cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

dCloud ISE Demos - Code Versions & Known Caveats

1869
Views
2
Helpful
0
Comments

The following issues are related to ISE demos in Cisco dCloud

http://cs.co/selling-ise-demos

 

Here is a list of known issues when using the demos

ISE 2.6 Sandbox

ROADMAP - replace the dCloud ISE secure access wizard demo (currently running 2.3) and ISE 2.6 sandbox v1 with 2.6 patch 2, the new demo should be called ISE 2.6 Sandbox v1.2 - Nov 2019?

 

CSCvp54579(CSC.policy-mgmt,upd,jakunst)ise 2.6 hotspot flow with apple ios CNA ends with 400 error after success page. The flow still works but user will see 400 error instead of success page. They still have connectivity as a guest. This will apply to all guest flows using apple captive network assistant.

ISE 2.3 Mobility Deep Dive

ROADMAP - we will be perhaps updating AireOS wireless code in future to keep relevant until we decommission likely July 2020

When first connecting a client to the network using the hotspot or guest network (straight MAB), the device will be denied access. When you connect a second time (now the mac address is in the database) it will be successful.

 

Why do we have different WLC versions depending on the ISE demo?

We try to stay with the same WLC version across demos so that you aren't required to wait 20 min or so when switching between the code. We are also restricted to using public versions of the code as well. An AP can store 2 images of code. This is useful as we have 3 different code versions. AireOS 8.3, 8.5 and C9800-CL running 16.11 (soon to be 16.12)

 

We are looking in November to consolidate AireOS code into 8.5.x for both the ISE Sandbox and Mobility Deep Dive

 

What are some of the reasons why we cannot keep the versions the same:

  • Secure Access Wizard demo is running 8.3.133.0 code because WLC 8.5.105.0 code is not working with the wizard.
    • ISE - CSCvg65262, WLC - CSCvg80402
    • hoping to have a fix in 2.6 patch 3 ETA Nov 2019? This will be consolidated into the ISE 2.6 Sandbox v1.1
  • Captive Network Assistant - 8.3 code doesn't work with per WLAN captive portal bypass, this feature is needed on the Mobility demo to showcase that we support the Apple CNA (Captive Network Assistant) mini-browser that auto-pops up when connecting to a WLAN with a guest portal - new ISE Enterprise & Security demo with C9800-CL works correctly
  • 8.5 has new GUI options to enable easy setup with ISE
    • SECURITY > AAA > RADIUS > Authentication Servers > Apply Cisco ISE Default Settings.
      • Checking this box will enable COA, set the port to 1812 and create duplicate settings for a RADIUS accounting server
    • WLAN > Security > AAA Servers > Apply Cisco ISE Default Settings
      • Checking this box will enable Allow AAA Override, NAC State – ISE NAC, and Radius Client Profiling for DHCP/HTTP Profiling

The following versions of code are used in our demos

ISE Enterprise & Security Demo

  • ISE 2.4 & C9800-CL IOS-XE 16.11 (upgrading to 16.12 Nov 2019?)

ISE Mobility Deep Dive 

  • this demo will continue on for TACACS device admin use case and to keep AireOS code available to showcase with ISE
  • ISE 2.3 &  WLC 8.5.105.0
  • future might move to 8.9.111 (dec 2019?)

ISE Secure Access Wizard (merging into ISE 2.6 sandbox)

Nov 2019 TBD -  replacing current ISE Sandbox and Secure Access Wizard

ISE 2.6 Sandbox v1 (decommissioning November 2019 as merged with above demo)

  • ISE 2.6 & WLC 8.3.133.0

AP issues

Check https://cs.co/selling-ise-demos we have more details on AP setup and support articles

 

 

APs that are built into the router will not work with the following (Use an external AP compatible with WLC 8.5 code)

  • URL based ACLs (used in the SAW demo).
  • Device Sensor profiling (if you're accessing the network without the endpoint opening an ISE portal (guest for example) then your device will not be able to be profiled utilizing the DHCP/HTTP probes running on the WLC.

 

BYOD Issues

Please see ISE BYOD endpoint issues