Cisco AAA/Identity/Nac :: 1.1.1 / Unable To Register ISE Inline Posture Node

Oct 19, 2012

I'm stuck at registering the inline posture node to the primary node. I did a fresh install of both ISE appliances using version 1.1.1 and applied all 3 available patch versions after install. AD and DNS were configured correctly, and ping by hostname is able to resolve. Everything is set, so both the PSN and iPEP generated CSRs and are ready to be signed by the CA server. But this is the outcome I get: the error message "Unable to authenticate. please check server and CA certificate."

01. - What certificate template should be used for the primary node and the inline posture node? I am having a problem: the CA certsrv won't show the computer template for the inline posture node. Can I use the web server template and include client authentication and server authentication in the extension in this case?

- What certificate template should be used for the primary node CSR?

02. The Cisco ISE user guide 1.1.1 mentions "Creating certificate trust list in Primary ISE Node".

So the first action is importing the root and CA certificates. My rootCA.cer is imported to the certification operation certificate store, and once the CSR is generated, the CA certificate is bound. Question: should I check anything like the "Trust for client authentication" checkbox, or any other option? How about the Inline Posture node: should I export the CA certificate and import it to the primary node's certificate store?


Cisco AAA/Identity/Nac :: ISE-3315 / Procedure To Join ISE Appliance Become Inline Posture Node

Oct 17, 2012

I would like to ask: given that I have 2 units of the ISE-3315 appliance, one needs to be the primary node for admin-policy service-monitoring, and the other unit then becomes the Inline posture node. To prepare the inline posture node, what should I do on it?

01. For the unit that is to become the inline posture node, do I just boot it, install the OS from scratch (using version 1.1.1), then start the initial setup etc., like a normal setup?

02. Before I register, what deployment nodes should I select for the inline posture node unit, provided the admin-policy service-monitoring unit will become the primary node and registration of the inline posture node will be the next action?


Cisco AAA/Identity/Nac :: Unable To Register A Secondary ACS 5.2 Appliance

Dec 6, 2011

I have installed 2 ACS 5.2 appliances, the two appear as Primary. When I try to register one of them with the other one using "System Administrator -> Local Operation -> Deployment Operations" I get the following message:
 
This System Failure occurred:  Unable to authenticate with node.. Your changes have not been saved.Click OK to return to the list page.
 
I have tried with both "ACSAdmin" and "admin" users with their respective passwords.


Cisco AAA/Identity/Nac :: ACS 5.3 - Unable To Re-register Secondary To Primary?

Jun 11, 2012

Today I ran a failover test between our primary and secondary ACS systems (ran 'acs stop' on the primary) and in the process decided to promote the secondary while I had the primary down. All was fine until I brought the primary back up and tried to re-register the secondary to it. I get the following error message: I went into System Administration > Operations > Distributed System Management on each and it showed the other device as deregistered, tried to promote from there but it failed too, so I deleted them and tried to register the secondary again. After that didn't work I tried rebooting both but that didn't work either. I know the user/pass I'm using is good and I've tried using both the IP address and the hostname.

ACS/admin# sh app version acs
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.3.0.40.5
Internal Build ID : B.839
Patches :
5-3-0-40-5


Cisco AAA/Identity/Nac :: Posture Validation On ACS 5.3?

Sep 9, 2012

Is it possible to enable Posture validation on ACS 5.3? If so, could I have a link or a procedure for implementation?


Cisco AAA/Identity/Nac :: ISE 1.1.0 Posture Troubleshooting In 15039

Jan 17, 2013

I have an authorization rule which verifies that the AV (McAfee 12.x) is installed (NAC agent), time restriction and so on. The connection failed with this code:

15039 Rejected per authorization profile.

How can I obtain some more details on that? I mean, I'd like to know which condition is not verified and leads to a failed connection.


Cisco AAA/Identity/Nac :: ISE 1.1.1 Windows NAC Client Posture Checking Loop

Jul 17, 2012

Just upgraded Cisco ISE to 1.1.1 in my lab/demo environment and am now having problems with a basic posture implementation. In short, I connect to a wireless SSID and check posture based on the presence of a file. The NAC agent is declaring my host as compliant and granting full network access; however, about 5 seconds later it checks for requirements again while placing my host in the temporary network access. At this point it states I am compliant again and 5 seconds later scans again. This behaviour does not stop and continues endlessly until I close the wireless connection. I had no problems with this setup on 1.1. All logs indicate successful compliance and no errors in terms of compliance.


Cisco AAA/Identity/Nac :: ISE 1.1.2 - Installing Same Certificate In Every PSN In Node Group

Mar 13, 2013

To avoid showing the certificate error warning to all clients connecting to guest services (because obviously they don't have the CA root certificate of our company), we have purchased a wildcard certificate from Verisign in order to work with all of our PSN Common Names and the friendly URL for sponsor and mydevices. But when I try to import it to more than one PSN, the following error message is shown: " The certificate already exists in the data base". How can I import the same certificate (with the same private key) in every PSN in a node group?
 
