
Troubleshooting Cisco Identity Services Engine (ISE)

Community Manager

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions about Cisco Identity Services Engine (ISE) to Artem Tkachov and Wojciech Cecot.

Join the Discussion : Cisco Ask the Expert

Ask questions from Monday, December 14 to Wednesday, December 23rd, 2015

The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the attack continuum. The market-leading platform for security-policy management, it unifies and automates access control to enforce compliance-driven role-based access to networks and network resources. 

This session will help customers with troubleshooting, configuring and implementing ISE solutions in their networks.

 

Artem and Wojciech will be helping you with all your queries on all of the above.

 

Artem Tkachov is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC for the past 3 years and has 8 years of industry experience working with enterprise deployment and troubleshooting. His areas of expertise currently include Firewalls, VPNs, AAA, 802.1X (MacSec/TrustSec), ISE (BYOD, HotSpot, etc.), ACS, as well as knowledge in Routing and Switching, Service Provider, and Data Center technologies. Artem holds CCIE certifications (# 39668) in Routing and Switching, Service Provider, Wireless, as well as CCNP in Security, JNCIS-SP, RHCSA, and ITIL certification.

 

 

 

Wojciech Cecot is a Customer Support Engineer in the Cisco TAC Security team in Poland. He has been working with TAC since May 2014 and has 3 years of industry experience working with enterprise deployment and troubleshooting. His area of expertise covers ISE, TrustSec, BYOD, ACS 5.x, 802.1x. Prior to joining Cisco, he worked as a junior system engineer at Comarch. He graduated with Bachelor's and Master's degrees in Electronics and Telecommunications from AGH University of Science and Technology.

 

Find other  https://supportforums.cisco.com/expert-corner/events.

Because of the volume expected during this event, Artem and Wojciech might not be able to answer every question. 

**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions

 


9 Comments
Beginner

Hi Artem/Wojciech,

We recently configured ISE 2.0 and migrated all users to that system, but we faced some problems.

1-) We authenticate both machines and users with dot1x at the same time. First, machines need to pass authentication; after that, users need to have a valid certificate (EAP-TLS) and they are authenticated. Everything went well. When users log out and try to log in again with the same device, the machine authentication is successful first (I observe it in the RADIUS logs), but users get stuck for about 1-3 minutes. Why does it take so long to re-authenticate? It is not constant, sometimes 1 or 3 minutes. Users are not satisfied.

2-) When users are authorized with profiles, dACLs are downloaded for users. Sometimes the ACLs are skipped; for example, if a user should not reach the 10.0.2.0/24 subnet, somehow it passes and is able to reach that subnet.

3-) We configured wired guest access. It should change the VLAN and get another IP address from a different pool after passing successful web portal authentication. It seems that it is successful: when I check the PC's MAC address from the switch, it shows that a new IP address has been given to the guest PC, but from the computer's perspective it doesn't actually get an IP address, even after re-authenticating the port.

I will wait for your replies,

Thanks,

Zeynal.

Beginner

Hello Zeynal,

Please paste your question to the discussion using the link below:

https://supportforums.cisco.com/discussion/12720501/ask-expert-implementing-and-troubleshooting-cisco-identity-services-engine-ise

Thank you

/Artem

Hi Experts,

I have a new installation of ISE 2.0 for 1100 endpoints (wired). We are in the phase of testing 20-30 users-endpoints before going into the full deployment.

The policies for now are quite simple, Machine and User authentication for domain computers-users using MAR and MAB for endpoints that do not support 802.1x.

Below are a few questions:

1) On many endpoints (Win7-8-10) I receive the error "5440 Endpoint abandoned EAP session and started new". Any ideas? I have noticed the same error also in a recent wireless deployment I've done using ISE 2.0 and SW3850 acting as Mobility Controller.

2) What is the recommended timer for re-authentication? The default 3600 sec or 7200 sec?

3) Under Administration - System - Settings - Protocol, there are some settings for PEAP. Is it recommended to enable "Session Resume, Session Timeout and Fast Reconnect"?

If so, what is the recommended value for the session timeout and how is this related to the re-authentication timer on the switch port?

4) I've configured the "Local Logs Store Period" up to 90 days, but in "Radius LiveLog" I can see only the last 24 hours of logs.

5) Any tips when PXE is a requirement in an 802.1x environment?

Best regards,

Christos

Beginner

Hello Christos,

Please paste your question to the discussion using the link below:

https://supportforums.cisco.com/discussion/12720501/ask-expert-implementing-and-troubleshooting-cisco-identity-services-engine-ise

Thank you

/Artem

Hi Artem,

I've pasted the answer, but by mistake I answered to "Sacha2577" question.

I don't see any option to delete my post.

Thanks

Beginner

Hello Christos,

Please paste your question again.

Thank you

/Artem

Hi Artem,

I don't see any option to insert a new question instead of creating a new topic.

Thanks

Beginner

Hello Christos,

Your question will be answered in the thread you pasted it in.

/Artem

Community Manager

Hello all,

To ask questions to Artem and Wojciech, please go to https://supportforums.cisco.com/discussion/12720501/ask-expert-implementing-and-troubleshooting-cisco-identity-services-engine-ise

Monica Lluis

Global Community Manager