Hello,
After upgrading to Cisco ISE 3.0 and updating some certs we noticed the Radius Live Logs broke:
So to fix, I changed certs and rebooted nodes and basically spent hours trying everything.
I dint get anywhere so I raised a Cisco TAC and they fixed it by doing the following (which took two seconds), they un-checked:
”
Hello,
Upgrading Cisco ISE is pretty straight forward, there’s a pretty GUI that makes sure you back everything up before you start and then you specify a repository and the files get downloaded and bobs your uncle.
FYI – This is good blog on backing up ISE before you start: https://www.letsconfig.com/how-to-backup-cisco-ise-2-7/
My issue is I have a ISE node in a DMZ which cant contact the main repository on the network due to it being ultra secure.
So I had to do it manually via the Cisco ISE CLI on the node in the dmz.
First find a server that can access the DMZ on port 21 – Note, I tried tftp but the transfer would fail every time.
Then download this portable ftp server: https://www.xlightftpd.com/download.htm
Run the ftp server, setup the NIC and create a user with a home directory (a folder on the server)
Download the ISE upgrade file and put it in the home directory: ise-upgradebundle-2.2.x-2.6.x-to-2.7.0.356.SPA.x86_64.tar.gz
Next logon to your ISE node,
Create a repository on the ISE node:
conf t repository dmzf url ftp://172.25.61.42 user FTPAdmin password plain FTPPassword
Now you can pull the upgrade file – Note, this will just download and unpackaged the file, NOT run the update.
application upgrade prepare ise-upgradebundle-2.2.x-2.6.x-to-2.7.0.356.SPA.x86_64.tar.gz dmzf
Wait for that to finish:
Now you’re ready to actually upgrade.
application upgrade proceed
Wait for the reboot and update:
Then you are done!!
Double check
Show Version
Done. Boom
Hello,
I recently setup dynamic vlan assignment using Cisco ISE and a Cisco vWLC but had an issue where on some APs on some sites wouldnt move the devices to the correct DHCP scope.
So just make it clear what dynamic vlan assignment is, its when you have one SSID to rule them all and in the dark bind them.
So I have laptop and hand held scanners and only one SSID, I want my hand held scanner to go onto a different vlan and DHCP scope my laptops. So I use this option in profiles in ISE:
Then setup the scope option and bobs your uncle.
So back to the issue, some sites just wouldnt move scopes i.e. they’d stay on default scope. So first thing I did was debug the client via the CLI on the vWLC:
debug client 94:fb:29:43:74:b9 *apfMsConnTask_1: Jan 30 13:09:53.561: 94:fb:29:43:74:b9 Encryption policy is set to 0x80000004 *apfMsConnTask_1: Jan 30 13:09:53.561: 94:fb:29:43:74:b9 10.51.140.17 8021X_REQD (3) Client already has IP 10.10.1.17, DHCP Not required on AP 70:79:b3:9f:4c:c0 vapId 1 apVapId 1 *apfMsConnTask_1: Jan 30 13:09:53.561: 94:fb:29:43:74:b9 Not Using WMM Compliance code qosCap 00 *apfMsConnTask_1: Jan 30 13:09:53.561: 94:fb:29:43:74:b9 Vlan while overriding the policy = 153 *apfMsConnTask_1: Jan 30 13:09:53.561: 94:fb:29:43:74:b9 sending to spamAddMobile vlanId 153 flex aclName = , flexAclId 65535
So the client knows it should be on vlan 153 but isnt moving…….So after much googling I found that my flex connect groups hadnt been setup properly.
I was missing the vlans from the vlans from AAA VLAN-ACL Mapping. Added them in and everything started working on every site!!!
Very weird how it ever worked but there you go.
© 2023 Tech Blog All Rights Reserved.