I recently switched the authentication type from password based to client certificate based. I set up the Certificate Authentication Profile, Identity Source and imported the Active Directory groups I was attempting to use. Once I restarted the application I can no longer access the web UI.
When I attempt to access the web UI I'm prompted for my certificate, which I supply, and then I get an authentication failure message. I was reading online and someone suggested using the CLI and issuing the following command: application start ise safe
This command restarted the application, but when I attempted to log in afterwards the page prompted me for certificates again but didn't display anything.
Is there anything I can do to remedy this issue, or do I need to start over?
I ended up just starting from scratch as I was completely unable to access the admin UI after having improperly set the certificate authentication. Ultimately I'll have to attempt to enable this feature again.
There has to be a way to allow both certificate based authentication and local user admin access. It would also be surprising if you're unable to reset the admin ui after a misconfiguration.
If anyone has any advice it would be much appreciated.
I've had a couple of TAC cases open on this and still haven't figured out the issue. I'm unable to regain access to the admin GUI even though a safe start is supposed to work. Apparently there is an open bug:
Solutions: In our deployment we have domain controllers that are internal to our network and then we have DCs that reside outside of the firewall. I incorrectly assumed that ISE would work in conjunction with Sites and Services. ISE instead chooses which DC it's going to authenticate against by doing a simple DNS lookup; in our case ISE would attempt to communicate with DCs that were external, which would then be filtered by the firewall. I'm still working with TAC to solve this issue, which may include modifying the hosts file.
Problem #2: Unable to recover from failed CAC enable
Solution: You're supposed to be able to access the CLI and issue a safe start to recover from this issue. It currently doesn't work and is a known bug:
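A small diagnostic for the DC-selection problem described in the post above, added here as an example and not part of the thread: it parses SRV answers (the record name and layout assume `dig _ldap._tcp.dc._msdcs.<domain> SRV` output; the domain, hostnames and addresses are constructed placeholders) and flags which advertised DCs resolve outside your internal ranges, so you can see before enabling certificate authentication whether a DNS-driven pick could land on a DC that the firewall filters.

```python
import ipaddress
import re
import socket

# Constructed sample of SRV answers for the domain's DC locator record.
# Record name, hosts and addresses are placeholders, not from the thread.
SAMPLE_SRV = """
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dmz-dc1.example.com.
"""

# Constructed A-record answers so the example runs offline.
SAMPLE_A = {
    "dc1.example.com": "10.10.1.10",
    "dc2.example.com": "10.10.2.10",
    "dmz-dc1.example.com": "203.0.113.10",
}

# Assumed internal address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SRV_RE = re.compile(r"\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(text):
    """Return (priority, weight, port, host) tuples, lowest priority first."""
    out = []
    for line in text.strip().splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            prio, weight, port, host = m.groups()
            out.append((int(prio), int(weight), int(port), host.rstrip(".")))
    # A client prefers lower priority, then higher weight.
    return sorted(out, key=lambda r: (r[0], -r[1]))


def classify_dcs(srv_text, a_records, internal_nets):
    """Label each advertised DC 'internal' or 'external' by its resolved address."""
    result = {}
    for _prio, _weight, _port, host in parse_srv(srv_text):
        ip = ipaddress.ip_address(a_records[host])
        inside = any(ip in net for net in internal_nets)
        result[host] = "internal" if inside else "external"
    return result


def tcp_reachable(host, port, timeout=2.0):
    """Live check (not exercised offline): can this node open the DC port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for host, where in classify_dcs(SAMPLE_SRV, SAMPLE_A, INTERNAL_NETS).items():
        print(f"{host}: {where}")
```

Run `tcp_reachable(host, 389)` from the ISE node for every entry flagged external to confirm which of them the firewall actually blocks.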
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...