We have ISE 1.1.2


Cisco AAA/Identity/Nac :: ISE 1.1.3.124 Secondary Node Not Reachable After Registration

Jun 1, 2013

I'm constantly seeing that the sync and replication status for my secondary admin/monitor node in the primary node is "node not reachable". The secondary still thinks it is in standalone mode. When I run the ISE diag tool connectivity tests I am able to successfully ping the devices from each other using both hostname and IP, and the nslookup also works fine between both nodes. Ping and nslookups also work from different networks within the environment. The two nodes are in the same VLAN on a 6500 VSS pair but on different switches of the pair.


Unable To Reach Node Behind Wifi

Mar 12, 2013

I am facing the following problem. A smartphone is connected to a WiFi hotspot. Suppose the smartphone IP is 10.0.2.2 and the hotspot IP is 10.140.13.12. I am able to send data from the smartphone to a server (over the internet) which has a static IP, and the sender details on the server show the hotspot IP. The problem is sending data from the server back to the smartphone. I tried sending to 10.0.2.2 (smartphone) from the server but the packets are not received.


Pinging Node But Unable To Access

Dec 26, 2012

I am able to ping the node, but when I try to access the system using backslash I am unable to access it and get an error of host inaccessible.


Error - Unable To Register To SIP Server

Dec 26, 2012

I am using PC to mobile dialer. It was working fine but now I am unable to login to my wowcall account due to error - Unable to register to SIP server.


Cisco WAN :: ASA 5510 - Ping Gets Through But Phone Unable To Register?

Jan 31, 2011

I have two sites connected together using a 4 MBps link over a tunnel terminated on an ASA 5510. The call manager is in site 1, and the users on site 2 are unable to register with the call manager on site, while I have a successful ping going from site 2 to site 1 (call manager IP). So why is this phone not registered? In terms of the network there are no problems because the ping gets through, and I am relying on ping to confirm that there is no network problem.

Is there any UDP traffic problem that prevents the phone registration?


Linksys Wired Router :: RV042 - Unable To Register Intervoip Account To Internet?

Oct 10, 2008

I am having problems with my RV042. I have an Intervoip (url...) account for VOIP.

When I try to register the intervoip account to the internet I don't get any kind of reply. My VOIP server just keeps requesting to register the SIP account, but gets no reply.
 
When I connect another router to my ISP modem, the register just goes fine. However, the RV042 blocks something; I don't really know what the cause could be. I installed Wireshark to monitor my network traffic.

When I monitor registering with intervoip with the RV042, I see requests but no replies from intervoip; the VOIP server keeps requesting, but doesn't get any reply.

When I monitor registering with intervoip with another router, I see requests from the VOIP server, and replies from intervoip initiating my intervoip account, and everything goes well and registers. The following I tried:
 
- Forwarding port 5060 to private ip

- Putting private ip in DMZ

- Disabled the firewall 
 
All without result. (Also tried them all at once)


Cisco :: How To Trace Which Node Blocked ESP Traffic

Sep 20, 2012

Our ESP traffic is passing through multiple nodes and we cannot establish the tunnel, and I want to know which node blocked the ESP traffic. How to trace which node blocked ESP traffic?


Cisco :: LMS 4.2 Device Inline Edit

Jul 15, 2012

In previous versions of LMS, I navigated to RME - Devices - Inline Edit to increase the snmp timeout.  I haven't been able to locate the same process in LMS 4.2. Where I can locate this feature?


Cisco Routers :: WRV200 - Create 3 Node WAN Using VPN Connections

Jul 11, 2012

I have 3 WRV200 that I want to install in 3 cities. I want each router to have its own Internet connection from the local ISP. I then want each router to connect to the other 2 routers and create a 3 node WAN using VPN connections.


Cisco WAN :: Connecting Remote Node To Server Behind ASA5505

Oct 25, 2012

I have several locations with time clocks (a Kronos application) on a small home network with outgoing traffic wide open. I have a server in my office behind an ASA5505 router/firewall, also with outgoing traffic wide open. I have tried taking the device off of the remote network and giving it a public, static IP address so it is actually on the internet, yet the server cannot see the device, but it can ping it. I was advised to put the device on the remote private network and set up a virtual server using port 8080 at the remote location. The server is still unable to see the device. I also set up a virtual server for VNC. When I am on my server on my work network behind the ASA5505, I can start my VNC viewer and attach to the device at the remote site using the IP of the router (apparently the device has a built-in VNC server).

I have also tried to NAT my server to a public IP, and I have set up incoming and outgoing rules on the firewalls at both ends. This should be a fairly straightforward connection.


