Show Posts

Messages - gvoden

Security / Re: Cisco ISE 1.4 SNMP traps support?
« on: January 09, 2017, 05:47:13 AM »
Yes, we are sending alerts to Syslog... email alerts are the other option. Trap support seems quite limited even in ISE 2.1. Couldn't find any official statement on Cisco's support sites.

Security / Cisco ISE 1.4 SNMP traps support?
« on: January 06, 2017, 01:09:36 PM »
Hi all,

it appears that SNMP traps are not supported on ISE 1.4, I cannot configure that using CLI. Is this a limitation of this version? ISE 2.1 does support the "snmp-server trap" command but only for disk space.

We want to send SNMP traps to our monitoring tools (in addition to email alerts).

Thank you.

Security / Re: ISE 1.4 EAP TLS failing - multiple accounts found for user
« on: January 06, 2017, 01:07:37 PM »
It appears the authentication started working after we restarted services on the PAN node, it does not make sense to me why but I am following up with TAC. We also updated the server side certificates for PAN/PSN. I don't see how this would have helped... will post the solution if TAC can find out the root cause.

Security / Re: ISE 1.4 EAP TLS failing - multiple accounts found for user
« on: November 28, 2016, 08:06:50 PM »
Yes, been trying multiple things over the past few weeks to no avail. We strip the username from the CN field in the cert and look for a match in AD, however as it returns multiple matches the authentication is rejected. Tried using the SAN field and UPN but no luck yet, working with Cisco on this. We had deployed scopes to avoid searching in the AD domain that has a duplicate account but that is failing as well. Will post any success here.

Security / ISE 1.4 EAP TLS failing - multiple accounts found for user
« on: November 24, 2016, 11:16:47 AM »
Hi all,

I've got a problem authenticating certain users via wired EAP TLS as they have AD accounts in multiple active directory domains - ISE complains about multiple matches found.
The problem is the username is taken from the certificate CN and is exactly the same in two separate AD domains. Is there a way to make ISE distinguish between the two? We have tried playing with Scope, etc., but no luck so far.

Hi all,

we have a distributed Cisco ISE deployment with 4 PSNs. We have configured logging to external syslog (Splunk) which works fine. The question is, does each PSN send syslog individually? It seems to be the case. And is there a way to configure PSNs in a primary Data Center to log to a local collector and PSNs in the recovery Data Center to log to their local collector?
There is no option in the CLI or the GUI, this is ISE 1.4.

Security / Cisco ISE high memory on all nodes
« on: April 23, 2016, 11:26:26 AM »
Hi everyone,

another issue I have noticed with my ISE deployment is that almost all nodes are constantly running at 80-85% memory utilization (I have 32GB per node, 3495's).
This makes no sense as some of my PSNs are not authenticating any users yet.
psn3/admin# sh memory
total memory:   32880364 kB
free memory:      689036 kB
cached:          4661596 kB
swap-cached:           0 kB

output of free command:
             total       used       free     shared    buffers     cached
Mem:      32880364   32191328     689036          0     197960    4661596
-/+ buffers/cache:   27331772    5548592
Swap:      8185112          0    8185112

psn3/admin# sh ver

Cisco Application Deployment Engine OS Release: 2.2
ADE-OS Build Version:
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2014 by Cisco Systems, Inc.
All rights reserved.
Hostname: psn3

Version information of installed applications

Cisco Identity Services Engine
Version      :
Build Date   : Tue Jun 16 03:29:53 2015
Install Date : Fri Oct  9 11:47:06 2015

Cisco Identity Services Engine Patch
Version      : 4
Install Date : Mon Nov 16 11:39:43 2015
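The `free` output quoted in the post above reports two different "used" figures: the `Mem:` line counts buffers and page cache as used, while the `-/+ buffers/cache:` line subtracts them. The following parser (an added example, not code from the forum or from Cisco) reads that legacy procps `free` layout, recomputes both percentages from the posted numbers, and checks whether swap is in use, which is the figure that actually indicates memory pressure. The sample text is the post's own output, embedded here as a constant.

```python
import re

# Constructed sample: the `free` output from the post above (values in kB).
FREE_OUTPUT = """\
             total       used       free     shared    buffers     cached
Mem:      32880364   32191328     689036          0     197960    4661596
-/+ buffers/cache:   27331772    5548592
Swap:      8185112          0    8185112
"""


def parse_free(text):
    """Parse legacy procps `free` output (Mem:/Swap: lines) into a dict of integers (kB)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"Mem:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", line)
        if m:
            total, used, free, shared, buffers, cached = map(int, m.groups())
            fields.update(total=total, used=used, free=free, shared=shared,
                          buffers=buffers, cached=cached)
            continue
        m = re.match(r"-/\+ buffers/cache:\s+(\d+)\s+(\d+)", line)
        if m:
            # Kernel's own "used minus buffers/cache" figure, kept for cross-checking.
            fields["used_no_cache"], fields["free_no_cache"] = map(int, m.groups())
            continue
        m = re.match(r"Swap:\s+(\d+)\s+(\d+)\s+(\d+)", line)
        if m:
            swap_total, swap_used, swap_free = map(int, m.groups())
            fields.update(swap_total=swap_total, swap_used=swap_used, swap_free=swap_free)
    if "total" not in fields:
        raise ValueError("no Mem: line found in free output")
    return fields


def memory_pressure(fields):
    """Return the raw and cache-excluded utilization percentages plus swap usage.

    raw_used_pct      : what a naive 'used / total' reading of `Mem:` gives.
    app_used_pct      : used minus buffers minus cached, i.e. memory held by processes.
    consistent        : True if our subtraction matches the -/+ buffers/cache line.
    swap_used_kb      : non-zero swap usage is the real sign of memory pressure.
    """
    app_used = fields["used"] - fields["buffers"] - fields["cached"]
    consistent = fields.get("used_no_cache", app_used) == app_used
    return {
        "raw_used_pct": round(100.0 * fields["used"] / fields["total"], 1),
        "app_used_pct": round(100.0 * app_used / fields["total"], 1),
        "app_used_kb": app_used,
        "consistent": consistent,
        "swap_used_kb": fields.get("swap_used", 0),
    }


if __name__ == "__main__":
    stats = memory_pressure(parse_free(FREE_OUTPUT))
    print(f"raw used: {stats['raw_used_pct']}%  "
          f"excluding buffers/cache: {stats['app_used_pct']}%  "
          f"swap used: {stats['swap_used_kb']} kB")
```

On the posted numbers the raw figure is about 98% while the cache-excluded figure is about 83%, which is the range the post reports; with zero swap in use the box is not actually thrashing, so the high resident usage is what would need explaining rather than the cache.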

Security / Re: Cisco ISE stale wired authentication sessions
« on: April 23, 2016, 08:59:15 AM »
Correct, open authentication. Cisco states this is the bug ID [link removed].

As a workaround we changed the default deny rule to "allow", this allows the Windows machines that don't have the supplicant to still be allowed on and then the switches can process the session properly. I think this behaviour won't demonstrate itself in closed mode...

Security / Re: Cisco ISE stale wired authentication sessions
« on: April 21, 2016, 07:40:13 PM »
This appears to be an issue in "open mode". As clients who do not match an authorization rule are "denied" access, the switch holds onto the sessions and does not expire them. Waiting to hear back on the code revisions and will post the outcome.

Security / Re: Cisco ISE stale wired authentication sessions
« on: April 14, 2016, 07:24:34 AM »
We upgraded to the Cisco recommended versions for ISE 1.4 (as per their published official versions):

SUP7L-E -> IOS-XE 3.6.3E with ROMMON 15.0(1r)SG10
SUP6L-E -> IOS 15.2(2)E3 with ROMMON 12.2(44r)SG10

Now they are saying there is a bug in this code although it was not pointed out originally. Starting to lose faith in this solution.

Security / Re: SFR monitor only on ASA 5585-X
« on: April 08, 2016, 05:37:38 AM »
Just sent SPAN traffic to the 5585-X and it works fine - FirePOWER can identify the app traffic without issues.

Security / Re: Cisco ISE stale wired authentication sessions
« on: April 08, 2016, 05:36:39 AM »
Yes we've got ip device tracking turned on. If the computer is using dot1x and disconnects from the network, the authentication session immediately disappears from the switch (due to the proxy logoff feature that we enabled on the Avaya phones). Plugging in and unplugging a non-dot1x enabled laptop results in stale sessions on the Cisco switch. Doing this multiple times results in more "stuck" sessions.

taa02ca1#show auth sessions in fa7/33

Interface    MAC Address    Method  Domain  Status Fg Session ID
Fa7/33       68f7.2800.0005 N/A     UNKNOWN Unauth    0000000000003FF117E9B360
Fa7/33       68f7.2800.0004 N/A     UNKNOWN Unauth    0000000000003FF017E909E8
Fa7/33       68f7.2800.0001 N/A     UNKNOWN Unauth    0000000000003FED17E6CA90
Fa7/33       2cf4.c5ef.1b00 mab     VOICE   Auth      0000000000003FE017810824
Fa7/33       68f7.2800.0003 N/A     UNKNOWN Unauth    0000000000003FEF17E879C8
Fa7/33       68f7.2800.0002 N/A     UNKNOWN Unauth    0000000000003FEE17E7E1E8

Cisco just told us this is a switch bug (CSCtg15739), I am surprised as we just upgraded to their recommended code level. We are using Catalyst 4507's with SUP6L-E and SUP7L-E.
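To spot the stuck sessions the post describes without reading the table by eye, the `show authentication sessions` output can be parsed and filtered for entries in the UNKNOWN domain with Unauth status. The script below is an added example (not from the forum or from Cisco): it parses the posted table, separates the legitimate MAB voice session from the stale ones, counts stale sessions per interface, and flags any port over a threshold. The sample text is the post's own switch output embedded as a constant; the threshold value is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the `show auth sessions interface fa7/33` output quoted above.
SHOW_AUTH_SESSIONS = """\
Interface    MAC Address    Method  Domain  Status Fg Session ID
Fa7/33       68f7.2800.0005 N/A     UNKNOWN Unauth    0000000000003FF117E9B360
Fa7/33       68f7.2800.0004 N/A     UNKNOWN Unauth    0000000000003FF017E909E8
Fa7/33       68f7.2800.0001 N/A     UNKNOWN Unauth    0000000000003FED17E6CA90
Fa7/33       2cf4.c5ef.1b00 mab     VOICE   Auth      0000000000003FE017810824
Fa7/33       68f7.2800.0003 N/A     UNKNOWN Unauth    0000000000003FEF17E879C8
Fa7/33       68f7.2800.0002 N/A     UNKNOWN Unauth    0000000000003FEE17E7E1E8
"""

# One session row: interface, dotted-hex MAC, method, domain, status, optional
# single-character Fg column, then the hexadecimal session ID.
SESSION_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+"
    r"(?:(?P<fg>\S)\s+)?(?P<session_id>[0-9A-Fa-f]+)\s*$"
)


def parse_sessions(text):
    """Return a list of dicts, one per session row; header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(m.groupdict())
    return sessions


def is_stale(session):
    """A session the post calls 'stuck': no auth method, UNKNOWN domain, never authorized."""
    return (session["domain"] == "UNKNOWN"
            and session["status"] == "Unauth"
            and session["method"] == "N/A")


def find_stale(sessions):
    return [s for s in sessions if is_stale(s)]


def stale_by_interface(sessions):
    """Count stale sessions per interface."""
    return Counter(s["iface"] for s in find_stale(sessions))


def flag_interfaces(sessions, threshold=3):
    """Interfaces whose stale-session count reaches the threshold (assumed value: 3)."""
    return {iface: n for iface, n in stale_by_interface(sessions).items() if n >= threshold}


if __name__ == "__main__":
    rows = parse_sessions(SHOW_AUTH_SESSIONS)
    for s in find_stale(rows):
        print(f"stale: {s['iface']} {s['mac']} session {s['session_id']}")
    print("flagged interfaces:", flag_interfaces(rows))
```

Run periodically against collected `show authentication sessions` output, the per-interface count gives a simple way to confirm that sessions really accumulate with each plug/unplug cycle, and to verify that a code upgrade or the open-mode workaround mentioned later in this thread has actually stopped the growth.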

Security / Cisco ISE stale wired authentication sessions
« on: April 06, 2016, 05:51:15 PM »
Hi all,

we are in the middle of rolling out ISE 1.4 on a Cisco 4507 switch access network (NADs).
We are using the native Windows 7 supplicants on our endpoints for 802.1x. Windows computers are plugged in behind Avaya IP phones. Avaya phones are configured with EAP proxy logoff so that they will notify ISE of any workstation disconnect provided the workstations are setup for 802.1x. The issue is with computers not setup for 802.1x yet, they seem to generate stale authentication sessions that get stuck in "UNKNOWN" domain instead of voice or data. Please advise if you have seen this behavior.

Security / Re: Difference between WSA and ASA_firepower?
« on: April 01, 2016, 02:26:55 PM »
As far as I know WSA is a traditional Web proxy (like Bluecoat or even the ISA/TMG proxy that Microsoft used to have). What this means is, no advanced routing capabilities, and most likely no ability to intercept a lot of non HTTP/S traffic. I would say the WSA can be used in environments where it's replacing an existing Web proxy. Otherwise I would do the URL filtering and threat inspection on a NGFW.

Security / Re: ASA FirePOWER TCP state bypass
« on: April 01, 2016, 02:23:52 PM »
Thanks for pointing that out. It came up in our discussions with Cisco. Not sure if management will be willing to swallow the monthly cost for 2 x 10Gig dark fiber circuits or associated OTV routers (currently our DCI link is Layer 3, may be a hard sell unless we can get separate layer 2 just for this cluster). Do you know if QinQ tunneling is supported in the ASA cluster?

Thank you.
