Task Number-1 : Authentication Issue
David from Acme Inc has opened a service request with Cisco TAC. He describes the problem as :
I am trying to authentication a Windows 7 laptop using 802.1x against a Cisco ISE server, The laptop is connected to a Cisco 3560-X. The user resides in Active Directory. All authentication attempts are tailing with a “RADIUS request dropped” error, we verified that the password is being correctly typed.
Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.
With all the information available to you, what is the cause of the authentication failure? UDP port 1812 is blocked between the switch and ISE Wrong EAP type is being used Incompatible Switch code Crypto Map not applied for Site-1 on GM3 Encryption error between ISE and Active Directory RADIUS shared key is incorrect Shared secret between Windows and Switch is incorrect.
Task Number-2 : Redirection Issue
David from Acme Inc has opened a service request with Cisco TAC. He describes the problem as :
“We are trying to implement Guest access on our switches using ISE and Central Web Authentication. We have Configured ISE and the Switches according to Cisco’s guides, but when the end user opens a browser, they do not get redirection to the ISE guest portal. We need help in troubleshooting this.”
Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.
With all the information available to you, what is the cause of this problem? The URL redirect ACL does not allow access to cisco.com URL redirect only works when the original request is an intranet site The machine is authorized in the wrong domain Incompatible Switch Code The downloadable ACL does not allow traffic to UDP port 53 ISE is configured on the wrong port for the portal.
Task Number- 3 :Authentication Issue
David from Acme Inc has opened a service request with Cisco TAC. He describes the problem as :
“I am trying to authenticate a Windows 7 laptop using 802.1x against a Cisco ISE Server. The laptop is connected to a Cisco 3560-X. The authentication attempts keeping failing with error 5400.
Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.”
With all the information available to you, what is the cause of this problem? Enable EAP-TLS on the “Default Network Access” allowed protocol object. Self signed certificate cannot be used for EAP authentication The Self signed certificate needs to be trusted on the end point Dot1.x priority is incorrect in switch interface configuration Client is rejecting the EAP protocol proposed by the ISE server.
Task Number-4 : Network Accessibility Issue
David from Acme Inc has opened a service request with Cisco TAC. He describes the problem as :
“We are trying to implement Guest access on our switches using ISE and Central Web Authentication. We have Configured ISE and the Switches according to Cisco’s guides, but even after a successful authentication the guest user is redirect back again and again to the guest portal page. They do not get access to the network.”
Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.
With all the information available to you, what is the cause of this problem? Switch is not able to accept new policies due to a defect. The switch is not configured to accept RADIUS CoA messages from ISE Wrong authorization result is applied to guest authorization policy. Guest credentials are incorrect The guest account is set to activate at a later date and time.
Task Number-5: Profiling Issue
David from Acme Inc has opened a service request with Cisco TAC. He describes the problem as:
“We are trying to implement profiling so as to use its results as a mean to authorize devices. For testing, we are using a Windows 7 laptop and ISE is not able to profile it as such. The device shows up as an Intel-device instead of a Windows 7 Workstation.”
Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.
With all the information available to you, what is the cause of this problem? User needs to be redirected to guest portal to profile correctly. Not enough probes have been enabled to profile a Windows machine ISE’s IP address is missing under VLAN1 as an ip helper-address Feed service has corrupted the profiling policies Device sensor configuration is incomplete.
Task Number-6: Command Authorization Issue
David from Acme Inc has opened a service request with Cisco TAC. He describes the problem as:
“We are trying to implement TACACS+ authentication and command authorization on our Cisco switches with Cisco ISE as the server. We have configured ISE and the switch as per the user guide, but we have problem with command authorization. All authorized users should be able to use any show command, but they are not able to”
Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.
With all the information available to you, what is the cause of this problem?
The user is authorized at privilege level 5 where show command not available The implicit deny in the default authorization rule is causing command authorization failure “Permit any command that is not listed below” should be enabled on the command set Command set has wrong argument for the show command “Auto Command” should be “show” in the TACACS profile.
Task Number-7: Performance Issue
Johnny X from CustomerNet Inc has open a service request with Cisco TAC. He describes the problem as“intermittent performance issue when users trying to access the Internet through WSA”
Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.
With all the information available to you, what is the cause of this problem? Too many requests per second (overloaded appliance) Network issues and disabled PMTU discovery Chrome browser usage influences the performance, change the browser and test again Destination server is responding slower than usual L4 traffic monitoring feature is on and causing the performance issues One of the DNS servers might be root cause of the issue.
Task number-8: Access Issue
Johnny X from CustomerNet Inc has open a service request with Cisco TAC. He describes the problem as “intermittent issue with access to specific HTTPS site access”
Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.
With all the information available to you, What should be the next step suggested to customer in order to resolve the issue? Configure decryption policy pass-through affected sites Test and check if server name extension is enable on WSA Make sure to export WSA’s ROOT CA certificate and import in to test PCs Trusted Root Certificate Authorities store Test using openssl tool from other client, issue might be because site uses SSLv3 protocol only, and client tries to negotiate using TLS v2 One of the DNS Server might be root cause of the issue Disable upstream proxy and try if the site works again Test with another browser and collect the logs again Configure default access policy pass-through affected sites.
Task Number- 9: WSA TLS Decryption Issue
Johnny X from CustomerNet Inc has open a service request with Cisco TAC. He describes the problem as “Unable to access a website”
Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.
With all the information available to you. What is most likely to be the root cause the client not being able to access the requested website.
When establishing the connection, the “SEED-SHA” cipher needs to be enabled on the appliance Destination server requires a client certificate TLS 1.2 is not supported on the server and needs to be disable so we can Fallback to TLS 1.0 The intermediate candidate is not send by the server and needs to me imported it seems to the browser error as this Cipher is not supported in the browser of the client. Try another browser.
Task Number- 10: ESA Rejecting Emails
Johnny X from CustomerNet Inc has open a service request with Cisco TAC. He describes the problem as “External senders are no able to send emails”
Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.
With all the information available to you, what is most likely to be the root cause of the ESA rejecting many senders? The Default parameter for concurrent connections is very low with a Value of “10”. Increase this Value to “100”
Senderbase was never contacted and therefore, the Reputation Filtering is causing issues. The email contains Malware and The Outbreak is putting it in Quarantine. The email contains a malicious URL and is blocked by a Content filter named “CFDefandMaliciousUrls” The Sender needs to be resolvable via DNS and this is not the case “Check your DNS server” The sbrs score of “none” is included in the “BLACKLIST”. Remove this setting and add the sbrs score of “none” to the “SUSPECLIST”.
|
