
ISE Express - Public and Private interfaces

campbech1
Level 1

I am rolling out ISE Express for our public guest wifi and so far it's been great. My problem is that I would like our Support Center to be able to connect to a management address to make changes without having to first jump on the guest wifi network.

I have set up two Ethernet interfaces and the necessary routing. When I connect to the Gi0's IP address on the public wifi network I'm presented with the ISE management page. When I connect from my desk to the internal management address on Gi1 I get a message of "Oops. Something went wrong. Access is denied, please contact your administrator."

Any ideas?

9 Replies

jan.nielsen
Level 7

Admin GUI is only accessible from gig0, not any other interface. You need to move your guest to the other interface, and then use gig0 for your management.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html#ID-1420-00000011

Hello friend,

I'm facing the same issue, and I confirmed that the interface being accessed is int g0, so it discards your comment. Any precise help will be appreciated.

Sincerely,

Horton

@Horton

 

Can you restate your issue with all the details?

 

Since you got on an old thread it is unclear whether or not your conditions are the same as the original poster.

Thanks for your reply and will to help. I just installed ISE 2.3 in a VM environment. It went off just fine and shows all services running as they should. I can ping it and ssh into it.

The problem I face right now is that the GUI does not come up. I simultaneously get the IE, Chrome and Firefox message saying "Oops. Something went wrong. Access is denied, please contact your administrator."


The interface I am using is default G0. Nothing else.

This is the config on my unit:

ISE/admin# sh run
Generating configuration...
!
hostname ISE
!
ip domain-name horton.com
!
ipv6 enable
!
interface GigabitEthernet 0
  ip address 192.168.200.25 255.255.255.0
  ipv6 address autoconfig
  ipv6 enable
!
ip name-server 192.168.200.99
!
ip default-gateway 192.168.200.1
!
!
clock timezone UTC
!
ntp server time.nist.gov
!
max-ssh-sessions 5
!
service sshd enable
!
password-policy
  lower-case-required
  upper-case-required
  digit-required
  no-username
  no-previous-password
  password-expiration-enabled
  password-expiration-days 45
  password-expiration-warning 30
  min-password-length 4
  password-lock-enabled
  password-lock-timeout 15
  password-lock-retry-count 3
!
logging loglevel 6
!
conn-limit 5 port 9061
conn-limit 10 port 9060
!
cdp timer 60
cdp holdtime 180
cdp run GigabitEthernet 0
!
icmp echo on
!
ISE/admin#

Thanks!

Is this a new installation?

 

Did you change the IP address after running setup the first time? If so, we have seen this sometimes where the default self-signed server certificate needs to be regenerated.

Marvin, thanks for your reply. The IP has been effectively changed with no success. How do I regenerate the self-signed certificate from the CLI? I was looking on the web but found nothing positive.

In the case of a brand new ISE you need to re-initialize the system.

 

application reset-config ise

It will give you the option to reset the certificate. 

@Marvin Rhoads Thank you very much for your instantaneous and impeccable help. That immediately cured my issue. Give you five, mate.

You're welcome. I'm glad it worked for you.

 

Thanks for the kind words.

 

P.S. Don't forget to change that default 45 days CLI password expiration. I've had that one bite me once or twice.
