AAA/Identity/Nac :: 3750 Using AV-Pairs To Add A Description To Port Based
May 9, 2013
I recently saw a Cisco demo of ISE with a customer and the Cisco SE was setting the port description to the logged-in username (dot1x). I can't find any docs on doing this. I did find some old ACS docs that mention using an AV pair and sending aaa:suplicant-name in the result, but that isn't working. I'm trying this on a 3750 and using ISE.
Mar 25, 2012
SLM2008T does not have the ability to add Port Description or Login Banner like the SG300's do? I knew there would be some features that the 200 would lack, but I've never seen a smart switch that did not have the capability of labeling the ports via software/web admin. Really makes it easier to keep your head screwed on straight when you are in and out of 14 or more switches during the course of a day.
Jul 7, 2010
Using ACS 4.2, I can't find a way to bind an incoming NAS port to a specific IP pool:
When a user connects, the auth request comes from 2 possible NAS ports randomly (this cannot change). Which NAS makes the request determines the IP range required, so I need 2 IP pools. There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'.
I have gone around and around with NAFs and NARs, but cannot do this. I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.
Aug 14, 2011
I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably the 2960 series. Which models support this feature? I have tried with some older switches but it doesn't work properly on every one. I have upgraded them without better results; there is an issue with TLS handshaking on some switches which causes authentication to fail.
Feb 24, 2013
There are two Win7 SP1 PCs (A & B), plugged in to a 3750-x (v12.2-58-SE2), on ports 33 and 41.
The ports are configured for 802.1x, auth order of MAB then Dot1x. Priority is Dot1x, MAB. The config is the same on both ports (verified at show run all).
When either PC is plugged in to port 33, everything works as I expect. Client sends an EAPoL message, gets a response, and is authenticated. When PC A is plugged in to port 41, same correct result. When PC B is plugged into port 41, the client sends an EAPoL start, and the switch never replies.
If port 41 has the authentication order changed to dot1x then MAB, PC B works fine.
May 21, 2012
We have a stack of switches that is at the max number of members allowed in the stack. Problem is we are running out of port density and need to add more ports. So instead of adding a whole new stack I would rather replace 2 of the 24-port switches with 48-port switches.
If the two 24-port switches we are removing are stack members and neither of them is the stack master, I should be able to replace the 24-port switches with the 48-port switches without bringing the master offline? If the new 48-port switches are running the same IOS version as the current 24-port switches, they should add themselves to the stack? Would I have to tell the new 48-port switches what switch numbers they are replacing in order for them to be added to the stack, since we are at the max number of members? Also, since the 48-port switches are replacing 24-port switches, will the master give the 48-port switches the configuration for only the 24 ports?
Apr 22, 2013
how to: port forwarding to 2 different destinations based on incoming WAN port
The default HTTP service works fine: TCP80/80-> 192.168.0.55
I have a couple of IP security cameras I'd like to be able to access remotely that also listen on port 80. I tried TCP & UDP 8009/8009 -> 192.168.0.9 without any luck. Not sure how to handle the port redirects on the RV042G? Seems simple and was on the Symantec, could be user training :-)
I was able to do port redirect with the Symantec Firewall I'm replacing.
May 21, 2012
We have several pairs of CSS11501 and 11503 in our network. This issue affects only one pair of CSS11503 in one of our data centres. [code] We use VRRP in one-armed mode for load balancing and the units have performed great for a number of years. We're obviously going to be migrating to ACE ... but not just yet. We have started to experience a problem with replicating the configurations between two CSS11503 in a pair. When running the commit-VipRedundConfig, it starts off happily enough, though slowly, ending with "working" and the spinning cursor; even after 1 hour the script hasn't completed. We noted on the backup CSS that the APP configuration disappears during the process and I can't remember if this is normal behaviour.
Re-adding the app session configuration seems to interrupt the process, and when checking the configuration on the backup CSS approximately half of it is missing. Everything after the first owner is gone.
1. Configuration is too large, or just large enough to make the commit script take too long for realistic service.
2. Software bug?
3. Combination of both.
4. From now on manually add config to both CSS's and maintain it by process management.
Mar 27, 2011
We have 2 firewall (ASA5510) pairs. Each pair is configured for Active/Standby mode.
Pair1: Internet browsing, Remote access VPN, Citrix access & L2L VPN access
For this pair, I need to move the 'outside' interface to Gig 1/3 and change the IP addresses (minimize the downtime). [code] Remove the IP from the outside interface, add the new IP and enable monitor interface outside?
May 23, 2012
We have a lot of 6913's handling our office ports and I'd like to know a simple way to find multiple ports knowing their description.
