Cisco AAA/Identity/Nac :: 1142 How CDP Device Sensor Probe Works With ISE
Jan 24, 2013
How does the CDP device sensor probe work with ISE? What I am trying to do is to identify different Cisco Wireless Access Point models (i.e. LAP 1142) with ISE. Since the APs do speak CDP (I can see the AP devices on the switch), this should be possible with the CDP device sensor on the switch, shouldn't it? I have done the following so far: configured the switch to talk to ISE via RADIUS accounting: [code] Should this config make the switch send CDP information about connected devices to the ISE (via RADIUS accounting)? How do the device sensors work?
We have a Cisco Aironet 1162N connected to a Wireless Controller (LIGHTWEIGHT mode); the device failed and it needs to be replaced. We have a Cisco Aironet 1142N in stock available to use. Can we proceed with the change just by disconnecting the failed AP (model 1162N) and connecting the new one (model 1142N)? Or is there any other task to be done before the change, since the WLC manages the configuration for each AP?
First, my configuration, (then the problem down below):
I have an Aironet 1142 with multiple SSIDs [mapped to VLANs] connected to Gi1/0/2 on a 2960 switch in a user-accessible area. This switch is uplinked to another 2960 switch in a wiring closet, and the Microsoft NPS server is connected to the wiring closet 2960. Aironet -- 2960 [user area] --- 2960 [closet] -- NPS RADIUS
I have the user-area 2960 configured as an authenticator switch for dot1x, and port Gi1/0/2 is authenticating the Aironet via MAB to RADIUS. RADIUS is sending VSA device-traffic-class=switch to the 2960. The closet-2960 has no special 802.1x configuration, nor is it an authenticator switch; it just has a manually-configured trunk port to the user-area 2960 [for now; I'm trying to take this one step at a time!].
The user-area 2960 correctly converts port Gi1/0/1 to a trunk port when the Aironet is authenticated [via MAB]. The Aironet boots up, the port is opened, I can ping the Aironet on the native VLAN, and all is well [so it seems]. The Aironet dot11Radio is configured for two SSIDs and mapped to VLANs, which are being spanned via STP through the user-area 2960 and the closet-2960. STP is correct and verified on all switches.
I have DHCP snooping configured on the user-area 2960 but only for VLAN 1 [and NOT the wireless user VLANs]; the trunk port to the closet 2960 is a trusted port. Hosts on the wired ports on the user-area 2960 are able to get DHCP IPs. On the Aironet, "show dot11 associations" shows hosts on the SSIDs are getting DHCP addresses. Again, I am *NOT* running DHCP snooping on wireless SSID VLANs [I read elsewhere that can cause problems as users roam between Aironets].
I do have CISP configured on the user-area 2960. I do not have CISP configured on the closet-2960 [best I can tell, that's not required at this stage, but I could be wrong]. Despite the alleged documentation, I could not get the Aironet to use a dot1x credentials profile to authenticate to NPS/RADIUS as an 802.1x supplicant, which is why I resorted to MAB for this exercise. The Aironet simply would not run dot1x [best I could tell]. The documentation and configuration didn't seem complex, so I was quite confused.
I have upgraded the Aironet to the latest 12.4(25d)JA2 software, and the 2960 is at 12.2(55)SE7 [I saw 12.2(58) has some issues, but I'm willing to be persuaded otherwise, based on sound advice]. Ok, now the problem:
Users on the guest wireless SSID (VLAN 20) say they cannot connect. Yep, classic. VLAN 20 is trunked and spanned to all the sufficient places. The Aironet shows users in the associations list for that SSID with IP addresses from the DHCP server! DHCP snooping is not configured on that VLAN. I read another support forum post saying CISP and MAB could cause problems with "disappearing" ARP entries. I appear to have that problem. However, the user on the Staff wireless (VLAN 10) has full access. Am I running into a problem with "multi-host" authentication config? Via tcpdump on my firewall, I see nothing but broadcast and multicast traffic coming from a host on VLAN 20. What puzzles me is how I do see *SOME* traffic from a VLAN 20 host on this SSID, but no unicast traffic!
Since you're going to ask, here is my port config for this AP on the 2960 authenticator switch in the user-area, and the AAA config pieces:
#sh run br | in ip dhcp
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp_snoop.txt
ip dhcp snooping
[code]......
I'm getting started on CiscoWorks and I'm trying to configure a device discovery, but I have some questions about how to configure this tool. There are 5 parameters that I have to configure to start the device discovery.
I want to add devices that are found as neighbors via CDP, so in the Discovery Module Settings I chose that option. In the Seed Device Settings I chose DCR as seed device; that means those devices already in the DCR start discovering from those devices, but you can add more seed devices. How can I add a seed device? With an IP address or something like this? And does this device have to be in the DCR already or not? In the SNMP Settings, which device does this community correspond to? The devices that I want to add? And in the field Target Name, what IP address has to be there? And if I have different SNMP communities on my devices, which device and SNMP community do I have to configure in this parameter?
I have ACS 5.2 running as a VM. I'm using AD, then local, authentication successfully for device access, but I want to define ACS user groups to restrict login. I don't see any way to do this. If I use AD groups, they don't show up as selection options on the policy screens, just the ACS locally defined groups.
I have a 512MB USB Flash device and was able to boot the IOS on the C2960 from it. After that I tried to copy the IOS file from the USB to the system flash, but it could not find the USB device. When plugging in the device the system tells me: "Transfer type 2 not supported". I configured the USB device in NTFS and FAT; both are able to boot with the ROMMON, but the normal system does not accept them. I know I can do the copy over TFTP from my laptop, but it is strange that rommon accepts the USB device and the system does not?
We are in the process of upgrading from ACS 4.2 to 5.3. Most things seem to be working but we are having some major issues with the Rancid configuration tool. I can log into devices using CLI login with the credentials that Rancid uses but Rancid fails login.
This worked fine with our 4.2 implementation but not the 5.3. Presumably I need to make a change in the expect scripts because the new ACS server sends a different string, but I have no idea what it is supposed to be.
I set up an LDAP store pointing to a Windows domain and am testing authenticating users via an ASA. In my LDAP config, it's set for "Groups Objects refer to subjects" and I selected usernames in the drop down. I also added a Global Group to the Directory Groups tab in the LDAP store that I created.
Under my Access Policies, I created a rule that meets two conditions: coming from the ASA, and then I was able to select the group from the drop down box for my LDAP domain. As a condition, it shows up as DomainName:External Groups. I set the permission to Permit Access.
Originally, I was failing authentication and I was receiving Subject Not Found in Store. I adjusted the Identity Sequence and now I receive the following error:
15039: Selected Authorization Profile is Deny Access. So it must not be associating my account with the group with the Permit Access and is using the Default Permissions. So it does match the correct Access Service and Identity Store.
This question might actually belong under TACACS server but it's only happening with the ACE. I've configured TACACS on the 4710 and configured the TACACS server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings, when I log in with my TACACS ID my role is set to Network-Monitor. If I set the shell in my specific TACACS ID I'm assigned the correct role as Admin. We're running ACS ver 4.1 and the ACE is A4(1.1).
I have an RDP server farm that lost a disk. The RDP service was still running but users were unable to log in. I'd like to create a health probe that does maybe a combination of TCP probe for port 3389 and something that can determine if the drive that stores user profiles is available.
I cannot add any new service (http or ftp) to the server. Is there any way I can check SNMP mibs on the windows server or maybe WMI through TCL?
I have four ACE 4710. Each pair of ACE is in one geographical location. Probes are configured so that they check a regular regex (HTTP GET). When an rserver needs an update we change the text in our testpage.html (e.g. from "OK" to "SUSPEND") so that the probe detects a failure. In fact the rservers are still operational, but should not accept new connections. This works fine. BUT I observed that established connections/sessions did not end after the probe fails. The ACE probably waits for opened/established connections to end, and that is what I am asking about. What happens if the probe fails but in fact the rserver is operational? I thought that if the probe fails it also ends/cuts all established connections to the rserver. But it seems that is not true.
I have a physical server running behind the ACE module ACE20-MOD-K9. The server has several virtual machines. One of those virtual machines has a WEB SERVER running virtual HTTPS servers. For example, the server with IP address 10.0.0.20/24 has several virtual HTTPS servers such as url... So, if you nslookup the servers, they all respond with the 10.0.0.20 IP address. So if I do url... it goes to 10.0.0.20, reads the VIRTUAL SERVER config and replies back to the request. Now, I am trying to verify that the TCP connection (443) and the HTTPS server itself are up and running, but only for the url... site and not for the other 2. The problem that I am facing is that the HTTPS probe fails randomly. The TCP probe works fine.
I have a new 5512-X with the built-in IPS sensor. The firewall is running in transparent mode with the management interface being used for both the ASA and the IPS sensor, i.e. a single interface.
Both the IPS and the ASA are configured on the same network segment (172.29.25.252 for the firewall and 172.29.25.250 for the IPS). However the IPS module keeps going off-line whilst the firewall is fine. So CSM Health and Performance Manager keeps coming up with an error.
Now the interesting bit... If I SSH to the firewall and issue a session ips I get straight into the sensor. I can then ping something from the sensor, exit out, and the sensor is visible on the network for a while. It then drops again. Is there a keep-alive that I need to configure to get this working properly?
I want to configure my ACE so that if a probe fails, it fails over to the backup rserver, BUT it won't failback to the primary rserver until manual intervention is complete. The problem is we don't want an rserver to fail and failover to secondary, then failback to primary, repeat... (flip-flopping). I want to be able to have time to get on the server and find out what may have caused the probes to fail before it fails back.
I have been testing my new DCS-942L and found that while the motion detection works great it is sometimes hindered by the audio mic setting of motion detection. I have turned down the microphone settings to the lowest (10) and the only difference is minuscule. The camera will still set off the motion detection prior to anyone being in the screen, and if the person enters the screen immediately after the noise the camera will not record the movement.
I have adjusted the sensitivity down to 25% and continued having the issue. I would like to record motion with sound. So either the microphone needs to be able to be adjusted lower, or not set off the motion detector.
In our scenario, Easy VPN users are being authenticated by ACS 5.3 successfully. We have created a separate user group for these users. The issue is, these users are also able to access our routers using their username/password. I want to restrict this particular group so that it is not able to access any device.
A 1552E has a temperature gauge sensor connected to its Power over Ethernet port. The port status shows line protocol as down. The cable from the 1552 to the sensor has been changed twice. We can see the 1552E gig1 interface is at 1000/full duplex. Is there any chance the speed is causing the problem here? It seems the 1552E doesn't allow setting a different speed and remains on 1000.
We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers. Here is what we did:
1) Created a user in ACS
2) Created a Shell Command Authorization Set - ReadOnly; Unmatched Commands - Deny; Commands added: show, exit
* this should limit the user to the show and exit commands only (correct)?
3) Created a group - HelpDesk with the following TACACS+ Settings:
Shell (exec) is checked; Privilege level is checked with 15 as the assigned level; Assign a Shell Command Authorization Set for any network device - selected; ReadOnly shell command authorization set selected
When the user logs on to the router/switch it appears that he has full access. He can enter the enable command, config terminal command, etc. All we want him to be able to do is to issue the show command.
I have a question regarding the Cisco Secure ACS 5.2 and network access vs device admin access. We have our switches, routers, and firewall configured to use TACACS+. We also have configured our Wireless LAN Controller to use RADIUS to allow 802.1X authentication to the wireless network. We are using Active Directory for the backend user database and have assigned the users to different groups in AD. We have a Network Admins group to access the network devices and a Wireless Users group to access the WLAN. The problem that we have is that everyone in the Wireless Users group can access the devices and run full commands on them. We want to limit the Wireless Users group from being able to do this. Is there a policy or config change that we will need to make for this?
I have 2 types of network, DC & Office. I have 3 types of users: NOC, Office & DC. Office network devices are in the Office NDG, DC network devices are in the DC NDG. Because of such config, Office network users can only access Office devices & DC network users can only access DC network devices. Now I have NOC users, who want access to both Office & DC network devices. How can I achieve this?
I have ACS version 5.2 (TACACS) where I need to integrate equipment from Sandvine; I am currently looking for information and there is very little on managing the integration of ACS with these Sandvine devices.
I have information from the vendor Sandvine with a guide for this case which only states:
TACACS+ server: On a TACACS+ server, each user entry must allow the service "Sandvine". Within this service, the following attribute-value pairs can exist: • An attribute named "Sandvine-Group" of type string.
We have a Nexus 5k, and it kind of got hung today... it is running version 5.1(3)N2(1b). The reset reason shows "Power down due to temperature sensor policy trigger". It doesn't look documented. What policy is it referring to? Not sure if this is an IOS bug?
My admin user is still being assigned privilege level 1, as shown in the AAA Protocol > TACACS+ Authentication Details report. The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- the one I set up for this user's group with both Default Privilege and Maximum Privilege set to Static 15), but still not the right privilege (Privilege Level: 1). Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have. So I am wondering if I am not reading the ACS report right, or whether the device actually was assigned the correct privilege but that does not work without the "aaa authorization exec" command in the configuration?
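As an added illustration for the ACS 4.2 "show/exit only" post and the privilege-level-1 post above (not taken from any post on this page), these are the IOS-side AAA lines a device needs before a shell profile's privilege level and a shell command authorization set are actually enforced; the TACACS+ server address and key are placeholders.

```text
! Added example: device-side AAA for TACACS+ exec and command authorization.
! 192.0.2.10 and SECRETKEY are placeholders, not values from this page.
aaa new-model
tacacs-server host 192.0.2.10 key SECRETKEY
!
aaa authentication login default group tacacs+ local
! Without exec authorization the device never requests the shell profile,
! so the privilege level configured on ACS is not applied to the session.
aaa authorization exec default group tacacs+ local
! Without per-level command authorization a privilege-15 user is never
! checked per command, so a deny-unmatched command set on ACS has no effect.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
! Accounting gives an audit trail of which commands each user ran.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! After logging in, "show privilege" reports the level actually granted.
```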
I am trying to integrate Cisco ACS 5.2 in a network to do device authentication of switches for administrators.
I am not sure if Cisco ACS 5.2 supports the RADIUS protocol for device authentication. In the configuration of Cisco ACS 5.2 I can only see TACACS authentication for device authentication, and I have configured it and it works. Does Cisco ACS 5.2 support RADIUS auth for device authentication?