roaming profile fails because of the VLAN change.
I tried to set the "vlan detect interval" in the NAC agent to 10 sec, but it didn't change anything.
Is it possible to have the switch or the AnyConnect NAM client delay the VLAN change?
Regards Henrik
07-10-2013 09:20 AM
Hello Henrik,
This question is more about 802.1X on the switch or AC/NAM. ISE isn't involved in this process; all it does is pass the VLAN ID to the switch after the client authenticates ;-)
When the user logs off, as soon as the switch receives the EAPOL-Logoff it will set the VLAN back to the default one. As you say, potentially delaying the logoff from AC/NAM until the roaming profile is saved might work, but I'm not aware of any way of achieving this.
A potential workaround is to allow the traffic needed to save the roaming profiles on the default VLAN. But if the client isn't able to renew its IP address it would probably fail as well. Did you try this?
Regarding the VLAN detect interval in the NAC Agent, it wouldn't delay the logoff process because:
1. The NAC Agent doesn't participate in the 802.1X process, only in posture (VLAN assignment and EAP chaining are not part of the posture process).
2. This is a timer that sets how often the NAC Agent checks for a network change, so that it communicates with ISE using the correct IP address.
Thank you and best regards,
Bernardo
07-07-2013 03:08 PM
Hi Bernardo, I hope you're very well.
So, I'd like to know if I can achieve any level of BYOD using Cisco ISE 3315 with Basic License.
Thank you!
07-10-2013 09:30 AM
Hi Milton,
If by BYOD you mean automatically enrolling and provisioning different kinds of devices, then no. With a base license you wouldn't be able to profile the clients nor automatically provision them.
If you mean bringing a personal device to the corporate environment, manually configuring it to access the network and using ISE as an authentication server, then the base license would be enough.
From the ordering guide:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html
---snip---
Advanced license features include device onboarding and provisioning, device profiling, posture services
---snip---
Thank you and best regards,
Bernardo
07-08-2013 05:51 AM
Hi Bernardo,
We have CVP 4.0(2) for our VoIP communications, which Cisco has announced End of Life for.
We have CCM version 7.1 and Unity VM 4.0.
Now we need to upgrade our CVP to the latest version. Please advise what the best solution would be to upgrade and renew our contract.
Thanks
07-10-2013 09:32 AM
Hello Syed,
This thread is for questions regarding ISE, which is an AAA server. I'd suggest either trying the voice tech forums or contacting your local Cisco partner or Cisco sales team for alternatives.
Thank you and best regards,
Bernardo
07-12-2013 01:48 AM
Hello Bernardo,
I've been wondering how we can solve the MAR time issue.
If we use machine authentication in authorization policies and clients do not shut down their computers within the MAR time, it will be a problem.
The only way I know to prevent this is the AnyConnect NAM module, but if the customer does not use this, we cannot find any solution.
How can we proceed?
Thank you.
Nurullah Kazar