I'm used to Juniper, so if I were looking for the 8 ports for the office's 3190-3199 I would type something similar to:
show | display set | match 319
I know I can use | include with a show run on Cisco but that won't pull the interface just the description.
Apr 30, 2012
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and map appropriately to an identity group. What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group. It seems that the ACS server will not match the AD group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>. Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
Feb 7, 2011
I am using ACS 5.2 and attempting to authorize users through TACACS to Nexus 5.1 code. I seem to have ACS set up correctly based on documentation I received through here. The problem is that NX-OS doesn't seem to be operating as expected.
Mar 15, 2012
I have 2 types of network, DC & Office. I have 3 types of users: NOC, Office & DC. Office network devices are in the Office NDG, DC network devices are in the DC NDG. Because of such config, Office network users can only access Office devices & DC network users can only access DC network devices. Now I have NOC users, who want access to both Office & DC network devices. How can I achieve this?
Mar 10, 2013
How to setup a 20 -30 computer network.
Requirement:
- All systems can be accessed from the network and should be connected.
- Data storage in a centralized device and accessible from all devices.
- Should be connected to internet.
Mar 21, 2012
setup of 20 users small network description
Jan 9, 2012
We use a combination of Cisco ACS and Cisco Catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grant access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate; Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).
Aug 23, 2012
A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access to company notebooks only. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated into the domain and are unable to do certificate-based authentication.
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as the authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password, I now wanted to add another step into the authentication process: the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database, and as it is cumbersome to maintain the MAC list on all the controllers, I thought I could do it over our ACS system.
I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is successful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, deciding whether access is granted or not.
For this I created the following policy:
Service Selection Policy -- (Rule based result selection)
-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access
-- Default | Result: DenyAccess
Service PEAP access Identity: Internal Users -- (Single result selection) Authorization -- (Rule based result selection) -- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is: 15039 Selected Authorization Profile is DenyAccess
Is it not possible to use one identity store as "attribute database" for the other identity store?
Mar 23, 2012
How to implement certificate based 802.1x authentication network access using ACS5.3 & external identity store as AD.
Apr 18, 2011
I'm trying to configure ACS 5.2 to assign the VLAN to a user dynamically based on the AD group that the user belongs to. I've gone into:
Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab
and selected the group name from the AD. If I understand correctly, I should now see this group under:
Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name
However, it does not. Am I missing something?
Jan 9, 2012
I'm trying to find out the options for authenticating remote users via IMEI and MSISDN values via ACS 5.3. I'm unfamiliar with the RADIUS attribute options here and what kind of request/response we can utilise. Also, previously I could define IP pools on ACS 4 but can't seem to do that now. Is there a way to have ACS 5.3 provide a DHCP server address for the connection?
Apr 15, 2013
I am deploying ISE with WLC 7.4. I have two SSIDs running in my network: 1. Corporate & 2. Services. I have a domain set up, let's say "AD.com", with 4 groups: 1. Corporate, 2. Services, 3. Employees, 4. Contractors. Here is an example of the scenario that I want:
AD.com Group : Corporate's User : 1. C_USER1
2. C_USER2
3. C_USER3
4. C_USER4
5. C_USER5
[code]....
Now what I want to do is have 802.1x authentication on my Corporate SSID that will check in AD.com, and ONLY in the Corporate group, for authentication. That is, only C_USER1 to C_USER5 are allowed to connect to it. Users from any other AD group shouldn't be authenticated on this SSID. The same for the Services group & SSID.
Apr 19, 2011
I've been working on trying to get RADIUS authentication working for devices connecting to our corporate mobile APN. Our APN provider sends us Username & Password attributes which I can authenticate fine using ACS 5.2, but I'm having a problem using other attributes sent in the Access-Request. We have mobile SIM cards with an MSISDN value matched with a physical device with an IMEI value. The SIM cards cannot be used in other devices, only their matched device. The provider passes us the MSISDN attribute under RADIUS-IETF 31 and the IMEI under a VSA of 3GPP-IMEI.
What is the best way of being able to authenticate a user and match the MSISDN and IMEI associated to that user?
Aug 26, 2009
Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.
We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership.
Aug 9, 2012
I'm the administrator of a small network. I wish to replace my old switches with new SG300-10 and SG300-16 managed switches. I have big trouble in my network because anyone can assign his neighbour's IP (or any IP) to his network card. I have a policy that the IP is 172.16.1.X where X is the home number. Could I do an IP-based ACL assigned to the port where the cable from home 29, for example, is connected, permitting only IP 172.16.1.29 (mask 255.255.254.0)? That is, from a specified port only permit packets with the specified source IP (the LAN user's IP); anything else (if the user sets an IP that is not his) is denied.
I want to know that before buying equipment. How do I configure that?
