This page provides important alerts from Cisco TAC regarding ISE (Identity Services Engine). To be notified of updates automatically, log in and click "Receive email notifications" on the upper right.
Date entered: 11-November-2013
The ISE web GUI stops working correctly after upgrading Firefox to version 25. You get the error message:
There was an error while parsing and rendering the content. (node.getAttribute is not a function)
Error code WAP00008.
This is documented in bug CSCuj61976 and is going to be fixed in 1.2 patch 5 and 1.1.3 patch 9.
CSCuj61976 - Admin UI fails to display certain UI pages when using Firefox 25. This fix addresses an issue where ISE admin UI pages with a tree view were not displayed correctly in Firefox 25.
Date entered: 19-November-2013
After installing Patch 3 on ISE 1.2, the sponsor timezone defaults to ECT, which is not a recognized timezone, and the guest account fails to log in. The error message on ISE is "86019 guest user restricted".
This is bug CSCuj91050 and will be fixed in Patch 4 for ISE 1.2.
If you roll back to Patch 2 the problem disappears.
CSCuj91050 - Creating Guest users shows incorrect timezone 'GMT+2 ECT'. This fix addresses an issue where a Guest user would fail to login with the following error due to an incorrect time zone being assigned to the account: "An internal error occurred. Contact your system administrator for assistance. Contact your system administrator."
Date entered: 8-April-2014
After installing Patch 7 on ISE 1.2, Guest users created by a Sponsor who logs in via AD are no longer able to log in. This is documented in bug ID CSCuo16503; more information about this and the workaround follows:
Symptoms: As of Patch 7 on ISE 1.2 (not seen prior to Patch 7), Guest users created by a Sponsor holding their credentials in AD cannot log in.
Conditions: The following need to match:
1. Sponsors log in via AD to create guest users
2. Guest users are placed into guest groups and are "Awaiting Initial Login"
Workaround: One of the following:
1. Create the guest users with an internal ISE-configured Sponsor account
2. Use the AD Sponsor account but place the guest users in the "Activated Guest" group
If you applied Patch 8 on ISE 1.2 and have only a Base license (no Advanced license, or an Advanced license that has expired), the Guest portal displays the error message "no valid system license exists" when guests land on the login page.
This is documented in bug CSCuo76078. Workarounds:
1) If you really need to run Patch 8 because of a bug that affects you, contact TAC and get a temporary Advanced license.
2) Roll back to Patch 7 and wait for a fix for the above bug.
Let me give you this example. Say I have the following configured:
CONFIGURED SWITCH INTERFACE ACL (PACL):
    ip access-list extended ACL-ALLOW
     permit ip any any
CONFIGURED SWITCH REDIRECT ACL (RACL):
    ip access-list extended ACL-WEBAUTH-REDIRECT
     permit tcp any any eq www 443
CONFIGURED ISE DOWNLOADABLE ACL (DACL):
    permit tcp any host <psn01> eq 8443
    permit udp any host <dns01> eq 53
    deny ip any any
Then the process would look like this:
1. During dot1x negotiation, the ACL that is used is this:
permit ip any any <<<<<PACL
2. Once CWA is in effect, the ACL looks like this:
    redirect tcp host <host ip> any eq www 443            <<<<<< RACL
    permit tcp host <host ip> host <psn01 ip> eq 8443     <<<<<< DACL
    permit udp host <host ip> host <dns01 ip> eq 53       <<<<<< DACL
    deny ip any any                                       <<<<<< DACL
    permit ip any any                                     <<<<<< PACL
The traffic must first be allowed by the dACL or the Port ACL (if no dACL is configured; the dACL is optional and is configured only if you want to restrict access on the switch port based on the user authenticating to the network, i.e. per user); only then will it hit the redirect ACL.
This clears the confusion on which ACL gets hit first. In fact, the dACL will replace the pre-authentication ACL/PACL you have configured on the switchport. Traffic must first be allowed via the dACL; then it will hit the redirect ACL.
As per my understanding, once the port gets authenticated, the order of ACLs is: 1. dACL, 2. Redirect ACL, 3. Port ACL.
Secondly, why do the ISE nodes need to be defined (as deny statements, or at all) in the redirect ACL?
When the redirect ACL is applied to the port, any HTTP or HTTPS traffic that the client sends triggers a web redirection. A deny statement at the top of the redirect ACL excludes the ISE IP address, so traffic to ISE goes to ISE and is not redirected in a loop. (In this scenario, deny does not block the traffic; it just does not redirect it.)
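As an added illustration (not from Cisco or the posts above), the following Python toy model plays through the ordering the thread describes: the dACL decides whether a packet is forwarded at all, and only forwarded traffic is checked against the redirect ACL, where permit means redirect and deny means leave alone. The PSN01/DNS01/web addresses are constructed, and the dACL is assumed to permit web traffic so that the redirect path can be seen.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    action: str          # "permit" or "deny"
    proto: str           # "ip" (any protocol), "tcp" or "udp"
    dst: str             # "any" or a host address
    dports: frozenset    # empty set = any destination port

class Packet(NamedTuple):
    proto: str
    dst: str
    dport: int

PSN01, DNS01 = "10.0.0.5", "10.0.0.53"   # constructed sample addresses

def matches(ace: Ace, pkt: Packet) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    dst_ok = ace.dst == "any" or ace.dst == pkt.dst
    port_ok = not ace.dports or pkt.dport in ace.dports
    return proto_ok and dst_ok and port_ok

def first_match(acl, pkt: Packet) -> str:
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"   # implicit deny at the end of every ACL

# dACL (assumed for this model): client may reach ISE, DNS and web; rest is dropped.
DACL = [
    Ace("permit", "tcp", PSN01, frozenset({8443})),
    Ace("permit", "udp", DNS01, frozenset({53})),
    Ace("permit", "tcp", "any", frozenset({80, 443})),
    Ace("deny", "ip", "any", frozenset()),
]
# Redirect ACL: permit = redirect to the portal, deny = do not redirect.
RACL = [
    Ace("deny", "tcp", PSN01, frozenset()),            # ISE traffic must not loop
    Ace("permit", "tcp", "any", frozenset({80, 443})),
]

def disposition(pkt: Packet) -> str:
    """dACL is consulted first; only permitted traffic reaches the redirect ACL."""
    if first_match(DACL, pkt) == "deny":
        return "dropped"
    return "redirected" if first_match(RACL, pkt) == "permit" else "forwarded"
```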