Jeff,
I have run into a bunch of other issues; I would say none are service impacting
like the ones I mentioned earlier. The rumor I heard is the second issue about
ciphers will be resolved in patch 2 and the plan is they will add the old
ciphers back in as they work through a long-term plan. Some of the other
issues I have seen: license usage counts are all messed up (it isn’t
acknowledging the accounting stop); some high load alarms on monitoring nodes
(seems to be fixed with TAC making some changes on the Oracle setup on the
boxes); and sometimes the live log screen is slow to load (still working
through this one).
We did get the TACACS license and plan to start working on the migration of
TACACS stuff from our ACS deployment. Working through the issues put TACACS in
the backseat for a little bit.
Nick
On Dec 3, 2015, at 9:12 AM, Jeff Obrizok <jeff.obri...@marist.edu> wrote:
Thanks for the intel. I was told to wait for ISE 2.0 Patch 1 (which will now
be patch 2, because of that emergency patch).
Any other issues you are experiencing? Did you get the TACACS license for it?
Thanks,
Jeff Obrizok
Marist College
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
On Behalf Of Ciesinski, Nick <ciesi...@uww.edu>
Sent: Tuesday, December 1, 2015 10:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco ISE 2.0 Warning
For those of you who are using the Cisco Identity Service Engine (ISE) product
I wanted to provide some warnings to anyone thinking about moving to the 2.0
release. There are several EAP device connectivity issues that could impact
your site.
First, when ISE 2.0 was released it added support for TLS 1.2 in EAP messages.
Somehow with all the summer news from Google about them adding TLS 1.2 in
Android 6.0 (Marshmallow) Cisco missed testing Android 6.0 before ISE 2.0
release and as such Android 6.0 clients couldn’t connect. To make matters worse
the Windows 10 big November update either added or modified its EAP TLS 1.2
support and machines that upgraded had the same fate as the Android 6.0
clients; not able to connect. The good news is Cisco released a patch last week
for ISE 2.0 to fix the TLS 1.2 problems for these devices, so make sure you
install that patch right away; it is the only thing the patch fixes. The Cisco
bug on this issue is CSCuw88770.
In addition to the issues with Android 6.0 and Windows 10, ISE 2.0 removed all
legacy RC4 and DES ciphers. This causes issues with any device that does not
support newer more secure ciphers in their EAP messages. The devices will not
be able to connect with any EAP method as they can’t complete the handshake. In
our testing this impacted all Cisco Wireless 792X phones in addition to some
Windows Point Of Sale Embedded OS machines. For the Windows POS devices we
were able to find an update from Microsoft to add newer cipher support. I am
sure there are more devices than this that will have issues but these are the
devices we found in testing. This issue is not fixed yet. The Cisco bug on this
issue is CSCux27365.
Hope this helps anyone thinking about going to ISE 2.0!
Nick Ciesinski
University of Wisconsin - Whitewater
**
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at
http://www.educause.edu/groups/.
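Added example (not part of the original thread and not Cisco code): a way to check, from a captured EAP-TLS/PEAP ClientHello, whether a device offers only RC4/DES suites and so would hit the cipher removal described in the original post. It assumes the TLS record has already been reassembled from the EAP fragments and that 3DES is not counted as "DES"; the function names and the sample ClientHello builder are constructed for illustration.

```python
import struct

# IANA TLS cipher suite IDs (small subset, enough for the demo).
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
SIGNALLING = {0x00FF, 0x5600}  # SCSVs: not real ciphers, ignored


def offered_suites(record: bytes) -> list:
    """Return the cipher suite IDs from a TLS record holding a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record with a ClientHello")
    pos = 5 + 4 + 2 + 32             # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]           # skip session_id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if n % 2 or pos + n > len(record):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack_from("!%dH" % (n // 2), record, pos))


def is_legacy(suite: int) -> bool:
    """RC4 or single-DES suite. Assumption: 3DES is not counted as 'DES'.
    Suites missing from SUITES are treated as non-legacy (not flagged)."""
    name = SUITES.get(suite, "")
    return "_RC4_" in name or "_DES_" in name


def legacy_only(record: bytes) -> bool:
    """True if every real suite the client offers is RC4/DES."""
    real = [s for s in offered_suites(record) if s not in SIGNALLING]
    return bool(real) and all(is_legacy(s) for s in real)


def build_hello(suites, version=b"\x03\x01") -> bytes:
    """Constructed sample input: a minimal ClientHello with no extensions."""
    body = version + bytes(32) + b"\x00"
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    body += b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(hs)) + hs
```

Running legacy_only() over ClientHellos captured from each device class before an upgrade gives a list of the devices that need a cipher update first.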