Thanks for testing Jeff ! I've updated the internal version of the doc. Before pushing the change to cisco.com, i haven't noticed any difference in the CLI you mention here and the one in the doc, so I suppose nothing changed in the commands between openssl 0.9.8 and 1.1 ? ... View more

Hi, The 1728 seems like a poor choice for 12 meters high ceilings. It is omnidirection from a horizontal perspective but on the vertical level, it particularly radiates at 90 degrees. That means coverage 12 meters under the antenna will be poor. The other antenna you mention has slightly lower gain but that is because it radiates a bit more under it. http://www.cisco.com/c/en/us/td/docs/wireless/antenna/installation/guide/ant1728.html   About if you can use MIMO antenna with 1242, to be honest I don't know what the exact effects will be as I'm not enough into the design phase of wireless to answer that. In the lab, for sure it works, but maybe it has poorer performance than a regular diversity antenna, I don't know. You can find both yes and no answers to this on the internet so hard to say. ... View more

That can be many different things. However, legitimate scenarios are if the client hits another ISE portal than the ISE he authenticated with. Typically people would configure their CWA authorization result with a static ip/hostname instead of the default automatic setting and then you cannot be sure that the portal the client is redirected to is the ISE the client authenticated with. By having the automatic redirection URL pointing to the FQDN of the ISE the client authenticated with, this problem does not happen. The same can then also occur in case of load balancers.   Another case is if you force the discovery host of the nac agent, then the same problem will happen for posture. Posture will only work if it automatically discovers the ISE that authenticated its radius session.   Weirder cases can happen if there is some radius mess. For example, if you have a central webauth scenario with a foreign-anchor WLC scenario and both controllers are configured for accounting, then they will both send a different session id in their accounting packets and the client session might be terminated as soon as it started. Workaround there is to only enable accounting on one WLC or to turn it off completely.   those are common gotchas. Like I said, it can be more complex and less legitimate, but that would need severe TAC troubleshooting to pinpoint further ... View more

Hi.   1) It is not "ISE loses the credentials and asks for web portal again". Once a user is authenticated, it is authenticated as long as it stays connected. Possibilities are : -You are returning a session timeout (attribute radius 27) in the authz profile of the user. Therefore user has to reauthenticate after X seconds. But you would see a pattern, then. -Over wireless, many clients are not capable of doing fast roaming (smartphones is the biggest example) and will therefore reauthenticate with dot1x everytime they roam. A small coverage hole would be enough for the cached credentials to disappear and web portal to show up again -Over wired, this cannot really occur but the idea is that it's probably the switch resetting the connection and contacting ISE again. The idea to troubleshoot this is to monitor the access device (WLC/switch) and check if the port goes up/down, if the MAB session gets reset or something and why.   2) The captive bypass issue is that Apple devices will probe apple.com website to check if there is internet connectivity. If they can reach it, then fine, if they sense that they are redirected, they open a small window pop up with the login portal. The problem (and I still cannot understand why) is that this is not Safari, it's some nameless feature-less browser that doesn't work properly. By enabling the captive bypass feature, the WLC intercepts the requests to the Apple testpage and replies with HTTP OK. The apple device then thinks "ok I have internet connectivity" and it's up to the user to bring up a real browser to login to the portal page. It therefore does not affect non-Apple device to have the feature enabled. The problem is that in IOS 7.x, Apple decided to not just use Apple.com anymore but a whole list of testpages on different websites.   3) "whether it would solve the issue if I added certificate authentication as a secondary option, with eap-tls as the primary" => This is disturbing because EAP-TLS is a certificate authentication method. But ISE message seems to imply that the user is hitting an authnetication rule that only provides PEAP or EAP-FAST with mschap or something similar ... If you have the windows default supplicant you have close to no control on what the client will submit. I can imagine that moving from wired to wireless, the laptop would sometimes try to send password instead of certificate and/or vice-versa. Anyconnect with fixed network profiles would solve the problem elegantly. I cannot comment on your auth policies as I do not know them :-)   Regards, Nicolas ... View more

The best way is still the control at the source. Having Anyconnect deployed on domain laptops with a profile configured so that they can only join certain SSIDs.   Otherwise, you can also use profiling. Relying on mac address to prevent attackers is not secure. But if it's to prevent employee to simply pick a wrong SSID, it works. However, the trick is to create a profiling rule that will identify correctly your domain laptops. The safest way would be to add mac addresses manually to a group. Automatic ways can use the hostname of the PC sent in DHCP request to categorize it as part of the domain. You need only to play with profiling in case you have other mac addresses in the ISE db too. In a simpler setup, you can simply say that if the mac is known by ISE, it's an employee and he can connect to employee SSID only, but if mac is unknown (or known but belongs to "Registered Device" group, which means it went through BYOD), it goes to BYOD SSID only. ... View more

I think that with EAP-TLS it requires certificate binary comparison to be enabled in order for ISE to write the client mac address in the MAR cache. ... View more

Your first statement seemed to imply that the "wasmachineauthenticated" attribute would not be set to true in case of EAP-TLS machine authentication. I actually could not find clues supporting that theory nor could I find clues saying it would work. I am not sure if that attribute relies on the presence of "host/" in the username or not. That is worth testing In any case, EAP-chaining with anyconnect is much more noble ... View more

