Cisco :: 802.1x ACS 4.1 Authentication Required
Jul 9, 2012
I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to an ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place, so I'm trying to piece it together. The ACS is set up to map to AD for specific groups.
In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to. Three different interfaces have been defined, a general one for most users and two others (let's call them INT1 and INT2) that place users on separate IP networks. The reason for this is that those IP networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the VLANs associated with those separate IP networks.
Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place. After some troubleshooting and realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate prior and therefore execute the login script.
Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the VLANs associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates before the user logs on, it shows in ACS as host/xxxxx.yyyy.org, where the user authentication shows as xxxxx/username. So some of the computers never change from authenticating as a host to a user and the IP address ends up in the wrong VLAN.
Oct 16, 2012
I've gotten to the point where I can test against Active Directory and get in; also I can get AD groups from my server on the ASA. My problem: I can't connect in via my AnyConnect client on my Android. I immediately get a "log in failed" and I know I'm using the right username/pass. Doing a little troubleshooting, I have attached my AnyConnect debug log and the results of the "debug ldap 255" command on the ASA. Also, I've used ldp.exe to determine I can connect in with the username/password combo I'm using. Combing through the AnyConnect logs I see a few instances of "global error unexpected" but no Google searches have brought up anything useful.
May 15, 2011
Due to a bug in the IOS (F4 losing routing information) I needed to upgrade the IOS from 15.0.1-M4 to the latest one, which is 15.1. Is it OK to do without a valid Smartnet contract? The Cisco website allowed me to download the IOS and then put it on the router. Do you need some sort of a license to upgrade the IOS?
Aug 14, 2011
I'm running LMS 4.0 as an evaluation and I'm only discovering 86 devices, using the auto discovery. I've added a seed and although it sees lots of neighbours on that seed it only goes on to discover devices off a particular range. All the devices are set up the same way (standard config) so it should see them as well.
I know it has a limit on the number of managed devices of 100, and I could understand if it hit 100 and then stopped. We have around 500 devices in total (not including phones, DMPs, etc).
I've just added the seed and selected cdp as discovery method and set the snmp target as *.*.*.*. Is there anything else I should be doing?
Jan 5, 2012
I have a customer that purchased an LMS 3.0 package and later upgraded it to LMS 3.2 using the same license for 300 devices. Now the customer wants to upgrade to LMS 4.1 and is asking if they can get a similar free upgrade as before, especially since their current LMS is covered under an SP Base contract.
Do you know if the SP Base contract will qualify them for this? I have tried discussing it with a TAC licensing engineer and the local accounts team; both have not given me a solid answer.
Sep 22, 2012
My main goal: I want to filter certain sites, including Facebook, so they are not accessible within the network, and block all torrents, including malicious sites. I was advised to get a Cisco ASA 5505, for which I already got a quote. But now I want to know if the ASA 5505 is good enough for this purpose. Is there anything additional required to successfully achieve my main goal?
Jan 10, 2010
Setting up IPsec for a DMVPN between a 2811 and 2951s in a test lab. I have enabled IPsec on the hub (2811) but I am unable to do so on either of the 2951s. After researching, it seems that I may have the incorrect IOS for this, but I am at a loss which IOS I should be using. Currently the 2951s are on "c2951-universalk9-mz.SPA.151-2.T2.bin" and the only crypto options.
Oct 18, 2011
I am very confused on how I set up a PIX 515 that I just got to route traffic out a cable modem. First, let me give you a few details on my current network setup and what I am trying to accomplish with this PIX 515. Currently all my users go out the proxy for any internet access; however, I have certain users that need to go out the cable modem instead of the proxy server. Below is an example of the current IP setup of a user A:

The cable modem that we currently have has DHCP, so I would need the external PIX address to accept a DHCP address. I also don't really understand what else I need to set up, so if I have, say, four users hitting the cable modem through the PIX, how do I direct their web traffic to the correct computer (NAT?). I will be plugging the PIX into a Cisco switch on which all ports are in VLAN 48, so hopefully a static internal address on the PIX of 10.24.48.254 will keep me from having to do any routes since all traffic will be originating from the 10.24.48.0 network.
Jul 2, 2012
I have modified my radius accounting reports using "interactive viewer" and saved successfully but the exported report doesn't reflect these changes. I'm just wondering what's the point of being able to modify the reports if you can't export your changes or there is something I'm missing?
Sep 29, 2011
I have LMS 3.2 installed in my campus. I need the serial number of the LMS suite to open a service request with Cisco, but I am unable to find the same. How do I find the same?
Jun 14, 2011
I have two ASA 5510 with Security Plus license and Shared SSL VPN licensing enabled.
The problem is that the client gets “Session could not be established: session limit of 25 reached” but there are only 6 SSL VPN users connected with AnyConnect. The software on the firewalls is 8.2(1). Is there any bug in this software related to this problem?
May 20, 2012
I need my security key
Apr 10, 2012
I want to directly connect two Win XP machines together to transfer large files. Both have "Gigabit Ethernet". It's been years since I last did this, and I used to need a special cable called a crossover cable to accomplish this, but reading up to refresh my memory I believe I no longer need the special cable, but can use the cable that now connects my cable modem to my computer, as the Gigabit specification eliminates the need for a crossover cable.
Jul 28, 2012
I have a DIR-825 coming. Do I really need that long to set up something? When I got my Netgear all I did was plug the sucker in. Two Ethernet cables in the back. Done. Later on I added a wireless device in the living room so I set up a name and key. Done. I still have the same devices, except I'm going to add my girlfriend's daughter and QoS her bandwidth.