Cisco WAN :: Ios 12.4 Power Inline Time Range?

Feb 4, 2013

I have an IP cam that is connected with power inline on my Cisco router. I want to schedule a daily reboot of this IP cam. Is there a possibility to use a daily time (time-range) to shut down the interface and bring it back up, or shut down the inline power on this interface and bring it back up? I have IOS version 12.4.


Cisco Application :: Installing 294 Inline At A Site

Apr 8, 2012

I have a new deployment I am working on. I am unclear on the Inline setup. One location is configured as a trunk between the router and the switch, with voice and data traffic going through it. We will be installing a 294 inline at this site. What impact will it have on voice traffic? We are using G0/0 for management, not the Inline interfaces. Is there any additional configuration needed to inline if done this way? I didn't get prompted for VLAN ID, or anything like that, during the setup as an accelerator. Are these set up with default optimizations out of the box, or is there additional programming needed once they are online? I found where to build custom applications, but wonder if there is anything needed to be done once they are online for default traffic.


Cisco Firewall :: PIX 515e Accessing Node On DMZ From Inside Interface

Mar 31, 2013

I have a PIX 515e running version 7.2(4). I have 2 interfaces - DMZ3 (sec lvl 50) and LAB (sec lvl 100) behind the pix. There is also the OUTSIDE interface (sec lvl 0) which connects to the internet.

In DMZ3 I have a webserver - x.x.124.217/24 (host is NATed via static command to public IP)
In LAB I have a server - x.x.1.203/24 (entire range is NATed via NAT/Global statements to public IP)

The server in LAB needs to access a webserver in DMZ3. From the internet both of these hosts have public addresses that are NATed into the inside addresses. I can reach the webserver from the internet, but not from the LAB interface. I think I have to add a static command so that the LAB host can access the DMZ3 host without accessing the internet.


Cisco :: Prime LMS 4.1 - Do Access Points Use Up A Node Count License

Jan 18, 2012

I wish to purchase Cisco Prime LMS 4.1, particularly Cisco part # R-LMS-4.1-500-K9 which support 500 Cisco nodes. We have about 360 Cisco switches/routers/ASA/FWs/WLCs so the 500 nodes license would seem to suffice for now & for future growth. We also have about 200 lightweight APs that are managed & monitored by our WLC/WCS/Navigator environment. According to the device support documentation for LMS, it supports and I assume will auto-discover these APs. Does that mean these APs will use up node licenses on LMS even though management of the APs is done by WLC/WCS? If so is there an easy way to suppress discovery of APs by LMS so we don’t have to purchase extra node licenses for LMS? Or, does LMS offer additional support features for wireless APs not already offered by WLC/WCS/Navigator? Just trying to understand how many network node licenses for LMS I have to purchase.


Two Inline Routers But No Internet Access

Jul 17, 2011

I am having issues getting my (now former) routers to have internet access. They also kept seeming to become unresponsive when trying to change the settings and continual resets were necessary. 2 of them have now lost a battle with a sledgehammer and before I acquire a new one I want to know if my laptop is somehow infecting these routers, because 3 of them had similar symptoms before they met their fate with a 12 lb sledgehammer.

This is in an apartment complex. Next to the cable modem, there is a Netgear router. This router has 4 outputs with ethernet cable going to 3 different apartments, one of them is mine which is in a separate building 200 hundred feet away. Rather than run an ethernet cable this distance, I made a reflective enclosure installed it under a carport and broadcast a signal to my apartment, and this worked great for 3 years. When the router next to the cable modem failed and was replaced, my personal router would no longer transmit the internet to my apartment.


Cisco Application :: ACE 4710 Inline VS One-armed Based

Apr 3, 2012

I have 2 basic questions I am having doubts about it and would love to have some clarifications:
 
1) I configure in one ACE4710 (running 4.2.2) context a bridged interface and in another context the same interface, like here below: [code] Then I move to the Juniper context and I try to create an interface (either L-2 or L-3) but it doesn’t work: [code] So if I configure an interface as bridged in one context, I cannot configure it in another context?

2) If I want to migrate in context Microsoft from one-armed to inline (L-2 bridged), can I migrate one service at a time (i.e. the config I showed above for context Microsoft, would it work also for one-armed based?)


Cisco Security :: Adding 3 Node ASA5510 / Active / Passive Cluster

Jul 25, 2012

We operate an active/passive cluster with 2 ASA5510 in Routed Mode. Is it possible to add another node, so that we have one active and two standby nodes in the cluster? Unfortunately, I have found no documentation on this. The data sheet says only up to 10 nodes can be mentioned as a VPN load balancing cluster.


Cisco Switching/Routing :: No Inline Power On A 4506-E Port?

