This document describes 3 scenarios of ISE troubleshooting.
WLC HA (Code 18.104.22.168)
Scenario 1: ISE - WiFi Access only to Authorized Devices rest BYOD blocked
User have a WLC HA (Code 22.214.171.124) setup with an ISE pair (version 1.2) , and all that works fine.
Currently ISE is configured to authenticate users from AD. Our corporate SSID is setup with WPA2+AES with 802.1x PEAP authentication, so users can connect Wifi from their devices after they put in their AD credentials.We would now want to Restrict our Internal network Access through WiFi only to Authorized Devices like company issued Laptops/Tablets etc. For all the other devices like Personal Smartphones/Tablets/Laptops users can only have Internet Access only if they are Authenticated/Authorized to do so.
For the Rest of the devices like Printers, Apple TV's etc we already have a separate SSID running on which we are doing Mac Filtering through WLC, so none of the browser less devices would be connecting to the Corporate SSID. Assuming We have the Mac Addresses of all the company issued devices Laptops/Tablets (Most of which are Apple Devices), what is the best approach to go about this utilizing ISE.
What is MDM? Mobile device management (MDM) is a security software which is used by an IT department to monitor, manage and secure employees' mobile devices that are deployed across multiple mobile service providers and across multiple mobile operating systems being used in the organization. Mobile device management software is often combined with additional security services and tools to create a complete mobile device and security Enterprise Mobility Management solution.The widespread proliferation of consumerisation of IT means more personal consumer computing devices — such as smartphones, laptops and tablets — are brought to the workplace by employees for use and connectivity on the corporate network. The phrase BYOD (bring your own device) has become widely adopted to refer to these employees. Today's category of mobile device management software is one way that an organization can deliver secure mobile solutions to its BYOD workforce.
You can import all of the mac addresses in ISE and perform mac filtering along with a PEAP-User based authentication. However, keep in mind that using this method is not the most secure one since a mac address can be very easily be spoofed and it is send in clear text. With that being said, a better solution would be to get an MDM (MobileIron, Airwatch, etc), integrate it with ISE and on-board all of the corporate owned devices.
Scenario 2: File transfer problem during ISE 1.3 upgrade
User have problem running the upgrade command:
iseadm01/admin# application upgrade cleanupApplication upgrade preparation directory cleanup successful
iseadm01/admin# application upgrade prepare ise-upgradebundle-1.2.x-to-126.96.36.1996.x86_64.tar.gz FTPGetting bundle to local machine...
% File transfer error
iseadm01/admin#The sniffertrace shows that the ISE 1.2 is sending TCP RST after about 30MB file transfer. If we run the command serveral times, it stops exactly after the same amount of transferred bytes.The disk utilazation looks OK:iseadm01/admin# dirDirectory of disk:/ 16384 Sep 18 2014 15:55:48 lost+found/ Usage for disk: filesystem
172761088 bytes total used
14275047424 bytes free
15234142208 bytes available
iseadm01/admin# dirDirectory of disk:/ 16384 Sep 18 2014 15:55:48 lost+found/ Usage for disk: filesystem
172761088 bytes total used
14275047424 bytes free
15234142208 bytes available
User have Another ISE (monitor node) and the problem is exact the same on that node.
You can use FileZila for transfering the file.On FileZila click on the User Accounts Icon. The dialog box will show you defined users. By default only anonymous is created.So you need to create a local ftp username and passowrd. Then assign it a home directory under shared folders. This will be the dfault location a remote clietn will look for files and where you would find the ISE upgrade package, for example.
See following screenshot
You can upgrade two deployments now - one on VMs and another on ISE 3400 series appliances. Both transferred the images OK. I found it easier to transfer the files separately via FTP. I then created a repository pointing at the disk and referenced that in the upgrade command. I have seen reports of ftp servers on Windows (with WS-FTP and/or IIS) limiting transfers to 30 MB. I used the Filezilla ftp server on windows laptop and it worked very nicely.
Scenario 3: Cisco ISE 1.3 internal CA
User is deploying the 1.3 version of ISE(new), he have a distribute environment, with two machines for admin/log personas and two machines for psn's. The problem that he need to solve is about the internal CA, he installed one ISE 1.1 one year ago and used an external CA certificate based to do the authentication via eap and gui admin console with no problems, on this new instalation he would like to use the internal CA, but the documentation is very poor and he don't found how he can initiate this setup using the internal CA. He know that the CA is the admin primary machine, but he don't know what he need to do(using the gui) to generate the certs of the other machines and register the nodes using the certificates generated by this internal CA.
The internal ca is positioned as a ca for byod device on-boarding and not an enterprise ca replacement (for example getting certs onto customer servers or for managed assets such as corporate pcs) again this is for byod use case For the other ISE Nodes, create a self-signed cert on that node (this must be done prior to registering it to the Primary Admin Node or it fails) and export the cert. Import the node Self-Signed Cert into the Trusted Certificates store on the Admin Node. You can then register the node.
Do this for all node types. The IPN is vastly different, and the ISE 1.2 Installation guide details those steps. (ISE 1.3 uses the ISE 1.2 IPN). You bind the CSR from your Admin node to the External Root CA. Once the other nodes are registered, the bound cert is copied down to that other node. The bound cert is normally a wildcard cert.
Notice that I have three nodes in this deployment with a single wildcard cert to the nodes that are in my Trusted Certificates store. The wildcard cert is transferred automatically.
Hello and thanks in advance.I am getting the following two errors in Cisco AnyConnect Secure Mobility Client V. 4.7.04056 (the version and installer were provided by my employer). The errors popup after aproving the connection in my mobile app.ERROR 1:The...
we had both TAC and MS assist us in getting our ISE 2.6 enviroment connected to MS intune for MDM for mobile devices. it was a difficult process as we already had an MDM in place (MaaS360) and had to figure out the correct order of operations. it was work...
Hi everyone,I got a VPN question, I'm looking at the next configuration:group-policy "nomfa-Support, ou=VPNUsers" internalgroup-policy "nomfa-Support, ou=VPNUsers" attributesbanner aaaabbbbccccddddeeeeffffdns-server value 10.132.4.186 10.134.27.11vpn...
I have a firepower 4100 series setup as an HA pair that I just inherited. I am not familiar with this device. I noticed today that I can SSH into the primary FTD, but not the secondary. Is this normal? I just want to make sure there isn't anything wrong. ...
All,Trying to figure how to prevent the webvpn service on an ASAv (used for presenting Anyconnect VPN client software to logged in users) to present the login portal when accessing:https://10.0.0.2/instead, i would like the ASAv to present the login porta...