Jan 29, 2011
We are looking at buying an ASR1001 but I'm confused by the licenses and I've struggled to find the information in the Cisco data sheets. The router will need to run IPsec on GRE tunnels and I figure that I need the IPSEC license (FLSASR1-IPSEC). Do I also require the Advanced IP Services license, or is the IPSEC license all that is required? Is there some sort of list that shows the feature set of each license? They cost the same amount, so I'm not sure which license fits what we require best or if we need both.
May 2, 2012
We have a problem with AIR-LAP1142N access points.
AIR-LAP1142N-E-K9
Version 12.4(21a)JA
LAPs are not associated with the controller yet. They get the IP address via DHCP and they are reachable by ICMP. When I try to telnet, I get "Password required, but none set". Is there any chance to get access to them without using the serial port?
Jun 6, 2012
We have purchased a new Websense 10000 Appliance and I'm not a hundred percent sure how to set this up. I see that URL Filtering is a possibility, and WCCP; which way to move forward on implementing this?
Apr 19, 2011
I am trying to set up my Cisco 520 router with a firewall that will: allow port 80 traffic to VLAN 20, block all other incoming ports to VLAN 20 (unless initialised from inside), allow all outgoing ports on VLAN 20, and block all access from VLAN 20 to VLAN 10 (unless initialised from VLAN 10).
May 11, 2011
As the subject... All those who have the WAP4410N... want the new firmware 2.0.4.1 and solve the AP problems of stops and repeat. Believe in CISCO.
Apr 3, 2013
Is there a guide to set up a VPN connection using this router? I've followed the setup guide provided by Cisco but I'm having issues. When attempting to connect using the QuickVPN client, I get error messages.
Nov 20, 2011
I'm losing my patience with the home setup I'm running. My ISP has given me a /29 static range which I have correctly applied. I have statically mapped an external IP to a device on the LAN without any issues. When checking the external IP on the device it appears as it should, and everything else appears as the external address of the PIX. When I try to access anything past the router externally I cannot. I can ping the dialer and vlan1 interface on the 857w but cannot see anything past that. All I want the router to do is route, and control everything from the PIX. Have I left out a command somewhere?
Apr 14, 2010
I have a Cisco 7609 router and we have observed that the router is rebooted due to the following error: SLOT 3: Apr 13 16:06:26.621: %CARDMGR-2-ESF_DEV_ERROR: An error has occurred on Egress ESF Engine: Control Store Parity Error SLOT 3: Apr 13, Slot -3 we have SIP-400 card. We would like to know if there is any MIB which can monitor such reboots.
Apr 24, 2013
What is the power required by the WAP321? There's no information about the IEEE 802.3af class in the datasheet.
Mar 21, 2011
I tried to find the EOL or EOS of the IOS A2(1.6a) of our ACE10-6500-K9 module. What to do?
Jun 6, 2013
How to confirm the licenses required for me to get this working? I understand that it needs the 'AnyConnect for Cisco VPN Phone' license, but do I also need to have AnyConnect Essentials? This is for ASA version 8.2 and the license info below is for the ASA I intend to deploy this on. This platform has an ASA 5550 VPN Premium license.
Jan 6, 2013
What is the meaning of the following log messages on Cisco 7604 core routers? The core router is configured with 2 STM card configurations with VLAN assignments: [code]
Mar 11, 2013
Need the firmware for the device....URL
Apr 7, 2010
We are getting ready to bring up 2 new 5.1 ACS servers to replace our ACS 4.2 configuration. The documentation says that 512GB of disk space is required for each server. This means we will need to request 1 TB of disk space. The VMware folks in our group are asking why we need so much space when the 4.2 servers are only using 20 gigs including the OS.
Oct 5, 2011
Is the following setting a shipping default in the ACS 5.1? In Access Policies -> Network Device Admin -> Identity -> Advanced Options, the "If user not found" option was set to "Continue".
Sep 16, 2007
Do I still need ACS if I have the NAC appliance, say 3310?
Jan 10, 2012
I'm in the process of migrating a rather big NAT configuration from a customer running pre-8.2 ASA software. The customer has 2 Dynamic Policy NAT configured which have overlapping source addresses. Other Dynamic Policy NAT has the destination address of "any".
Other Dynamic Policy NAT has a single host address as destination address towards Internet. The Dynamic Policy NAT configured with the "any" destination is applied to all translations for the source host towards Internet.
What I'm interested in is the following:
Since both NAT statements are equal in a sense (because they are of the same type), what is the next deciding factor when the ASA decides which translation rule to use?
Does the "nat_id" parameter define which rule is checked first? Is the NAT rule with the lowest "nat_id" value used regardless of what the order of the NAT rules is when you check them on the CLI (with "show run global" and "show run nat")? I'm just interested in how the NAT operates in this case, even though we're generally using 8.4 at the moment.
May 16, 2011
I upgraded my ASA 5520 with the latest image. Now I get an error upon launching ASDM. Your ASA image has a version number 7.2(4) which is not supported by ASDM 6.4(1), use Device Manager version 5.2(x) Continue Anyway?
What are the newest, recommended image versions of ASA and ASDM I should be using? I will also be using the SSM-20 module with this setup, so I would like to stay with a working version of ASDM.
Oct 30, 2012
We are using ACS 5.2 in our Network. As can be seen in the provided figure, nothing in the Access Services can be displayed properly.