Indeed, my bad. The username in EAP-TLS will typically be the CN field of the certificate but that can be changed by the TLS profile in ISE. However, the logic stays the same. Except that to determine if it's a user or computer authentication, you can check if the user belongs to "domain computers" AD group. If it does, it's a valid machine authentication :-) ... View more

MAR is not exactly that. MAR is a cache on ISE where ISE remembers that a given mac address has machine authenticated before.   What you could do is have an authorization rule that permits access on a machine authentication (i.e. username starting with host/) and gives access to AD servers only. Another rules that says if a user authentication fails, but the computer "wasmachineauthenticated==true", then we still permit access and give access to AD servers only. On a user authentication succeeding, you give full access.   This way you don't really need regular reboots or have timeouts of any sorts. ... View more

Licenses are consumed as soon as a device authenticates. So if your ISE is profiling whole subnets, that will not really matter until those devices actually authenticates. If an unknown device authenticate with 802.1x, it consumes a base license. If a device with profiled information authenticates, then it consumes an advanced (or Plus) license. ... View more

Hi Mike,   1. So the idea would be that if all laptops have a good machine certificate store all the time, you could give some access after machine authentication so that laptops could get their GPOs and then they can do user authentication without any problem. You technically do not need MAR. You simply do machine and user authentication. Machine authentication will be done as soon as laptop booted in "CTRL-ALT-DEL" login page. If successful, it is a domain laptop and you can safely place an ACL on the port that only gives access to AD servers so that users can log in through the domain. Then users can do their user authentication once they log in to windows.   I suggest you take a look at the following : http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html#anc7   In a nutshell, adding MAR to the previous paragraph simply means that when users do their user authentication, you enforece that a machine authentication must have happened in the X hours before (x being configurable but not infinite). This means that everyone will HAVE TO reboot their laptops every day or every second day as machine authentication is only done on boot time or on logging off. A good alternative is EAP-chaining with Anyconnect. I never heard of a MAR problem with EAP-TLS. EAP-TLS machine auth is a classic and MAR is simply ISE keeping a mac address list of machines who authenticated successfully in the last X hours.   2. Indeed, it is present in the radius system dictionnary but not configurable. It makes sense that you cannot use it for auth or AuthZ rules as it is accounting. I personally do not see what use it could have in profiling as it is an attribute having a value usually at the end of the session (or during with interim-updates) and that is probably why developers did not include it in the drop-down list. If you have a good business case to use it, the best is to explain that case to your cisco account team who can push it as a feature in upcoming releases.   3. I do not have such a list and did not particularly face many problems that I can remember with windows 8 clients. ... View more

This is a classic question. I will try to explain all the possibilities... First of all, you can only install 2 different certificates on an ISE node. One for HTTPS and one for EAP (the same cert can be used for both also). This means that it is the same certificate that will be used for sponsor portal, guest portal and admin GUI. That looks like a problem but isn't one.   In the settings for the sponsor portal, you can give it a different URL (something like sponsor.company.domain for example). You do not need a different certificate for that, you can simply add a "SAN" (Subject Alternative Name) in your HTTPS certificate that will contain the Sponsor portal URL. Therefore the same certificate is valid for the admin GUI/URL and also for the Sponsor URL you configured ! Important note : By RFC standard, the CN of the HTTPS certificate must be ISE FQDN, nothing else. ISE FQDN must also appear in one of the SAN fields. But then you can add more SAN fields for Sponsor URL and so on ...   The only concern remaining would be for the guest portal, which you cannot give a different URL. Well, if that is a concern, you could technically issue one kind of certificate on the admin ISE node (issued by your enterprise CA, using your company domain) and then on the PSN, the HTTPS cert is issued by a different CA (in another domain, that guests can see for example) and there ISE FQDN is something the guests can relate to. There is no real admin GUI on a PSN so this is not a problem. As long as the admin node and the PSN node trust each other certificate or issuing CA in their store, they will be able to join each other in a distributed deployment. Note : Playing with certificates should always be done on a node being in standalone mode, BEFORE it joins a deployment. ... View more

That is correct. However, when having a high gain antenna most people "forget" (intentionnaly or not) to lower the transmit power at the AP which means most people are actually way above the maximum EIRP in their country. In that case, the client will not have the power to match up the AP range. If you lower the AP tx power to match the correct EIRP, then yes theoretically it will be fine as gain also works when listening to clients. However, reflections can work differently. The directionnal antenna of the AP might avoid obstacles while the omni of the client will create lots of reflections etc ...   In an outdoor open environment, it will work great. Out of experience, in real life and indoor or in warehouses or so, different antenna type will sometimes (not always) create issues. It's to be tested and evaluated of course ... View more

if you define the base of the directory as search DN then you need your admin user DN to be ultra specific, the admin DN in WLC config needs to specify in which OU the admin is etc ... while if you search dn is more precise, you can afford just stating the admin username as dn ... View more

7.5 is planned for July. There is no precise date because it was postponed due to critical issues ongoing with 7.4, so it will be out when it's ready :-) ISE has exactly the same capabilities as Guest Server (that it kind of replaces) and even more. Guest can create their account but also add mac addresses of their personal devices (laptop,smartphone, etc ...) so that all those are bound to the guest account. Regards, Nicolas ... View more