- Cisco Employee,
This page provides important alerts from Cisco TAC regarding ISE (Identity Services Engine) To automatically be notified of updates, log in and click "Receive email notifications" on the upper right.
Alerts - Firefox upgrade to version 25 stops working with ISE
Date entered: 11-November-2013
ISE web GUI stops working correctly after upgrading Firefox to version 25. You get error message:
There was an error while parsing and rendering the content. (node.getAttribute is not a function)
Error code WAP00008.
This is documented in bug CSCuj61976 and is going to be fixed in 1.2 patch 5 and 1.1.3 patch 9.
|CSCuj61976||Admin UI fails to display certain UI pages when using Firefox 25This fix addresses an issue where ISE admin UI pages with a tree view were not displayed correctly in Firefox 25.|
Patch 3 on 1.2 causes Guest Users login failures
Date entered: 19-November-2013
After installing Patch 3 on ISE 1.2 the sponsor timezone defaults to ECT which is a non-recognized Timezone, the guest account will fail to login. Error message on ISE will be "86019 guest user restricted"
This is bug CSCuj91050 and will be fixed in Patch 4 for ISE 1.2
If you roll back to Patch 2 the problem will disappear.
|CSCuj91050||Creating Guest users shows incorrect timezone 'GMT+2 ECT'This fix addresses an issue where Guest user would fail to login with the following error due to an incorrect time zone being assigned to the account: "An internal error occurred. Contact your system administrator for assistance. Contact your system administrator."|
Patch 7 on 1.2 causes Guest Users login failures
After installing Patch 7 on ISE 1.2 Guest users created with Sponsor logging in via AD are no longer able to login. This is documented in BUG ID: CSCuo16503 and below are more information about this and the workaround:
Date entered: 8-April-2014
|Symptom||s of Patch 7 on ISE 1.2, not seen prior to Patch 7, Guest users created with Sponsor holding their credentials on AD cannot login.|
|Conditions||The below need to match:1- Sponsors logging in via AD to create guest users2- Guest users being put into guest groups and "Awaiting initial Login"|
|Workaround||One of the following:1- Create the guest users with internal ISE configured Sponsor account2- Use AD Sponsor Account but place the guest users to the "Activated Guest Group|
Patch 8 on 1.2 causes Guest Users login failures with invalid License
In case you applied patch 8 on ISE 1.2 and you happen to have only a base license without advanced license or advanced license has expired, then Guest portal will display "no valid system license exists" error message when Guests land on the login page.
This is documented in bug CSCuo76078. Workarounds:
1) In case you really need to run Patch 8 due to an affecting bug, then you will need to contact TAC and get a temporary advanced license.
2) Roll back and apply patch 7 and wait for a fix for above bug.
I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch.
- A default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
- A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
- The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
- Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
Let me give you this example. Say I have the following confgured:
CONFIGURED SWITCH INTERFACE ACL (PACL) ip access-list standard ACL-ALLOW permit ip any any CONFIGURED SWITCH REDIRECT ACL (RACL) ip access-list extended ACL-WEBAUTH-REDIRECT permit tcp any any eq www 443 CONFIGURED ISE DOWNLOADABLE ACL (DACL) permit tcp any host <psn01> eq 8443 permit udp any host <dns01> eq 53 deny ip any any
Then the process would look like this:
1. During dot1x negotiation the acl that is used is this:
permit ip any any <<<<<PACL
2. Once CWA is in effect then the acl looks like this:
redirect tcp host <host ip> any eq www 443 <<<<<<RACL permit tcp host <host ip> host <psn01 ip> eq 8443 <<<<<<DACL permit udp host <host ip> host <dns01 ip> eq 53 <<<<<<DACL deny ip any any <<<<<<DACL permit ip any any <<<<<<PACL
The traffic must first be allowed in dACL or Port ACL (if dACL is not configured as dACL is optional, configured only if you want to restrict access on switch port based user authenticating the network.i.e per-user based) then only it will hit redirect ACL.
This clears the confusion on which ACL got hit first.In fact, dACL will replace the pre-authentication ACL/PACL you have configured on the switchport. Traffic must be first allowed via dACL then it will hit redirect ACL.
As per my understanding, once the port get authenticated, the order of ACL is 1. dACL 2. Redirect ACL 3. Port ACl.
Secondly why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl
When redirect acl is applied to the port, any HTTP or HTTPS traffic that the client sends triggers a web redirection. Deny statement in redirect ACL at first place denies the ISE IP address so traffic to the ISE goes to the ISE and does not redirect in a loop. (In this scenario, deny does not block the traffic; it just does not redirect the traffic)