Rising star

Sounds like the "bug" there is when using device tracking on the switch with Windows 7; this can be fixed with this command on the switch: "ip device tracking probe delay 5". If that's not the case, you might have some luck with: "ip device tracking probe use-svi" http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html
Beginner

Hello Sergio,

Thank you for your question.

In your case I would advise starting to solve this issue from IP address assignment. I think you would agree that the log message "DHCP-DECLINE-CONFLICT" shouldn't appear on a router under normal circumstances. Not sure about your router/switch configuration; however, "ip dhcp ping" is highly recommended in such situations. For troubleshooting purposes, you can check the conflict list of IP addresses with the "show ip dhcp conflict" command and/or remove specific (or all) IP address(es) from the list with the "clear ip dhcp conflict <address>" command.

More on this here:

1. http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfdhcp.html

2. http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-mt/dhcp-15-mt-book/config-dhcp-server.html

Once the issue with IP address assignments is solved (you won't see any log messages about DHCP decline conflict) and ISE still misbehaves, I would encourage you to open a case with Cisco TAC.

Thanks

/Artem

Enthusiast

Good afternoon,

I'm looking for an easy way to migrate my "old fashioned" way of MAC filtering into my ISE environment. We have several SSIDs in our network, some of which are using MAC filtering for secure access. This consists of updating a spreadsheet and importing it to the controllers (via Prime).

I would really like to retire the spreadsheet and move to ISE for these SSIDs. It would be much better than using the spreadsheet.

Thanks in advance,

John L.

Beginner

Hello John,

Thank you for your question. If I understand your question correctly, you would like to import all MAC addresses from your endpoints to the ISE. If so, indeed, there is such an option on the ISE side. If you go to Administration --> Identities, you will see import/export options. Please click on import and download a template for import. Adjust this file with information about your endpoints and import it back to the ISE. MAC address information will be stored on ISE locally.

Feel free to ask a question if I have misunderstood your question.

Thanks

/Artem

Enthusiast

Artem,

You understood correctly!  Thank you for the information on how to easily do this.  The follow up question I have is, how do I then tell my controllers to use ISE for "MAC filtering" vs. using their local (imported) copy of the spreadsheet?

Basically, once I import the list (as you mention), I want to make sure that the controllers are looking at ISE now to validate the clients against the MAC filter, and not using their own locally stored copy.  (Hope this was clear).

Thanks,

John L.

Beginner

Hello John,

You would need to have your server(s) configured in the Security --> AAA --> RADIUS menu.

Then in the WLANs --> WLANs menu, choose your SSID. You would need to adjust the Security tab there; to be more precise, the "Layer 2" tab with the "MAC Filtering" check box and the "AAA Servers" tab with your RADIUS server IP address.

More on this here:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Thanks

/Artem
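As an added example that is not part of Artem's reply, the same change done from the WLC CLI instead of the GUI. The RADIUS server index, the WLAN id, the server IP address, the shared secret and the sample MAC address are assumed values; lines starting with "#" are annotations, not WLC commands.

```text
# Added example, not from the post; all values below are assumed.
# 1. Define ISE as RADIUS authentication server index 1
config radius auth add 1 10.10.10.5 1812 ascii <shared-secret>
# MAB needs the client MAC in Calling-Station-Id, in the delimiter format
# configured on the ISE side (colon-separated here)
config radius auth callStationIdType macaddr
config radius auth mac-delimiter colon
# 2. On the MAC-filtered WLAN (id 3): disable it, turn on MAC filtering,
#    bind server index 1 to it, then re-enable it
config wlan disable 3
config wlan mac-filtering enable 3
config wlan radius_server auth add 3 1
config wlan enable 3
# 3. Remove the spreadsheet-derived local entries, one per MAC, so that the
#    accept/reject decision comes from ISE rather than the local list
config macfilter delete 00:11:22:33:44:55
# 4. Verify
show radius summary
show wlan 3
show macfilter summary
```

ISE must also have the WLC defined as a network device with the same shared secret, otherwise the MAB requests are dropped.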

Enthusiast

Artem,

Thank you VERY MUCH for your reply.  That's exactly what I needed.  I will take your advice, and move forward.

Thanks again!!

John L.

Beginner

Hi, I have been deploying ISE for 3 years, but I still have a lot of questions.

Which is better to use for authentication order / priority?

MAB? Dot1x?

If MAB is first, when we re-authenticate the user, dot1x will not trigger;

if dot1x is first, non-dot1x devices will have to wait until dot1x times out whenever they are re-authenticated.

What is the better way?

Beginner

Hello Sir,

Thank you for your question.

Well, it depends on the project's needs. In general, the MAB method is not really secure (a MAC address might be spoofed), but there might be devices which don't support dot1x authentication, and you have to have MAB authentication then. The concept of "dot1x" authentication is for sure much more secure and recommended for user/machine authentication; however, again, you need to keep in mind devices which do not support dot1x authentication and/or specific scenarios like PXE boot, where you most likely will be using MAB authentication.

Regarding "order / priority":

The most common use case is to have a configuration on the interface level like below:

 authentication order mab dot1x
 authentication priority dot1x mab

With this configuration every device in the network will still be subject to MAB, but devices that pass MAB can subsequently go through "dot1x" authentication.

Please note that this is not a template for all scenarios, and the configuration on the interface should be adjusted based on project needs and/or the device connected to the switch port.

Thanks

/Artem
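As an added example that is not part of Artem's reply, here is that order/priority pair in the context of a complete IOS access-port template, with the timers that govern the re-authentication behaviour the question asked about. The interface name, VLAN and global AAA lines are assumed, and the RADIUS server definition is left out.

```text
! Added example (not from the post); global AAA prerequisites are assumed
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description access port: MAB first, dot1x takes priority
 switchport mode access
 switchport access vlan 10
 ! ORDER: MAB is attempted first, so non-dot1x devices (printers, PXE
 ! clients) are not held until the dot1x EAPOL requests time out
 authentication order mab dot1x
 ! PRIORITY: if the endpoint sends EAPOL at any time, dot1x outranks the
 ! existing MAB session and replaces it, so dot1x still triggers on re-auth
 authentication priority dot1x mab
 ! a MAB reject moves on to dot1x instead of failing the port
 authentication event fail action next-method
 authentication port-control auto
 authentication host-mode multi-auth
 authentication violation restrict
 ! periodic re-authentication, interval taken from the RADIUS Session-Timeout
 authentication periodic
 authentication timer reauthenticate server
 ! bound the dot1x wait for devices that never answer EAPOL:
 ! tx-period * (max-reauth-req + 1) = 10 * 3 = 30 seconds before giving up
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
 dot1x pae authenticator
 spanning-tree portfast
```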

Beginner

Hi There,

We are currently having an issue with our ISE deployment. We are trying to use certificate based authentication to allow corporate machines to join the Wi-Fi network. Once connected, the machines then use a separate ECS certificate to initiate a Microsoft DA tunnel back to the main corporate network. If just the RSA Wi-Fi cert is installed, the machine connects to the SSID fine; if just the DA cert is installed, the machine can join other Wi-Fi networks and the DA tunnel is formed correctly; if both certs are present, neither functions correctly.

Any help greatly appreciated.

Cisco Employee

Hello Wes Neary,

Thank you for that question. We are not really sure about that, as that seems to be a problem related to Microsoft. I am not sure how the certificate is chosen when building that Microsoft DA tunnel; however, regarding the native supplicant on Windows: you can check whether "simple certificate selection" is chosen (by default), in which case the first certificate with a private key is taken, or uncheck that option and you should have the option to select the certificate when doing authentication on the SSID (configured under "Manage Wireless Networks": right click a wireless connection -> Properties > "Security" tab > "Settings" > "Configure"). Once authentication is successful, there is a chance the Microsoft DA tunnel will work as well.

If that does not help, I could suggest performing packet captures to understand which certificate is used for authentication and which for the tunnel.

Hope that helps,

Wojciech

Hello to all,

I recently deployed ISE with vWLC for a client. The WLC serves 3 WLANs: one with MAB + ISE Guest Portal, one with dot1x + MS Active Directory and one with dot1x + external RADIUS server.

The first and second WLANs work just fine.

My problem is with the 3rd one. The dot1x auth reaches the ISE but the ISE reports timeout from the Ext RADIUS server. The Ext RADIUS is an Eduroam server and needs to get the authentication packets unchanged in order to forward them to another RADIUS server down the line.

I have set up another machine with RADIUS test tools using the same IP, ACL and NAT as the ISE, which can successfully connect to the RADIUS, so there is no actual timeout or network connectivity problem.

The Ext RADIUS admin gets the error that there is no EAP-Message in the request, which means that he gets RADIUS packets, but ISE reports just a timeout and is not forwarding the authentication to the Ext RADIUS properly.

Thank you for your time!

Cisco Employee

Hello Panagiotis Georgiou,

Thank you for that question. That is quite a specific problem, applicable for a TAC case. The best way to troubleshoot that is to take a packet capture (for example on ISE in Diagnostic Tools) in order to understand on which side you are having the problem. Looking into packet captures we can clearly say if the RADIUS packets are correct and whether indeed ISE is the side causing the issue. Please also double check that the pre-shared key is correct between ISE and the external RADIUS server.

After doing some research I have found the following bug; please take a look and try the workaround if that applies to your deployment:

https://tools.cisco.com/bugsearch/bug/CSCup45594/?reffering_site=dumpcr

Thank you

Wojciech

Enthusiast

Hi Wojciech & Artem,

Currently I am on ISE 1.4. I am looking for best practice regarding renewal of the expired certificates.

Last time, when I tried to create the CSR, I got the error:

internal error-multiple certificates with matching subject were found in the database. please delete duplicates

I could not use the same FQDN as in the current certificate. I found a workaround, but would like to avoid any issue like that in the future.

Thank you for any advice.

Regards,

Rafa