Hi all,   I'd be interested to know people's thoughts on what's currently the most stable ISE version. I've seen 2.2 mentioned as it's now on it's 9th patch so a lot of work has gone into stabililty there, does anyone else have an opinion?   thanks ... View more

Hi,   As Anyconnect NAM isn't supported on MACos, what is the best option for doing certificate based 802.1x with Macs and ISE (with meraki wireless)   thanks ... View more

Hi,   Is there a compatability matrix for ISE 2.2 Device Admin Service (TACACs) and IOS versions for client routers, switches and ASA's? Or can I assume all versions on all Cisco IOS devices are supported for TACACs AAA?   thanks ... View more

Can someone please tell me where the Endpoint RA certificates are located on ISE 2.2?   I'm trying to do SCEP via my ASA to ISE, which is the CA and SCEP responder. ISE is sending an RA certificate down to the ASA which the ASA does not recognise: (serial number removed): NON-RESIDENT CERT: serial: [serial number], subject: cn=Certificate Services Endpoint RA - ISEPSN-01 I assume this is because, just like all the other CA certs in ISE, i need to export the RA cert and import it into the ASA's trusted cert store. The problem is, I cannot find any RA certs on ISE.   Where does the ISE 2.2 CA store the Endpoint RA certificates?   thanks ... View more

My 4 node ISE deployment is working fine as a CA for cert based authz with anyconnect + ASA. I cannot get SCEP working however.. whenever I try to configure one of my PSNs in my 'enroll' connection profile, i get an error complaining that there is a  non resident Endpoint RA cert being presented along with the Endpoint sub CA cert (which is resident as i have installed it in the ASA's trusted cert store)   Problem is, i can't install the RA cert in the ASA, because it doesn't exist in ISE's CA cert list.. for any of my nodes. ISE is definately presentig this cert to the ASA as it's cn is for my PSN, and even has a serial number.. this is from the error message on the ASA (serial number removed): NON-RESIDENT CERT: serial: [serial number], subject: cn=Certificate Services Endpoint RA - ISEPSN-01   So ISE has this cert somewhere, but where? I have looked through every cert store for that serial number, or anything that refers to RA - nothing.   thanks ... View more

Hi all,   I'm setting up an Anyconnect VPN lab for certificate based authentication+authorization. Per all the documentation, the ASA should authenticate the cert, and send an authorize only radius message to ISE that will respond with an authorisation response. In order to do this I have to configure the radius server group on the ASA to be 'authorize-only' That command should be present according to all the documentation: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/aaa-radius.html. (config-aaa-server-group)# authorize-only   Problem is that command is missing from my ASA: ciscoasa(config)# aaa-server ISE-PSNs protocol radius ciscoasa(config-aaa-server-group)# ? AAA server configuration commands:   accounting-mode            Enter this keyword to specify accounting mode   ad-agent-mode              Enter this keyword to specify ad-agent mode   exit                       Exit from aaa-server group configuration mode   help                       Help for AAA server configuration commands   interim-accounting-update  Enter this keyword to enable Interim accounting                              update   max-failed-attempts        Specify the maximum number of failures that will                              be allowed for any server in the group before that                              server is deactivated   merge-dacl                 Specify whether a downloadable ACL received from                              RADIUS should be combined with a Cisco AV-Pair ACL   no                         Remove an item from aaa-server group configuration   reactivation-mode          Specify the method by which failed servers are                              reactivated ciscoasa(config-aaa-server-group)# Any ideas?   thanks all!   ... View more