I think IPv4-Based ACE, action: permit, source IP: 172.16.1.x (number of home), wildcard 0.0.0.0, destination: any, protocol: any, source port: any?
And in ACL Binding, I have to bind this ACL to the port where the user whose IP is in the ACL is connected?
Dec 20, 2012
I have a customer with a SonicWall that I want to replace with a 521. He currently has port forwarding set up so that only 3 IP addresses can access the port forward. Everyone else is dropped. Is there a way to do something similar? I can make it work for a single one via the DMZ tab with a source IP address, but there is no way I can find to add the allow for the other two remote connections.
Oct 16, 2012
This is a continuation of my last post in which I need to apply ACLs to the physical ports within Etherchannels. The switch is a Catalyst 2970 running IOS 12.2. These Etherchannels are configured as trunks with 2 VLANs allowed on each trunk. I have applied an inbound ACL on the physical ports that filters based on layer 3 and layer 4 traffic. The issue that I am seeing is that the counters for the ACL are not increasing even though the ACL is clearly doing its job. At the end of the ACL I have an entry of "permit ip any any". Removing this from the list causes connectivity problems to the server on this port. Adding it back and everything is back to normal. However, the counters don't increase. At first I thought maybe this wasn't supported on this switch, but then I noticed the counter had increased to "2 matches" later in the day. What is the normal behavior for this switch, and does it support logging on an ACL entry as well?
Jun 11, 2013
This is my first time configuring a Cisco router. For instance, a Cisco 1700 router with 2 Ethernet WICs and 1 LAN port. We have 2 ISPs, one more stable than the other. We use an RDP session to an external host identified by, let's say, IP address 200.1.1.2 using ISP2 to get to this computer. We use ISP1 for all the internet usage: web pages, YouTube etc. We are thinking of using this Cisco 1700 router to do the packet filtering and routing of this RDP session to the correct ISP2, since we only have 1 NIC per computer on the LAN side.
The main idea would be:
| YES -----> ----------- then use ISP2
LAN---------> Are the packets RDP ?
| No--------> ----------- then use ISP1
Can this be achieved using packet filtering with extended ACLs, so that RDP (port 3389) packets from the LAN interface are routed to the ISP2 WAN interface?
Apr 10, 2012
I have recently separated a few sites that I operate into multiple virtual machines, all with their own IP. Basically, site A is located on, for instance, www.siteA.com, site B is located on blog.domain.com etc. So my question is, how do I (with the Cisco RV220W) forward port 80 based on host? [URL]
Oct 17, 2011
I have a simple design with a 3750. I configured a route-map which defines a next hop. I applied this route-map as a policy on a VLAN interface. When I test with some pings and a debug ip policy, it seems that my policy never matches. Is there any mechanism that prevents the switch from using PBR? I think of CEF.
Jan 28, 2013
In our datacenter we have a 3750 stack with the IP Base image. I have enabled PBR and reloaded the switch. Show sdm prefer says I am using the default template. The reason I want to use PBR is that we have 2 firewalls on the same network and want to be able to have granular control over which gateway out of the network they use, but still be able to access all internal resources across the WAN and locally.
Created access list to identify traffic:
access-list 10 permit 10.2.3.59 (test workstation on vlan 3)
Created policy:
route-map TestASA permit 10
match ip address 10
set ip next-hop 10.2.0.3
Assigned policy to the user vlan3:
ip policy route-map TestASA
Results: It changed the default gateway to the above gateway, but I could not access any resources on any other VLAN, and could not access resources across the WAN.
Sep 5, 2012
I have a simple design with a 3750. I configured a route-map which defines a next hop. I applied this route-map as a policy on a VLAN interface. When I test with some pings and a debug ip policy, it seems that my policy never matches. Is there any mechanism that prevents the switch from using PBR?
Jan 3, 2012
I want to implement port-based and MAC-based DHCP assignment in these two switches: 2960 & 3560 (both of them have this IOS version: 12.2(55)SE1). And I haven't found a way to implement both of them at the same time. This is what I got:
ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name
ip dhcp excluded-address 192.168.0.0 192.168.0.2
ip dhcp excluded-address 192.168.0.251 192.168.0.255
[code]....
With this configuration I can use port-based, but not MAC-based. If I remove the first two lines and change the last line to this one:
address 192.168.0.7 client-id 0112.ae1d.af58.60
Then the computer with that MAC address gets the correct IP, but the port-based assignment doesn't work. Also, I have this line on the interface where I want to use MAC-based:
ip dhcp server use subscriber-id client-id
Jun 21, 2011
I am looking for a script or applet that will disable/enable an Ethernet interface on a Cat 6500 based on reachability to an external destination. Reachability should be verified either directly by sending ICMP packets, or based on IP SLA status.