Oct 24, 2010

We have just purchased and installed a 4506-E chassis. It contains a supervisor, two POE blades and 3 non-POE blades. Version is 12.2(53)SG1. Anyhoo, one of the ports isn't providing power to an IP phone. We can plug the phone into any of the other POE ports and it works fine. Is there a way to test an individual port for POE problems? What could the problem be? The port works for normal data but will not provide power.


Cisco Switches :: Not All SG300 Ports Supplying Inline Power?

Feb 26, 2012

Essentially, not all ports on our brand new SG300-28P switches provide Inline Power to our older 7900 series phones. I can connect the phone a couple ports down and it usually powers up, but not always. Often I can also connect an 802.3af device to one of the troublesome ports and it will receive power, however I am noticing there are some ports that now refuse to supply PoE at all?
 
This is equipment that has been running perfectly fine for several years now, on C3524 PWR XL switches. I can also tell you that this is not isolated to one switch, but all 5 of our SG300 access switches. And, yes, the firmware has been updated to 1.1.2.0.


Cisco Switching/Routing :: No Power Inline Commands On 1921?

Jan 27, 2013

I am running a 15.1 or so version of the IOS on a 1921 router. I have plugged in the external PoE injector into the router, and the PoE light on the front of the case is lit green. I have no options in the IOS to enable power on the EHWIC ports. I have most licenses enabled, including data and security.


Cisco Switching/Routing :: Power Inline From PoE Blade (4548 / 4648)

May 3, 2010

I have a LAP-1142 connected to one of our PoE blades in our 4506 switch. It used to work fine with the following power consumption:
 
Interface Admin  Oper            Power(Watts)     Device              Class
                            From PS    To Device
--------- ------ ---------- ---------- ---------- ------------------- -----
Gi4/3     auto   on         21.5       20.0       AIR-AP1252AG-A-K9   3

However, we had power issue on Apr 28, so it failed and we saw from the log below:

Apr 28 13:57:38.990: %C4K_ETHPORTMAN-3-INLINEPOWEROVERDRAWN: Inline powered device connected on port Gi4/3 exceeded its hardware protection threshold.
Apr 28 13:57:39.694: %PM-4-ERR_DISABLE: inline-power error detected on Gi4/3, putting Gi4/3 in err-disable state

After the power restored later, the other LAP connecting with the same blade restored without any problem, except this one:

Interface Admin  Oper            Power(Watts)     Device              Class
                            From PS    To Device
--------- ------ ---------- ---------- ---------- ------------------- -----
Gi4/3     auto   on         16.6       15.4       Ieee PD             3


Cisco Switching/Routing :: PoE Error On 6500 / Inline Power Module

Feb 12, 2012

Cisco IP phones attached to a Module in one of my Cat6500 access Switches suddenly went down. Upon closer inspection of the Switch Sys log, I observed the following Sys log error messages:

[Module 9 is experiencing the following error: Inline Power Module - PS Voltage bad. ]

A sh Mod output indicates the PoE daughter card and Main Module are "ok" - see attached output. It appears the issue is related to the actual Power Supply module and not the blade module and installed PoE Daughter card. I am inclined to open a TAC case for a PS replacement, but wanted to see if this can be resolved without a hardware replacement. At this time all 48 IP phones attached to this module are out of Service.


Cisco Switching/Routing :: 3560v2 / Ws-c3560v2-48ps-s (inline Power Failure)

Jul 22, 2012

I have a switch 3560v2 with an IOS 12.2(50) SE1. All the lights ON and console error message below:

POST: inline power post failed for port 0 up to port 15.

Then, the system hanged and all lights (indicator) ON.


Cisco AAA/Identity/Nac :: Unable To Use ACS 5.2 With Logs?

Sep 6, 2011

I have 3 ACS servers placed throughout N. America. I have it set up so that ACS01 is primary and ACS02 and ACS03 are secondary. When I look at the logs for passed/failed authentications in RADIUS or TACACS I cannot see anything from ACS03 logging. This is weird because just a few weeks ago it worked perfectly. In fact, ACS03 is the most active server since this site is using it for wireless phones and TACACS and the other 2 are just using ACS for wireless networking. I went through the log settings and every server is set up the same as the others (except the primary) so it should be logging ACS03 the exact same as 01 and 02. Anyway, it seems like a small problem but I need the logs to work correctly to properly administrate security.


Cisco AAA/Identity/Nac :: Unable To Upgrade To ACS 5.4?

Nov 11, 2012

I'm currently running ACS 5.3 Patch 7 in a VM on VMware ESXi. I download the application upgrade bundle, and placed it in my SFTP repository, and ran "application upgrade filename repository name". It throws an error that the manifest file is not found in the bundle.
 
I tried putting the ACS.gz file in an FTP repository, and even in an ISO file to attach to the VM. In all cases I receive this same error. I did verify the md5sum on the file to make sure it wasn't corrupted.







