it_user375078, Senior Network Engineer/Mobility Specialist at CCSI - Contemporary Computer Services, Inc. (Real User)

We may have borrowed ideas from other sources, but I do not think so. More based on years of experience with ACLs, firewall rule sets and working on the ISE flow and best practices. Also, creating a flow chart of ISE flow is great. If you can create it prior to configuration, it will guide you. And then create or adjust after implementation. Remember that if your flow chart is clumsy or difficult to organize, chances are that your logic is also clumsy or even incorrect. With that said, if you are new to ISE (and Dot1x, EAP and RADIUS), a poor flow chart may not reflect an incorrect implementation but a lack of understanding of the underlying principles. GOOD LUCK again!

it_user326337, Customer Success Manager at PeerSpot (Consultant)

Thanks, WiFiSuperman, that really is helpful.

Are these recommendations based on rules you have set for your own software, or are they rules you have seen used by others?

it_user375078, Senior Network Engineer/Mobility Specialist at CCSI - Contemporary Computer Services, Inc. (Real User)

Sure! Two things we find helpful are to never use any default rules as a PERMIT. #1 All default rules are to Deny as DEFAULT is generic and will exist in every Profile set multiple times and therefore be very confusing in logs. #2 Use descriptive names but do not make them long or over-descriptive without purpose. For wireless I like to separate profile sets by SSID. Then name the profile set accordingly with the SSID first in the name. Authentication and Authorization Profiles follow suit with the same SSID prefix. With Authentication profiles you will often see MAB, Dot1x, or CWA referenced. Make sure you use the same convention, i.e. if Dot1x is used do not use 802.1x or dot1x. This way everything is similar and the eye keys on syntax and capitalization during troubleshooting. I hope this helps!

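A small linter for the naming convention described in the comment above, added here as an illustration; it is not code from the commenter or from Cisco ISE. The data layout, field names and the list of variant spellings are assumptions, and the sample profile sets are constructed.

```python
import re

# Canonical spellings named in the comment; the variant spellings are assumed.
CANONICAL = {"dot1x": "Dot1x", "802.1x": "Dot1x", "mab": "MAB", "cwa": "CWA"}

# Constructed sample data; the field names are hypothetical, not an ISE export.
PROFILE_SETS = [
    {"ssid": "CORP", "name": "CORP-Wireless", "rules": [
        {"name": "CORP-Dot1x", "default": False, "result": "PERMIT"},
        {"name": "CORP-802.1x-Employees", "default": False, "result": "PERMIT"},
        {"name": "Default", "default": True, "result": "DENY"},
    ]},
    {"ssid": "GUEST", "name": "Wireless-GUEST", "rules": [
        {"name": "GUEST-mab", "default": False, "result": "PERMIT"},
        {"name": "Lobby-CWA-Redirect", "default": False, "result": "PERMIT"},
        {"name": "Default", "default": True, "result": "PERMIT"},
    ]},
]


def lint(profile_sets):
    """Return (location, problem) pairs for names and defaults that break the convention."""
    findings = []
    for ps in profile_sets:
        prefix = ps["ssid"] + "-"
        if not ps["name"].startswith(prefix):
            findings.append((ps["name"], "profile set name does not start with the SSID"))
        for rule in ps["rules"]:
            where = f'{ps["name"]}/{rule["name"]}'
            if rule["default"]:
                # Default rules exist in every set, so they should only ever deny.
                if rule["result"] != "DENY":
                    findings.append((where, "default rule is not DENY"))
                continue
            if not rule["name"].startswith(prefix):
                findings.append((where, "rule name lacks the SSID prefix"))
            # Compare each name token case-insensitively against the canonical spelling.
            for token in re.split(r"[-_ ]", rule["name"]):
                want = CANONICAL.get(token.lower())
                if want and token != want:
                    findings.append((where, f"write {token!r} as {want!r}"))
    return findings


if __name__ == "__main__":
    for where, problem in lint(PROFILE_SETS):
        print(f"{where}: {problem}")
```
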
it_user326337, Customer Success Manager at PeerSpot (Consultant)

WiFiSuperman, do you have any recommendations for how the way the solution employs naming conventions can be adopted by other companies/solutions?

This would be a great insight that others can learn and benefit from.

Looking forward to your input

it_user216399, Senior Network Engineer with 1,001-5,000 employees (Real User)

Tal Surasky: I'm based in Singapore, I'm more than happy to discuss with you. I've already filed 2 new bugs (CSCvc11975 and CSCvb87634) while troubleshooting issues on my end. Still dealing with other issues with TAC now. Unfortunately, TAC experience on ISE is not so vast. Only a few are trained or experienced on it. Currently, I want to explore the 2.2 version, which came out recently.

it_user216399, Senior Network Engineer with 1,001-5,000 employees (Real User)

The best way to troubleshoot is to go through the details of authentication from the GUI. If you are good with Linux commands, then the CLI can be a good option. Always start troubleshooting from bottom to top. The reason is you might have missed a small step in the investigation, which can make troubleshooting more complex.

it_user375078, Senior Network Engineer/Mobility Specialist at CCSI - Contemporary Computer Services, Inc. (Real User)

So get to know the fields in the AAA logs and pay close attention to the modifiers available for searches. Also, a good design, which includes logical, consistent naming conventions, will make things jump out and will make searching that much easier. I hope this helps!

it_user326337, Customer Success Manager at PeerSpot (Consultant)

Thanks, WiFiSuperman.

Do you have any advice to other users for how to overcome/alleviate the clumsiness & inconvenience of troubleshooting?

Can you share any responses you've found to be successful?

it_user375078, Senior Network Engineer/Mobility Specialist at CCSI - Contemporary Computer Services, Inc.